Bug 2141998
| Field | Value |
|---|---|
| Summary | systemd-gpt-auto-generator: Failed to dissect: Permission denied |
| Product | Fedora |
| Reporter | Gurenko Alex <agurenko> |
| Component | selinux-policy |
| Assignee | Zdenek Pytela <zpytela> |
| Status | ASSIGNED |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Severity | medium |
| Priority | medium |
| Version | 37 |
| CC | adam, andretiagob, bcygan, dani, decedion, dtardon, dwalsh, elia.f.geretto, fedora, fedoraproject, filbranden, flepied, gnwiii, grepl.miroslav, hugh, itrymybest80, lnykryn, luckispac, lvrabec, mark, mihai, mmalik, msekleta, ncross, ngompa13, nicolast88, omgcao, omosnacek, pkoncity, pmx90, quintinhill, ryncsn, ssahani, s, systemd-maint, vmojzis, yuwatana, zbyszek, zpytela |
| Keywords | Reopened, Triaged |
| Hardware | Unspecified |
| OS | Unspecified |
| Fixed In Version | selinux-policy-37.16-1.fc37 |
| Doc Type | If docs needed, set a value |
| Last Closed | 2023-01-30 17:49:52 UTC |
| Type | Bug |
Description
Gurenko Alex
2022-11-11 11:19:05 UTC
Could you run the following command as root and attach gpt-auto-generator.strace here?

`# strace -y -k -Z -o gpt-auto-generator.strace /usr/lib/systemd/system-generators/systemd-gpt-auto-generator /tmp /tmp /tmp`

Created attachment 1924180 [details]
strace desktop
Please find the strace from my desktop. I have the same error on my laptop; let me know if an strace from it would help.
This is very likely caused by SELinux, moving to selinux-policy. In the meantime, please attach the output of "ausearch -ts recent -m avc" after you boot up.

Hm, indeed it looks like SELinux, but it does not trigger notifications for some reason, although I'm getting other SELinux alerts. Your query didn't return anything, but there are the following records in the SELinux troubleshooter:
Source Context system_u:system_r:systemd_gpt_generator_t:s0
Target Context system_u:system_r:systemd_gpt_generator_t:s0
Target Objects Unknown [ capability ]
Source systemd-gpt-aut
Source Path systemd-gpt-aut
Port <Unknown>
Host wasp-blackquiet.hive
Source RPM Packages
Target RPM Packages
SELinux Policy RPM selinux-policy-targeted-37.12-2.fc37.noarch
Local Policy RPM selinux-policy-targeted-37.12-2.fc37.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name wasp-blackquiet.hive
Platform Linux wasp-blackquiet.hive 6.0.8-300.fc37.x86_64 #1 SMP PREEMPT_DYNAMIC Fri Nov 11 15:09:04 UTC 2022 x86_64 x86_64
Alert Count 18
First Seen 2022-10-27 13:26:39 CEST
Last Seen 2022-11-13 19:52:00 CET
Local ID e176615b-257c-484c-badf-ac55d4700fce
Raw Audit Messages
type=AVC msg=audit(1668365520.248:393): avc: denied { sys_admin } for pid=16141 comm="systemd-gpt-aut" capability=21 scontext=system_u:system_r:systemd_gpt_generator_t:s0 tcontext=system_u:system_r:systemd_gpt_generator_t:s0 tclass=capability permissive=0
Hash: systemd-gpt-aut,systemd_gpt_generator_t,systemd_gpt_generator_t,capability,sys_admin
This broke auto creation of mount units for other file systems upon upgrade to Fedora 37 for me. Hopefully https://github.com/fedora-selinux/selinux-policy/pull/1468 will fix this.

Outcome of today's meeting with Michal Sekletar: an upstream systemd issue was created, https://github.com/systemd/systemd/issues/25528. For the time being, selinux-policy will dontaudit the capability. It unfortunately means there will be errors logged in the journal.

This is a captured traceback:
ffffffffa860cf8d avc_audit_post_callback+0x1ed ([kernel.kallsyms])
ffffffffa860cf8d avc_audit_post_callback+0x1ed ([kernel.kallsyms])
ffffffffa8630ed5 common_lsm_audit+0x155 ([kernel.kallsyms])
ffffffffa860e06e slow_avc_audit+0x9e ([kernel.kallsyms])
ffffffffa8612796 cred_has_capability.isra.0+0x106 ([kernel.kallsyms])
ffffffffa860887d security_capable+0x3d ([kernel.kallsyms])
ffffffffa80fed7f capable+0x2f ([kernel.kallsyms])
ffffffffa869925e blkpg_do_ioctl+0x4e ([kernel.kallsyms])
ffffffffa8699ffb blkdev_ioctl+0x24b ([kernel.kallsyms])
ffffffffa83deccd __x64_sys_ioctl+0x8d ([kernel.kallsyms])
ffffffffa8ddf158 do_syscall_64+0x58 ([kernel.kallsyms])
ffffffffa8e0009b entry_SYSCALL_64_after_hwframe+0x63 ([kernel.kallsyms])
1035cf __GI___ioctl+0x3f (/usr/lib64/libc.so.6)
8fee4 block_device_add_partition+0x114 (/usr/lib64/systemd/libsystemd-shared-25>
d8c8a dissect_image.lto_priv.0+0xeaa (/usr/lib64/systemd/libsystemd-shared-252.>
e1135 dissect_loop_device+0xa5 (/usr/lib64/systemd/libsystemd-shared-252.1-588.>
312c enumerate_partitions+0x8cc (inlined)
312c add_mounts+0x8cc (inlined)
312c run+0x8cc (inlined)
312c main+0x8cc (/usr/lib/systemd/system-generators/systemd-gpt-auto-generator)
27a8f __libc_start_call_main+0x7f (/usr/lib64/libc.so.6)
27b48 __libc_start_main_alias_2+0x88 (inlined)
3d24 _start+0x24 (/usr/lib/systemd/system-generators/systemd-gpt-auto-generato>

(In reply to Quintin Hill from comment #5)
> This broke auto creation of mount units for other file systems upon upgrade
> to Fedora 37 for me. Hopefully
> https://github.com/fedora-selinux/selinux-policy/pull/1468 will fix this.

This bz is about a systemd-gpt-generator issue requesting the sys_admin capability. How is a problem of mount units creation related? Do you have any AVC denials?

Well, without this capability it is failing with a permission denied error:
Nov 25 21:47:47 quintin audit[2769]: AVC avc: denied { sys_admin } for pid=2769 comm="systemd-gpt-aut" capability=21 scontext=system_u:system_r:systemd_gpt_generator_t:s0 tcontext=system_u:system_r:systemd_gpt_generator_t:s0 tclass=c>
Nov 25 21:47:47 quintin systemd-gpt-auto-generator[2769]: Failed to dissect: Permission denied
Nov 25 21:47:47 quintin systemd[2757]: /usr/lib/systemd/system-generators/systemd-gpt-auto-generator failed with exit status 1.
Mount units aren't generated for me, presumably because of the "Failed to dissect: Permission denied".

The failure is for gpt-auto-generator; I expect mount units are created by fstab-generator, that's why I asked for AVC denials.

`# ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today`

No, systemd-gpt-auto-generator definitely creates mount units (as does systemd-fstab-generator). From the man page:
> systemd-gpt-auto-generator is a unit generator that automatically
> discovers root, /home/, /srv/, /var/, /var/tmp/, the EFI System
> Partition, the Extended Boot Loader Partition and swap partitions and
> creates mount and swap units for them, based on the partition type
> GUIDs of GUID partition tables (GPT)
Anyway, it looks like the real fix for this issue is a backport of https://github.com/systemd/systemd/pull/25580 to systemd 251 (the pull request is labelled for backport).
Also this is really the same bug as https://bugzilla.redhat.com/show_bug.cgi?id=2083900.

FEDORA-2022-76a7b9bf91 has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2022-76a7b9bf91

FEDORA-2022-76a7b9bf91 has been pushed to the Fedora 37 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-76a7b9bf91` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-76a7b9bf91 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

I didn't get an SELinux alert during dnf update (although there were no "big" packages updated lately), but I still get an error in dmesg during boot:
[ 6.845073] systemd-gpt-auto-generator[798]: Failed to dissect: Permission denied
[ 6.845286] systemd[784]: /usr/lib/systemd/system-generators/systemd-gpt-auto-generator failed with exit status 1.
$ rpm -q selinux-policy
selinux-policy-37.16-1.fc37.noarch

FEDORA-2022-76a7b9bf91 has been pushed to the Fedora 37 stable repository. If the problem still persists, please make note of it in this bug report.

I'm not sure if the issue was supposed to be fixed. The SELinux alerts are gone, but dmesg still has the original issue even with this morning's systemd update:
[ 5.856022] systemd[1]: bpf-lsm: Failed to load BPF object: No such process
[ 5.882105] usb 5-4.5: new high-speed USB device number 7 using xhci_hcd
[ 5.906216] systemd-gpt-auto-generator[789]: Failed to dissect: Permission denied
[ 5.915611] zram: Added device: zram0
[ 5.915873] systemd[775]: /usr/lib/systemd/system-generators/systemd-gpt-auto-generator failed with exit status 1.
$ rpm -q selinux-policy
selinux-policy-37.16-1.fc37.noarch
$ rpm -q systemd
systemd-251.9-587.fc37.x86_64

I'm still getting this error in the logs:
Dec 17 12:45:37 fedora systemd-gpt-auto-generator[1927]: Failed to dissect: Permission denied
Dec 17 12:45:37 fedora systemd[1913]: /usr/lib/systemd/system-generators/systemd-gpt-auto-generator failed with exit status 1.
$ rpm -q selinux-policy
selinux-policy-37.16-1.fc37.noarch

Still present in:
$ rpm -q selinux-policy
selinux-policy-37.17-1.fc37.noarch

Still present for me too
> rpm -q selinux-policy
selinux-policy-37.17-1.fc37.noarch
It's present in the logs for me too:
systemd-gpt-auto-generator[704]: Failed to dissect: Permission denied
systemd[690]: /usr/lib/systemd/system-generators/systemd-gpt-auto-generator failed with exit status 1.

Still present in my system:
rpm -q selinux-policy
selinux-policy-37.18-1.fc37.noarch
Jan 30 18:18:53 fedora systemd-gpt-auto-generator[665]: Failed to dissect: Permission denied
Jan 30 18:18:53 fedora kernel: zram: Added device: zram0
Jan 30 18:18:53 fedora systemd[651]: /usr/lib/systemd/system-generators/systemd-gpt-auto-generator failed with exit status 1.

*** This bug has been marked as a duplicate of bug 2083900 ***

Is this actually a dupe of 2083900? The error message appears to be different: this issue is "Failed to dissect: Permission denied" and that one is "SELinux is preventing systemd-gpt-aut from using the 'sys_admin' capabilities". I see the former message on my system quite frequently, but no trace of the latter (at least not within the last month).

I missed that it was closed, as I also disagree that it's a duplicate. The SELinux issue was resolved, as there are no SELinux errors, but the issue persists to this day with the latest kernel 6.1.10, selinux-policy-37.19-1 and systemd-251.11-1
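The raw AVC record quoted earlier in this report is the evidence the maintainers kept asking for. As an added example (not code from the report, from selinux-policy or from systemd), here is a small Python parser that decodes such records, maps the capability number to its name and rebuilds the setroubleshoot-style "Hash" line; the SAMPLE lines are constructed from the records quoted above, plus a constructed permissive variant.

```python
import re

# Linux capability numbers, subset of linux/capability.h (21 = sys_admin).
CAP_NAMES = {1: "dac_override", 12: "net_admin", 17: "sys_rawio",
             18: "sys_chroot", 19: "sys_ptrace", 21: "sys_admin"}

AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample input: the denial from this bug, a plain journal line
# (not an AVC record) and a constructed permissive=1 variant.
SAMPLE = [
    'type=AVC msg=audit(1668365520.248:393): avc: denied { sys_admin } for pid=16141 '
    'comm="systemd-gpt-aut" capability=21 scontext=system_u:system_r:systemd_gpt_generator_t:s0 '
    'tcontext=system_u:system_r:systemd_gpt_generator_t:s0 tclass=capability permissive=0',
    'Nov 25 21:47:47 quintin systemd-gpt-auto-generator[2769]: Failed to dissect: Permission denied',
    'type=AVC msg=audit(1668365600.000:400): avc: denied { sys_admin } for pid=16200 '
    'comm="systemd-gpt-aut" capability=21 scontext=system_u:system_r:systemd_gpt_generator_t:s0 '
    'tcontext=system_u:system_r:systemd_gpt_generator_t:s0 tclass=capability permissive=1',
]

def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
    rec = {"result": m.group("result"), "perms": m.group("perms").split(), **fields}
    rec["enforcing"] = fields.get("permissive") == "0"  # "0" means the denial took effect
    if "capability" in fields:
        rec["cap_name"] = CAP_NAMES.get(int(fields["capability"]), fields["capability"])
    return rec

def type_of(ctx):
    """user:role:type[:range] -> type (the part policy rules are written against)."""
    return ctx.split(":")[2]

def troubleshoot_hash(rec):
    """Rebuild setroubleshoot's Hash line: comm,source type,target type,class,permission."""
    return ",".join([rec["comm"], type_of(rec["scontext"]), type_of(rec["tcontext"]),
                     rec["tclass"], rec["perms"][0]])

def enforcing_capability_denials(lines):
    """Keep only denials on the capability class that were actually enforced."""
    recs = (parse_avc(line) for line in lines)
    return [r for r in recs
            if r and r["result"] == "denied" and r["enforcing"] and r.get("tclass") == "capability"]

if __name__ == "__main__":
    for r in enforcing_capability_denials(SAMPLE):
        print(r["comm"], r["cap_name"], troubleshoot_hash(r))
```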