Bug 2323040

Summary: Dracut, et al unable to safely shut down mdraid volumes on install/upgrade due to SELinux denials
Product: [Fedora] Fedora
Reporter: Rob Foehl <rwf>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: medium
Version: 41
CC: dwalsh, lvrabec, mmalik, omosnacek, pkoncity, vmojzis, zpytela
Flags: zpytela: mirror+
Hardware: Unspecified
OS: Linux
Fixed In Version: selinux-policy-41.41-1.fc41
Last Closed: 2025-06-04 03:34:54 UTC

Description Rob Foehl 2024-10-31 20:37:51 UTC
Caught this on a serial console after a Fedora 40 -> 41 dnf system upgrade reboot finished the update and attempted to reboot again:

[  800.636172] dracut: Waiting for mdraid devices to be clean.
[  800.646094] kauditd_printk_skb: 15 callbacks suppressed
[  800.646103] audit: type=1400 audit(1730358324.784:337): avc:  denied  { nosuid_transition } for  pid=22100 comm="shutdown" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:mdadm_t:s0 tclass=process2 permissive=0
[  800.648808] dracut: Disassembling mdraid devices.
[  800.651371] audit: type=1401 audit(1730358324.784:337): op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:mdadm_t:s0
[  800.682578] dracut: Disassembling device-mapper devices
[  800.694704] audit: type=1300 audit(1730358324.784:337): arch=c000003e syscall=59 success=yes exit=0 a0=5579c4e6f690 a1=5579c4eda6c0 a2=5579c4edc400 a3=8 items=1 ppid=22099 pid=22100 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS1 ses=4294967295 comm="mdadm" exe="/usr/sbin/mdadm" subj=system_u:system_r:init_t:s0 key=(null)
[  800.694709] audit: type=1309 audit(1730358324.784:337): argc=4 a0="mdadm" a1="-vv" a2="--wait-clean" a3="--scan"
[  800.694711] audit: type=1307 audit(1730358324.784:337): cwd="/"
[  800.694713] audit: type=1302 audit(1730358324.784:337): item=0 name="/lib64/ld-linux-x86-64.so.2" inode=4448 dev=00:19 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
[  800.694716] audit: type=1327 audit(1730358324.784:337): proctitle=6D6461646D002D7676002D2D776169742D636C65616E002D2D7363616E
[  800.694719] audit: type=1400 audit(1730358324.810:338): avc:  denied  { nosuid_transition } for  pid=22102 comm="shutdown" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:mdadm_t:s0 tclass=process2 permissive=0
[  800.694722] audit: type=1401 audit(1730358324.810:338): op=security_bounded_transition seresult=denied oldcontext=system_u:system_r:init_t:s0 newcontext=system_u:system_r:mdadm_t:s0
[  800.839683] audit: type=1300 audit(1730358324.810:338): arch=c000003e syscall=59 success=yes exit=0 a0=5579c4edc010 a1=5579c4eda6c0 a2=5579c4edc400 a3=8 items=1 ppid=22099 pid=22102 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=ttyS1 ses=4294967295 comm="mdadm" exe="/usr/sbin/mdadm" subj=system_u:system_r:init_t:s0 key=(null)
[  805.547217] dracut: Disassembling device-mapper devices
[  810.405642] dracut: Disassembling device-mapper devices
[...many more for a few minutes before giving up and rebooting itself anyway...]

Similar denials occur on normal reboots.  These are hard to catch as they're happening after volumes are unmounted and right before a (typically screen-clearing) reboot, and as such aren't logged anywhere locally.

Reproducible: Always

Steps to Reproduce:
Reboot or upgrade a Fedora 40+ system with mdraid volume(s), capture console output however possible.

Actual Results:
mdraid volumes aren't cleanly disassembled on shutdown/reboot, and eventually the attempts time out.

Expected Results:  
Clean shutdown/reboot with mdraid volumes present, mdadm allowed to run as intended.
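
Because these denials reach only the console, a captured serial log has to be triaged by hand. The following is an added example, not part of the original report: it groups kernel-printed audit records by event serial and pairs each AVC denial with the SYSCALL and PROCTITLE records of the same event. The sample lines are abbreviated copies of the console output quoted above, and the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: abbreviated copies of console lines quoted in the report.
SAMPLE = """\
[  800.646103] audit: type=1400 audit(1730358324.784:337): avc:  denied  { nosuid_transition } for  pid=22100 comm="shutdown" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:mdadm_t:s0 tclass=process2 permissive=0
[  800.648808] dracut: Disassembling mdraid devices.
[  800.694704] audit: type=1300 audit(1730358324.784:337): arch=c000003e syscall=59 success=yes exit=0 pid=22100 comm="mdadm" exe="/usr/sbin/mdadm" subj=system_u:system_r:init_t:s0 key=(null)
[  800.694716] audit: type=1327 audit(1730358324.784:337): proctitle=6D6461646D002D7676002D2D776169742D636C65616E002D2D7363616E
"""

REC = re.compile(r"audit: type=(\d+) audit\(\d+\.\d+:(\d+)\): (.*)")
AVC = re.compile(r"avc:\s+denied\s+\{ ([^}]+) \} for\s+(.*)")
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
HEX = re.compile(r"(?:[0-9A-Fa-f]{2})+")

def fields(text):
    """Parse key=value pairs from one audit record body."""
    return {k: v.strip('"') for k, v in KV.findall(text)}

def selinux_type(context):
    """Return the type field of a user:role:type:level context, or None."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else None

def denials(console_text):
    """Group audit records by serial and describe each AVC denial."""
    events = defaultdict(dict)  # audit serial -> {record type: record body}
    for line in console_text.splitlines():
        m = REC.search(line)
        if m:
            events[int(m.group(2))][int(m.group(1))] = m.group(3)
    found = []
    for serial, recs in sorted(events.items()):
        avc = AVC.search(recs.get(1400, ""))          # 1400 = AVC
        if not avc:
            continue
        ctx = fields(avc.group(2))
        sysc = fields(recs.get(1300, ""))             # 1300 = SYSCALL
        title = fields(recs.get(1327, "")).get("proctitle", "")  # 1327 = PROCTITLE
        if HEX.fullmatch(title):  # titles with special bytes are hex-encoded
            title = bytes.fromhex(title).decode(errors="replace")
        found.append({"serial": serial, "perms": avc.group(1).split(),
                      "tclass": ctx["tclass"],
                      "source": selinux_type(ctx["scontext"]),
                      "target": selinux_type(ctx["tcontext"]),
                      "exe": sysc.get("exe"),
                      "ran_as": selinux_type(sysc.get("subj", "")),
                      "cmdline": title.split("\0") if title else []})
    return found
```

For event 337 the result shows `target` as `mdadm_t` but `ran_as` as `init_t`: the SYSCALL record reports the exec of `/usr/sbin/mdadm` as successful with the subject still `init_t`.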

Comment 1 Fedora Update System 2025-05-30 14:00:37 UTC
FEDORA-2025-cc4083b3f2 (selinux-policy-41.41-1.fc41) has been submitted as an update to Fedora 41.
https://bodhi.fedoraproject.org/updates/FEDORA-2025-cc4083b3f2

Comment 2 Fedora Update System 2025-05-31 00:53:32 UTC
FEDORA-2025-cc4083b3f2 has been pushed to the Fedora 41 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-cc4083b3f2`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-cc4083b3f2

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 3 Fedora Update System 2025-06-04 03:34:54 UTC
FEDORA-2025-cc4083b3f2 (selinux-policy-41.41-1.fc41) has been pushed to the Fedora 41 stable repository.
If the problem still persists, please make a note of it in this bug report.