Bug 1370459 - SELinux is preventing udisksd from 'read' accesses on the blk_file sr0.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 25
Hardware: x86_64
OS: Unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:563876d54c13169c3ee75e91716...
Duplicates: 1373897
Depends On:
Blocks: F25FinalBlocker
Reported: 2016-08-26 11:31 UTC by Heiko Adams
Modified: 2016-09-21 00:36 UTC (History)

Fixed In Version: selinux-policy-3.13.1-214.fc25
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-09-21 00:36:14 UTC
Type: ---
Embargoed:


Description Heiko Adams 2016-08-26 11:31:55 UTC
Description of problem:
SELinux is preventing udisksd from 'read' accesses on the blk_file sr0.

*****  Plugin catchall (100. confidence) suggests   **************************

If you think that udisksd should be allowed read access to sr0 blk_file by default.
Then you should report this as a bug.
To allow this access, you can create a local policy module.
Do allow this access for now by executing:
# ausearch -c 'udisksd' --raw | audit2allow -M my-udisksd
# semodule -X 300 -i my-udisksd.pp

Additional Information:
Source Context                system_u:system_r:udisks2_t:s0
Target Context                system_u:object_r:removable_device_t:s0
Target Objects                sr0 [ blk_file ]
Source                        udisksd
Source Path                   udisksd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-211.fc25.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.8.0-0.rc2.git3.1.fc25.x86_64 #1
                              SMP Fri Aug 19 14:24:04 UTC 2016 x86_64 x86_64
Alert Count                   4
First Seen                    2016-08-26 07:11:05 CEST
Last Seen                     2016-08-26 07:11:32 CEST
Local ID                      564e628c-9d36-46a0-85ef-8e97240c7f6c

Raw Audit Messages
type=AVC msg=audit(1472188292.466:226): avc:  denied  { read } for  pid=2145 comm="udisksd" name="sr0" dev="devtmpfs" ino=11301 scontext=system_u:system_r:udisks2_t:s0 tcontext=system_u:object_r:removable_device_t:s0 tclass=blk_file permissive=0


Hash: udisksd,udisks2_t,removable_device_t,blk_file,read

Version-Release number of selected component:
selinux-policy-3.13.1-211.fc25.noarch

Additional info:
reporter:       libreport-2.7.2
hashmarkername: setroubleshoot
kernel:         4.8.0-0.rc2.git3.1.fc25.x86_64
type:           libreport
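As an added example (not part of this bug report, and not the code of setroubleshoot or audit2allow), the following Python parses raw AVC records like the one above, derives the comm/stype/ttype/tclass/perm tuple that setroubleshoot prints as "Hash:", and merges the denials into a type-enforcement allow rule in the shape audit2allow would propose. The 'open' and 'ioctl' records and the SYSCALL line are constructed from what comment 7 describes, not copied from the report.

```python
import re
from collections import defaultdict

# Constructed sample input: the raw AVC from this report plus constructed 'open'
# and 'ioctl' denials (comment 7) and a non-AVC record that must be skipped.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1472188292.466:226): avc:  denied  { read } for  pid=2145 comm="udisksd" name="sr0" dev="devtmpfs" ino=11301 scontext=system_u:system_r:udisks2_t:s0 tcontext=system_u:object_r:removable_device_t:s0 tclass=blk_file permissive=0
type=AVC msg=audit(1473245410.101:301): avc:  denied  { open } for  pid=2145 comm="udisksd" path="/dev/sr0" dev="devtmpfs" ino=11301 scontext=system_u:system_r:udisks2_t:s0 tcontext=system_u:object_r:removable_device_t:s0 tclass=blk_file permissive=0
type=AVC msg=audit(1473245410.102:302): avc:  denied  { ioctl } for  pid=2145 comm="udisksd" path="/dev/sr0" dev="devtmpfs" ino=11301 scontext=system_u:system_r:udisks2_t:s0 tcontext=system_u:object_r:removable_device_t:s0 tclass=blk_file permissive=0
type=SYSCALL msg=audit(1472188292.466:226): arch=c000003e syscall=2 success=no exit=-13
"""

AVC_RE = re.compile(
    r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+'
    r'tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?'
)

def context_type(ctx):
    # user:role:type:level -> type (third field)
    return ctx.split(":")[2]

def parse_avc(line):
    """Parse one raw audit line; return a dict, or None if it is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["perms"] = sorted(d["perms"].split())
    d["permissive"] = d["permissive"] == "1"   # permissive=0 means the access was blocked
    return d

def setroubleshoot_hash(avc):
    """Build the comm,stype,ttype,tclass,perm tuple setroubleshoot uses to group alerts."""
    return (avc["comm"], context_type(avc["scontext"]),
            context_type(avc["tcontext"]), avc["tclass"], ",".join(avc["perms"]))

def allow_rules(audit_text):
    """Merge denials by (source type, target type, class) into TE allow rules."""
    merged = defaultdict(set)
    for line in audit_text.splitlines():
        avc = parse_avc(line)
        if avc and avc["verdict"] == "denied":
            key = (context_type(avc["scontext"]), context_type(avc["tcontext"]), avc["tclass"])
            merged[key].update(avc["perms"])
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(merged.items())]
```

Review any rule produced this way before loading it as a local module; in this bug the proper fix turned out to be the selinux-policy update rather than a site-local allow rule.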

Comment 1 José Matos 2016-08-30 18:45:57 UTC
Description of problem:
Boot into f25

Version-Release number of selected component:
selinux-policy-3.13.1-211.fc25.noarch

Additional info:
reporter:       libreport-2.7.2
hashmarkername: setroubleshoot
kernel:         4.8.0-0.rc2.git3.1.fc25.x86_64
type:           libreport

Comment 2 Lukas Vrabec 2016-09-02 15:44:03 UTC
udisks2_t domain is part of devicekit_t policy.

Comment 3 Jeremy Cline 2016-09-04 16:15:00 UTC
Description of problem:
After upgrading to Fedora 25 Alpha from Fedora 24 I started seeing this SELinux denial on boot.

Version-Release number of selected component:
selinux-policy-3.13.1-211.fc25.noarch

Additional info:
reporter:       libreport-2.7.2
hashmarkername: setroubleshoot
kernel:         4.8.0-0.rc4.git0.1.fc25.x86_64
type:           libreport

Comment 4 Robert 2016-09-05 06:35:43 UTC
Description of problem:
SE Linux message shows after login to my account.

Version-Release number of selected component:
selinux-policy-3.13.1-211.fc25.noarch

Additional info:
reporter:       libreport-2.7.2
hashmarkername: setroubleshoot
kernel:         4.8.0-0.rc4.git0.1.fc25.x86_64
type:           libreport

Comment 5 Kamil Páral 2016-09-06 12:35:11 UTC
Description of problem:
Seems to occur on boot.

Version-Release number of selected component:
selinux-policy-3.13.1-211.fc25.noarch

Additional info:
reporter:       libreport-2.7.2
hashmarkername: setroubleshoot
kernel:         4.8.0-0.rc4.git0.1.fc25.x86_64
type:           libreport

Comment 6 Kamil Páral 2016-09-06 12:36:29 UTC
(In reply to Lukas Vrabec from comment #2)
> udisks2_t domain is part of devicekit_t policy.

Sorry, I don't understand why this is closed as wontfix. Can you elaborate?

Comment 7 Kamil Páral 2016-09-07 10:58:54 UTC
I'm reopening this. This AVC crashes gnome-disks on systems with an optical drive (I tested just in a VM). In enforcing mode, gnome-disks waits for the optical drive and then crashes with:

(gnome-disks:2276): GNOME-Disks-ERROR **: Error getting udisks client: Error calling StartServiceByName for org.freedesktop.UDisks2: GDBus.Error:org.freedesktop.DBus.Error.TimedOut: Failed to activate service 'org.freedesktop.UDisks2': timed out

Journal says:
Sep 07 12:50:10 f25 python3[2882]: SELinux is preventing udisksd from read access on the blk_file sr0.
Sep 07 12:50:10 f25 setroubleshoot[2882]: SELinux is preventing udisksd from open access on the blk_file /dev/sr0. For complete SELinux messages. run sealert -l 62def41a-1f06-4f65-8937-a341677911e1
Sep 07 12:50:10 f25 setroubleshoot[2882]: SELinux is preventing udisksd from ioctl access on the blk_file /dev/sr0. For complete SELinux messages. run sealert -l 3a929a30-9bc2-4abd-9e22-615ae86aef1c

Proposing as a blocker:
"All applications that can be launched using the standard graphical mechanism of a release-blocking desktop after a default installation of that desktop must start successfully and withstand a basic functionality test. "
https://fedoraproject.org/wiki/Fedora_25_Final_Release_Criteria#Default_application_functionality

If this is supposed to be fixed somewhere else than selinux-policy, please reassign this.

Comment 8 Kamil Páral 2016-09-07 11:56:42 UTC
*** Bug 1373897 has been marked as a duplicate of this bug. ***

Comment 9 Kamil Páral 2016-09-07 11:57:19 UTC
You can see the gnome-disks bug as bug 1373897.

Comment 10 kartochka378 2016-09-08 14:02:38 UTC
Description of problem:
Nothing special, just boot to GNOME session.

Version-Release number of selected component:
selinux-policy-3.13.1-211.fc25.noarch

Additional info:
reporter:       libreport-2.7.2
hashmarkername: setroubleshoot
kernel:         4.8.0-0.rc4.git0.1.fc25.x86_64
type:           libreport

Comment 11 Giulio 'juliuxpigface' 2016-09-09 07:53:36 UTC
Description of problem:
I've found this right after loggin' in to a Xfce session (Fedora Workstation x86_64, as qemu-guest).

Version-Release number of selected component:
selinux-policy-3.13.1-211.fc25.noarch

Additional info:
reporter:       libreport-2.7.2
hashmarkername: setroubleshoot
kernel:         4.8.0-0.rc4.git0.1.fc25.x86_64
type:           libreport

Comment 12 Dagan McGregor 2016-09-10 06:02:30 UTC
This is causing the failure to automount USB storage devices in Gnome desktop also.

Nautilus doesn't show the storage devices like it did previously.

Comment 13 Dagan McGregor 2016-09-10 06:05:03 UTC
Description of problem:
Login to Gnome on F25 workstation alpha. This notice appears.

Version-Release number of selected component:
selinux-policy-3.13.1-211.fc25.noarch

Additional info:
reporter:       libreport-2.7.2
hashmarkername: setroubleshoot
kernel:         4.8.0-0.rc5.git1.1.fc25.x86_64
type:           libreport

Comment 14 Geoffrey Marr 2016-09-13 02:38:30 UTC
Discussed during the 2016-09-12 blocker review meeting: [1]

The decision to classify this bug as an AcceptedBlocker was made as this violates the following blocker criteria:

"All applications that can be launched using the standard graphical mechanism of a release-blocking desktop after a default installation of that desktop must start successfully and withstand a basic functionality test", in regard to gnome-disks on a system with an optical drive.

[1] https://meetbot.fedoraproject.org/fedora-blocker-review/2016-09-12/f25-blocker-review.2016-09-12-16.01.txt

Comment 15 Seppo Yli-Olli 2016-09-13 20:05:51 UTC
Description of problem:
SELinux denial straight after login

Version-Release number of selected component:
selinux-policy-3.13.1-211.fc25.noarch

Additional info:
reporter:       libreport-2.8.0
hashmarkername: setroubleshoot
kernel:         4.8.0-0.rc5.git1.1.fc25.x86_64
type:           libreport

Comment 16 Dagan McGregor 2016-09-14 00:14:42 UTC
Manually installed the updates to test, and I am not seeing this error any more.

$ rpm -qa | grep selinux
rpm-plugin-selinux-4.13.0-0.rc1.46.fc25.x86_64
libselinux-utils-2.5-11.fc25.x86_64
selinux-policy-targeted-3.13.1-212.fc25.noarch
libselinux-python3-2.5-11.fc25.x86_64
libselinux-2.5-11.fc25.x86_64
selinux-policy-3.13.1-212.fc25.noarch

Comment 18 Fedora Update System 2016-09-15 17:22:22 UTC
selinux-policy-3.13.1-214.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2016-5f88bebc7c

Comment 19 Fedora Update System 2016-09-16 01:23:16 UTC
selinux-policy-3.13.1-214.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-5f88bebc7c

Comment 20 Kamil Páral 2016-09-19 14:50:03 UTC
selinux-policy-3.13.1-214.fc25 seems to fix this issue.

Comment 21 Fedora Update System 2016-09-21 00:36:14 UTC
selinux-policy-3.13.1-214.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

