Description of problem: SELinux is preventing udisksd from 'read' accesses on the blk_file sr0. ***** Plugin catchall (100. confidence) suggests ************************** If sie denken, dass es udisksd standardmässig erlaubt sein sollte, read Zugriff auf sr0 blk_file zu erhalten. Then sie sollten dies als Fehler melden. Um diesen Zugriff zu erlauben, können Sie ein lokales Richtlinien-Modul erstellen. Do allow this access for now by executing: # ausearch -c 'udisksd' --raw | audit2allow -M my-udisksd # semodule -X 300 -i my-udisksd.pp Additional Information: Source Context system_u:system_r:udisks2_t:s0 Target Context system_u:object_r:removable_device_t:s0 Target Objects sr0 [ blk_file ] Source udisksd Source Path udisksd Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-211.fc25.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 4.8.0-0.rc2.git3.1.fc25.x86_64 #1 SMP Fri Aug 19 14:24:04 UTC 2016 x86_64 x86_64 Alert Count 4 First Seen 2016-08-26 07:11:05 CEST Last Seen 2016-08-26 07:11:32 CEST Local ID 564e628c-9d36-46a0-85ef-8e97240c7f6c Raw Audit Messages type=AVC msg=audit(1472188292.466:226): avc: denied { read } for pid=2145 comm="udisksd" name="sr0" dev="devtmpfs" ino=11301 scontext=system_u:system_r:udisks2_t:s0 tcontext=system_u:object_r:removable_device_t:s0 tclass=blk_file permissive=0 Hash: udisksd,udisks2_t,removable_device_t,blk_file,read Version-Release number of selected component: selinux-policy-3.13.1-211.fc25.noarch Additional info: reporter: libreport-2.7.2 hashmarkername: setroubleshoot kernel: 4.8.0-0.rc2.git3.1.fc25.x86_64 type: libreport
Description of problem: Boot into f25 Version-Release number of selected component: selinux-policy-3.13.1-211.fc25.noarch Additional info: reporter: libreport-2.7.2 hashmarkername: setroubleshoot kernel: 4.8.0-0.rc2.git3.1.fc25.x86_64 type: libreport
udisks2_t domain is part of devicekit_t policy.
Description of problem: After upgrading to Fedora 25 Alpha from Fedora 24 I started seeing this SELinux denial on boot. Version-Release number of selected component: selinux-policy-3.13.1-211.fc25.noarch Additional info: reporter: libreport-2.7.2 hashmarkername: setroubleshoot kernel: 4.8.0-0.rc4.git0.1.fc25.x86_64 type: libreport
Description of problem: SE Linux message shows after login to my account. Version-Release number of selected component: selinux-policy-3.13.1-211.fc25.noarch Additional info: reporter: libreport-2.7.2 hashmarkername: setroubleshoot kernel: 4.8.0-0.rc4.git0.1.fc25.x86_64 type: libreport
Description of problem: Seems to occur on boot. Version-Release number of selected component: selinux-policy-3.13.1-211.fc25.noarch Additional info: reporter: libreport-2.7.2 hashmarkername: setroubleshoot kernel: 4.8.0-0.rc4.git0.1.fc25.x86_64 type: libreport
(In reply to Lukas Vrabec from comment #2) > udisks2_t domain is part of devicekit_t policy. Sorry, I don't understand why this is closed as wontfix. Can you elaborate?
I'm reopening this. This AVC crashes gnome-disks on systems with an optical drive (I tested just in a VM). In enforcing mode, gnome-disks waits for the optical drive and then crashes with: (gnome-disks:2276): GNOME-Disks-ERROR **: Error getting udisks client: Error calling StartServiceByName for org.freedesktop.UDisks2: GDBus.Error:org.freedesktop.DBus.Error.TimedOut: Failed to activate service 'org.freedesktop.UDisks2': timed out Journal says: Sep 07 12:50:10 f25 python3[2882]: SELinux is preventing udisksd from read access on the blk_file sr0. Sep 07 12:50:10 f25 setroubleshoot[2882]: SELinux is preventing udisksd from open access on the blk_file /dev/sr0. For complete SELinux messages. run sealert -l 62def41a-1f06-4f65-8937-a341677911e1 Sep 07 12:50:10 f25 setroubleshoot[2882]: SELinux is preventing udisksd from ioctl access on the blk_file /dev/sr0. For complete SELinux messages. run sealert -l 3a929a30-9bc2-4abd-9e22-615ae86aef1c Proposing as a blocker: "All applications that can be launched using the standard graphical mechanism of a release-blocking desktop after a default installation of that desktop must start successfully and withstand a basic functionality test. " https://fedoraproject.org/wiki/Fedora_25_Final_Release_Criteria#Default_application_functionality If this is supposed to be fixed somewhere else than selinux-policy, please reassign this.
*** Bug 1373897 has been marked as a duplicate of this bug. ***
You can see the gnome-disks bug as bug 1373897.
Description of problem: Nothing special, just boot to GNOME session. Version-Release number of selected component: selinux-policy-3.13.1-211.fc25.noarch Additional info: reporter: libreport-2.7.2 hashmarkername: setroubleshoot kernel: 4.8.0-0.rc4.git0.1.fc25.x86_64 type: libreport
Description of problem: I've found this right after loggin' in to a Xfce session (Fedora Workstation x86_64, as qemu-guest). Version-Release number of selected component: selinux-policy-3.13.1-211.fc25.noarch Additional info: reporter: libreport-2.7.2 hashmarkername: setroubleshoot kernel: 4.8.0-0.rc4.git0.1.fc25.x86_64 type: libreport
This is causing the failure to automount USB storage devices in Gnome desktop also. Nautilus doesn't show the storage devices like it did previously.
Description of problem: Login to Gnome on F25 workstation alpha. This notice appears. Version-Release number of selected component: selinux-policy-3.13.1-211.fc25.noarch Additional info: reporter: libreport-2.7.2 hashmarkername: setroubleshoot kernel: 4.8.0-0.rc5.git1.1.fc25.x86_64 type: libreport
Discussed during the 2016-09-12 blocker review meeting: [1] The decision to classify this bug as an AcceptedBlocker was made as this violates the following blocker criteria: "All applications that can be launched using the standard graphical mechanism of a release-blocking desktop after a default installation of that desktop must start successfully and withstand a basic functionality test", in regard to gnome-disks on a system with an optical drive. [1] https://meetbot.fedoraproject.org/fedora-blocker-review/2016-09-12/f25-blocker-review.2016-09-12-16.01.txt
Description of problem: SELinux denial straight after login Version-Release number of selected component: selinux-policy-3.13.1-211.fc25.noarch Additional info: reporter: libreport-2.8.0 hashmarkername: setroubleshoot kernel: 4.8.0-0.rc5.git1.1.fc25.x86_64 type: libreport
Manually installed the updates to test, and I am not seeing this error any more. $ rpm -qa | grep selinux rpm-plugin-selinux-4.13.0-0.rc1.46.fc25.x86_64 libselinux-utils-2.5-11.fc25.x86_64 selinux-policy-targeted-3.13.1-212.fc25.noarch libselinux-python3-2.5-11.fc25.x86_64 libselinux-2.5-11.fc25.x86_64 selinux-policy-3.13.1-212.fc25.noarch
Fix: https://github.com/fedora-selinux/selinux-policy/commit/f03db1257b911bc97dddb88b488a9b0df2b40848
selinux-policy-3.13.1-214.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2016-5f88bebc7c
selinux-policy-3.13.1-214.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-5f88bebc7c
selinux-policy-3.13.1-214.fc25 seems to fix this issue.
selinux-policy-3.13.1-214.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.