Description of problem:
With SELinux in enforcing mode, the /usr/libexec/udisks2/udisksd daemon does not start. Once started anyway, there are numerous AVC messages related to it.

Version-Release number of selected component (if applicable):
storaged-2.6.2-2.fc25.x86_64

How reproducible:
Always

Steps to Reproduce:
1. udisksctl status

Actual results:
Error connecting to the udisks daemon: Error calling StartServiceByName for org.freedesktop.UDisks2: Timeout was reached

Expected results:
Normal operation.

Additional info:
"setenforce 0" makes things work as expected, but still produces AVC messages, of course. Running /usr/libexec/udisks2/udisksd directly as root works as expected.

Here are some AVC messages.

[ 356.416316] audit: type=1400 audit(1473675586.060:178): avc: denied { read } for pid=1391 comm="udisksd" name="sr0" dev="devtmpfs" ino=9036 scontext=system_u:system_r:udisks2_t:s0 tcontext=system_u:object_r:removable_device_t:s0 tclass=blk_file permissive=0
[ 356.424278] audit: type=1300 audit(1473675586.060:178): arch=c000003e syscall=2 success=no exit=-13 a0=558a3a3bd160 a1=800 a2=7f36d4dd3b1b a3=0 items=0 ppid=1 pid=1391 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="udisksd" exe="/usr/libexec/udisks2/udisksd" subj=system_u:system_r:udisks2_t:s0 key=(null)
[ 356.432977] audit: type=1327 audit(1473675586.060:178): proctitle=2F7573722F6C6962657865632F756469736B73322F756469736B7364002D2D6E6F2D6465627567
[ 356.441613] audit: type=1400 audit(1473675586.086:179): avc: denied { wake_alarm } for pid=1391 comm="udisksd" capability=35 scontext=system_u:system_r:udisks2_t:s0 tcontext=system_u:system_r:udisks2_t:s0 tclass=capability2 permissive=0
[ 356.444651] audit: type=1300 audit(1473675586.086:179): arch=c000003e syscall=283 success=yes exit=12 a0=7 a1=80800 a2=558a3a3bf110 a3=2915930ae4d4a items=0 ppid=1 pid=1391 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="udisksd" exe="/usr/libexec/udisks2/udisksd" subj=system_u:system_r:udisks2_t:s0 key=(null)
[ 356.448802] audit: type=1327 audit(1473675586.086:179): proctitle=2F7573722F6C6962657865632F756469736B73322F756469736B7364002D2D6E6F2D6465627567
[ 356.457253] audit: type=1400 audit(1473675586.102:180): avc: denied { read } for pid=1391 comm="udisksd" name="sr0" dev="devtmpfs" ino=9036 scontext=system_u:system_r:udisks2_t:s0 tcontext=system_u:object_r:removable_device_t:s0 tclass=blk_file permissive=0
[ 356.462252] audit: type=1300 audit(1473675586.102:180): arch=c000003e syscall=2 success=no exit=-13 a0=558a3a41ec60 a1=800 a2=7f36d4dd3b1b a3=0 items=0 ppid=1 pid=1391 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="udisksd" exe="/usr/libexec/udisks2/udisksd" subj=system_u:system_r:udisks2_t:s0 key=(null)
[ 356.468803] audit: type=1327 audit(1473675586.102:180): proctitle=2F7573722F6C6962657865632F756469736B73322F756469736B7364002D2D6E6F2D6465627567
[ 356.479473] audit: type=1107 audit(1473675586.124:181): pid=795 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { acquire_svc } for service=org.freedesktop.UDisks2 spid=1391 scontext=system_u:system_r:udisks2_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus
[ 356.479473] exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
We have replaced udisks2 with storaged and I suspect the udisks2 policy needs to be ported/copied for storaged. However it can't be fixed in the storaged package.
The Cockpit integration tests are tracking this issue. Occurrences will be listed here: https://github.com/cockpit-project/cockpit/issues/5041
*** Bug 1374334 has been marked as a duplicate of this bug. ***
> Duplicate of this bug: 1374334

Interesting. GNOME Disks seems to be able to talk to storaged, no? That doesn't match with the symptoms of this bug here, where storaged can't start at all.
Fix: https://github.com/fedora-selinux/selinux-policy/commit/f03db1257b911bc97dddb88b488a9b0df2b40848
(In reply to Marius Vollmer from comment #4)
> > Duplicate of this bug: 1374334
>
> Interesting. GNOME Disks seems to be able to talk to storaged, no? That
> doesn't match with the symptoms of this bug here, where storaged can't start
> at all.

I didn't realize it. However, in both cases it's the same SELinux policy. And it's more likely the standard GNOME installation doesn't include all the storaged modules, etc... Let's see whether Lukas would be able to fix it in one shot (fingers crossed).
selinux-policy-3.13.1-214.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2016-5f88bebc7c
selinux-policy-3.13.1-214.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-5f88bebc7c
Lukas, I see this during update. Is that expected?

  Upgrading   : selinux-policy-targeted-3.13.1-214.fc25.noarch   32/112
Re-declaration of type udisks2_t
Failed to create node
Bad type declaration at /var/lib/selinux/targeted/tmp/modules/100/udisks2/cil:1
/usr/sbin/semodule:  Failed!
I saw the same error. But selinux seems to be fixed.
udisksd seems to start fine with selinux-policy-3.13.1-214.fc25
Discussed at 2016-09-19 blocker review meeting: [1]. This bug was accepted as Final blocker: This bug violates the final criterion: "All system services present after installation with one of the release-blocking package sets must start properly, unless they require hardware which is not present."

[1] https://meetbot-raw.fedoraproject.org/fedora-blocker-review/2016-09-19/
selinux-policy-3.13.1-214.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.
This has improved, but it's not completely fixed yet. Starting udisks2 takes a long time, and actually causes udisksctl to time out when it is autoactivating it:

# systemctl stop udisks2.service
# udisksctl status
Error connecting to the udisks daemon: Error calling StartServiceByName for org.freedesktop.UDisks2: GDBus.Error:org.freedesktop.DBus.Error.TimedOut: Failed to activate service 'org.freedesktop.UDisks2': timed out
# udisksctl status
MODEL                     REVISION  SERIAL               DEVICE
--------------------------------------------------------------------------
VirtIO Disk                                              vda
QEMU DVD-ROM              2.5+      QM00001              sr0

The following audit messages can be found:

# grep denied /var/log/audit/audit.log
type=AVC msg=audit(1474441751.195:245): avc: denied { write } for pid=2158 comm="cockpit-ws" name="cockpit" dev="dm-0" ino=13660882 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:cockpit_var_lib_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1474441753.192:246): avc: denied { write } for pid=2159 comm="cockpit-ws" name="cockpit" dev="dm-0" ino=13660882 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:cockpit_var_lib_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1474443029.558:316): avc: denied { write } for pid=2651 comm="cockpit-ws" name="cockpit" dev="dm-0" ino=13660882 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:cockpit_var_lib_t:s0 tclass=dir permissive=0
type=USER_AVC msg=audit(1475752074.195:232): pid=696 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.33 spid=700 tpid=1576 scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:devicekit_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1475752099.307:234): pid=696 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=signal interface=org.freedesktop.PolicyKit1.Authority member=Changed dest=org.freedesktop.DBus spid=700 tpid=1576 scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:devicekit_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1475752099.307:235): pid=696 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=signal interface=org.freedesktop.PolicyKit1.Authority member=Changed dest=org.freedesktop.DBus spid=700 tpid=1576 scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:devicekit_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1475752220.931:236): pid=696 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=signal interface=org.freedesktop.PolicyKit1.Authority member=Changed dest=org.freedesktop.DBus spid=700 tpid=1576 scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:devicekit_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1475752220.933:237): pid=696 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=signal interface=org.freedesktop.PolicyKit1.Authority member=Changed dest=org.freedesktop.DBus spid=700 tpid=1576 scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:devicekit_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1475752221.104:240): pid=696 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.35 spid=700 tpid=1895 scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:devicekit_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1475752246.192:242): pid=696 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=signal interface=org.freedesktop.PolicyKit1.Authority member=Changed dest=org.freedesktop.DBus spid=700 tpid=1895 scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:devicekit_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1475752246.192:243): pid=696 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=signal interface=org.freedesktop.PolicyKit1.Authority member=Changed dest=org.freedesktop.DBus spid=700 tpid=1895 scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:devicekit_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1475752499.181:178): pid=686 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.15 spid=678 tpid=1085 scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:devicekit_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1475752513.075:192): pid=686 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=signal interface=org.freedesktop.PolicyKit1.Authority member=Changed dest=org.freedesktop.DBus spid=678 tpid=1085 scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:devicekit_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1475752513.075:193): pid=686 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=signal interface=org.freedesktop.PolicyKit1.Authority member=Changed dest=org.freedesktop.DBus spid=678 tpid=1085 scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:devicekit_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1475752513.079:194): pid=686 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=signal interface=org.freedesktop.PolicyKit1.Authority member=Changed dest=org.freedesktop.DBus spid=678 tpid=1085 scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:devicekit_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1475752513.079:195): pid=686 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=signal interface=org.freedesktop.PolicyKit1.Authority member=Changed dest=org.freedesktop.DBus spid=678 tpid=1085 scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:devicekit_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1475752513.079:196): pid=686 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=signal interface=org.freedesktop.PolicyKit1.Authority member=Changed dest=org.freedesktop.DBus spid=678 tpid=1085 scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:devicekit_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1475752564.227:211): pid=686 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.21 spid=678 tpid=1202 scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:devicekit_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1475753927.558:220): pid=686 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.24 spid=678 tpid=1278 scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:devicekit_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
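A triage helper for the AVC dumps in the bug description and in the comment above, added here as an example (not code from this report, storaged or selinux-policy): it parses kernel AVC records (plain audit.log and dmesg-prefixed) as well as the avc text embedded in dbus-daemon USER_AVC records, and collapses the repeated denials into distinct source-domain/target-type/class/permission tuples with counts, which is what a policy maintainer needs to see. The sample log is constructed from the shape of lines quoted in this bug.

```python
import re
from collections import Counter

# Constructed sample: one audit.log AVC, two dmesg-prefixed kernel AVCs and one
# dbus-daemon USER_AVC, in the shape of the records quoted in this bug report.
SAMPLE_LOG = """\
type=AVC msg=audit(1474441751.195:245): avc:  denied  { write } for  pid=2158 comm="cockpit-ws" name="cockpit" dev="dm-0" ino=13660882 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:cockpit_var_lib_t:s0 tclass=dir permissive=0
[  356.416316] audit: type=1400 audit(1473675586.060:178): avc:  denied  { read } for  pid=1391 comm="udisksd" name="sr0" dev="devtmpfs" ino=9036 scontext=system_u:system_r:udisks2_t:s0 tcontext=system_u:object_r:removable_device_t:s0 tclass=blk_file permissive=0
[  356.441613] audit: type=1400 audit(1473675586.086:179): avc:  denied  { wake_alarm } for  pid=1391 comm="udisksd" capability=35 scontext=system_u:system_r:udisks2_t:s0 tcontext=system_u:system_r:udisks2_t:s0 tclass=capability2 permissive=0
type=USER_AVC msg=audit(1475752074.195:232): pid=696 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.33 spid=700 tpid=1576 scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:devicekit_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
"""

# Matches both kernel AVCs and the avc text embedded in a USER_AVC msg='...'.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
PERMISSIVE_RE = re.compile(r"\bpermissive=(\d)")

def context_type(ctx):
    """Return the type field (e.g. udisks2_t) of a user:role:type[:range] context."""
    return ctx.split(":")[2]

def parse_avc(line):
    """Parse one audit record; None for SYSCALL/PROCTITLE and other non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perm_m = PERMISSIVE_RE.search(line)
    return {
        "kind": "dbus" if "type=USER_AVC" in line else "kernel",
        "perms": tuple(m.group("perms").split()),
        "sdomain": context_type(m.group("scontext")),
        "ttype": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
        # Kernel records carry permissive=0/1 (1 means "would have been denied",
        # as after setenforce 0); dbus USER_AVC records do not, hence None.
        "enforced": None if perm_m is None else perm_m.group(1) == "0",
    }

def summarize(log_text):
    """Count distinct (source domain, target type, class, permission) tuples."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is not None:
            for perm in rec["perms"]:
                counts[(rec["sdomain"], rec["ttype"], rec["tclass"], perm)] += 1
    return counts
```

Run `summarize(open("/var/log/audit/audit.log").read())` on a real host to get the same collapsed view of a long log; the dozens of identical policykit_t to devicekit_t send_msg lines above then show up as a single entry with a count.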
(Does anyone take bets on how many iterations we will need? :-)
Cockpit issue was fixed and will be in next rawhide build, other issues are fixed already.
*** Bug 1382532 has been marked as a duplicate of this bug. ***
> other issues are fixed already.

Where?
Here https://bodhi.fedoraproject.org/updates/FEDORA-2016-3b70b59f26
This is fixed with selinux-policy-3.13.1-218.fc25, at least with cockpit on Fedora Server.
selinux-policy-3.13.1-219.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-552be55062
(In reply to Lukas Vrabec from comment #19)
> Here
> https://bodhi.fedoraproject.org/updates/FEDORA-2016-3b70b59f26

Thank you for the information!
selinux-policy-3.13.1-218.fc25 fixes the issues for us: https://fedorapeople.org/groups/cockpit/logs/pull-5153-6366ec64-verify-fedora-25/log.html (The remaining failure is something else.) Thanks!
selinux-policy-3.13.1-219.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.
selinux-policy-3.13.1-191.19.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-e035472778
selinux-policy-3.13.1-191.19.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.