Bug 1375156 - SELinux cripples storaged
Summary: SELinux cripples storaged
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 25
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: AcceptedBlocker
Duplicates: 1374334 1382532
Depends On:
Blocks: F25FinalBlocker
Reported: 2016-09-12 10:25 UTC by Marius Vollmer
Modified: 2016-10-22 07:54 UTC (History)

Fixed In Version: selinux-policy-3.13.1-219.fc25 selinux-policy-3.13.1-191.19.fc24
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-10-22 07:54:37 UTC



Description Marius Vollmer 2016-09-12 10:25:10 UTC
Description of problem:

With SELinux in enforcing mode, the /usr/libexec/udisks2/udisksd daemon does not start.  Once started anyway, there are numerous AVC messages related to it.

Version-Release number of selected component (if applicable):
storaged-2.6.2-2.fc25.x86_64

How reproducible:
Always

Steps to Reproduce:
1. udisksctl status

Actual results:
Error connecting to the udisks daemon: Error calling StartServiceByName for org.freedesktop.UDisks2: Timeout was reached

Expected results:
Normal operation.

Additional info:
"setenforce 0" makes things work as expected, but still produces AVC messages, of course.

Running /usr/libexec/udisks2/udisksd directly as root works as expected.

Here are some AVC messages.

[  356.416316] audit: type=1400 audit(1473675586.060:178): avc:  denied  { read } for  pid=1391 comm="udisksd" name="sr0" dev="devtmpfs" ino=9036 scontext=system_u:system_r:udisks2_t:s0 tcontext=system_u:object_r:removable_device_t:s0 tclass=blk_file permissive=0
[  356.424278] audit: type=1300 audit(1473675586.060:178): arch=c000003e syscall=2 success=no exit=-13 a0=558a3a3bd160 a1=800 a2=7f36d4dd3b1b a3=0 items=0 ppid=1 pid=1391 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="udisksd" exe="/usr/libexec/udisks2/udisksd" subj=system_u:system_r:udisks2_t:s0 key=(null)
[  356.432977] audit: type=1327 audit(1473675586.060:178): proctitle=2F7573722F6C6962657865632F756469736B73322F756469736B7364002D2D6E6F2D6465627567
[  356.441613] audit: type=1400 audit(1473675586.086:179): avc:  denied  { wake_alarm } for  pid=1391 comm="udisksd" capability=35  scontext=system_u:system_r:udisks2_t:s0 tcontext=system_u:system_r:udisks2_t:s0 tclass=capability2 permissive=0
[  356.444651] audit: type=1300 audit(1473675586.086:179): arch=c000003e syscall=283 success=yes exit=12 a0=7 a1=80800 a2=558a3a3bf110 a3=2915930ae4d4a items=0 ppid=1 pid=1391 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="udisksd" exe="/usr/libexec/udisks2/udisksd" subj=system_u:system_r:udisks2_t:s0 key=(null)
[  356.448802] audit: type=1327 audit(1473675586.086:179): proctitle=2F7573722F6C6962657865632F756469736B73322F756469736B7364002D2D6E6F2D6465627567
[  356.457253] audit: type=1400 audit(1473675586.102:180): avc:  denied  { read } for  pid=1391 comm="udisksd" name="sr0" dev="devtmpfs" ino=9036 scontext=system_u:system_r:udisks2_t:s0 tcontext=system_u:object_r:removable_device_t:s0 tclass=blk_file permissive=0
[  356.462252] audit: type=1300 audit(1473675586.102:180): arch=c000003e syscall=2 success=no exit=-13 a0=558a3a41ec60 a1=800 a2=7f36d4dd3b1b a3=0 items=0 ppid=1 pid=1391 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="udisksd" exe="/usr/libexec/udisks2/udisksd" subj=system_u:system_r:udisks2_t:s0 key=(null)
[  356.468803] audit: type=1327 audit(1473675586.102:180): proctitle=2F7573722F6C6962657865632F756469736B73322F756469736B7364002D2D6E6F2D6465627567
[  356.479473] audit: type=1107 audit(1473675586.124:181): pid=795 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { acquire_svc } for service=org.freedesktop.UDisks2 spid=1391 scontext=system_u:system_r:udisks2_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus
[  356.479473]  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

Comment 1 Tomas Smetana 2016-09-12 11:00:14 UTC
We have replaced udisks2 with storaged and I suspect the udisks2 policy needs to be ported/copied for storaged. However it can't be fixed in the storaged package.

Comment 2 Stef Walter 2016-09-13 09:26:01 UTC
The Cockpit integration tests are tracking this issue. Occurrences will be listed here: https://github.com/cockpit-project/cockpit/issues/5041

Comment 3 Tomas Smetana 2016-09-14 14:04:39 UTC
*** Bug 1374334 has been marked as a duplicate of this bug. ***

Comment 4 Marius Vollmer 2016-09-15 06:35:38 UTC
> Duplicate of this bug: 1374334

Interesting.  GNOME Disks seems to be able to talk to storaged, no?  That doesn't match with the symptoms of this bug here, where storaged can't start at all.

Comment 6 Tomas Smetana 2016-09-15 12:12:36 UTC
(In reply to Marius Vollmer from comment #4)
> > Duplicate of this bug: 1374334
> 
> Interesting.  GNOME Disks seems to be able to talk to storaged, no?  That
> doesn't match with the symptoms of this bug here, where storaged can't start
> at all.

I didn't realize it. However, in both cases it's the same SELinux policy. And it's more likely the standard GNOME installation doesn't include all the storaged modules, etc... Let's see whether Lukas would be able to fix it in one shot (fingers crossed).

Comment 7 Fedora Update System 2016-09-15 17:21:25 UTC
selinux-policy-3.13.1-214.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2016-5f88bebc7c

Comment 8 Fedora Update System 2016-09-16 01:22:47 UTC
selinux-policy-3.13.1-214.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-5f88bebc7c

Comment 9 Kamil Páral 2016-09-16 06:56:27 UTC
Lukas, I see this during update. Is that expected?

  Upgrading   : selinux-policy-targeted-3.13.1-214.fc25.noarch         32/112 
Re-declaration of type udisks2_t
Failed to create node
Bad type declaration at /var/lib/selinux/targeted/tmp/modules/100/udisks2/cil:1
/usr/sbin/semodule:  Failed!

Comment 10 pavel raur 2016-09-16 08:54:34 UTC
I saw the same error. But selinux seems to be fixed.

Comment 11 Kamil Páral 2016-09-19 15:04:55 UTC
udisksd seems to start fine with selinux-policy-3.13.1-214.fc25

Comment 12 Petr Schindler 2016-09-19 18:25:37 UTC
Discussed at 2016-09-19 blocker review meeting: [1]. 

This bug was accepted as Final blocker: This bug violates the final criterion: "All system services present after installation with one of the release-blocking package sets must start properly, unless they require hardware which is not present."

[1] https://meetbot-raw.fedoraproject.org/fedora-blocker-review/2016-09-19/

Comment 13 Fedora Update System 2016-09-21 00:35:33 UTC
selinux-policy-3.13.1-214.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

Comment 14 Marius Vollmer 2016-10-06 11:42:18 UTC
This has improved, but it's not completely fixed yet.

Starting udisks2 takes a long time, and actually causes udisksctl to timeout when it is autoactivating it:

# systemctl stop udisks2.service
# udisksctl status
Error connecting to the udisks daemon: Error calling StartServiceByName for org.freedesktop.UDisks2: GDBus.Error:org.freedesktop.DBus.Error.TimedOut: Failed to activate service 'org.freedesktop.UDisks2': timed out
# udisksctl status
MODEL                     REVISION  SERIAL               DEVICE
--------------------------------------------------------------------------
VirtIO Disk                                              vda     
QEMU DVD-ROM              2.5+      QM00001              sr0     

The following audit messages can be found:

# grep denied /var/log/audit/audit.log 
type=AVC msg=audit(1474441751.195:245): avc:  denied  { write } for  pid=2158 comm="cockpit-ws" name="cockpit" dev="dm-0" ino=13660882 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:cockpit_var_lib_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1474441753.192:246): avc:  denied  { write } for  pid=2159 comm="cockpit-ws" name="cockpit" dev="dm-0" ino=13660882 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:cockpit_var_lib_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1474443029.558:316): avc:  denied  { write } for  pid=2651 comm="cockpit-ws" name="cockpit" dev="dm-0" ino=13660882 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:cockpit_var_lib_t:s0 tclass=dir permissive=0
type=USER_AVC msg=audit(1475752074.195:232): pid=696 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.33 spid=700 tpid=1576 scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:devicekit_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1475752099.307:234): pid=696 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=signal interface=org.freedesktop.PolicyKit1.Authority member=Changed dest=org.freedesktop.DBus spid=700 tpid=1576 scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:devicekit_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1475752099.307:235): pid=696 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=signal interface=org.freedesktop.PolicyKit1.Authority member=Changed dest=org.freedesktop.DBus spid=700 tpid=1576 scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:devicekit_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1475752220.931:236): pid=696 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=signal interface=org.freedesktop.PolicyKit1.Authority member=Changed dest=org.freedesktop.DBus spid=700 tpid=1576 scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:devicekit_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1475752220.933:237): pid=696 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=signal interface=org.freedesktop.PolicyKit1.Authority member=Changed dest=org.freedesktop.DBus spid=700 tpid=1576 scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:devicekit_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1475752221.104:240): pid=696 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.35 spid=700 tpid=1895 scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:devicekit_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1475752246.192:242): pid=696 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=signal interface=org.freedesktop.PolicyKit1.Authority member=Changed dest=org.freedesktop.DBus spid=700 tpid=1895 scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:devicekit_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1475752246.192:243): pid=696 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=signal interface=org.freedesktop.PolicyKit1.Authority member=Changed dest=org.freedesktop.DBus spid=700 tpid=1895 scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:devicekit_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1475752499.181:178): pid=686 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.15 spid=678 tpid=1085 scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:devicekit_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1475752513.075:192): pid=686 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=signal interface=org.freedesktop.PolicyKit1.Authority member=Changed dest=org.freedesktop.DBus spid=678 tpid=1085 scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:devicekit_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1475752513.075:193): pid=686 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=signal interface=org.freedesktop.PolicyKit1.Authority member=Changed dest=org.freedesktop.DBus spid=678 tpid=1085 scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:devicekit_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1475752513.079:194): pid=686 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=signal interface=org.freedesktop.PolicyKit1.Authority member=Changed dest=org.freedesktop.DBus spid=678 tpid=1085 scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:devicekit_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1475752513.079:195): pid=686 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=signal interface=org.freedesktop.PolicyKit1.Authority member=Changed dest=org.freedesktop.DBus spid=678 tpid=1085 scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:devicekit_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1475752513.079:196): pid=686 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=signal interface=org.freedesktop.PolicyKit1.Authority member=Changed dest=org.freedesktop.DBus spid=678 tpid=1085 scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:devicekit_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1475752564.227:211): pid=686 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.21 spid=678 tpid=1202 scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:devicekit_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1475753927.558:220): pid=686 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.24 spid=678 tpid=1278 scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:devicekit_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
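The denials quoted in the description (dmesg form, `audit: type=1400 ...`) and in comment 14 (`/var/log/audit/audit.log` form, `type=AVC` and `type=USER_AVC`) are easier to reason about once they are aggregated by source type, target type, object class and permission, which is the first thing a policy author does before deciding whether a denial needs an allow rule, an interface call, a boolean or a relabel. The following Python script is an added example, not part of the bug report or of the selinux-policy package: it parses both record forms, including the `msg='avc: ...'` payload that dbus-daemon emits for USER_AVC records, and renders the candidate rules for review. Three of the embedded records are copied from this report; the multi-permission `blk_file` record and the `SYSCALL` record are constructed, and every function and constant name is the example's own.

```python
import re
from collections import Counter

# Audit records to analyse. The first three are copied from this bug report
# (two kernel AVC records and one D-Bus USER_AVC record); the fourth is a
# constructed multi-permission denial and the fifth a constructed SYSCALL
# record that carries no AVC decision and must be ignored.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1473675586.060:178): avc:  denied  { read } for  pid=1391 comm="udisksd" name="sr0" dev="devtmpfs" ino=9036 scontext=system_u:system_r:udisks2_t:s0 tcontext=system_u:object_r:removable_device_t:s0 tclass=blk_file permissive=0
type=AVC msg=audit(1473675586.086:179): avc:  denied  { wake_alarm } for  pid=1391 comm="udisksd" capability=35  scontext=system_u:system_r:udisks2_t:s0 tcontext=system_u:system_r:udisks2_t:s0 tclass=capability2 permissive=0
type=USER_AVC msg=audit(1475752099.307:234): pid=696 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=signal interface=org.freedesktop.PolicyKit1.Authority member=Changed dest=org.freedesktop.DBus spid=700 tpid=1576 scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:devicekit_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=AVC msg=audit(1473675600.000:190): avc:  denied  { read write } for  pid=1391 comm="udisksd" name="vda" dev="devtmpfs" ino=9100 scontext=system_u:system_r:udisks2_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=0
type=SYSCALL msg=audit(1473675586.060:178): arch=c000003e syscall=2 success=no exit=-13 comm="udisksd" exe="/usr/libexec/udisks2/udisksd"
"""

# Matches "avc:  denied  { read write } for  key=value ..." whether it sits in a
# kernel AVC line (with or without the dmesg "audit:" prefix) or inside the
# msg='...' payload of a USER_AVC line.
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)"
)
# key=value pairs; values are either double-quoted or a run of non-blanks.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Return the type field of a user:role:type:level security context."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one audit record; return None when it carries no AVC decision."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    if not all(k in fields for k in ("scontext", "tcontext", "tclass")):
        return None
    return {
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "scontext": fields["scontext"],
        "tcontext": fields["tcontext"],
        "tclass": fields["tclass"],
        "comm": fields.get("comm"),
        # permissive=1 means the access was logged but not actually blocked
        "permissive": fields.get("permissive") == "1",
    }


def summarize_denials(lines):
    """Count denials per (source type, target type, class, permission)."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        for perm in rec["perms"]:
            key = (context_type(rec["scontext"]), context_type(rec["tcontext"]),
                   rec["tclass"], perm)
            counts[key] += 1
    return counts


def candidate_rules(counts):
    """Render one allow rule per (source, target, class) for policy review."""
    grouped = {}
    for src, tgt, cls, perm in counts:
        grouped.setdefault((src, tgt, cls), set()).add(perm)
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        target = "self" if tgt == src else tgt  # self-targeted rules use 'self'
        rules.append(f"allow {src} {target}:{cls} {{ {' '.join(sorted(perms))} }};")
    return rules


if __name__ == "__main__":
    counts = summarize_denials(SAMPLE_AUDIT.splitlines())
    for key, n in sorted(counts.items()):
        print(n, *key)
    print("\n".join(candidate_rules(counts)))
```

Run against a real `audit.log` (`summarize_denials(open("/var/log/audit/audit.log"))`), the aggregated tuples are the unit a policy author reviews: the `udisks2_t` to `removable_device_t:blk_file` denial from the description is a straightforward missing device access, while the `policykit_t` to `devicekit_t:dbus send_msg` denials from comment 14 are return messages being dropped by the D-Bus daemon, which in the reference policy are normally granted through an interface between the two domains rather than by pasting the raw allow rule into a local module.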

Comment 15 Marius Vollmer 2016-10-06 11:43:20 UTC
(Does anyone take bets on how many iterations we will need? :-)

Comment 16 Lukas Vrabec 2016-10-07 09:29:26 UTC
Cockpit issue was fixed and will be in next rawhide build, other issues are fixed already.

Comment 17 Marius Vollmer 2016-10-10 07:50:38 UTC
*** Bug 1382532 has been marked as a duplicate of this bug. ***

Comment 18 Marius Vollmer 2016-10-11 07:43:27 UTC
> other issues are fixed already.

Where?

Comment 20 Chris Murphy 2016-10-11 18:05:09 UTC
This is fixed with selinux-policy-3.13.1-218.fc25, at least with cockpit on Fedora Server.

Comment 21 Fedora Update System 2016-10-12 01:53:52 UTC
selinux-policy-3.13.1-219.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-552be55062

Comment 22 Marius Vollmer 2016-10-12 06:18:35 UTC
(In reply to Lukas Vrabec from comment #19)
> Here
> https://bodhi.fedoraproject.org/updates/FEDORA-2016-3b70b59f26

Thank you for the information!

Comment 23 Marius Vollmer 2016-10-13 07:55:53 UTC
selinux-policy-3.13.1-218.fc25 fixes the issues for us:

https://fedorapeople.org/groups/cockpit/logs/pull-5153-6366ec64-verify-fedora-25/log.html

(The remaining failure is something else.)

Thanks!

Comment 24 Fedora Update System 2016-10-14 19:34:35 UTC
selinux-policy-3.13.1-219.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

Comment 25 Fedora Update System 2016-10-20 21:58:56 UTC
selinux-policy-3.13.1-191.19.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-e035472778

Comment 26 Fedora Update System 2016-10-22 07:54:37 UTC
selinux-policy-3.13.1-191.19.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

