Bug 1381596 - SELinux is preventing worker from 'read' accesses on the blk_file /dev/dm-11.
Summary: SELinux is preventing worker from 'read' accesses on the blk_file /dev/dm-11.
Alias: None
Product: Fedora
Classification: Fedora
Component: systemd
Version: 24
Hardware: x86_64
OS: Unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
Whiteboard: abrt_hash:c51767bcc139188e5b1b213bea4...
Depends On:
TreeView+ depends on / blocked
Reported: 2016-10-04 14:01 UTC by Ting-Wei Lan
Modified: 2016-10-07 06:03 UTC (History)
22 users (show)

Fixed In Version: systemd-229-16.fc24
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2016-10-07 06:03:04 UTC
Type: ---

Attachments (Terms of Use)

System ID Priority Status Summary Last Updated
Red Hat Bugzilla 1147910 None None None Never
Red Hat Bugzilla 1378974 None None None Never
Red Hat Bugzilla 1381468 None None None Never

Description Ting-Wei Lan 2016-10-04 14:01:36 UTC
Description of problem:
This problem happens after running 'dnf upgrade'. Virtual machines are no longer able to access their disks because the user, group, and SELinux context of disk files are reset to the default. This usually causes virtual machines to stop working or crash.
This problem is not always reproducible because most updates don't trigger it. Only a few updates can cause this problem.
SELinux is preventing worker from 'read' accesses on the blk_file /dev/dm-11.

*****  Plugin catchall (100. confidence) suggests   **************************

If 您認為 worker 就預設值應擁有 dm-11 blk_file 的 read 存取權。
Then 您應將此回報為錯誤。
allow this access for now by executing:
# ausearch -c 'worker' --raw | audit2allow -M my-worker
# semodule -X 300 -i my-worker.pp

Additional Information:
Source Context                system_u:system_r:svirt_t:s0:c645,c843
Target Context                system_u:object_r:fixed_disk_device_t:s0
Target Objects                /dev/dm-11 [ blk_file ]
Source                        worker
Source Path                   worker
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-191.16.fc24.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.7.4-200.fc24.x86_64 #1 SMP Thu
                              Sep 15 18:42:09 UTC 2016 x86_64 x86_64
Alert Count                   3
First Seen                    2016-10-04 20:51:14 CST
Last Seen                     2016-10-04 20:51:14 CST
Local ID                      650fd888-20dc-4f2d-8d49-afa7aaf6cd10

Raw Audit Messages
type=AVC msg=audit(1475585474.117:3088): avc:  denied  { read } for  pid=13158 comm="worker" path="/dev/dm-11" dev="devtmpfs" ino=13533 scontext=system_u:system_r:svirt_t:s0:c645,c843 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=0

Hash: worker,svirt_t,fixed_disk_device_t,blk_file,read

Version-Release number of selected component:

Additional info:
reporter:       libreport-2.7.2
hashmarkername: setroubleshoot
kernel:         4.7.4-200.fc24.x86_64
type:           libreport

Comment 1 Ting-Wei Lan 2016-10-05 10:09:33 UTC
I found the problem can be reproduced by running 'systemctl try-restart systemd-udev-trigger.service'. This command is included in systemd-udev scriptlets, so it can also happen when updating systemd.

Comment 2 Ting-Wei Lan 2016-10-05 20:02:43 UTC
Move it to systemd because it is a change in systemd.spec that causes the issue to become annoying and easily reproducible:


Comment 3 Daniel Walsh 2016-10-06 11:02:36 UTC
Looks like udev or something changed the label on this device.  Looks like another good reason not to do dnf upgrade on a running machine.

Comment 4 Ting-Wei Lan 2016-10-07 06:03:04 UTC
Thia problem has been fixed by removing 'systemctl try-restart systemd-udev-trigger.service' in systemd.spec.

Note You need to log in before you can comment on or make changes to this bug.