Description of problem:
During boot/login process
SELinux is preventing /usr/libexec/stratisd from 'getattr' accesses on the blk_file /dev/sdb1.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that stratisd should be allowed getattr access on the sdb1 blk_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
    # ausearch -c 'stratisd' --raw | audit2allow -M my-stratisd
    # semodule -X 300 -i my-stratisd.pp
Additional Information:
    Source Context        system_u:system_r:stratisd_t:s0
    Target Context        system_u:object_r:fixed_disk_device_t:s0
    Target Objects        /dev/sdb1 [ blk_file ]
    Source                stratisd
    Source Path           /usr/libexec/stratisd
    Port                  <Unknown>
    Host                  (removed)
    Source RPM Packages   stratisd-1.0.5-1.module_f31+6320+bf3c8975.x86_64
    Target RPM Packages
    Policy RPM            selinux-policy-3.14.4-31.fc31.noarch
    Selinux Enabled       True
    Policy Type           targeted
    Enforcing Mode        Enforcing
    Host Name             (removed)
    Platform              Linux (removed) 5.3.0-1.fc31.x86_64 #1 SMP Mon Sep 16 12:34:42 UTC 2019 x86_64 x86_64
    Alert Count           6
    First Seen            2019-09-18 13:56:47 -03
    Last Seen             2019-09-18 15:09:42 -03
    Local ID              e26b45fe-405d-4b45-b731-7824dc5eaf90
Raw Audit Messages
    type=AVC msg=audit(1568830182.214:13471): avc: denied { getattr } for pid=536 comm="stratisd" path="/dev/sdb1" dev="devtmpfs" ino=730261 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=0
    type=SYSCALL msg=audit(1568830182.214:13471): arch=x86_64 syscall=lstat success=no exit=EACCES a0=55760c81d9f0 a1=7fff4988b880 a2=7fff4988b880 a3=0 items=1 ppid=1 pid=536 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=stratisd exe=/usr/libexec/stratisd subj=system_u:system_r:stratisd_t:s0 key=(null)
    type=CWD msg=audit(1568830182.214:13471): cwd=/
    type=PATH msg=audit(1568830182.214:13471): item=0 name=/dev/sdb1 inode=730261 dev=00:06 mode=060660 ouid=0 ogid=6 rdev=08:11 obj=system_u:object_r:fixed_disk_device_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
Hash: stratisd,stratisd_t,fixed_disk_device_t,blk_file,getattr
Version-Release number of selected component: selinux-policy-3.14.4-31.fc31.noarch
Additional info:
    component:      selinux-policy
    reporter:       libreport-2.10.1
    hashmarkername: setroubleshoot
    kernel:         5.3.0-1.fc31.x86_64
    type:           libreport
commit 92748761feb61250510219298f50cd5d5c1d413d (HEAD -> rawhide, origin/rawhide, origin/HEAD)
Author: Nikola Knazekova <nknazeko>
Date:   Wed Oct 2 11:12:33 2019 +0200
    Allow stratisd to getattr of fixed disk device nodes
    Allow stratisd, a daemon that manages a pool of block devices to create flexible filesystems, to get the attributes of fixed disk device nodes.
    Fixed Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1755396
FEDORA-2019-64732fd6a5 has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2019-64732fd6a5
selinux-policy-3.14.4-36.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-64732fd6a5
*** Bug 1767773 has been marked as a duplicate of this bug. ***
Well I report the 'duplicate' #1767773. On my system the problem is still there with selinux-policy-3.14.4-39.fc31.noarch . Proposed testing package is selinux-policy-3.14.4-36.fc31 and marked as obsolete. Hence, I state the problem is NOT fixed and would like to REOPEN this bug...
Hi aannoaanno,
Issue is fixed in:
    # rpm -q selinux-policy
    selinux-policy-3.14.4-40.fc31.noarch
    # sesearch -A -s stratisd_t -t fixed_disk_device_t -c blk_file
    allow stratisd_t fixed_disk_device_t:blk_file getattr;
You can install it via:
    # sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2019-aec8f7ab50
and add karma here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-aec8f7ab50
Thanks,
Lukas
Dear Lukas,
* https://bodhi.fedoraproject.org/updates/FEDORA-2019-aec8f7ab50 does *NOT* mention this bug
* https://bodhi.fedoraproject.org/updates/FEDORA-2019-aec8f7ab50 does *NOT* mention the duplicate bug
* nevertheless, I tried, but it does *NOT* fix this issue
Hence, I state the problem is NOT fixed and would like to REOPEN this bug...
I found the following in dmesg with selinux-policy-3.14.4-40.fc31.noarch:
    [ 13.964073] audit: type=1400 audit(1573198423.176:78): avc: denied { read } for pid=842 comm="stratisd" name="dm-6" dev="devtmpfs" ino=23984 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=0
    [ 13.983380] audit: type=1400 audit(1573198423.196:79): avc: denied { read } for pid=842 comm="stratisd" name="dm-7" dev="devtmpfs" ino=23987 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=0
    [ 13.985013] audit: type=1400 audit(1573198423.196:80): avc: denied { getattr } for pid=842 comm="stratisd" path="/dev/nvme0n1p7" dev="devtmpfs" ino=23716 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:nvme_device_t:s0 tclass=blk_file permissive=0
    [ 13.991528] audit: type=1130 audit(1573198423.204:81): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-cryptsetup@luks\x2dstratis\x2dssd\x2dvg comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
    [ 13.992231] audit: type=1400 audit(1573198423.204:82): avc: denied { read } for pid=842 comm="stratisd" name="dm-7" dev="devtmpfs" ino=23987 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=0
    [ 14.057108] audit: type=1130 audit(1573198423.269:83): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-cryptsetup@luks\x2dstratis\x2dhdd\x2dvg comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
    [ 14.060405] audit: type=1400 audit(1573198423.271:84): avc: denied { read } for pid=842 comm="stratisd" name="dm-6" dev="devtmpfs" ino=23984 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=0
Just as a reminder: drckeefe has managed to reproduce the problem: https://github.com/stratis-storage/stratisd/issues/1684
Hi,
Thank you for the SELinux denials, however they are different from the SELinux denial in the bug description. I added all the fixes.
commit 42440b950d4cc6b6b8d547d3c3d11533e5e761fa (HEAD -> rawhide, origin/rawhide, origin/HEAD)
Author: Lukas Vrabec <lvrabec>
Date:   Fri Nov 8 16:55:22 2019 +0100
    Allow stratisd_t domain to read nvme and fixed disk devices
    Resolves: rhbz#1770134
Thanks,
Lukas
I had the same problem, updated to selinux-policy-nightly. Now stratisd will start, but will not be able to create a pool. Other permission issues seem to persist. See: https://github.com/stratis-storage/stratisd/issues/1684#issuecomment-554164413 Thanks
FEDORA-2019-fefda9dd5e has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2019-fefda9dd5e
selinux-policy-3.14.4-42.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-fefda9dd5e
Well, the system suffered from a power unit hardware problem. Sorry for the delayed answer. Package selinux-policy-3.14.4-42.fc31 works better - but the problem is _not_ gone with it. I now find the following in dmesg:
    [ 23.565628] audit: type=1130 audit(1574968794.744:64): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-cryptsetup@luks\x2dstratis\x2dssd\x2dvg comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
    [ 23.574364] device-mapper: table: 253:11: cache: unknown target type
    [ 23.574396] audit: type=1400 audit(1574968794.753:65): avc: denied { module_request } for pid=1058 comm="stratisd" kmod="dm-cache" scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0
    [ 23.575494] device-mapper: ioctl: error adding target to table
    [ 23.632232] device-mapper: table: 253:11: cache: unknown target type
    [ 23.632265] audit: type=1400 audit(1574968794.811:66): avc: denied { module_request } for pid=1058 comm="stratisd" kmod="dm-cache" scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0
    [ 23.633468] device-mapper: ioctl: error adding target to table
    [ 23.637369] audit: type=1130 audit(1574968794.816:67): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-cryptsetup@luks\x2dstratis\x2dhdd\x2dvg comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
    [ 23.676220] device-mapper: table: 253:11: cache: unknown target type
    [ 23.676252] audit: type=1400 audit(1574968794.855:68): avc: denied { module_request } for pid=1058 comm="stratisd" kmod="dm-cache" scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0
    [ 23.677704] device-mapper: ioctl: error adding target to table
With the selinux warning browser, I see the following problems with selinux-policy-3.14.4-42.fc31:
* SELinux is preventing mount from 'read' accesses on the blk_file loop1.
    Raw Audit Messages
    type=AVC msg=audit(1557599764.3:347): avc: denied { read } for pid=5364 comm="mount" name="loop1" dev="devtmpfs" ino=34913 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=1
* SELinux is preventing mount from 'open' accesses on the blk_file /dev/loop1.
    Raw Audit Messages
    type=AVC msg=audit(1557599764.3:348): avc: denied { open } for pid=5364 comm="mount" path="/dev/loop1" dev="devtmpfs" ino=34913 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=1
* SELinux is preventing mount from 'ioctl' accesses on the blk_file /dev/loop1.
    type=AVC msg=audit(1557599764.3:349): avc: denied { ioctl } for pid=5364 comm="mount" path="/dev/loop1" dev="devtmpfs" ino=34913 ioctlcmd=0x4c05 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=1
* SELinux is preventing mount from read, write access on the chr_file loop-control.
    type=AVC msg=audit(1557599764.3:350): avc: denied { read write } for pid=5364 comm="mount" name="loop-control" dev="devtmpfs" ino=27710 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:loop_control_device_t:s0 tclass=chr_file permissive=1
* SELinux is preventing mount from 'open' accesses on the chr_file /dev/loop-control.
    type=AVC msg=audit(1557599764.3:351): avc: denied { open } for pid=5364 comm="mount" path="/dev/loop-control" dev="devtmpfs" ino=27710 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:loop_control_device_t:s0 tclass=chr_file permissive=1
* SELinux is preventing mount from 'ioctl' accesses on the chr_file /dev/loop-control.
    type=AVC msg=audit(1557599764.3:352): avc: denied { ioctl } for pid=5364 comm="mount" path="/dev/loop-control" dev="devtmpfs" ino=27710 ioctlcmd=0x4c82 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:loop_control_device_t:s0 tclass=chr_file permissive=1
* SELinux is preventing mount from 'write' accesses on the blk_file loop2.
    type=AVC msg=audit(1557599764.4:353): avc: denied { write } for pid=5364 comm="mount" name="loop2" dev="devtmpfs" ino=67850 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=1
* SELinux is preventing systemd from 'create' accesses on the directory recordings.
    type=AVC msg=audit(1567538795.411:845): avc: denied { create } for pid=1 comm="systemd" name="recordings" scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=0
* SELinux is preventing cp from using the 'setfscreate' accesses on a process.
    type=AVC msg=audit(1569263071.507:365): avc: denied { setfscreate } for pid=8657 comm="cp" scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:system_r:snappy_t:s0 tclass=process permissive=1
* Process stratisd tried to access system with module_request.
* SELinux is preventing stratisd from 'execute' accesses on the file /usr/sbin/pdata_tools.
    type=AVC msg=audit(1572608333.230:776): avc: denied { execute } for pid=16969 comm="stratisd" name="pdata_tools" dev="dm-4" ino=201329307 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
* SELinux is preventing stratisd from 'execute_no_trans' accesses on the file /usr/sbin/pdata_tools.
    type=AVC msg=audit(1572608333.230:777): avc: denied { execute_no_trans } for pid=16969 comm="stratisd" path="/usr/sbin/pdata_tools" dev="dm-4" ino=201329307 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
* Process thin_check tried to access /usr/sbin/pdata_tools with map.
* Process stratisd tried to write to directory /stratis
* Process stratisd tried to access directory .mdv-093c... with add_name.
* Process stratisd tried to access directory .mdv-093c... with create.
    type=AVC msg=audit(1572695079.107:482): avc: denied { create } for pid=6651 comm="stratisd" name=".mdv-093c8d4221b846a2a7e85d35f458fa58" scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
* Process stratisd tried to access directory .mdv-093c... with mounton.
* Process stratisd tried to access filesystem /.
    type=AVC msg=audit(1572695079.135:484): avc: denied { mount } for pid=6651 comm="stratisd" name="/" dev="dm-15" ino=12992 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1
* Process stratisd tried to access directory 'filesystems' with read.
    type=AVC msg=audit(1572695079.136:486): avc: denied { read } for pid=6651 comm="stratisd" name="filesystems" dev="dm-15" ino=12995 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
* Process stratisd tried to access directory 'filesystems' with open.
* Process stratisd tried to access directory 'filesystems' with getattr.
* Process stratisd tried to access filesystem with unmount.
    type=AVC msg=audit(1572695079.136:489): avc: denied { unmount } for pid=6651 comm="stratisd" scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1
* Process stratisd tried to access directory .mdv-093c... with remove_name.
* Process stratisd tried to access directory .mdv-093c... with rmdir.
    type=AVC msg=audit(1572695079.220:491): avc: denied { rmdir } for pid=6651 comm="stratisd" name=".mdv-093c8d4221b846a2a7e85d35f458fa58" dev="dm-4" ino=134343861 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
* Process stratisd tried to access directory 'filesystems' with search.
    type=AVC msg=audit(1572695079.247:492): avc: denied { search } for pid=6651 comm="stratisd" name="filesystems" dev="dm-15" ino=12995 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
* Process stratisd tried to access file 1715509...4d.json with read.
    type=AVC msg=audit(1572695079.247:493): avc: denied { read } for pid=6651 comm="stratisd" name="17155095e2254fb0b020ec2ffa6a5e4d.json" dev="dm-15" ino=12996 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
* Process stratisd tried to access file 1715509...4d.json with open.
* Process stratisd tried to access /mnt/opt with getattr.
    type=AVC msg=audit(1572695079.338:495): avc: denied { getattr } for pid=6651 comm="stratisd" name="/" dev="dm-17" ino=2048 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1
* Process stratisd tried to access lnk_file /stratis/stratis_hdd/opt with unlink.
    type=AVC msg=audit(1572695079.339:496): avc: denied { unlink } for pid=6651 comm="stratisd" name="opt" dev="dm-4" ino=146941056 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=lnk_file permissive=1
* Process stratisd tried to access lnk_file /opt with create.
    type=AVC msg=audit(1572695079.339:497): avc: denied { create } for pid=6651 comm="stratisd" name="opt" scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=lnk_file permissive=1
* Process systemd tried to access capability2 with mac_admin.
    type=AVC msg=audit(1575127332.448:120): avc: denied { mac_admin } for pid=1 comm="systemd" capability=33 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=capability2 permissive=1
* Process mandb tried to access directory /var/lib/snapd with search.
    type=AVC msg=audit(1575127443.105:355): avc: denied { search } for pid=5298 comm="mandb" name="snapd" dev="dm-4" ino=134536464 scontext=system_u:system_r:mandb_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1 trawcon="system_u:object_r:snappy_var_lib_t:s0"
Well, I'm the reporter of the 'duplicate' bug https://bugzilla.redhat.com/show_bug.cgi?id=1767773 that I opened on 2019-11-01 11:51:45 UTC. My problem is _still_ _not_ _solved_ in Fedora 31, but I can't see any progress here. Hence this is my question: Is there still the intent to solve this problem in Fedora 31? Can I provide additional information on the subject?
container-selinux-2.123.0-2.fc31, selinux-policy-3.14.4-43.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-fefda9dd5e
selinux-policy-3.14.4-43.fc31 does not resolve this issue
container-selinux-2.123.0-2.fc31, selinux-policy-3.14.4-43.fc31 has been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report.
The problem is still there with selinux-policy-3.14.4-43.fc31, and I would like to reopen the bug, as I still see the following in /var/log/messages:
    Dec 19 18:10:27 blacksnapper audit[836]: AVC avc: denied { module_request } for pid=836 comm="stratisd" kmod="dm-cache" scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=1
    Dec 19 18:10:27 blacksnapper kernel: device-mapper: table: 253:11: adding target device dm-8 caused an alignment inconsistency: physical_block_size=4096, logical_block_size=512, alignment_offset=0, start=0
    Dec 19 18:10:27 blacksnapper kernel: device-mapper: cache: Origin device (dm-8) discard unsupported: Disabling discard passdown.
    Dec 19 18:10:27 blacksnapper kernel: device-mapper: table: 253:11: adding target device dm-8 caused an alignment inconsistency: physical_block_size=4096, logical_block_size=512, alignment_offset=0, start=0
    Dec 19 18:10:27 blacksnapper kernel: device-mapper: table: 253:11: adding target device dm-8 caused an alignment inconsistency: physical_block_size=4096, logical_block_size=512, alignment_offset=0, start=0
    Dec 19 18:10:27 blacksnapper kernel: device-mapper: table: 253:11: adding target device dm-8 caused an alignment inconsistency: physical_block_size=4096, logical_block_size=512, alignment_offset=0, start=0
    Dec 19 18:10:27 blacksnapper systemd[1]: Started Cryptography Setup for luks-stratis-hdd-vg.
    Dec 19 18:10:27 blacksnapper audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-cryptsetup@luks\x2dstratis\x2dhdd\x2dvg comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
    Dec 19 18:10:27 blacksnapper audit[1419]: AVC avc: denied { execute } for pid=1419 comm="stratisd" name="pdata_tools" dev="dm-4" ino=201329307 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
    Dec 19 18:10:27 blacksnapper audit[1419]: AVC avc: denied { execute_no_trans } for pid=1419 comm="stratisd" path="/usr/sbin/pdata_tools" dev="dm-4" ino=201329307 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
    Dec 19 18:10:27 blacksnapper audit[1419]: AVC avc: denied { map } for pid=1419 comm="thin_check" path="/usr/sbin/pdata_tools" dev="dm-4" ino=201329307 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
    Dec 19 18:10:27 blacksnapper audit[836]: AVC avc: denied { write } for pid=836 comm="stratisd" name="stratis" dev="dm-4" ino=2307 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
    Dec 19 18:10:27 blacksnapper audit[836]: AVC avc: denied { add_name } for pid=836 comm="stratisd" name=".mdv-093c8d4221b846a2a7e85d35f458fa58" scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
    Dec 19 18:10:27 blacksnapper audit[836]: AVC avc: denied { create } for pid=836 comm="stratisd" name=".mdv-093c8d4221b846a2a7e85d35f458fa58" scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
    Dec 19 18:10:27 blacksnapper audit[836]: AVC avc: denied { mounton } for pid=836 comm="stratisd" path="/stratis/.mdv-093c8d4221b846a2a7e85d35f458fa58" dev="dm-4" ino=864 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
    Dec 19 18:10:27 blacksnapper kernel: XFS (dm-15): Mounting V5 Filesystem
    Dec 19 18:10:27 blacksnapper kernel: XFS (dm-15): Ending clean mount
    Dec 19 18:10:27 blacksnapper audit[836]: AVC avc: denied { mount } for pid=836 comm="stratisd" name="/" dev="dm-15" ino=12992 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1
    Dec 19 18:10:27 blacksnapper audit[836]: AVC avc: denied { search } for pid=836 comm="stratisd" name="/" dev="dm-15" ino=12992 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
    Dec 19 18:10:27 blacksnapper audit[836]: AVC avc: denied { read } for pid=836 comm="stratisd" name="filesystems" dev="dm-15" ino=12995 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
    Dec 19 18:10:27 blacksnapper audit[836]: AVC avc: denied { open } for pid=836 comm="stratisd" path="/stratis/.mdv-093c8d4221b846a2a7e85d35f458fa58/filesystems" dev="dm-15" ino=12995 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
    Dec 19 18:10:27 blacksnapper audit[836]: AVC avc: denied { getattr } for pid=836 comm="stratisd" path="/stratis/.mdv-093c8d4221b846a2a7e85d35f458fa58/filesystems" dev="dm-15" ino=12995 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
    Dec 19 18:10:27 blacksnapper audit[836]: AVC avc: denied { unmount } for pid=836 comm="stratisd" scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1
    Dec 19 18:10:27 blacksnapper systemd[1]: stratis-.mdv\x2d093c8d4221b846a2a7e85d35f458fa58.mount: Succeeded.
    Dec 19 18:10:27 blacksnapper kernel: XFS (dm-15): Unmounting Filesystem
    Dec 19 18:10:27 blacksnapper audit[836]: AVC avc: denied { remove_name } for pid=836 comm="stratisd" name=".mdv-093c8d4221b846a2a7e85d35f458fa58" dev="dm-4" ino=864 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
    Dec 19 18:10:27 blacksnapper audit[836]: AVC avc: denied { rmdir } for pid=836 comm="stratisd" name=".mdv-093c8d4221b846a2a7e85d35f458fa58" dev="dm-4" ino=864 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
    Dec 19 18:10:27 blacksnapper kernel: XFS (dm-15): Mounting V5 Filesystem
    Dec 19 18:10:27 blacksnapper kernel: XFS (dm-15): Ending clean mount
    Dec 19 18:10:27 blacksnapper audit[836]: AVC avc: denied { search } for pid=836 comm="stratisd" name="filesystems" dev="dm-15" ino=12995 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
    Dec 19 18:10:27 blacksnapper audit[836]: AVC avc: denied { read } for pid=836 comm="stratisd" name="17155095e2254fb0b020ec2ffa6a5e4d.json" dev="dm-15" ino=12996 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
    Dec 19 18:10:27 blacksnapper audit[836]: AVC avc: denied { open } for pid=836 comm="stratisd" path="/stratis/.mdv-093c8d4221b846a2a7e85d35f458fa58/filesystems/17155095e2254fb0b020ec2ffa6a5e4d.json" dev="dm-15" ino=12996 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
    Dec 19 18:10:27 blacksnapper systemd[1]: stratis-.mdv\x2d093c8d4221b846a2a7e85d35f458fa58.mount: Succeeded.
    Dec 19 18:10:27 blacksnapper kernel: XFS (dm-15): Unmounting Filesystem
    Dec 19 18:10:27 blacksnapper stratisd[836]: INFO libstratis::engine::strat_engine::thinpool::thinpool: Data tier percent used: 13
    Dec 19 18:10:27 blacksnapper audit[836]: AVC avc: denied { create } for pid=836 comm="stratisd" name="home" scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=lnk_file permissive=1
    Dec 19 18:10:27 blacksnapper kernel: kauditd_printk_skb: 67 callbacks suppressed
    Dec 19 18:10:27 blacksnapper kernel: audit: type=1400 audit(1576775427.680:76): avc: denied { create } for pid=836 comm="stratisd" name="home" scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=lnk_file permissive=1
    Dec 19 18:10:27 blacksnapper systemd[1]: Found device /dev/disk/by-uuid/17155095-e225-4fb0-b020-ec2ffa6a5e4d.
I also voted against the 'fix' at https://bodhi.fedoraproject.org/updates/FEDORA-2019-fefda9dd5e .
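Added example (not part of the bug thread, and not code from selinux-policy or stratisd): a Python sketch that parses AVC denials in the audit.log, dmesg and journal formats seen above, groups them by source type, target type and class, and reports which permissions a set of sesearch-style allow rules still leaves denied. The function names are hypothetical; the sample records and the allow rule are copied from the comments above.

```python
import re
from collections import defaultdict

# "avc: denied { perms } for key=value ..." is the same in audit.log, dmesg
# and journal lines; whatever precedes "avc:" is ignored.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]+?)\s*\}\s+for\s+(.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# sesearch -A output: "allow src tgt:class perm;" or "... { p1 p2 };"
ALLOW_RE = re.compile(r"allow\s+(\w+)\s+(\w+):(\w+)\s+(?:\{([^}]+)\}|(\w+))\s*;")


def parse_avc(line):
    """Parse one log line; return None unless it is an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    f = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    if not {"scontext", "tcontext", "tclass"} <= f.keys():
        return None
    return {
        "perms": set(m.group(1).split()),
        # the type is the third field of user:role:type:level
        "source": f["scontext"].split(":")[2],
        "target": f["tcontext"].split(":")[2],
        "tclass": f["tclass"],
    }


def summarize(lines, domain=None):
    """Map (source, target, class) -> every permission denied in the log."""
    needed = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d and (domain is None or d["source"] == domain):
            needed[(d["source"], d["target"], d["tclass"])] |= d["perms"]
    return dict(needed)


def still_denied(lines, sesearch_output, domain=None):
    """Denied permissions that the given allow rules do not cover."""
    allowed = defaultdict(set)
    for src, tgt, cls, many, one in ALLOW_RE.findall(sesearch_output):
        allowed[(src, tgt, cls)] |= set((many or one).split())
    gaps = {}
    for key, perms in summarize(lines, domain).items():
        missing = perms - allowed[key]
        if missing:
            gaps[key] = missing
    return gaps


# Records and the allow rule below are copied from the comments above.
SAMPLE_LOG = [
    'type=AVC msg=audit(1568830182.214:13471): avc: denied { getattr } for '
    'pid=536 comm="stratisd" path="/dev/sdb1" dev="devtmpfs" ino=730261 '
    'scontext=system_u:system_r:stratisd_t:s0 '
    'tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=0',
    '[ 13.964073] audit: type=1400 audit(1573198423.176:78): avc: denied { read } '
    'for pid=842 comm="stratisd" name="dm-6" dev="devtmpfs" ino=23984 '
    'scontext=system_u:system_r:stratisd_t:s0 '
    'tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=0',
    '[ 13.985013] audit: type=1400 audit(1573198423.196:80): avc: denied { getattr } '
    'for pid=842 comm="stratisd" path="/dev/nvme0n1p7" dev="devtmpfs" ino=23716 '
    'scontext=system_u:system_r:stratisd_t:s0 '
    'tcontext=system_u:object_r:nvme_device_t:s0 tclass=blk_file permissive=0',
    '[ 23.574364] device-mapper: table: 253:11: cache: unknown target type',
    '[ 23.574396] audit: type=1400 audit(1574968794.753:65): avc: denied '
    '{ module_request } for pid=1058 comm="stratisd" kmod="dm-cache" '
    'scontext=system_u:system_r:stratisd_t:s0 '
    'tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0',
]
FIXED_RULE = "allow stratisd_t fixed_disk_device_t:blk_file getattr;"

if __name__ == "__main__":
    gaps = still_denied(SAMPLE_LOG, FIXED_RULE, "stratisd_t")
    for (src, tgt, cls), perms in sorted(gaps.items()):
        print(f"{src} -> {tgt}:{cls} still needs {{ {' '.join(sorted(perms))} }}")
```

In enforcing mode (permissive=0) an operation stops at its first denial, so such a log can understate what the daemon needs; the permissive=1 logs later in the thread show the accesses that follow.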