Bug 1755396 - SELinux is preventing /usr/libexec/stratisd from 'getattr' accesses on the blk_file /dev/sdb1.
Summary: SELinux is preventing /usr/libexec/stratisd from 'getattr' accesses on the bl...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 31
Hardware: x86_64
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:2c6260d596ff231237ecd68c7f1...
Duplicates: 1767773
Depends On:
Blocks:
 
Reported: 2019-09-25 12:18 UTC by msmafra
Modified: 2019-12-19 17:21 UTC (History)
CC: 9 users

Fixed In Version: selinux-policy-3.14.4-40.fc31.noarch selinux-policy-3.14.4-43.fc31
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-12-11 02:05:59 UTC
Type: ---
Embargoed:



Description msmafra 2019-09-25 12:18:36 UTC
Description of problem:
During boot/login process
SELinux is preventing /usr/libexec/stratisd from 'getattr' accesses on the blk_file /dev/sdb1.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that stratisd should be allowed getattr access on the sdb1 blk_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'stratisd' --raw | audit2allow -M my-stratisd
# semodule -X 300 -i my-stratisd.pp

Additional Information:
Source Context                system_u:system_r:stratisd_t:s0
Target Context                system_u:object_r:fixed_disk_device_t:s0
Target Objects                /dev/sdb1 [ blk_file ]
Source                        stratisd
Source Path                   /usr/libexec/stratisd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           stratisd-1.0.5-1.module_f31+6320+bf3c8975.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.14.4-31.fc31.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 5.3.0-1.fc31.x86_64 #1 SMP Mon Sep 16 12:34:42 UTC 2019 x86_64 x86_64
Alert Count                   6
First Seen                    2019-09-18 13:56:47 -03
Last Seen                     2019-09-18 15:09:42 -03
Local ID                      e26b45fe-405d-4b45-b731-7824dc5eaf90

Raw Audit Messages
type=AVC msg=audit(1568830182.214:13471): avc:  denied  { getattr } for  pid=536 comm="stratisd" path="/dev/sdb1" dev="devtmpfs" ino=730261 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=0


type=SYSCALL msg=audit(1568830182.214:13471): arch=x86_64 syscall=lstat success=no exit=EACCES a0=55760c81d9f0 a1=7fff4988b880 a2=7fff4988b880 a3=0 items=1 ppid=1 pid=536 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=stratisd exe=/usr/libexec/stratisd subj=system_u:system_r:stratisd_t:s0 key=(null)

type=CWD msg=audit(1568830182.214:13471): cwd=/

type=PATH msg=audit(1568830182.214:13471): item=0 name=/dev/sdb1 inode=730261 dev=00:06 mode=060660 ouid=0 ogid=6 rdev=08:11 obj=system_u:object_r:fixed_disk_device_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0

Hash: stratisd,stratisd_t,fixed_disk_device_t,blk_file,getattr

Version-Release number of selected component:
selinux-policy-3.14.4-31.fc31.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.10.1
hashmarkername: setroubleshoot
kernel:         5.3.0-1.fc31.x86_64
type:           libreport

Comment 1 Lukas Vrabec 2019-10-02 19:09:26 UTC
commit 92748761feb61250510219298f50cd5d5c1d413d (HEAD -> rawhide, origin/rawhide, origin/HEAD)
Author: Nikola Knazekova <nknazeko>
Date:   Wed Oct 2 11:12:33 2019 +0200

    Allow stratisd to getattr of fixed disk device nodes
    
    Allow stratisd, a daemon that manages a pool of block devices to create flexible filesystems, to get the attributes of fixed disk device nodes.
    
    Fixed Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1755396

Comment 2 Fedora Update System 2019-10-04 13:35:30 UTC
FEDORA-2019-64732fd6a5 has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2019-64732fd6a5

Comment 3 Fedora Update System 2019-10-04 22:51:11 UTC
selinux-policy-3.14.4-36.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-64732fd6a5

Comment 4 Lukas Vrabec 2019-11-06 19:56:01 UTC
*** Bug 1767773 has been marked as a duplicate of this bug. ***

Comment 5 aannoaanno 2019-11-07 17:13:36 UTC
Well, I reported the 'duplicate' #1767773. On my system the problem is still there with selinux-policy-3.14.4-39.fc31.noarch. The proposed testing package is selinux-policy-3.14.4-36.fc31 and is marked as obsolete.

Hence, I state the problem is NOT fixed and would like to REOPEN this bug...

Comment 6 Lukas Vrabec 2019-11-07 20:47:08 UTC
Hi aannoaanno, 

Issue is fixed in:
# rpm -q selinux-policy
selinux-policy-3.14.4-40.fc31.noarch

# sesearch -A -s  stratisd_t -t fixed_disk_device_t -c blk_file 
allow stratisd_t fixed_disk_device_t:blk_file getattr;

You can install it via:
# sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2019-aec8f7ab50

and add karma here:
https://bodhi.fedoraproject.org/updates/FEDORA-2019-aec8f7ab50

Thanks,
Lukas

Comment 7 aannoaanno 2019-11-08 07:41:49 UTC
Dear Lukas,

* https://bodhi.fedoraproject.org/updates/FEDORA-2019-aec8f7ab50 does *NOT* mention this bug
* https://bodhi.fedoraproject.org/updates/FEDORA-2019-aec8f7ab50 does *NOT* mention the duplicate bug
* nevertheless, I tried, but it does *NOT* fix this issue

Hence, I state the problem is NOT fixed and would like to REOPEN this bug...

Comment 8 aannoaanno 2019-11-08 07:49:06 UTC
I found the following in dmesg with selinux-policy-3.14.4-40.fc31.noarch:

[   13.964073] audit: type=1400 audit(1573198423.176:78): avc:  denied  { read } for  pid=842 comm="stratisd" name="dm-6" dev="devtmpfs" ino=23984 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=0
[   13.983380] audit: type=1400 audit(1573198423.196:79): avc:  denied  { read } for  pid=842 comm="stratisd" name="dm-7" dev="devtmpfs" ino=23987 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=0
[   13.985013] audit: type=1400 audit(1573198423.196:80): avc:  denied  { getattr } for  pid=842 comm="stratisd" path="/dev/nvme0n1p7" dev="devtmpfs" ino=23716 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:nvme_device_t:s0 tclass=blk_file permissive=0
[   13.991528] audit: type=1130 audit(1573198423.204:81): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-cryptsetup@luks\x2dstratis\x2dssd\x2dvg comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[   13.992231] audit: type=1400 audit(1573198423.204:82): avc:  denied  { read } for  pid=842 comm="stratisd" name="dm-7" dev="devtmpfs" ino=23987 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=0
[   14.057108] audit: type=1130 audit(1573198423.269:83): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-cryptsetup@luks\x2dstratis\x2dhdd\x2dvg comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[   14.060405] audit: type=1400 audit(1573198423.271:84): avc:  denied  { read } for  pid=842 comm="stratisd" name="dm-6" dev="devtmpfs" ino=23984 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=0

Comment 9 aannoaanno 2019-11-08 07:52:25 UTC
Just as a reminder: drckeefe has managed to reproduce the problem: https://github.com/stratis-storage/stratisd/issues/1684

Comment 10 Lukas Vrabec 2019-11-08 15:56:39 UTC
Hi, 

Thank you for the SELinux denials; however, they are different from the SELinux denial in the bug description. I added all the fixes.

commit 42440b950d4cc6b6b8d547d3c3d11533e5e761fa (HEAD -> rawhide, origin/rawhide, origin/HEAD)
Author: Lukas Vrabec <lvrabec>
Date:   Fri Nov 8 16:55:22 2019 +0100

    Allow stratisd_t domain to read nvme and fixed disk devices
    
    Resolves: rhbz#1770134


Thanks,
Lukas
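
The checks that run through this thread (the catchall's `ausearch --raw | audit2allow` suggestion in the description, the `sesearch -A` rule shown in comment 6, and the denials in comments 8 and 10 that that rule did not cover) can be reproduced offline with a small parser. The following is an added example written for this page, not code from stratisd or the selinux-policy project. It reads AVC records in the three renderings that appear in the report (raw auditd, dmesg and /var/log/messages), merges them into candidate allow rules the way audit2allow does, and then checks each denial against a given rule set the way one would read sesearch output by hand. The sample log lines are constructed to mirror the report; `POLICY_3_14_4_40` is the single rule quoted in comment 6. Rules are matched on exact type names only; attributes and type aliases, which sesearch expands, are not modelled.

```python
"""Parse SELinux AVC denials from mixed log formats, merge them into candidate
allow rules (what `ausearch --raw | audit2allow` does) and check them against
a known rule set (what reading `sesearch -A` output by hand does).

Added example for this bug thread; not code from stratisd or selinux-policy.
The log lines are constructed to mirror the renderings seen in the report.
"""
import re
from collections import defaultdict

# Constructed sample: one auditd raw record, two dmesg records, three
# /var/log/messages records and one unrelated kernel line that must be ignored.
SAMPLE_LOG = """
type=AVC msg=audit(1568830182.214:13471): avc:  denied  { getattr } for  pid=536 comm="stratisd" path="/dev/sdb1" dev="devtmpfs" ino=730261 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=0
[   13.964073] audit: type=1400 audit(1573198423.176:78): avc:  denied  { read } for  pid=842 comm="stratisd" name="dm-6" dev="devtmpfs" ino=23984 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=0
[   13.985013] audit: type=1400 audit(1573198423.196:80): avc:  denied  { getattr } for  pid=842 comm="stratisd" path="/dev/nvme0n1p7" dev="devtmpfs" ino=23716 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:nvme_device_t:s0 tclass=blk_file permissive=0
Dec 19 18:10:27 blacksnapper audit[836]: AVC avc:  denied  { module_request } for  pid=836 comm="stratisd" kmod="dm-cache" scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=1
Dec 19 18:10:27 blacksnapper audit[1419]: AVC avc:  denied  { execute } for  pid=1419 comm="stratisd" name="pdata_tools" dev="dm-4" ino=201329307 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
Dec 19 18:10:27 blacksnapper audit[1419]: AVC avc:  denied  { execute_no_trans } for  pid=1419 comm="stratisd" path="/usr/sbin/pdata_tools" dev="dm-4" ino=201329307 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
Dec 19 18:10:27 blacksnapper kernel: XFS (dm-15): Mounting V5 Filesystem
"""

# The allow rule sesearch reported for selinux-policy-3.14.4-40.fc31 (comment 6).
POLICY_3_14_4_40 = "allow stratisd_t fixed_disk_device_t:blk_file getattr;"

# "avc:  denied  { perm ... } for  key=value ..." is common to all three renderings.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
RULE_RE = re.compile(r"^allow\s+(\w+)\s+(\w+):(\w+)\s+(?:\{\s*([^}]+?)\s*\}|(\w+))\s*;")


def parse_denials(text):
    """Return one dict per AVC denial: source/target types, object class,
    the denied permissions and whether the record was taken in permissive mode."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
        denials.append({
            "source": fields["scontext"].split(":")[2],   # user:role:TYPE:level
            "target": fields["tcontext"].split(":")[2],
            "tclass": fields["tclass"],
            "perms": frozenset(m.group("perms").split()),
            "permissive": fields.get("permissive") == "1",
            "comm": fields.get("comm", "?"),
        })
    return denials


def format_rule(source, target, tclass, perms):
    """Render one allow rule in .te / sesearch syntax."""
    perms = sorted(perms)
    body = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
    return "allow %s %s:%s %s;" % (source, target, tclass, body)


def summarize_rules(denials):
    """Merge denials into one candidate allow rule per (source, target, class),
    which is what audit2allow -M would write into the generated .te file."""
    merged = defaultdict(set)
    for d in denials:
        merged[(d["source"], d["target"], d["tclass"])] |= d["perms"]
    return {key: format_rule(*key, perms) for key, perms in merged.items()}


def parse_rules(text):
    """Parse allow rules in sesearch/.te syntax into {(source, target, class): perms}."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            source, target, tclass, many, one = m.groups()
            rules[(source, target, tclass)] |= set((many or one).split())
    return rules


def uncovered(denials, rules):
    """Denials the rule set does not grant, as (source, target, class,
    missing perms, permissive) tuples.  Exact type names only: attributes and
    type aliases, which sesearch expands, are not modelled here."""
    result = []
    for d in denials:
        granted = rules.get((d["source"], d["target"], d["tclass"]), set())
        missing = d["perms"] - granted
        if missing:
            result.append((d["source"], d["target"], d["tclass"], sorted(missing), d["permissive"]))
    return result


if __name__ == "__main__":
    denials = parse_denials(SAMPLE_LOG)
    print("# candidate rules (review before semodule -i):")
    for rule in sorted(summarize_rules(denials).values()):
        print(rule)
    print("# still denied under:", POLICY_3_14_4_40)
    for source, target, tclass, missing, permissive in uncovered(denials, parse_rules(POLICY_3_14_4_40)):
        mode = "permissive, not enforced" if permissive else "enforcing"
        print("  %s -> %s:%s %s (%s)" % (source, target, tclass, " ".join(missing), mode))
```

Run against the constructed sample, the rule from comment 6 covers the original `getattr` denial on /dev/sdb1 but leaves the `read` on fixed_disk_device_t, the `getattr` on nvme_device_t, and the later `module_request` and `execute` denials uncovered, which is the sequence the follow-up commits addressed. Records with `permissive=1` are reported separately because they were logged with the domain or the system in permissive mode and did not block anything. Rules produced from a catchall should be read before loading with `semodule`: `allow stratisd_t kernel_t:system module_request` lets the daemon ask the kernel to autoload modules by name, and `execute_no_trans` on bin_t runs helpers such as pdata_tools inside the stratisd_t domain instead of transitioning to a separate one.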

Comment 11 rekriux 2019-11-15 01:53:45 UTC
I had the same problem and updated to selinux-policy-nightly.

Now stratisd will start, but will not be able to create a pool. Other permission issues seem to persist.

See :
https://github.com/stratis-storage/stratisd/issues/1684#issuecomment-554164413

Thanks

Comment 12 Fedora Update System 2019-11-22 16:17:29 UTC
FEDORA-2019-fefda9dd5e has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2019-fefda9dd5e

Comment 13 Fedora Update System 2019-11-23 02:39:16 UTC
selinux-policy-3.14.4-42.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-fefda9dd5e

Comment 14 aannoaanno 2019-11-28 19:25:47 UTC
Well, the system suffered from a power unit hardware problem. Sorry for the delayed answer.

Package selinux-policy-3.14.4-42.fc31 works better - but the problem is _not_ gone with it. I now find the following in dmesg:

[   23.565628] audit: type=1130 audit(1574968794.744:64): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-cryptsetup@luks\x2dstratis\x2dssd\x2dvg comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[   23.574364] device-mapper: table: 253:11: cache: unknown target type
[   23.574396] audit: type=1400 audit(1574968794.753:65): avc:  denied  { module_request } for  pid=1058 comm="stratisd" kmod="dm-cache" scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0
[   23.575494] device-mapper: ioctl: error adding target to table
[   23.632232] device-mapper: table: 253:11: cache: unknown target type
[   23.632265] audit: type=1400 audit(1574968794.811:66): avc:  denied  { module_request } for  pid=1058 comm="stratisd" kmod="dm-cache" scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0
[   23.633468] device-mapper: ioctl: error adding target to table
[   23.637369] audit: type=1130 audit(1574968794.816:67): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-cryptsetup@luks\x2dstratis\x2dhdd\x2dvg comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
[   23.676220] device-mapper: table: 253:11: cache: unknown target type
[   23.676252] audit: type=1400 audit(1574968794.855:68): avc:  denied  { module_request } for  pid=1058 comm="stratisd" kmod="dm-cache" scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0
[   23.677704] device-mapper: ioctl: error adding target to table

Comment 15 aannoaanno 2019-11-30 15:55:21 UTC
With the selinux warning browser, I see the following problems with selinux-policy-3.14.4-42.fc31:

* SELinux is preventing mount from 'read' accesses on the blk_file loop1.
Raw Audit Messages
type=AVC msg=audit(1557599764.3:347): avc:  denied  { read } for  pid=5364 comm="mount" name="loop1" dev="devtmpfs" ino=34913 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=1

* SELinux is preventing mount from 'open' accesses on the blk_file /dev/loop1.
Raw Audit Messages
type=AVC msg=audit(1557599764.3:348): avc:  denied  { open } for  pid=5364 comm="mount" path="/dev/loop1" dev="devtmpfs" ino=34913 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=1

* SELinux is preventing mount from 'ioctl' accesses on the blk_file /dev/loop1.
type=AVC msg=audit(1557599764.3:349): avc:  denied  { ioctl } for  pid=5364 comm="mount" path="/dev/loop1" dev="devtmpfs" ino=34913 ioctlcmd=0x4c05 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=1

* SELinux is preventing mount from read, write access on the chr_file loop-control.
type=AVC msg=audit(1557599764.3:350): avc:  denied  { read write } for  pid=5364 comm="mount" name="loop-control" dev="devtmpfs" ino=27710 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:loop_control_device_t:s0 tclass=chr_file permissive=1

* SELinux is preventing mount from 'open' accesses on the chr_file /dev/loop-control.
type=AVC msg=audit(1557599764.3:351): avc:  denied  { open } for  pid=5364 comm="mount" path="/dev/loop-control" dev="devtmpfs" ino=27710 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:loop_control_device_t:s0 tclass=chr_file permissive=1

* SELinux is preventing mount from 'ioctl' accesses on the chr_file /dev/loop-control.
type=AVC msg=audit(1557599764.3:352): avc:  denied  { ioctl } for  pid=5364 comm="mount" path="/dev/loop-control" dev="devtmpfs" ino=27710 ioctlcmd=0x4c82 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:loop_control_device_t:s0 tclass=chr_file permissive=1

* SELinux is preventing mount from 'write' accesses on the blk_file loop2.
type=AVC msg=audit(1557599764.4:353): avc:  denied  { write } for  pid=5364 comm="mount" name="loop2" dev="devtmpfs" ino=67850 scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=1

* SELinux is preventing systemd from 'create' accesses on the directory recordings.
type=AVC msg=audit(1567538795.411:845): avc:  denied  { create } for  pid=1 comm="systemd" name="recordings" scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=0

* SELinux is preventing cp from using the 'setfscreate' accesses on a process.
type=AVC msg=audit(1569263071.507:365): avc:  denied  { setfscreate } for  pid=8657 comm="cp" scontext=system_u:system_r:snappy_t:s0 tcontext=system_u:system_r:snappy_t:s0 tclass=process permissive=1

* Process stratisd tried to access system with module_request.
* SELinux is preventing stratisd from 'execute' accesses on the file /usr/sbin/pdata_tools.
type=AVC msg=audit(1572608333.230:776): avc:  denied  { execute } for  pid=16969 comm="stratisd" name="pdata_tools" dev="dm-4" ino=201329307 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1

* SELinux is preventing stratisd from 'execute_no_trans' accesses on the file /usr/sbin/pdata_tools.
type=AVC msg=audit(1572608333.230:777): avc:  denied  { execute_no_trans } for  pid=16969 comm="stratisd" path="/usr/sbin/pdata_tools" dev="dm-4" ino=201329307 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1

* Process thin_check tried to access /usr/sbin/pdata_tools with map.
* Process stratisd tried to write to directory /stratis
* Process stratisd tried to access directory .mdv-093c... with add_name.
* Process stratisd tried to access directory .mdv-093c... with create.
type=AVC msg=audit(1572695079.107:482): avc:  denied  { create } for  pid=6651 comm="stratisd" name=".mdv-093c8d4221b846a2a7e85d35f458fa58" scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1

* Process stratisd tried to access directory .mdv-093c... with mounton.
* Process stratisd tried to access filesystem /.
type=AVC msg=audit(1572695079.135:484): avc:  denied  { mount } for  pid=6651 comm="stratisd" name="/" dev="dm-15" ino=12992 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1

* Process stratisd tried to access directory 'filesystems' with read.
type=AVC msg=audit(1572695079.136:486): avc:  denied  { read } for  pid=6651 comm="stratisd" name="filesystems" dev="dm-15" ino=12995 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1

* Process stratisd tried to access directory 'filesystems' with open.
* Process stratisd tried to access directory 'filesystems' with getattr.
* Process stratisd tried to access filesystem with unmount.
type=AVC msg=audit(1572695079.136:489): avc:  denied  { unmount } for  pid=6651 comm="stratisd" scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1

* Process stratisd tried to access directory .mdv-093c... with remove_name.
* Process stratisd tried to access directory .mdv-093c... with rmdir.
type=AVC msg=audit(1572695079.220:491): avc:  denied  { rmdir } for  pid=6651 comm="stratisd" name=".mdv-093c8d4221b846a2a7e85d35f458fa58" dev="dm-4" ino=134343861 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1

* Process stratisd tried to access directory 'filesystems' with search.
type=AVC msg=audit(1572695079.247:492): avc:  denied  { search } for  pid=6651 comm="stratisd" name="filesystems" dev="dm-15" ino=12995 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1

* Process stratisd tried to access file 1715509...4d.json with read.
type=AVC msg=audit(1572695079.247:493): avc:  denied  { read } for  pid=6651 comm="stratisd" name="17155095e2254fb0b020ec2ffa6a5e4d.json" dev="dm-15" ino=12996 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1

* Process stratisd tried to access file 1715509...4d.json with open.
* Process stratisd tried to access /mnt/opt with getattr.
type=AVC msg=audit(1572695079.338:495): avc:  denied  { getattr } for  pid=6651 comm="stratisd" name="/" dev="dm-17" ino=2048 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1

* Process stratisd tried to access lnk_file /stratis/stratis_hdd/opt with unlink.
type=AVC msg=audit(1572695079.339:496): avc:  denied  { unlink } for  pid=6651 comm="stratisd" name="opt" dev="dm-4" ino=146941056 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=lnk_file permissive=1

* Process stratisd tried to access lnk_file /opt with create.
type=AVC msg=audit(1572695079.339:497): avc:  denied  { create } for  pid=6651 comm="stratisd" name="opt" scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=lnk_file permissive=1

* Process systemd tried to access capability2 with mac_admin.
type=AVC msg=audit(1575127332.448:120): avc:  denied  { mac_admin } for  pid=1 comm="systemd" capability=33  scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=capability2 permissive=1

* Process mandb tried to access directory /var/lib/snapd with search.
type=AVC msg=audit(1575127443.105:355): avc:  denied  { search } for  pid=5298 comm="mandb" name="snapd" dev="dm-4" ino=134536464 scontext=system_u:system_r:mandb_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1 trawcon="system_u:object_r:snappy_var_lib_t:s0"

Comment 16 aannoaanno 2019-12-06 09:05:33 UTC
Well, I'm reporter of the 'duplicate' bug https://bugzilla.redhat.com/show_bug.cgi?id=1767773 that I opened on 2019-11-01 11:51:45 UTC. My problem is _still_ _not_ _solved_ in Fedora 31, but I can't see any progress here.

Hence this is my question: Is there still the intent to solve this problem in Fedora 31? Can I provide additional information on the subject?

Comment 17 Fedora Update System 2019-12-06 18:02:36 UTC
FEDORA-2019-fefda9dd5e has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2019-fefda9dd5e

Comment 18 Fedora Update System 2019-12-07 03:38:25 UTC
container-selinux-2.123.0-2.fc31, selinux-policy-3.14.4-43.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-fefda9dd5e

Comment 19 aannoaanno 2019-12-10 18:52:12 UTC
selinux-policy-3.14.4-43.fc31 does not resolve this issue

Comment 20 Fedora Update System 2019-12-11 02:05:59 UTC
container-selinux-2.123.0-2.fc31, selinux-policy-3.14.4-43.fc31 has been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report.

Comment 21 aannoaanno 2019-12-19 17:21:49 UTC
The problem is still there with selinux-policy-3.14.4-43.fc31, and I would like to reopen the bug, as I still see the following in /var/log/messages:

Dec 19 18:10:27 blacksnapper audit[836]: AVC avc:  denied  { module_request } for  pid=836 comm="stratisd" kmod="dm-cache" scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=1
Dec 19 18:10:27 blacksnapper kernel: device-mapper: table: 253:11: adding target device dm-8 caused an alignment inconsistency: physical_block_size=4096, logical_block_size=512, alignment_offset=0, start=0
Dec 19 18:10:27 blacksnapper kernel: device-mapper: cache: Origin device (dm-8) discard unsupported: Disabling discard passdown.
Dec 19 18:10:27 blacksnapper kernel: device-mapper: table: 253:11: adding target device dm-8 caused an alignment inconsistency: physical_block_size=4096, logical_block_size=512, alignment_offset=0, start=0
Dec 19 18:10:27 blacksnapper kernel: device-mapper: table: 253:11: adding target device dm-8 caused an alignment inconsistency: physical_block_size=4096, logical_block_size=512, alignment_offset=0, start=0
Dec 19 18:10:27 blacksnapper kernel: device-mapper: table: 253:11: adding target device dm-8 caused an alignment inconsistency: physical_block_size=4096, logical_block_size=512, alignment_offset=0, start=0
Dec 19 18:10:27 blacksnapper systemd[1]: Started Cryptography Setup for luks-stratis-hdd-vg.
Dec 19 18:10:27 blacksnapper audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-cryptsetup@luks\x2dstratis\x2dhdd\x2dvg comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Dec 19 18:10:27 blacksnapper audit[1419]: AVC avc:  denied  { execute } for  pid=1419 comm="stratisd" name="pdata_tools" dev="dm-4" ino=201329307 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
Dec 19 18:10:27 blacksnapper audit[1419]: AVC avc:  denied  { execute_no_trans } for  pid=1419 comm="stratisd" path="/usr/sbin/pdata_tools" dev="dm-4" ino=201329307 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
Dec 19 18:10:27 blacksnapper audit[1419]: AVC avc:  denied  { map } for  pid=1419 comm="thin_check" path="/usr/sbin/pdata_tools" dev="dm-4" ino=201329307 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
Dec 19 18:10:27 blacksnapper audit[836]: AVC avc:  denied  { write } for  pid=836 comm="stratisd" name="stratis" dev="dm-4" ino=2307 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
Dec 19 18:10:27 blacksnapper audit[836]: AVC avc:  denied  { add_name } for  pid=836 comm="stratisd" name=".mdv-093c8d4221b846a2a7e85d35f458fa58" scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
Dec 19 18:10:27 blacksnapper audit[836]: AVC avc:  denied  { create } for  pid=836 comm="stratisd" name=".mdv-093c8d4221b846a2a7e85d35f458fa58" scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
Dec 19 18:10:27 blacksnapper audit[836]: AVC avc:  denied  { mounton } for  pid=836 comm="stratisd" path="/stratis/.mdv-093c8d4221b846a2a7e85d35f458fa58" dev="dm-4" ino=864 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
Dec 19 18:10:27 blacksnapper kernel: XFS (dm-15): Mounting V5 Filesystem
Dec 19 18:10:27 blacksnapper kernel: XFS (dm-15): Ending clean mount
Dec 19 18:10:27 blacksnapper audit[836]: AVC avc:  denied  { mount } for  pid=836 comm="stratisd" name="/" dev="dm-15" ino=12992 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1
Dec 19 18:10:27 blacksnapper audit[836]: AVC avc:  denied  { search } for  pid=836 comm="stratisd" name="/" dev="dm-15" ino=12992 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
Dec 19 18:10:27 blacksnapper audit[836]: AVC avc:  denied  { read } for  pid=836 comm="stratisd" name="filesystems" dev="dm-15" ino=12995 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
Dec 19 18:10:27 blacksnapper audit[836]: AVC avc:  denied  { open } for  pid=836 comm="stratisd" path="/stratis/.mdv-093c8d4221b846a2a7e85d35f458fa58/filesystems" dev="dm-15" ino=12995 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
Dec 19 18:10:27 blacksnapper audit[836]: AVC avc:  denied  { getattr } for  pid=836 comm="stratisd" path="/stratis/.mdv-093c8d4221b846a2a7e85d35f458fa58/filesystems" dev="dm-15" ino=12995 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
Dec 19 18:10:27 blacksnapper audit[836]: AVC avc:  denied  { unmount } for  pid=836 comm="stratisd" scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1
Dec 19 18:10:27 blacksnapper systemd[1]: stratis-.mdv\x2d093c8d4221b846a2a7e85d35f458fa58.mount: Succeeded.
Dec 19 18:10:27 blacksnapper kernel: XFS (dm-15): Unmounting Filesystem
Dec 19 18:10:27 blacksnapper audit[836]: AVC avc:  denied  { remove_name } for  pid=836 comm="stratisd" name=".mdv-093c8d4221b846a2a7e85d35f458fa58" dev="dm-4" ino=864 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
Dec 19 18:10:27 blacksnapper audit[836]: AVC avc:  denied  { rmdir } for  pid=836 comm="stratisd" name=".mdv-093c8d4221b846a2a7e85d35f458fa58" dev="dm-4" ino=864 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
Dec 19 18:10:27 blacksnapper kernel: XFS (dm-15): Mounting V5 Filesystem
Dec 19 18:10:27 blacksnapper kernel: XFS (dm-15): Ending clean mount
Dec 19 18:10:27 blacksnapper audit[836]: AVC avc:  denied  { search } for  pid=836 comm="stratisd" name="filesystems" dev="dm-15" ino=12995 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
Dec 19 18:10:27 blacksnapper audit[836]: AVC avc:  denied  { read } for  pid=836 comm="stratisd" name="17155095e2254fb0b020ec2ffa6a5e4d.json" dev="dm-15" ino=12996 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
Dec 19 18:10:27 blacksnapper audit[836]: AVC avc:  denied  { open } for  pid=836 comm="stratisd" path="/stratis/.mdv-093c8d4221b846a2a7e85d35f458fa58/filesystems/17155095e2254fb0b020ec2ffa6a5e4d.json" dev="dm-15" ino=12996 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
Dec 19 18:10:27 blacksnapper systemd[1]: stratis-.mdv\x2d093c8d4221b846a2a7e85d35f458fa58.mount: Succeeded.
Dec 19 18:10:27 blacksnapper kernel: XFS (dm-15): Unmounting Filesystem
Dec 19 18:10:27 blacksnapper stratisd[836]: INFO libstratis::engine::strat_engine::thinpool::thinpool: Data tier percent used: 13
Dec 19 18:10:27 blacksnapper audit[836]: AVC avc:  denied  { create } for  pid=836 comm="stratisd" name="home" scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=lnk_file permissive=1
Dec 19 18:10:27 blacksnapper kernel: kauditd_printk_skb: 67 callbacks suppressed
Dec 19 18:10:27 blacksnapper kernel: audit: type=1400 audit(1576775427.680:76): avc:  denied  { create } for  pid=836 comm="stratisd" name="home" scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=lnk_file permissive=1
Dec 19 18:10:27 blacksnapper systemd[1]: Found device /dev/disk/by-uuid/17155095-e225-4fb0-b020-ec2ffa6a5e4d.

I also voted against the 'fix' at https://bodhi.fedoraproject.org/updates/FEDORA-2019-fefda9dd5e .

