Bug 1794645 - stratisd does not work under selinux-policy
Summary: stratisd does not work under selinux-policy
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 31
Hardware: Unspecified
OS: Unspecified
high
medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
: 1767743 (view as bug list)
Depends On:
Blocks: 1767743
TreeView+ depends on / blocked
 
Reported: 2020-01-24 08:29 UTC by aannoaanno
Modified: 2020-02-14 15:12 UTC (History)
6 users (show)

Fixed In Version: selinux-policy-3.14.4-45.fc31
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-02-01 01:30:44 UTC
Type: Bug

Attachments (Terms of Use)
/var/log/messages (61.08 KB, application/gzip)
2020-01-24 08:38 UTC, aannoaanno 		no flags Details
Add an attachment (proposed patch, testcase, etc.)

Description aannoaanno 2020-01-24 08:29:11 UTC 
Description of problem:
stratisd does not work under selinux-policy

Version-Release number of selected component (if applicable):
selinux-policy-3.14.4-44.fc31.noarch

How reproducible:
always

Steps to Reproduce:
See https://github.com/stratis-storage/stratisd/issues/1684 how to reproduce the problem

Actual results:
With selinux enabled, stratisd is unable to mount stratisd managed disks while booting. Hence was forced to switch to 'permissive mode' to get my system usable again _3 months ago_.

Expected results:
With selinux enforced, stratisd is able to mount stratisd managed disks while booting.

Additional info:
Also see https://bugzilla.redhat.com/show_bug.cgi?id=1767743 and related bugs
Comment 1 aannoaanno 2020-01-24 08:33:28 UTC 
Currently I find the following selinux policy constraints violated in /var/log/messages:

Jan 24 09:12:39 blacksnapper audit[2003]: AVC avc:  denied  { write } for  pid=2003 comm="stratisd" name="stratis_hdd" dev="dm-4" ino=137037795 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
Jan 24 09:12:39 blacksnapper audit[2003]: AVC avc:  denied  { remove_name } for  pid=2003 comm="stratisd" name="home" dev="dm-4" ino=137037796 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
Jan 24 09:12:39 blacksnapper audit[2003]: AVC avc:  denied  { unlink } for  pid=2003 comm="stratisd" name="home" dev="dm-4" ino=137037796 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=lnk_file permissive=1
Jan 24 09:12:39 blacksnapper audit[2003]: AVC avc:  denied  { rmdir } for  pid=2003 comm="stratisd" name="stratis_hdd" dev="dm-4" ino=137037795 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1

...

Jan 24 09:12:47 blacksnapper audit[2921]: AVC avc:  denied  { execute } for  pid=2921 comm="stratisd" name="pdata_tools" dev="dm-4" ino=201329307 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
Jan 24 09:12:47 blacksnapper audit[2921]: AVC avc:  denied  { execute_no_trans } for  pid=2921 comm="stratisd" path="/usr/sbin/pdata_tools" dev="dm-4" ino=201329307 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
Jan 24 09:12:47 blacksnapper kernel: audit: type=1400 audit(1579853567.915:65): avc:  denied  { execute } for  pid=2921 comm="stratisd" name="pdata_tools" dev="dm-4" ino=201329307 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
Jan 24 09:12:47 blacksnapper kernel: audit: type=1400 audit(1579853567.915:65): avc:  denied  { execute_no_trans } for  pid=2921 comm="stratisd" path="/usr/sbin/pdata_tools" dev="dm-4" ino=201329307 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
Jan 24 09:12:47 blacksnapper kernel: audit: type=1400 audit(1579853567.915:65): avc:  denied  { map } for  pid=2921 comm="thin_check" path="/usr/sbin/pdata_tools" dev="dm-4" ino=201329307 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
Jan 24 09:12:47 blacksnapper audit[2921]: AVC avc:  denied  { map } for  pid=2921 comm="thin_check" path="/usr/sbin/pdata_tools" dev="dm-4" ino=201329307 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
Jan 24 09:12:47 blacksnapper systemd[1]: Started Cryptography Setup for luks-stratis-hdd-vg.
Jan 24 09:12:47 blacksnapper audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-cryptsetup@luks\x2dstratis\x2dhdd\x2dvg comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Jan 24 09:12:47 blacksnapper kernel: audit: type=1130 audit(1579853567.954:66): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-cryptsetup@luks\x2dstratis\x2dhdd\x2dvg comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Jan 24 09:12:48 blacksnapper audit[2003]: AVC avc:  denied  { write } for  pid=2003 comm="stratisd" name="stratis" dev="dm-4" ino=2307 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
Jan 24 09:12:48 blacksnapper audit[2003]: AVC avc:  denied  { add_name } for  pid=2003 comm="stratisd" name=".mdv-093c8d4221b846a2a7e85d35f458fa58" scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
Jan 24 09:12:48 blacksnapper kernel: audit: type=1400 audit(1579853568.031:67): avc:  denied  { write } for  pid=2003 comm="stratisd" name="stratis" dev="dm-4" ino=2307 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
Jan 24 09:12:48 blacksnapper kernel: audit: type=1400 audit(1579853568.031:67): avc:  denied  { add_name } for  pid=2003 comm="stratisd" name=".mdv-093c8d4221b846a2a7e85d35f458fa58" scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
Jan 24 09:12:48 blacksnapper kernel: XFS (dm-15): Mounting V5 Filesystem
Jan 24 09:12:48 blacksnapper kernel: audit: type=1400 audit(1579853568.031:67): avc:  denied  { create } for  pid=2003 comm="stratisd" name=".mdv-093c8d4221b846a2a7e85d35f458fa58" scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
Jan 24 09:12:48 blacksnapper audit[2003]: AVC avc:  denied  { create } for  pid=2003 comm="stratisd" name=".mdv-093c8d4221b846a2a7e85d35f458fa58" scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
Jan 24 09:12:48 blacksnapper audit[2003]: AVC avc:  denied  { mounton } for  pid=2003 comm="stratisd" path="/stratis/.mdv-093c8d4221b846a2a7e85d35f458fa58" dev="dm-4" ino=45169 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
Jan 24 09:12:48 blacksnapper kernel: audit: type=1400 audit(1579853568.032:68): avc:  denied  { mounton } for  pid=2003 comm="stratisd" path="/stratis/.mdv-093c8d4221b846a2a7e85d35f458fa58" dev="dm-4" ino=45169 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
Jan 24 09:12:48 blacksnapper kernel: XFS (dm-15): Ending clean mount
Jan 24 09:12:48 blacksnapper kernel: xfs filesystem being mounted at /stratis/.mdv-093c8d4221b846a2a7e85d35f458fa58 supports timestamps until 2038 (0x7fffffff)
Jan 24 09:12:48 blacksnapper kernel: audit: type=1400 audit(1579853568.032:68): avc:  denied  { mount } for  pid=2003 comm="stratisd" name="/" dev="dm-15" ino=12992 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1
Jan 24 09:12:48 blacksnapper audit[2003]: AVC avc:  denied  { mount } for  pid=2003 comm="stratisd" name="/" dev="dm-15" ino=12992 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1
Jan 24 09:12:48 blacksnapper systemd[1]: stratis-.mdv\x2d093c8d4221b846a2a7e85d35f458fa58.mount: Succeeded.
Jan 24 09:12:48 blacksnapper audit[2003]: AVC avc:  denied  { search } for  pid=2003 comm="stratisd" name="/" dev="dm-15" ino=12992 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
Jan 24 09:12:48 blacksnapper audit[2003]: AVC avc:  denied  { read } for  pid=2003 comm="stratisd" name="filesystems" dev="dm-15" ino=12995 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
Jan 24 09:12:48 blacksnapper audit[2003]: AVC avc:  denied  { open } for  pid=2003 comm="stratisd" path="/stratis/.mdv-093c8d4221b846a2a7e85d35f458fa58/filesystems" dev="dm-15" ino=12995 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
Jan 24 09:12:48 blacksnapper audit[2003]: AVC avc:  denied  { getattr } for  pid=2003 comm="stratisd" path="/stratis/.mdv-093c8d4221b846a2a7e85d35f458fa58/filesystems" dev="dm-15" ino=12995 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
Jan 24 09:12:48 blacksnapper audit[2003]: AVC avc:  denied  { unmount } for  pid=2003 comm="stratisd" scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1
Jan 24 09:12:48 blacksnapper kernel: XFS (dm-15): Unmounting Filesystem
Jan 24 09:12:48 blacksnapper audit[2003]: AVC avc:  denied  { remove_name } for  pid=2003 comm="stratisd" name=".mdv-093c8d4221b846a2a7e85d35f458fa58" dev="dm-4" ino=45169 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
Jan 24 09:12:48 blacksnapper audit[2003]: AVC avc:  denied  { rmdir } for  pid=2003 comm="stratisd" name=".mdv-093c8d4221b846a2a7e85d35f458fa58" dev="dm-4" ino=45169 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
Jan 24 09:12:48 blacksnapper kernel: XFS (dm-15): Mounting V5 Filesystem
Jan 24 09:12:48 blacksnapper kernel: XFS (dm-15): Ending clean mount
Jan 24 09:12:48 blacksnapper kernel: xfs filesystem being mounted at /stratis/.mdv-093c8d4221b846a2a7e85d35f458fa58 supports timestamps until 2038 (0x7fffffff)
Jan 24 09:12:48 blacksnapper audit[2003]: AVC avc:  denied  { search } for  pid=2003 comm="stratisd" name="filesystems" dev="dm-15" ino=12995 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
Jan 24 09:12:48 blacksnapper audit[2003]: AVC avc:  denied  { read } for  pid=2003 comm="stratisd" name="17155095e2254fb0b020ec2ffa6a5e4d.json" dev="dm-15" ino=12996 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
Jan 24 09:12:48 blacksnapper audit[2003]: AVC avc:  denied  { open } for  pid=2003 comm="stratisd" path="/stratis/.mdv-093c8d4221b846a2a7e85d35f458fa58/filesystems/17155095e2254fb0b020ec2ffa6a5e4d.json" dev="dm-15" ino=12996 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
Jan 24 09:12:48 blacksnapper systemd[1]: stratis-.mdv\x2d093c8d4221b846a2a7e85d35f458fa58.mount: Succeeded.
Jan 24 09:12:48 blacksnapper kernel: XFS (dm-15): Unmounting Filesystem
Jan 24 09:12:48 blacksnapper stratisd[2003]: INFO libstratis::engine::strat_engine::thinpool::thinpool: Data tier percent used: 14
Jan 24 09:12:48 blacksnapper audit[2003]: AVC avc:  denied  { create } for  pid=2003 comm="stratisd" name="home" scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=lnk_file permissive=1

Jan 24 09:12:48 blacksnapper systemd[1]: Found device /dev/disk/by-uuid/17155095-e225-4fb0-b020-ec2ffa6a5e4d.
Jan 24 09:12:48 blacksnapper systemd[1]: Found device /dev/disk/by-uuid/fb19a29e-ab39-4b41-8d37-0dc6d222a2b9.
Jan 24 09:12:48 blacksnapper stratisd[2003]: WARN stratisd: D-Bus API is not available
Jan 24 09:12:48 blacksnapper stratisd[2003]: INFO libstratis::engine::strat_engine::thinpool::thinpool: Data tier percent used: 14
Jan 24 09:12:48 blacksnapper stratisd[2003]: INFO libstratis::engine::strat_engine::thinpool::thinpool: Data tier percent used: 14
Jan 24 09:12:48 blacksnapper stratisd[2003]: INFO libstratis::engine::strat_engine::thinpool::thinpool: Data tier percent used: 14
Jan 24 09:12:48 blacksnapper stratisd[2003]: INFO libstratis::engine::strat_engine::thinpool::thinpool: Data tier percent used: 14
Jan 24 09:12:48 blacksnapper stratisd[2003]: WARN stratisd: D-Bus API is not available
Jan 24 09:12:48 blacksnapper stratisd[2003]: WARN stratisd: D-Bus API is not available
Jan 24 09:12:49 blacksnapper stratisd[2003]: WARN stratisd: D-Bus API is not available
Comment 2 aannoaanno 2020-01-24 08:38:53 UTC 
Created attachment 1654974 [details]
/var/log/messages
Comment 3 Lukas Vrabec 2020-01-24 11:56:28 UTC 
This issue should be fixed with next selinux-policy build.
Comment 4 Fedora Update System 2020-01-31 01:28:40 UTC 
selinux-policy-3.14.4-45.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-bb42099a17
Comment 5 Fedora Update System 2020-02-01 01:30:44 UTC 
selinux-policy-3.14.4-45.fc31 has been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report.
Comment 6 aannoaanno 2020-02-01 09:47:03 UTC 
I was just able to verify that https://bodhi.fedoraproject.org/updates/FEDORA-2020-bb42099a17 (selinux-policy-3.14.4-45.fc31) fixes the problem. Thank you for support!
Comment 7 aannoaanno 2020-02-14 15:12:42 UTC 
*** Bug 1767743 has been marked as a duplicate of this bug. ***
Note You need to log in before you can comment on or make changes to this bug.