Description of problem:
stratisd does not work under selinux-policy

Version-Release number of selected component (if applicable):
selinux-policy-3.14.4-44.fc31.noarch

How reproducible:
always

Steps to Reproduce:
See https://github.com/stratis-storage/stratisd/issues/1684 for how to reproduce the problem.

Actual results:
With selinux enabled, stratisd is unable to mount stratisd-managed disks while booting. Hence I was forced to switch to 'permissive mode' to get my system usable again _3 months ago_.

Expected results:
With selinux enforced, stratisd is able to mount stratisd-managed disks while booting.

Additional info:
Also see https://bugzilla.redhat.com/show_bug.cgi?id=1767743 and related bugs.
Currently I find the following selinux policy constraints violated in /var/log/messages:

Jan 24 09:12:39 blacksnapper audit[2003]: AVC avc: denied { write } for pid=2003 comm="stratisd" name="stratis_hdd" dev="dm-4" ino=137037795 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
Jan 24 09:12:39 blacksnapper audit[2003]: AVC avc: denied { remove_name } for pid=2003 comm="stratisd" name="home" dev="dm-4" ino=137037796 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
Jan 24 09:12:39 blacksnapper audit[2003]: AVC avc: denied { unlink } for pid=2003 comm="stratisd" name="home" dev="dm-4" ino=137037796 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=lnk_file permissive=1
Jan 24 09:12:39 blacksnapper audit[2003]: AVC avc: denied { rmdir } for pid=2003 comm="stratisd" name="stratis_hdd" dev="dm-4" ino=137037795 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
...
Jan 24 09:12:47 blacksnapper audit[2921]: AVC avc: denied { execute } for pid=2921 comm="stratisd" name="pdata_tools" dev="dm-4" ino=201329307 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
Jan 24 09:12:47 blacksnapper audit[2921]: AVC avc: denied { execute_no_trans } for pid=2921 comm="stratisd" path="/usr/sbin/pdata_tools" dev="dm-4" ino=201329307 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
Jan 24 09:12:47 blacksnapper kernel: audit: type=1400 audit(1579853567.915:65): avc: denied { execute } for pid=2921 comm="stratisd" name="pdata_tools" dev="dm-4" ino=201329307 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
Jan 24 09:12:47 blacksnapper kernel: audit: type=1400 audit(1579853567.915:65): avc: denied { execute_no_trans } for pid=2921 comm="stratisd" path="/usr/sbin/pdata_tools" dev="dm-4" ino=201329307 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
Jan 24 09:12:47 blacksnapper kernel: audit: type=1400 audit(1579853567.915:65): avc: denied { map } for pid=2921 comm="thin_check" path="/usr/sbin/pdata_tools" dev="dm-4" ino=201329307 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
Jan 24 09:12:47 blacksnapper audit[2921]: AVC avc: denied { map } for pid=2921 comm="thin_check" path="/usr/sbin/pdata_tools" dev="dm-4" ino=201329307 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
Jan 24 09:12:47 blacksnapper systemd[1]: Started Cryptography Setup for luks-stratis-hdd-vg.
Jan 24 09:12:47 blacksnapper audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-cryptsetup@luks\x2dstratis\x2dhdd\x2dvg comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Jan 24 09:12:47 blacksnapper kernel: audit: type=1130 audit(1579853567.954:66): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-cryptsetup@luks\x2dstratis\x2dhdd\x2dvg comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Jan 24 09:12:48 blacksnapper audit[2003]: AVC avc: denied { write } for pid=2003 comm="stratisd" name="stratis" dev="dm-4" ino=2307 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
Jan 24 09:12:48 blacksnapper audit[2003]: AVC avc: denied { add_name } for pid=2003 comm="stratisd" name=".mdv-093c8d4221b846a2a7e85d35f458fa58" scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
Jan 24 09:12:48 blacksnapper kernel: audit: type=1400 audit(1579853568.031:67): avc: denied { write } for pid=2003 comm="stratisd" name="stratis" dev="dm-4" ino=2307 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
Jan 24 09:12:48 blacksnapper kernel: audit: type=1400 audit(1579853568.031:67): avc: denied { add_name } for pid=2003 comm="stratisd" name=".mdv-093c8d4221b846a2a7e85d35f458fa58" scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
Jan 24 09:12:48 blacksnapper kernel: XFS (dm-15): Mounting V5 Filesystem
Jan 24 09:12:48 blacksnapper kernel: audit: type=1400 audit(1579853568.031:67): avc: denied { create } for pid=2003 comm="stratisd" name=".mdv-093c8d4221b846a2a7e85d35f458fa58" scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
Jan 24 09:12:48 blacksnapper audit[2003]: AVC avc: denied { create } for pid=2003 comm="stratisd" name=".mdv-093c8d4221b846a2a7e85d35f458fa58" scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
Jan 24 09:12:48 blacksnapper audit[2003]: AVC avc: denied { mounton } for pid=2003 comm="stratisd" path="/stratis/.mdv-093c8d4221b846a2a7e85d35f458fa58" dev="dm-4" ino=45169 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
Jan 24 09:12:48 blacksnapper kernel: audit: type=1400 audit(1579853568.032:68): avc: denied { mounton } for pid=2003 comm="stratisd" path="/stratis/.mdv-093c8d4221b846a2a7e85d35f458fa58" dev="dm-4" ino=45169 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
Jan 24 09:12:48 blacksnapper kernel: XFS (dm-15): Ending clean mount
Jan 24 09:12:48 blacksnapper kernel: xfs filesystem being mounted at /stratis/.mdv-093c8d4221b846a2a7e85d35f458fa58 supports timestamps until 2038 (0x7fffffff)
Jan 24 09:12:48 blacksnapper kernel: audit: type=1400 audit(1579853568.032:68): avc: denied { mount } for pid=2003 comm="stratisd" name="/" dev="dm-15" ino=12992 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1
Jan 24 09:12:48 blacksnapper audit[2003]: AVC avc: denied { mount } for pid=2003 comm="stratisd" name="/" dev="dm-15" ino=12992 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1
Jan 24 09:12:48 blacksnapper systemd[1]: stratis-.mdv\x2d093c8d4221b846a2a7e85d35f458fa58.mount: Succeeded.
Jan 24 09:12:48 blacksnapper audit[2003]: AVC avc: denied { search } for pid=2003 comm="stratisd" name="/" dev="dm-15" ino=12992 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
Jan 24 09:12:48 blacksnapper audit[2003]: AVC avc: denied { read } for pid=2003 comm="stratisd" name="filesystems" dev="dm-15" ino=12995 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
Jan 24 09:12:48 blacksnapper audit[2003]: AVC avc: denied { open } for pid=2003 comm="stratisd" path="/stratis/.mdv-093c8d4221b846a2a7e85d35f458fa58/filesystems" dev="dm-15" ino=12995 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
Jan 24 09:12:48 blacksnapper audit[2003]: AVC avc: denied { getattr } for pid=2003 comm="stratisd" path="/stratis/.mdv-093c8d4221b846a2a7e85d35f458fa58/filesystems" dev="dm-15" ino=12995 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
Jan 24 09:12:48 blacksnapper audit[2003]: AVC avc: denied { unmount } for pid=2003 comm="stratisd" scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1
Jan 24 09:12:48 blacksnapper kernel: XFS (dm-15): Unmounting Filesystem
Jan 24 09:12:48 blacksnapper audit[2003]: AVC avc: denied { remove_name } for pid=2003 comm="stratisd" name=".mdv-093c8d4221b846a2a7e85d35f458fa58" dev="dm-4" ino=45169 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
Jan 24 09:12:48 blacksnapper audit[2003]: AVC avc: denied { rmdir } for pid=2003 comm="stratisd" name=".mdv-093c8d4221b846a2a7e85d35f458fa58" dev="dm-4" ino=45169 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
Jan 24 09:12:48 blacksnapper kernel: XFS (dm-15): Mounting V5 Filesystem
Jan 24 09:12:48 blacksnapper kernel: XFS (dm-15): Ending clean mount
Jan 24 09:12:48 blacksnapper kernel: xfs filesystem being mounted at /stratis/.mdv-093c8d4221b846a2a7e85d35f458fa58 supports timestamps until 2038 (0x7fffffff)
Jan 24 09:12:48 blacksnapper audit[2003]: AVC avc: denied { search } for pid=2003 comm="stratisd" name="filesystems" dev="dm-15" ino=12995 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
Jan 24 09:12:48 blacksnapper audit[2003]: AVC avc: denied { read } for pid=2003 comm="stratisd" name="17155095e2254fb0b020ec2ffa6a5e4d.json" dev="dm-15" ino=12996 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
Jan 24 09:12:48 blacksnapper audit[2003]: AVC avc: denied { open } for pid=2003 comm="stratisd" path="/stratis/.mdv-093c8d4221b846a2a7e85d35f458fa58/filesystems/17155095e2254fb0b020ec2ffa6a5e4d.json" dev="dm-15" ino=12996 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
Jan 24 09:12:48 blacksnapper systemd[1]: stratis-.mdv\x2d093c8d4221b846a2a7e85d35f458fa58.mount: Succeeded.
Jan 24 09:12:48 blacksnapper kernel: XFS (dm-15): Unmounting Filesystem
Jan 24 09:12:48 blacksnapper stratisd[2003]: INFO libstratis::engine::strat_engine::thinpool::thinpool: Data tier percent used: 14
Jan 24 09:12:48 blacksnapper audit[2003]: AVC avc: denied { create } for pid=2003 comm="stratisd" name="home" scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=lnk_file permissive=1
Jan 24 09:12:48 blacksnapper systemd[1]: Found device /dev/disk/by-uuid/17155095-e225-4fb0-b020-ec2ffa6a5e4d.
Jan 24 09:12:48 blacksnapper systemd[1]: Found device /dev/disk/by-uuid/fb19a29e-ab39-4b41-8d37-0dc6d222a2b9.
Jan 24 09:12:48 blacksnapper stratisd[2003]: WARN stratisd: D-Bus API is not available
Jan 24 09:12:48 blacksnapper stratisd[2003]: INFO libstratis::engine::strat_engine::thinpool::thinpool: Data tier percent used: 14
Jan 24 09:12:48 blacksnapper stratisd[2003]: INFO libstratis::engine::strat_engine::thinpool::thinpool: Data tier percent used: 14
Jan 24 09:12:48 blacksnapper stratisd[2003]: INFO libstratis::engine::strat_engine::thinpool::thinpool: Data tier percent used: 14
Jan 24 09:12:48 blacksnapper stratisd[2003]: INFO libstratis::engine::strat_engine::thinpool::thinpool: Data tier percent used: 14
Jan 24 09:12:48 blacksnapper stratisd[2003]: WARN stratisd: D-Bus API is not available
Jan 24 09:12:48 blacksnapper stratisd[2003]: WARN stratisd: D-Bus API is not available
Jan 24 09:12:49 blacksnapper stratisd[2003]: WARN stratisd: D-Bus API is not available
Created attachment 1654974: /var/log/messages
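The denials quoted above sort into a few buckets once grouped by (source type, target type, object class): stratisd_t acting on directories and symlinks that carry the generic root_t label (/stratis and its children), executing pdata_tools labelled bin_t, mounting and unmounting fs_t filesystems, and reading the metadata volume whose contents are unlabeled_t. The last bucket is a labelling gap rather than a missing allow rule: unlabeled_t means the files carry no SELinux xattr at all. The following triage script is an added illustration, not part of this bug report or of the stratisd or selinux-policy projects; it parses both the audit[pid] and the kernel type=1400 line formats seen in /var/log/messages, groups the denials the way audit2allow would, and separately flags target types that point at missing labels. The sample lines are a constructed subset of the ones quoted in this bug.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the AVC denials quoted in this bug, in both the
# "audit[pid]: AVC avc:" and the "kernel: audit: type=1400" line formats.
SAMPLE_LOG = """\
Jan 24 09:12:39 blacksnapper audit[2003]: AVC avc: denied { write } for pid=2003 comm="stratisd" name="stratis_hdd" dev="dm-4" ino=137037795 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
Jan 24 09:12:39 blacksnapper audit[2003]: AVC avc: denied { rmdir } for pid=2003 comm="stratisd" name="stratis_hdd" dev="dm-4" ino=137037795 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
Jan 24 09:12:47 blacksnapper kernel: audit: type=1400 audit(1579853567.915:65): avc: denied { execute } for pid=2921 comm="stratisd" name="pdata_tools" dev="dm-4" ino=201329307 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
Jan 24 09:12:47 blacksnapper audit[2921]: AVC avc: denied { execute_no_trans } for pid=2921 comm="stratisd" path="/usr/sbin/pdata_tools" dev="dm-4" ino=201329307 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1
Jan 24 09:12:48 blacksnapper audit[2003]: AVC avc: denied { mount } for pid=2003 comm="stratisd" name="/" dev="dm-15" ino=12992 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1
Jan 24 09:12:48 blacksnapper audit[2003]: AVC avc: denied { search } for pid=2003 comm="stratisd" name="/" dev="dm-15" ino=12992 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=1
Jan 24 09:12:48 blacksnapper kernel: XFS (dm-15): Mounting V5 Filesystem
Jan 24 09:12:48 blacksnapper stratisd[2003]: WARN stratisd: D-Bus API is not available
"""

# Matches the common tail of both line formats: "avc: denied { perms } for key=value ...".
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Target types that indicate an object has no proper label, so the fix is labelling
# (file contexts / relabel), not an allow rule against the placeholder type.
LABELING_GAP_TYPES = {"unlabeled_t", "default_t"}


def parse_avc(line):
    """Return a dict for one AVC denial line, or None for any other log line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    # A context is user:role:type:level; policy rules key on the type component.
    fields["stype"] = fields["scontext"].split(":")[2]
    fields["ttype"] = fields["tcontext"].split(":")[2]
    fields["perms"] = set(m.group("perms").split())
    fields["permissive"] = fields.get("permissive") == "1"
    return fields


def summarize(lines):
    """Group denials by (source type, target type, object class) -> set of permissions."""
    summary = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec:
            summary[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return dict(summary)


def as_allow_rules(summary):
    """Render each group in allow-rule syntax, the form audit2allow prints for review."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(summary.items()):
        perm_str = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_str = "{ " + perm_str + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {perm_str};")
    return rules


def labeling_gaps(summary):
    """Target types in the summary that signal missing labels rather than missing rules."""
    return sorted({ttype for (_, ttype, _) in summary if ttype in LABELING_GAP_TYPES})


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG.splitlines())
    for rule in as_allow_rules(s):
        print(rule)
    print("labelling gaps:", labeling_gaps(s))
```

The allow-rule rendering is for reading, not for pasting into a module: a rule such as `allow stratisd_t root_t:dir { rmdir write };` would let the daemon modify any root_t directory, whereas the maintainers' fix for this report is to give /stratis and the metadata volume their own types so the daemon only gets access to those. The `labeling_gaps` output is the quickest way to tell the two kinds of finding apart when reading a long /var/log/messages.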
This issue should be fixed with next selinux-policy build.
selinux-policy-3.14.4-45.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-bb42099a17
selinux-policy-3.14.4-45.fc31 has been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report.
I was just able to verify that https://bodhi.fedoraproject.org/updates/FEDORA-2020-bb42099a17 (selinux-policy-3.14.4-45.fc31) fixes the problem. Thank you for the support!
*** Bug 1767743 has been marked as a duplicate of this bug. ***