When attempting to use fido-device-onboard (FDO) in Fedora 38/39, disk re-encryption fails with:

Oct 19 16:21:58 fedora-39-iot-custom fdo-client-linuxapp[1232]: 2023-10-19T16:21:58.175Z INFO fdo_client_linuxapp::serviceinfo > Initiating disk re-encryption, disk-label: /dev/vda3, pin: tpm2, config: {}, reencrypt: true
Oct 19 16:21:58 fedora-39-iot-custom audit[1488]: AVC avc: denied { search } for pid=1488 comm="pwmake" name="cracklib" dev="dm-1" ino=164196 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:crack_db_t:s0 tclass=dir permissive=0
Oct 19 16:21:58 fedora-39-iot-custom audit[1488]: SYSCALL arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ffd0d8e1000 a2=0 a3=0 items=0 ppid=1477 pid=1488 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pwmake" exe="/usr/bin/pwmake" subj=system_u:>
Oct 19 16:21:58 fedora-39-iot-custom fdo-client-linuxapp[1232]: 2023-10-19T16:21:58.256Z ERROR fdo_client_linuxapp > ServiceInfo failed, error: Error processing returned serviceinfo
Oct 19 16:21:58 fedora-39-iot-custom fdo-client-linuxapp[1232]: Caused by:
Oct 19 16:21:58 fedora-39-iot-custom fdo-client-linuxapp[1232]: 0: Error executing clevis
Oct 19 16:21:58 fedora-39-iot-custom fdo-client-linuxapp[1232]: 1: Error executing disk encryption for disk label /dev/vda3
Oct 19 16:21:58 fedora-39-iot-custom fdo-client-linuxapp[1232]: 2: Error rebinding clevis
Oct 19 16:21:58 fedora-39-iot-custom fdo-client-linuxapp[1232]: 3: Error binding clevis
Oct 19 16:21:58 fedora-39-iot-custom fdo-client-linuxapp[1232]: 4: Failed to bind clevis: ExitStatus(unix_wait_status(256)), stdout: , stderr:
Oct 19 16:21:58 fedora-39-iot-custom fdo-client-linuxapp[1232]: /usr/share/cracklib/pw_dict.pwd.gz: Permission denied
Oct 19 16:21:58 fedora-39-iot-custom fdo-client-linuxapp[1232]: /usr/share/cracklib/pw_dict.pwd.gz: Permission denied
Oct 19 16:21:58 fedora-39-iot-custom fdo-client-linuxapp[1232]: /usr/share/cracklib/pw_dict.pwd.gz: Permission denied
Oct 19 16:21:58 fedora-39-iot-custom fdo-client-linuxapp[1232]: Error: Password generation failed - required entropy too low for settings
Oct 19 16:21:58 fedora-39-iot-custom fdo-client-linuxapp[1232]: Unable to generate a new key
Oct 19 16:21:58 fedora-39-iot-custom fdo-client-linuxapp[1232]: Error adding new binding to /dev/vda3
Oct 19 16:21:58 fedora-39-iot-custom fdo-client-linuxapp[1232]:
Oct 19 16:21:58 fedora-39-iot-custom kernel: audit: type=1400 audit(1697732518.253:194): avc: denied { search } for pid=1488 comm="pwmake" name="cracklib" dev="dm-1" ino=164196 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:crack_db_t:s0 tclass=dir permissive=0
Oct 19 16:21:58 fedora-39-iot-custom kernel: audit: type=1300 audit(1697732518.253:194): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ffd0d8e1000 a2=0 a3=0 items=0 ppid=1477 pid=1488 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="pwmake" exe=">

Reproducible: Always

Steps to Reproduce:
1. Create a simplified-installer including clevis disk re-encryption
2. Install new system, on reboot disk re-encryption fails.
So looking at that log and breaking it down a little, it looks like FDO, possibly through clevis, calls /usr/bin/pwmake (part of libpwquality), which links to libcrack, which accesses the dictionaries. I wonder if we can break this issue down a little more and work out the exact way the binaries are called, and whether it's pwmake being SELinux-denied on its own or fdo/clevis's access to call pwmake, etc.
Can you please try to reproduce with the following local module?

# cat local_fdo_crackdb.cil
(allow fdo_t crack_db_t (dir (getattr search open)))
(allow fdo_t crack_db_t (file (getattr open read ioctl lock)))

# semodule -i local_fdo_crackdb.cil
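As an added example (not code from this bug thread or from the selinux-policy project), the script below does by hand what the comment above did by eye: it parses the AVC denial lines from the report, extracts the source type, target type, object class and permission set, and renders them as CIL allow statements. The sample audit text is constructed from the two AVC lines in the report; the regex, function names and aggregation logic are the example's own.

```python
"""Turn SELinux AVC denial lines into minimal CIL allow statements.

Added example, not part of the Bugzilla thread or of selinux-policy.
The parser, helper names and sample text below are the example's own.
"""
import re
from collections import defaultdict

# Constructed from the report: the audit[...] line and the kernel
# "type=1400" line carry the same denial, so they collapse to one rule.
SAMPLE_AUDIT = """\
Oct 19 16:21:58 fedora-39-iot-custom audit[1488]: AVC avc: denied { search } for pid=1488 comm="pwmake" name="cracklib" dev="dm-1" ino=164196 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:crack_db_t:s0 tclass=dir permissive=0
Oct 19 16:21:58 fedora-39-iot-custom kernel: audit: type=1400 audit(1697732518.253:194): avc: denied { search } for pid=1488 comm="pwmake" name="cracklib" dev="dm-1" ino=164196 scontext=system_u:system_r:fdo_t:s0 tcontext=system_u:object_r:crack_db_t:s0 tclass=dir permissive=0
"""

# Matches "avc: denied { perm ... } ... scontext=... tcontext=... tclass=...";
# \s+ tolerates the double spaces real audit output uses around "denied".
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)


def type_of(context):
    """Extract the type from a user:role:type[:level] security context."""
    return context.split(":")[2]


def parse_avcs(text):
    """Return {(source_type, target_type, tclass): set(perms)} for every
    AVC denial found in the audit text; lines without a denial are ignored."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (type_of(m["scon"]), type_of(m["tcon"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return dict(rules)


def to_cil(rules):
    """Render the aggregated denials as CIL allow statements, one per
    (source, target, class) triple, sorted so output is stable."""
    lines = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        lines.append(f"(allow {src} {tgt} ({cls} ({' '.join(sorted(perms))})))")
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_cil(parse_avcs(SAMPLE_AUDIT)))
```

Note what the generated rule does and does not cover: in enforcing mode the first denial aborts pwmake, so the log shows only `search` on the directory, whereas the module posted above also grants `getattr`/`open` on the directory and `read` on the dictionary file, the accesses that would have been denied next. To collect the whole set in one run, put the domain into permissive mode with `semanage permissive -a fdo_t`, reproduce, feed the full audit log through the parser, and remove the exemption again with `semanage permissive -d fdo_t`. Review the output before installing it: a rule generated this way is exactly as broad as whatever got logged, no narrower.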
pwmake is not SELinux confined, so it runs in the caller's domain.

f39# ls -lZ /usr/bin/pwmake
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 15912 Jul 19 20:00 /usr/bin/pwmake
(In reply to Zdenek Pytela from comment #2)
> Can you please try to reproduce with the following local module?
> # cat local_fdo_crackdb.cil
> (allow fdo_t crack_db_t (dir (getattr search open)))
> (allow fdo_t crack_db_t (file (getattr open read ioctl lock)))
>
> # semodule -i local_fdo_crackdb.cil

Thanks, Zdenek. Using that local module, FDO re-encryption worked as expected.
OK, merging the PR.
FEDORA-2023-a2dacfbdcb has been submitted as an update to Fedora 39. https://bodhi.fedoraproject.org/updates/FEDORA-2023-a2dacfbdcb
FEDORA-2023-a2dacfbdcb has been pushed to the Fedora 39 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-a2dacfbdcb`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-a2dacfbdcb
See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Verified this bug with build https://koji.fedoraproject.org/koji/buildinfo?buildID=2320649, fixed, the fdo re-encryption works as expected.
Thanks again, Zdenek. Could we also get this added to Fedora 38?
I can do that. https://github.com/fedora-selinux/selinux-policy/pull/1944
FEDORA-2023-a2dacfbdcb has been pushed to the Fedora 39 stable repository. If problem still persists, please make note of it in this bug report.