stratisd
Potential SELinux issue
@bleve Following up on our IRC conversation.
From your boot logs, I saw some SELinux deny errors when you put Stratis on top of md similar to something @drckeefe saw. I'm not convinced the device node for the filesystem is disappearing during boot. I think instead it's actually getting blocked by SELinux. Can you try disabling SELinux first, and then report back on whether that resolves the problem?
If it does, we'll have to work on updating our SELinux rules for md-raid.
Issue is not only on boot, it also happens when mdmonitor monitors raid.
These seem to fix the issue. The idea behind this interface and blocking access is that md raid can't ever be running on Stratis devices.
Adding this new interface to stratisd.if
########################################
## <summary>
##	Dontaudit searching stratisd data directories
## </summary>
## <param name="domain">
##	<summary>
##	Domain denied access.
##	</summary>
## </param>
#
interface(`stratisd_dontaudit_data_directory_search',`
	gen_require(`
		type stratisd_data_t;
	')

	dontaudit $1 stratisd_data_t:dir search_dir_perms;
	dontaudit $1 stratisd_data_t:lnk_file read_lnk_file_perms;
')
And using this new interface in raid.te
optional_policy(`
	stratisd_dontaudit_data_directory_search(mdadm_t)
')
Here is the full list of AVCs.
type=AVC msg=audit(1664652371.462:14): avc: denied { getattr } for pid=1787 comm="mdadm" path="/dev/stratis" dev="devtmpfs" ino=1067 scontext=system_u:system_r:mdadm_t:s0 tcontext=system_u:object_r:stratisd_data_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1664652371.462:15): avc: denied { read } for pid=1787 comm="mdadm" name="stratis" dev="devtmpfs" ino=1067 scontext=system_u:system_r:mdadm_t:s0 tcontext=system_u:object_r:stratisd_data_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1664652371.462:15): avc: denied { open } for pid=1787 comm="mdadm" path="/dev/stratis" dev="devtmpfs" ino=1067 scontext=system_u:system_r:mdadm_t:s0 tcontext=system_u:object_r:stratisd_data_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1664652371.462:16): avc: denied { search } for pid=1787 comm="mdadm" name="stratis" dev="devtmpfs" ino=1067 scontext=system_u:system_r:mdadm_t:s0 tcontext=system_u:object_r:stratisd_data_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1664652371.462:17): avc: denied { getattr } for pid=1787 comm="mdadm" path="/dev/stratis/risa/20220922-0000-snap-home" dev="devtmpfs" ino=2185 scontext=system_u:system_r:mdadm_t:s0 tcontext=system_u:object_r:stratisd_data_t:s0 tclass=lnk_file permissive=1
type=AVC msg=audit(1664652371.462:18): avc: denied { read } for pid=1787 comm="mdadm" name="20220922-0000-snap-home" dev="devtmpfs" ino=2185 scontext=system_u:system_r:mdadm_t:s0 tcontext=system_u:object_r:stratisd_data_t:s0 tclass=lnk_file permissive=1
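The AVC records above are the raw material for the dontaudit interface in that comment: each record names a source domain (mdadm_t), a target type (stratisd_data_t), an object class and the permission that was refused, and the policy rule is the union of those permissions per (source, target, class) triple. The following script, added here as an example and not part of stratisd or of the reporter's policy patch, does that grouping over the six records as they appear in the issue (rejoined onto single lines, since the tracker wrapped some of them mid-token) and renders the result as TE rules. It is a minimal stand-in for the grouping that audit2allow performs, not a wrapper around it; the record format it parses is the one visible on this page.

```python
import re
from collections import defaultdict

# Constructed sample input: the six AVC records quoted in the issue, each
# rejoined onto one line. Nothing here is new data; it is the page's own log.
SAMPLE_AVCS = """\
type=AVC msg=audit(1664652371.462:14): avc: denied { getattr } for pid=1787 comm="mdadm" path="/dev/stratis" dev="devtmpfs" ino=1067 scontext=system_u:system_r:mdadm_t:s0 tcontext=system_u:object_r:stratisd_data_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1664652371.462:15): avc: denied { read } for pid=1787 comm="mdadm" name="stratis" dev="devtmpfs" ino=1067 scontext=system_u:system_r:mdadm_t:s0 tcontext=system_u:object_r:stratisd_data_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1664652371.462:15): avc: denied { open } for pid=1787 comm="mdadm" path="/dev/stratis" dev="devtmpfs" ino=1067 scontext=system_u:system_r:mdadm_t:s0 tcontext=system_u:object_r:stratisd_data_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1664652371.462:16): avc: denied { search } for pid=1787 comm="mdadm" name="stratis" dev="devtmpfs" ino=1067 scontext=system_u:system_r:mdadm_t:s0 tcontext=system_u:object_r:stratisd_data_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1664652371.462:17): avc: denied { getattr } for pid=1787 comm="mdadm" path="/dev/stratis/risa/20220922-0000-snap-home" dev="devtmpfs" ino=2185 scontext=system_u:system_r:mdadm_t:s0 tcontext=system_u:object_r:stratisd_data_t:s0 tclass=lnk_file permissive=1
type=AVC msg=audit(1664652371.462:18): avc: denied { read } for pid=1787 comm="mdadm" name="20220922-0000-snap-home" dev="devtmpfs" ino=2185 scontext=system_u:system_r:mdadm_t:s0 tcontext=system_u:object_r:stratisd_data_t:s0 tclass=lnk_file permissive=1
"""

# One regex for the fields a TE rule needs: the denied permission set, the
# source and target contexts, the object class and (if present) the
# permissive flag that tells us whether the kernel enforced the denial.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)"
    r"\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)


def context_type(ctx):
    """Return the type field of a user:role:type[:level] security context."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one AVC denial record; return None for lines that are not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {
        "perms": frozenset(m.group("perms").split()),
        "source": context_type(m.group("scontext")),
        "target": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
        # permissive=1 means the access was logged but not actually blocked
        "permissive": m.group("permissive") == "1",
    }


def aggregate(lines):
    """Merge denials into {(source_type, target_type, tclass): set(perms)}."""
    rules = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is not None:
            rules[(rec["source"], rec["target"], rec["tclass"])] |= rec["perms"]
    return dict(rules)


def render_rules(rules, kind="dontaudit"):
    """Render aggregated denials as TE rules; kind is 'dontaudit' or 'allow'."""
    return [
        f"{kind} {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(rules.items())
    ]


def summarize(text, kind="dontaudit"):
    """Convenience wrapper: raw audit text in, list of TE rule strings out."""
    return render_rules(aggregate(text.splitlines()), kind)


if __name__ == "__main__":
    for rule in summarize(SAMPLE_AVCS):
        print(rule)
```

Run stand-alone it prints two rules, one for the dir class with getattr, open, read and search, and one for lnk_file with getattr and read; those permission sets are what the search_dir_perms and read_lnk_file_perms macros in the interface above expand to cover. Rendering them as `dontaudit` rather than `allow` is the point of the interface: mdadm stays denied access to /dev/stratis, only the audit noise goes away. The `permissive=1` field on every record shows the kernel was logging, not enforcing, these denials when the log was taken, which is worth checking before reading a denial as the cause of a boot failure.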
@bleve Does disabling SELinux or updating the policy solve the issue of the block device being inaccessible at boot? Have you tried it?
Update the policy to which version?
SELinux issue doesn't prevent boot. It is cosmetic only, as my SELinux rules show.
I think we can close this for now.