SELinux breaks block backend on Fedora 38-based qube #8155

Closed
marmarek opened this issue Apr 28, 2023 · 1 comment · Fixed by QubesOS/qubes-core-agent-linux#419
Labels
affects-4.2 This issue affects Qubes OS 4.2. C: Fedora diagnosed Technical diagnosis has been performed (see issue comments). P: default Priority: default. Default priority for new issues, to be replaced given sufficient information. pr submitted A pull request has been submitted for this issue. T: bug Type: bug report. A problem or defect resulting in unintended behavior in something that exists.
marmarek (Member) commented Apr 28, 2023

Qubes OS release

R4.2

Brief summary

SELinux in enforcing mode prevents the block backend from working (attaching a block device exposed by such a qube).

Steps to reproduce

In a qube:

  1. truncate -s 50M test.img
  2. losetup -f test.img

And then attach the created loop device. I assume the same happens for USB sticks in sys-usb etc.

Expected behavior

Works.

Actual behavior

avc:  denied  { read write } for  pid=1470 comm="qubes-block" name="loop0" dev="devtmpfs" ino=805 scontext=system_u:system_r:xend_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=1
avc:  denied  { open } for  pid=1470 comm="qubes-block" path="/dev/loop0" dev="devtmpfs" ino=805 scontext=system_u:system_r:xend_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=1
avc:  denied  { ioctl } for  pid=1470 comm="qubes-block" path="/dev/loop0" dev="devtmpfs" ino=805 ioctlcmd=0x1280 scontext=system_u:system_r:xend_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=1

(enabled permissive mode to collect more logs, but normally the first failure breaks the thing).
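
As an added illustration (not part of the issue and not Qubes OS code), this Python sketch parses the three AVC denials quoted above, groups them by source type, target type and object class, and prints the result in allow-rule form for policy review. The function names are hypothetical, and the output only summarises what was denied; it is not the change merged for this issue.

```python
import re
from collections import defaultdict

# The three denials quoted in the issue above, copied verbatim.
AVC_LOG = """\
avc:  denied  { read write } for  pid=1470 comm="qubes-block" name="loop0" dev="devtmpfs" ino=805 scontext=system_u:system_r:xend_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=1
avc:  denied  { open } for  pid=1470 comm="qubes-block" path="/dev/loop0" dev="devtmpfs" ino=805 scontext=system_u:system_r:xend_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=1
avc:  denied  { ioctl } for  pid=1470 comm="qubes-block" path="/dev/loop0" dev="devtmpfs" ino=805 ioctlcmd=0x1280 scontext=system_u:system_r:xend_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=1
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def selinux_type(context):
    # A context is user:role:type:level; the type is the third field.
    return context.split(":")[2]

def parse_avc(line):
    """Return one denial as a dict, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m["fields"])}
    return {
        "perms": m["perms"].split(),
        "source": selinux_type(fields["scontext"]),
        "target": selinux_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        "comm": fields.get("comm"),
        # permissive=1 means the access was logged but not actually blocked.
        "enforced": fields.get("permissive") != "1",
    }

def summarize(log):
    """Merge denials into {(source, target, class): sorted permissions}."""
    grouped = defaultdict(set)
    for line in log.splitlines():
        rec = parse_avc(line)
        if rec:
            grouped[(rec["source"], rec["target"], rec["tclass"])].update(rec["perms"])
    return {key: sorted(perms) for key, perms in grouped.items()}

def as_allow_rules(summary):
    return [f"allow {s} {t}:{c} {{ {' '.join(p)} }};"
            for (s, t, c), p in sorted(summary.items())]

if __name__ == "__main__":
    print("\n".join(as_allow_rules(summarize(AVC_LOG))))
```

All three records carry `permissive=1`, so the parser reports them as not enforced, which matches the note above that permissive mode was enabled to collect the later denials.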

@marmarek marmarek added T: bug Type: bug report. A problem or defect resulting in unintended behavior in something that exists. C: Fedora P: default Priority: default. Default priority for new issues, to be replaced given sufficient information. labels Apr 28, 2023
@marmarek marmarek added this to the Release 4.2 milestone Apr 28, 2023
marmarek (Member, Author) commented:

I assume the same breaks on Fedora 37 too.

@DemiMarie DemiMarie self-assigned this Apr 28, 2023
@andrewdavidwong andrewdavidwong added the needs diagnosis Requires technical diagnosis from developer. Replace with "diagnosed" or remove if otherwise closed. label Apr 28, 2023
@andrewdavidwong andrewdavidwong added diagnosed Technical diagnosis has been performed (see issue comments). pr submitted A pull request has been submitted for this issue. and removed needs diagnosis Requires technical diagnosis from developer. Replace with "diagnosed" or remove if otherwise closed. labels May 7, 2023
@andrewdavidwong andrewdavidwong added the affects-4.2 This issue affects Qubes OS 4.2. label Aug 8, 2023