
systemd-cryptsetup-generator permission denied on boot #1425

Open
Georift opened this issue Jun 23, 2024 · 9 comments

Comments

@Georift

Georift commented Jun 23, 2024

Describe the bug

When I boot my bluefin system and login I'm dropped into an environment without my home directory mounted.

Opening terminals and applications fail as /home/tim isn't present.

What did you expect to happen?

/home/<user> to be present and everything to boot normally.

Output of rpm-ostree status

The earlier pinned version was working correctly, no issues with mounting on boot.

~ rpm-ostree status
State: idle
AutomaticUpdates: stage; rpm-ostreed-automatic.timer: last run 19min ago
Deployments:
  ostree-image-signed:docker://ghcr.io/ublue-os/bluefin-dx-nvidia:latest
                   Digest: sha256:a1adf996664c0a79d07b0611b9b45e81ceb1be8c02056ea355054a572e24fa7b
                  Version: 40.20240622.0 (2024-06-23T01:13:53Z)
                     Diff: 45 upgraded, 2 added

● ostree-image-signed:docker://ghcr.io/ublue-os/bluefin-dx-nvidia:latest
                   Digest: sha256:326e4a33d701be28ab461ee689cbda54bd02f3b9ab348a53ace08978c8fcb205
                  Version: 40.20240620.0 (2024-06-21T16:54:44Z)

  ostree-image-signed:docker://ghcr.io/ublue-os/bluefin-dx-nvidia:latest
                   Digest: sha256:8e8f20a0114655c97b45c1e1ce3dbe59dcb0837b10b19b74336525432fd62d3b
                  Version: 40.20240608.0 (2024-06-09T04:14:02Z)
                   Pinned: yes

Output of groups

tim wheel lxd incus-admin libvirt docker

Extra information or context

systemd-cryptsetup-generator failing to run

[   42.114658] audit: type=1400 audit(1719068040.803:4): avc:  denied  { search } for  pid=948 comm="systemd-cryptse" name="dev-mapper-luks\x2df6961bfa\x2de1db\x2d424c\x2db69b\x2dd1f8d0a49583.device.d" dev="tmpfs" ino=1043 scontext=system_u:system_r:systemd_cryptsetup_generator_t:s0 tcontext=system_u:object_r:systemd_fstab_generator_unit_file_t:s0 tclass=dir permissive=0
[   42.114690] systemd-cryptsetup-generator[948]: Failed to write device timeout drop-in: Permission denied
[   42.115645] audit: type=1400 audit(1719068040.804:5): avc:  denied  { create } for  pid=950 comm="systemd-fstab-g" name=".#50-device-timeout.conf03c1a89bf28725cb" scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:object_r:systemd_cryptsetup_generator_unit_file_t:s0 tclass=file permissive=0

May be unrelated, but a follow-on kernel error:

[   47.337726] ------------[ cut here ]------------
[   47.337733] Unpatched return thunk in use. This should not happen!
[   47.337737] WARNING: CPU: 3 PID: 1107 at arch/x86/kernel/cpu/bugs.c:3023 __warn_thunk+0x2a/0x40
[   47.337745] Modules linked in: wl(POE+) r8153_ecm(+) snd_hda_codec_generic ac97_bus cdc_ether snd_pcm_dmaengine kvm(+) snd_hda_scodec_component usbnet snd_hda_intel snd_intel_dspcfg snd_intel_sdw_acpi snd_hda_codec rapl intel_cstate snd_hda_core intel_uncore snd_hwdep snd_seq snd_seq_device iwlmvm r8152 dell_wmi dell_wmi_sysman(+) mii pcspkr snd_pcm btusb firmware_attributes_class mac80211 btrtl dell_smbios intel_wmi_thunderbolt dcdbas dell_wmi_descriptor libarc4 snd_timer btintel wmi_bmof snd iwlwifi btbcm i2c_i801 i2c_smbus soundcore btmtk spi_intel_pci spi_intel sunrpc bluetooth thunderbolt uvcvideo mei_me cdc_acm uvc videobuf2_vmalloc mei videobuf2_memops videobuf2_v4l2 videobuf2_common idma64 processor_thermal_device_pci_legacy processor_thermal_device processor_thermal_wt_hint processor_thermal_rfim processor_thermal_rapl intel_rapl_common processor_thermal_wt_req processor_thermal_power_floor processor_thermal_mbox intel_soc_dts_iosf intel_pch_thermal int3403_thermal int340x_thermal_zone dell_smo8800
[   47.337834]  binfmt_misc intel_pmc_core intel_vsec int3400_thermal intel_hid sparse_keymap pmt_telemetry acpi_thermal_rel pmt_class vfat fat acpi_pad joydev razermouse(OE) brcmfmac brcmutil cfg80211 rfkill scsi_dh_rdac scsi_dh_emc scsi_dh_alua kvmfr(OE) loop dm_multipath nfnetlink zram dm_crypt typec_displayport i915 drm_buddy i2c_algo_bit rtsx_pci_sdmmc drm_display_helper crct10dif_pclmul crc32_pclmul crc32c_intel polyval_clmulni nvme polyval_generic mmc_core nvme_core ghash_clmulni_intel cec sha512_ssse3 sha256_ssse3 hid_multitouch ucsi_acpi typec_ucsi sha1_ssse3 nvme_auth rtsx_pci ttm typec i2c_hid_acpi i2c_hid pinctrl_cannonlake serio_raw uas usb_storage mxm_wmi nvidia_drm(POE) nvidia_modeset(POE) video wmi nvidia_uvm(POE) nvidia(POE) v4l2loopback(OE) videodev mc ip6_tables ip_tables fuse i2c_dev
[   47.337903] CPU: 3 PID: 1107 Comm: (udev-worker) Tainted: P           OE      6.9.4-200.fc40.x86_64 #1
[   47.337907] Hardware name: Dell Inc. XPS 15 7590/0VYV0G, BIOS 1.27.0 02/01/2024
[   47.337909] RIP: 0010:__warn_thunk+0x2a/0x40
[   47.337913] Code: 66 0f 1f 00 0f 1f 44 00 00 80 3d 01 18 77 02 00 74 05 c3 cc cc cc cc 48 c7 c7 f8 79 b3 8d c6 05 ec 17 77 02 01 e8 f6 46 0c 00 <0f> 0b c3 cc cc cc cc 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00
[   47.337916] RSP: 0000:ffffb304409e7948 EFLAGS: 00010286
[   47.337919] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000027
[   47.337921] RDX: ffff919b2c3a18c8 RSI: 0000000000000001 RDI: ffff919b2c3a18c0
[   47.337923] RBP: ffffb304409e7998 R08: 0000000000000000 R09: 6820746f6e20646c
[   47.337924] R10: 746f6e20646c756f R11: 216e657070616820 R12: ffffffffc643bbb8
[   47.337926] R13: ffffb304409e79e0 R14: 00007f40bbfc007d R15: ffffb304409e7a70
[   47.337928] FS:  00007f40bb4e3980(0000) GS:ffff919b2c380000(0000) knlGS:0000000000000000
[   47.337930] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   47.337932] CR2: 00007f27e6d9f000 CR3: 000000011470e004 CR4: 00000000003706f0
[   47.337934] Call Trace:
[   47.337938]  <TASK>
[   47.337940]  ? __warn_thunk+0x2a/0x40
[   47.337943]  ? __warn.cold+0x8e/0xe8
[   47.337949]  ? __warn_thunk+0x2a/0x40
[   47.337980]  ? report_bug+0xff/0x140
[   47.337997]  ? console_unlock+0x84/0x130
[   47.338003]  ? handle_bug+0x3c/0x80
[   47.338009]  ? exc_invalid_op+0x17/0x70
[   47.338012]  ? asm_exc_invalid_op+0x1a/0x20
[   47.338019]  ? __warn_thunk+0x2a/0x40
[   47.338022]  ? __warn_thunk+0x2a/0x40
[   47.338023]  warn_thunk_thunk+0x1a/0x30
[   47.338028]  getvar+0x20/0x70 [wl]
[   47.338135]  ? __UNIQUE_ID_vermagic434+0x4cfb7e9b5ebc/0x4cfb7e9b5ebc [wl]
[   47.338186]  wl_module_init+0x17/0xa0 [wl]
[   47.338279]  ? do_one_initcall+0x58/0x310
[   47.338286]  ? do_init_module+0x90/0x250
[   47.338291]  ? __do_sys_init_module+0x17a/0x1b0
[   47.338297]  ? do_syscall_64+0x82/0x160
[   47.338300]  ? get_page_from_freelist+0x5f8/0x1bc0
[   47.338310]  ? __alloc_pages+0x182/0x350
[   47.338314]  ? __mod_memcg_lruvec_state+0xc2/0x180
[   47.338319]  ? __lruvec_stat_mod_folio+0x68/0xa0
[   47.338322]  ? set_ptes.isra.0+0x28/0x90
[   47.338327]  ? do_anonymous_page+0x410/0x770
[   47.338330]  ? __pte_offset_map+0x10/0x180
[   47.338335]  ? __handle_mm_fault+0xc61/0xe10
[   47.338339]  ? sched_clock+0x10/0x30
[   47.338345]  ? __count_memcg_events+0x69/0x100
[   47.338349]  ? count_memcg_events.constprop.0+0x1a/0x30
[   47.338352]  ? handle_mm_fault+0x1f0/0x300
[   47.338356]  ? do_user_addr_fault+0x34e/0x620
[   47.338368]  ? exc_page_fault+0x7e/0x180
[   47.338372]  ? entry_SYSCALL_64_after_hwframe+0x76/0x7e
[   47.338376]  </TASK>
[   47.338378] ---[ end trace 0000000000000000 ]---
@m2Giles
Member

m2Giles commented Jun 23, 2024

Cryptsetup was recently updated; however, I haven't seen your behavior. Please check the file context for systemd-cryptsetup.

ls -lZ /usr/bin/systemd-cryptsetup

That said, that is on the image and it would be unlikely that is the cause of the issue.

Are you able to boot successfully with permissive mode enabled?

@Georift
Author

Georift commented Jun 23, 2024

Please check the file context for systemd-cryptsetup.

~ ls -lZ /usr/bin/systemd-cryptsetup
-rwxr-xr-x. 4 root root system_u:object_r:bin_t:s0 95112 Jan  1  1970 /usr/bin/systemd-cryptsetup

Are you able to boot successfully with permissive mode enabled?

I'm not sure, I don't know exactly how to enable that, but I'll track it down and give it a try.

@Georift
Author

Georift commented Jun 23, 2024

Attempting now to set SELINUX=permissive in /etc/selinux/config.

@Georift
Author

Georift commented Jun 23, 2024

It now boots successfully after the change just mentioned. I'll revert it now just to be sure.

@Georift
Author

Georift commented Jun 23, 2024

Yep, reverting it to SELINUX=enforcing causes the issue to return. I'll try to pull any SELinux-related logs I can and dump them here shortly.

@Georift
Author

Georift commented Jun 23, 2024

With permissive enabled I get the following fstab related audit errors:

Jun 23 16:57:04 dredd kernel: audit: type=1400 audit(1719133023.732:3): avc:  denied  { create } for  pid=911 comm="systemd-fstab-g" name=".#50-device-timeout.conf97ed252054a39cd0" scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:object_r:systemd_cryptsetup_generator_unit_file_t:s0 tclass=file permissive=1
Jun 23 16:57:04 dredd kernel: audit: type=1400 audit(1719133023.732:4): avc:  denied  { read write open } for  pid=911 comm="systemd-fstab-g" path="/run/systemd/generator/dev-mapper-luks\x2df6961bfa\x2de1db\x2d424c\x2db69b\x2dd1f8d0a49583.device.d/.#50-device-timeout.conf97ed252054a39cd0" dev="tmpfs" ino=831 scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:object_r:systemd_cryptsetup_generator_unit_file_t:s0 tclass=file permissive=1
Jun 23 16:57:04 dredd kernel: audit: type=1400 audit(1719133023.732:5): avc:  denied  { getattr } for  pid=911 comm="systemd-fstab-g" path="/run/systemd/generator/dev-mapper-luks\x2df6961bfa\x2de1db\x2d424c\x2db69b\x2dd1f8d0a49583.device.d/.#50-device-timeout.conf97ed252054a39cd0" dev="tmpfs" ino=831 scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:object_r:systemd_cryptsetup_generator_unit_file_t:s0 tclass=file permissive=1
Jun 23 16:57:04 dredd kernel: audit: type=1400 audit(1719133023.732:6): avc:  denied  { setattr } for  pid=911 comm="systemd-fstab-g" name=".#50-device-timeout.conf97ed252054a39cd0" dev="tmpfs" ino=831 scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:object_r:systemd_cryptsetup_generator_unit_file_t:s0 tclass=file permissive=1
Jun 23 16:57:04 dredd kernel: audit: type=1400 audit(1719133023.732:7): avc:  denied  { remove_name } for  pid=911 comm="systemd-fstab-g" name=".#50-device-timeout.conf97ed252054a39cd0" dev="tmpfs" ino=831 scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:object_r:systemd_cryptsetup_generator_unit_file_t:s0 tclass=dir permissive=1
Jun 23 16:57:04 dredd kernel: audit: type=1400 audit(1719133023.732:8): avc:  denied  { rename } for  pid=911 comm="systemd-fstab-g" name=".#50-device-timeout.conf97ed252054a39cd0" dev="tmpfs" ino=831 scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:object_r:systemd_cryptsetup_generator_unit_file_t:s0 tclass=file permissive=1
Jun 23 16:57:04 dredd kernel: audit: type=1400 audit(1719133023.735:9): avc:  denied  { remove_name } for  pid=911 comm="systemd-fstab-g" name=".#50-device-timeout.conff7105f97f83a6f27" dev="tmpfs" ino=839 scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:object_r:systemd_cryptsetup_generator_unit_file_t:s0 tclass=dir permissive=1

the directory I believe it's accessing has the following labels:

➜  dev-mapper-luks\x2de28120fb\x2d3882\x2d41f3\x2dbc02\x2d35f61ce2ad78.device.d ls -lZ
total 8
-rw-r--r--. 1 root root system_u:object_r:systemd_cryptsetup_generator_unit_file_t:s0  89 Jun 23 16:57 40-device-timeout.conf
-rw-r--r--. 1 root root system_u:object_r:systemd_cryptsetup_generator_unit_file_t:s0 146 Jun 23 16:57 50-device-timeout.conf

@Georift
Author

Georift commented Jun 23, 2024

After running the logs through the audit2allow I get the following module:

module system-fstab-generator.local 1.0;

require {
	type systemd_fstab_generator_t;
	type systemd_cryptsetup_generator_unit_file_t;
	class file { create getattr open read rename setattr write };
	class dir remove_name;
}

#============= systemd_fstab_generator_t ==============
allow systemd_fstab_generator_t systemd_cryptsetup_generator_unit_file_t:dir remove_name;
allow systemd_fstab_generator_t systemd_cryptsetup_generator_unit_file_t:file { create getattr open read rename setattr write };

After applying it the system seems to be working well now. Guess now I just need to work out whether this issue belongs with Silverblue or elsewhere?
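The AVC lines pasted in this thread and the audit2allow module above are a good concrete case for checking a generated policy against the denials it is meant to cover. The following is an added example, not code from the issue, Bluefin, Fedora or audit2allow itself: it parses kernel AVC denial records, merges them into audit2allow-style allow rules keyed on (source type, target type, class), and reports which denied permissions a pasted policy module does not allow. The sample lines are copied from this thread (the enforcing-mode `search` denial from the original report plus the permissive-mode ones), and `PAGE_MODULE` is the module as posted; the regexes and function names are this example's own.

```python
# Added example, not code from the issue, Bluefin, or the Fedora SELinux policy:
# parse kernel AVC denial lines, regenerate audit2allow-style rules from them,
# and check a proposed policy module against the denials it should cover.
import re
from collections import defaultdict

# Sample input copied from this thread: the enforcing-mode denial from the
# original report (permissive=0) followed by permissive-mode denials collected
# later (permissive=1). Raw strings keep the \x2d escapes verbatim.
SAMPLE_AVC_LINES = [
    r'[   42.114658] audit: type=1400 audit(1719068040.803:4): avc:  denied  { search } for  pid=948 comm="systemd-cryptse" name="dev-mapper-luks\x2df6961bfa\x2de1db\x2d424c\x2db69b\x2dd1f8d0a49583.device.d" dev="tmpfs" ino=1043 scontext=system_u:system_r:systemd_cryptsetup_generator_t:s0 tcontext=system_u:object_r:systemd_fstab_generator_unit_file_t:s0 tclass=dir permissive=0',
    r'Jun 23 16:57:04 dredd kernel: audit: type=1400 audit(1719133023.732:3): avc:  denied  { create } for  pid=911 comm="systemd-fstab-g" name=".#50-device-timeout.conf97ed252054a39cd0" scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:object_r:systemd_cryptsetup_generator_unit_file_t:s0 tclass=file permissive=1',
    r'Jun 23 16:57:04 dredd kernel: audit: type=1400 audit(1719133023.732:4): avc:  denied  { read write open } for  pid=911 comm="systemd-fstab-g" path="/run/systemd/generator/dev-mapper-luks\x2df6961bfa\x2de1db\x2d424c\x2db69b\x2dd1f8d0a49583.device.d/.#50-device-timeout.conf97ed252054a39cd0" dev="tmpfs" ino=831 scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:object_r:systemd_cryptsetup_generator_unit_file_t:s0 tclass=file permissive=1',
    r'audit: type=1400 audit(1719133023.732:5): avc:  denied  { getattr } for  pid=911 comm="systemd-fstab-g" dev="tmpfs" ino=831 scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:object_r:systemd_cryptsetup_generator_unit_file_t:s0 tclass=file permissive=1',
    r'audit: type=1400 audit(1719133023.732:6): avc:  denied  { setattr } for  pid=911 comm="systemd-fstab-g" dev="tmpfs" ino=831 scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:object_r:systemd_cryptsetup_generator_unit_file_t:s0 tclass=file permissive=1',
    r'audit: type=1400 audit(1719133023.732:7): avc:  denied  { remove_name } for  pid=911 comm="systemd-fstab-g" dev="tmpfs" ino=831 scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:object_r:systemd_cryptsetup_generator_unit_file_t:s0 tclass=dir permissive=1',
    r'audit: type=1400 audit(1719133023.732:8): avc:  denied  { rename } for  pid=911 comm="systemd-fstab-g" dev="tmpfs" ino=831 scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:object_r:systemd_cryptsetup_generator_unit_file_t:s0 tclass=file permissive=1',
]

# The audit2allow module as posted in the thread.
PAGE_MODULE = """
module system-fstab-generator.local 1.0;
require {
    type systemd_fstab_generator_t;
    type systemd_cryptsetup_generator_unit_file_t;
    class file { create getattr open read rename setattr write };
    class dir remove_name;
}
allow systemd_fstab_generator_t systemd_cryptsetup_generator_unit_file_t:dir remove_name;
allow systemd_fstab_generator_t systemd_cryptsetup_generator_unit_file_t:file { create getattr open read rename setattr write };
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
ALLOW_RE = re.compile(r"allow\s+(\w+)\s+(\w+):(\w+)\s+(?:\{([^}]*)\}|(\w+))\s*;")


def parse_avc(line):
    """Return one denial as a dict, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(m.group("rest"))}
    # Contexts are user:role:type:level; policy rules are written on the type.
    return {
        "source": fields["scontext"].split(":")[2],
        "target": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "perms": frozenset(m.group("perms").split()),
        "comm": fields.get("comm", ""),
        # permissive=0 means the access was actually blocked; permissive=1 means only logged.
        "blocked": fields.get("permissive") == "0",
    }


def parse_all(lines):
    return [d for d in map(parse_avc, lines) if d is not None]


def aggregate(denials):
    """Merge denials into {(source_type, target_type, tclass): set_of_perms}."""
    merged = defaultdict(set)
    for d in denials:
        merged[(d["source"], d["target"], d["tclass"])] |= d["perms"]
    return merged


def render_rules(merged):
    """Emit allow rules in the shape audit2allow prints them, in sorted order."""
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        perms = sorted(perms)
        body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules


def rules_from_lines(lines):
    return render_rules(aggregate(parse_all(lines)))


def parse_allow_rules(policy_text):
    """Read the allow rules of a .te-style policy text into the same keyed form."""
    allowed = defaultdict(set)
    for src, tgt, cls, many, one in ALLOW_RE.findall(policy_text):
        allowed[(src, tgt, cls)] |= (set(many.split()) if many else {one})
    return allowed


def uncovered(lines, policy_text):
    """Map each (source, target, class) with denied perms the policy lacks to those perms."""
    allowed = parse_allow_rules(policy_text)
    gaps = {}
    for key, perms in aggregate(parse_all(lines)).items():
        missing = perms - allowed.get(key, set())
        if missing:
            gaps[key] = sorted(missing)
    return gaps


if __name__ == "__main__":
    for rule in rules_from_lines(SAMPLE_AVC_LINES):
        print(rule)
    print("not covered by the pasted module:", uncovered(SAMPLE_AVC_LINES, PAGE_MODULE))
```

Run against these inputs, the regenerated rules match the two `allow` lines of the posted module, and `uncovered()` reports the one record the module does not address: the `search` denial of `systemd_cryptsetup_generator_t` on a directory labelled `systemd_fstab_generator_unit_file_t`, which is the denial that appeared with `permissive=0` in the original boot log. A module written only from permissive-mode logs can miss denials that were logged earlier under enforcing mode, so feeding both sets of records through the same aggregation is a cheap consistency check before loading anything with `semodule`.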

@m2Giles
Member

m2Giles commented Jun 23, 2024

Please post this on Silverblue's tracker. Both of those generators are from Silverblue/Fedora and it's odd that they required a new policy.

@m2Giles
Member

m2Giles commented Jun 23, 2024

So I do not have any drop-in directories for my LUKS disk like you are showing.

dev-mapper-luks-lux\x2.... should be generated from cryptsetup-generator. Where are those two drop-in files being created?
