Sorry, I do not know how to fix that.
I encountered the discard issue on Fedora Workstation 37, but setting up custom SELinux policies was successful. Maybe try F37.
Hi Arturas
f37 works for me, thanks!
Did you try building the module from a toolbox container?
No. I installed f39 on a machine and did the tests directly there
Hi all.
Upgraded my MBP with homed-managed user, re-applied custom policy, but still unable to activate the user.
SELinux Troubleshooter says this:
You should report this as a bug.
You can generate a local policy module to allow this access.
Allow this access for now by executing:
# ausearch -c 'systemd-homewor' --raw | audit2allow -M my-systemdhomewor
# semodule -X 300 -i my-systemdhomewor.pp
New custom policy required?
Check if the module is loaded
sudo semanage module -l | grep homed
Got this:
homed 400 pp
my-systemdhomed 300 pp
It seems you have two policies for homed. Is one your custom policy? Are both policies identical?
I will check that, but both of those existed in the F37 causing no issues … This issue appeared after upgrade to F38. I upgraded to F38 while logged in with homed-managed user.
Raw Audit Messages
type=AVC msg=audit(1682445078.738:327): avc: denied { getattr } for pid=6876 comm="systemd-homewor" path="/run/udev/data/b7:0" dev="tmpfs" ino=2832 scontext=system_u:system_r:systemd_homework_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
Hash: systemd-homewor,systemd_homework_t,udev_var_run_t,file,getattr
This denial is not allowed in the current policy. What was the process to get this error?
What was the process to get this error?
sudo homectl activate <my homed user>
There were more errors, mostly I/O. As I upgraded Fedora while I was logged in with my homed user, maybe the upgrade process interrupted some I/O, which in turn resulted in a damaged loop file. I deleted my homed user (it was created for experimenting with homed) and tried to create a new one using exactly the same command, but now I get a new error:
21:47:28 systemd-homed: Operation on failed: Invalid argument
21:47:28 kernel: I/O error, dev loop0, sector 0 op 0x0:(READ) flags 0x800 phys_seg 1 prio class 2
21:47:28 systemd-homewor: Failed to set up LUKS password for slot 0: Invalid argument
21:47:23 systemd-homed: Operation on failed: Wrong medium type
On F37 the same command created a fully functional homed-managed user.
systemd_homework_t should be in permissive mode, so it should have been allowed but still logged in the journal.
I just ran
journalctl -b -g avc | grep systemd_homework_t
Apr 21 14:14:16 fedora audit[195296]: AVC avc: denied { read } for pid=195296 comm="systemd-homewor" name="b8:17" dev="tmpfs" ino=1169 scontext=system_u:system_r:systemd_homework_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
Apr 21 14:14:16 fedora audit[195296]: AVC avc: denied { open } for pid=195296 comm="systemd-homewor" path="/run/udev/data/b8:17" dev="tmpfs" ino=1169 scontext=system_u:system_r:systemd_homework_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
Apr 21 14:14:16 fedora audit[195296]: AVC avc: denied { getattr } for pid=195296 comm="systemd-homewor" path="/run/udev/data/b8:17" dev="tmpfs" ino=1169 scontext=system_u:system_r:systemd_homework_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
Apr 21 14:14:17 fedora audit[195296]: AVC avc: denied { create } for pid=195296 comm="systemd-homewor" scontext=system_u:system_r:systemd_homework_t:s0 tcontext=system_u:system_r:systemd_homework_t:s0 tclass=user_namespace permissive=1
systemd-homed got updated. I see I have some new rules to add.
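Before running the audit2allow pipeline the troubleshooter suggests, it is worth seeing exactly which permissions the generated module would grant and confirming that the denials came from a permissive domain. The script below is an added example, not code from the thread or from the systemd/SELinux projects: it parses the two denial line shapes posted above (a raw `type=AVC msg=audit(...)` record and journalctl's `audit[pid]: AVC avc:` form), merges them into audit2allow-style `allow` rules, and emits a minimal `.te` module for review. The sample lines are constructed from the shapes in the thread; the `self` rendering and the `.te` layout follow audit2allow's convention.

```python
"""Triage SELinux AVC denials and preview the audit2allow-style rules they imply."""
import re
from collections import defaultdict

# Constructed sample input (not copied from any machine): the two line shapes
# that appear in the thread, a raw `type=AVC msg=audit(...)` record from
# `ausearch --raw` and journalctl's `audit[pid]: AVC avc:` form, plus one
# non-denial `selinux: avc: op=load_policy` line that must be ignored.
SAMPLE_LINES = """\
type=AVC msg=audit(1682445078.738:327): avc: denied { getattr } for pid=6876 comm="systemd-homewor" path="/run/udev/data/b7:0" dev="tmpfs" ino=2832 scontext=system_u:system_r:systemd_homework_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
Apr 21 14:14:16 fedora audit[195296]: AVC avc: denied { read } for pid=195296 comm="systemd-homewor" name="b8:17" dev="tmpfs" ino=1169 scontext=system_u:system_r:systemd_homework_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
Apr 21 14:14:16 fedora audit[195296]: AVC avc: denied { open } for pid=195296 comm="systemd-homewor" path="/run/udev/data/b8:17" dev="tmpfs" ino=1169 scontext=system_u:system_r:systemd_homework_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
Apr 21 14:14:17 fedora audit[195296]: AVC avc: denied { create } for pid=195296 comm="systemd-homewor" scontext=system_u:system_r:systemd_homework_t:s0 tcontext=system_u:system_r:systemd_homework_t:s0 tclass=user_namespace permissive=1
Apr 25 20:51:26 mbp-fedora systemd[2329]: selinux: avc: op=load_policy lsm=selinux seqno=2 res=1
"""

# `avc: denied { perm... } for key=value ...`; whitespace is flexible because
# the kernel prints double spaces and forum pastes often collapse them.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def selinux_type(context):
    """Return the type component of a user:role:type[:level] context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def parse_avc(line):
    """Parse one denial line into a dict, or return None for non-denials."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    return {
        "perms": set(m.group("perms").split()),
        "comm": fields.get("comm"),
        "source": selinux_type(fields["scontext"]),
        "target": selinux_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        # permissive=1 means the domain is permissive: logged, not enforced
        "permissive": fields.get("permissive") == "1",
        "object": fields.get("path") or fields.get("name"),
    }


def summarize(text):
    """Merge denials into (source, target, class) -> permission set and report
    whether every denial came from a permissive domain."""
    rules = defaultdict(set)
    all_permissive = True
    for line in text.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        rules[(d["source"], d["target"], d["tclass"])] |= d["perms"]
        all_permissive = all_permissive and d["permissive"]
    return dict(rules), all_permissive


def render_rules(rules):
    """Render rules the way audit2allow would (target == source becomes `self`)."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        target = "self" if tgt == src else tgt
        out.append(f"allow {src} {target}:{cls} {{ {' '.join(sorted(perms))} }};")
    return out


def render_module(name, rules):
    """Build a minimal .te file (module header, require block, allow rules),
    the artifact to read before `semodule -i` loads it."""
    types = sorted({t for (_, t, _) in rules} | {s for (s, _, _) in rules})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls] |= perms
    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    lines += ["}", ""] + render_rules(rules)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    rules, permissive = summarize(SAMPLE_LINES)
    print(f"{len(rules)} rule(s); all from permissive domains: {permissive}")
    print(render_module("my-systemdhomewor", rules))
```

On the sample this yields two rules: read/open/getattr on `udev_var_run_t` files (the `/run/udev/data/b*` entries homework reads to identify the loop device) and `create` on `user_namespace` for the domain itself. Feed it real output with `ausearch -m AVC --raw | python3 avc_triage.py` piped into `summarize` instead of `SAMPLE_LINES`, and compare the rendered `.te` against what `audit2allow -M` produces before loading anything with `semodule`.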
What does your journal say about selinux avc denials?
journalctl -b -g 'selinux: avc:'
Apologies, I was stupid and impatient - deleted my homed user with the hope to re-create it without errors, but got new ones instead. This means I cannot check avc denials on old user (deleted) and on new as well (cannot create it yet).
The journal does not erase history of old users.
Instead of the -b flag above, use the --since flag. Let's say, for example, an hour ago:
journalctl --since ' 1 hour ago' | grep 'selinux: avc:'
Or the time more specifically when you tried logging in or deleted the user.
journalctl --since ' 10:30' | grep 'selinux: avc:'
Sure, makes sense.
This is what I get for last 24 hours:
Apr 25 20:51:26 mbp-fedora systemd[2329]: selinux: avc: op=load_policy lsm=selinux seqno=2 res=1
You can try to see what went wrong with this command below
journalctl --since '3 days ago' | grep 'systemd-homed\| systemd-homework'
Apr 27 13:02:55 mbp-fedora systemd-homed[4683]: arturasbar: changing state absent → creating
Apr 27 13:02:55 mbp-fedora systemd-homed[4683]: Operation on arturasbar failed: Wrong medium type
Apr 27 13:02:55 mbp-fedora systemd-homed[4683]: arturasbar: changing state absent → creating
Apr 27 13:02:55 mbp-fedora systemd-homework[9346]: Asking FIDO2 token for authentication.
Apr 27 13:02:55 mbp-fedora systemd-homework[9346]: Please confirm presence on security token to unlock.
Apr 27 13:02:57 mbp-fedora systemd-homework[9346]: Allocating image file completed.
Apr 27 13:02:57 mbp-fedora systemd-homework[9346]: Writing of partition table completed.
Apr 27 13:02:57 mbp-fedora systemd-homework[9346]: Setting up loopback device /dev/loop0 completed.
Apr 27 13:02:59 mbp-fedora systemd-homework[9346]: LUKS formatting completed.
Apr 27 13:03:00 mbp-fedora systemd-homework[9346]: Detected attempt for concurrent LUKS2 metadata update. Aborting operation.
Apr 27 13:03:00 mbp-fedora systemd-homework[9346]: Failed to set up LUKS password for slot 0: Invalid argument
Apr 27 13:03:00 mbp-fedora systemd-homed[4683]: Operation on arturasbar failed: Invalid argument
Apr 27 13:03:01 mbp-fedora systemd-homed[4683]: block device /sys/devices/virtual/block/loop0 has been removed.
The failure is here:
Apr 27 13:03:00 mbp-fedora systemd-homework[9346]: Detected attempt for concurrent LUKS2 metadata update. Aborting operation.
How to find what is trying to update the LUKS2 metadata?
I found this, sounds similar to your problem
Try adding this to your create command
--luks-sector-size=4096
That has helped to create my user, but still I cannot activate it. SELinux Troubleshooter app gives this:
Summary
SELinux is preventing systemd-homewor from create access on the user_namespace labeled systemd_homework_t.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that systemd-homewor should be allowed create access on user_namespace labeled systemd_homework_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemd-homewor' --raw | audit2allow -M my-systemdhomewor
# semodule -X 300 -i my-systemdhomewor.pp
And the log file has this:
Summary
09:56:28 gdm-session-wor: gkr-pam: unable to locate daemon control file
09:56:13 systemd-homed: Activation failed: No anode
09:55:45 gdm-session-wor: pam_systemd_home(gdm-password:auth): Failed to acquire home for user arturasbar: Failed to execute operation: Package not installed
09:55:45 systemd-homed: Activation failed: Package not installed
09:55:45 systemd-homewor: Failed to validate disk label: Package not installed
09:55:32 systemd-homed: Activation failed: No anode
09:55:30 gdm-session-wor: gkr-pam: unable to locate daemon control file
09:55:09 systemd-homed: Activation failed: Package not installed
09:55:09 systemd-homewor: Failed to validate disk label: Package not installed
09:55:03 systemd-homed: Activation failed: No anode
Cannot find what's wrong as per the log lines in bold…