| Summary: | selinux: does not allow connection to tgtd when using iSNS | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Bruno Goncalves <bgoncalv> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Bruno Goncalves <bgoncalv> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 6.5 | CC: | bgoncalv, dwalsh, mmalik |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-3.7.19-214.el6 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2013-11-21 10:50:23 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
this rule seems to solve the problem.
cat tgtd_isns.te
module tgtd_isns 1.0;
require {
type tgtd_t;
type isns_port_t;
class tcp_socket name_connect;
}
#============= tgtd_t ==============
allow tgtd_t isns_port_t:tcp_socket name_connect;
Any other ports it should be allowed to connect to ? 45c585c5b76bdd00d11b7beaf2ef31985b548526 fixes this in git I believe this is the only port, unless the user decides to use a port that is not the default one... We only care about defaults. Verified with selinux-policy-3.7.19-214.el6.noarch iscsiadm -m discoverydb -t isns -p 127.0.0.1 --discover Starting iscsid: [ OK ] [ OK ] 127.0.0.1:3260,1 iqn.2009-10.com.redhat:storage-1 iscsiadm -m node -l Logging in to [iface: isns_iface, target: iqn.2009-10.com.redhat:storage-1, portal: 127.0.0.1,3260] (multiple) Login to [iface: isns_iface, target: iqn.2009-10.com.redhat:storage-1, portal: 127.0.0.1,3260] successful. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-1598.html |
Description of problem: Fail to discovery iSNS target from a server running tgtd and iSNSd ---- time->Fri Aug 30 15:42:23 2013 type=SYSCALL msg=audit(1377891743.032:23): arch=c000003e syscall=42 success=no exit=-13 a0=c a1=649a60 a2=80 a3=7ffff5ef0590 items=0 ppid=1 pid=13018 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="tgtd" exe="/usr/sbin/tgtd" subj=unconfined_u:system_r:tgtd_t:s0 key=(null) type=AVC msg=audit(1377891743.032:23): avc: denied { name_connect } for pid=13018 comm="tgtd" dest=3205 scontext=unconfined_u:system_r:tgtd_t:s0 tcontext=system_u:object_r:isns_port_t:s0 tclass=tcp_socket ---- time->Fri Aug 30 15:42:34 2013 type=SYSCALL msg=audit(1377891754.851:25): arch=c000003e syscall=42 success=no exit=-13 a0=d a1=649a60 a2=80 a3=538 items=0 ppid=1 pid=13585 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="tgtd" exe="/usr/sbin/tgtd" subj=unconfined_u:system_r:tgtd_t:s0 key=(null) type=AVC msg=audit(1377891754.851:25): avc: denied { name_connect } for pid=13585 comm="tgtd" dest=3205 scontext=unconfined_u:system_r:tgtd_t:s0 tcontext=system_u:object_r:isns_port_t:s0 tclass=tcp_socket ---- time->Fri Aug 30 15:42:34 2013 type=SYSCALL msg=audit(1377891754.833:24): arch=c000003e syscall=42 success=no exit=-13 a0=c a1=649a60 a2=80 a3=7fffd5bcb820 items=0 ppid=1 pid=13585 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="tgtd" exe="/usr/sbin/tgtd" subj=unconfined_u:system_r:tgtd_t:s0 key=(null) type=AVC msg=audit(1377891754.833:24): avc: denied { name_connect } for pid=13585 comm="tgtd" dest=3205 scontext=unconfined_u:system_r:tgtd_t:s0 tcontext=system_u:object_r:isns_port_t:s0 tclass=tcp_socket ---- Version-Release number of selected component (if applicable): selinux-policy-3.7.19-212.el6.noarch How reproducible: 100% Steps to Reproduce: 1.Create a tgtd target with 1 target and 1 lun 2.Configure it to use a local isnsd service add to targets.conf iSNSServerIP 127.0.0.1 iSNSServerPort 3205 iSNS On 3.iscsiadm -m discoverydb -t isns -p 127.0.0.1 --discover iscsiadm: No portals found Actual results: Fails to find target, disabling selinux works. Expected results: Target should be discovered Additional info: