| Summary: | iser: selinux does not allow login to the session | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Bruno Goncalves <bgoncalv> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Bruno Goncalves <bgoncalv> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 6.5 | CC: | bgoncalv, dwalsh, mmalik, tlavigne |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | selinux-policy-3.7.19-227.el6 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2013-11-21 10:53:15 UTC | Type: | Bug |
Hi Bruno, are there other AVCs when you run the reproducer in permissive mode?

With selinux in permissive, it seems to have the same message, but it allows session login.
type=SYSCALL msg=audit(1382436902.376:18): arch=c000003e syscall=29 success=no exit=-12 a0=0 a1=40000000 a2=b80 a3=18 items=0 ppid=1 pid=3197 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="tgtd" exe="/usr/sbin/tgtd" subj=unconfined_u:system_r:tgtd_t:s0 key=(null)
type=AVC msg=audit(1382436902.376:18): avc: denied { ipc_lock } for pid=3197 comm="tgtd" capability=14 scontext=unconfined_u:system_r:tgtd_t:s0 tcontext=unconfined_u:system_r:tgtd_t:s0 tclass=capability
a6969185e9e61786551f4322387ff1a5276f7da0 fixes this in git.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1598.html
Description of problem:
Trying to login to iSCSI session using iSER driver fails.

type=SYSCALL msg=audit(1382360859.900:20): arch=c000003e syscall=1 success=no exit=-12 a0=4 a1=7fffb76f8890 a2=30 a3=30 items=0 ppid=1 pid=3246 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="tgtd" exe="/usr/sbin/tgtd" subj=unconfined_u:system_r:tgtd_t:s0 key=(null)
type=AVC msg=audit(1382360859.900:20): avc: denied { ipc_lock } for pid=3246 comm="tgtd" capability=14 scontext=unconfined_u:system_r:tgtd_t:s0 tcontext=unconfined_u:system_r:tgtd_t:s0 tclass=capability
type=AVC msg=audit(1382360859.900:20): avc: denied { ipc_lock } for pid=3246 comm="tgtd" capability=14 scontext=unconfined_u:system_r:tgtd_t:s0 tcontext=unconfined_u:system_r:tgtd_t:s0 tclass=capability

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-224.el6.noarch

How reproducible:
100%

Steps to Reproduce:
1. Configure an iSCSI target

    cat /etc/tgt/targets.conf
    default-driver iser
    <target iqn.2009-10.com.redhat:storage-1>
        write-cache off
        allow-in-use yes
        <backing-store /var/lib/tgtd/loop-disk-1-1>
            scsi_sn 6976011
            scsi_id 6976011
            lun 1
            bs-type rdwr
            device-type disk
        </backing-store>
    </target>

    service tgtd start

2. On Initiator discover target using iser interface.

    iscsiadm -m discovery -I iser -p 192.168.0.4 -t st
    Starting iscsid: [ OK ] [ OK ]
    192.168.0.4:3260,1 iqn.2009-10.com.redhat:storage-1

3. Try to login to session

    iscsiadm -m node -l
    iscsiadm: Could not login to [iface: iser, target: iqn.2009-10.com.redhat:storage-1, portal: 192.168.0.4,3260].
    iscsiadm: initiator reported error (8 - connection timed out)
    iscsiadm: Could not log into all portals
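Added example, not part of the original report or of the selinux-policy fix: a small Python triage script that groups the audit records quoted in this report by event id, names the failing syscall and errno, and derives the candidate rule the way an audit2allow-style tool would. The function names and the trimmed sample records are constructed here; the page does not say whether this rule is what selinux-policy-3.7.19-227.el6 actually changed.

```python
import errno
import re
from collections import OrderedDict

# Constructed sample: the audit events quoted in this report, trimmed to the fields used below.
SAMPLE = """\
type=SYSCALL msg=audit(1382436902.376:18): arch=c000003e syscall=29 success=no exit=-12 pid=3197 comm="tgtd" exe="/usr/sbin/tgtd"
type=AVC msg=audit(1382436902.376:18): avc: denied { ipc_lock } for pid=3197 comm="tgtd" capability=14 scontext=unconfined_u:system_r:tgtd_t:s0 tcontext=unconfined_u:system_r:tgtd_t:s0 tclass=capability
type=SYSCALL msg=audit(1382360859.900:20): arch=c000003e syscall=1 success=no exit=-12 pid=3246 comm="tgtd" exe="/usr/sbin/tgtd"
type=AVC msg=audit(1382360859.900:20): avc: denied { ipc_lock } for pid=3246 comm="tgtd" capability=14 scontext=unconfined_u:system_r:tgtd_t:s0 tcontext=unconfined_u:system_r:tgtd_t:s0 tclass=capability
type=AVC msg=audit(1382360859.900:20): avc: denied { ipc_lock } for pid=3246 comm="tgtd" capability=14 scontext=unconfined_u:system_r:tgtd_t:s0 tcontext=unconfined_u:system_r:tgtd_t:s0 tclass=capability
"""

HEADER = re.compile(r"type=(\w+) msg=audit\((\d+\.\d+:\d+)\):")
DENIAL = re.compile(r"avc:\s+denied\s+\{ ([^}]+) \}.*?scontext=(\S+) tcontext=(\S+) tclass=(\S+)")
X86_64_SYSCALLS = {1: "write", 29: "shmget"}  # only the two numbers that occur in this report

def candidate_rule(perms, scontext, tcontext, tclass):
    """Build the allow rule an audit2allow-style tool would suggest for one denial."""
    src, tgt = scontext.split(":")[2], tcontext.split(":")[2]  # user:role:type:level
    names = perms.split()
    perm = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
    return f"allow {src} {'self' if src == tgt else tgt}:{tclass} {perm};"

def summarize(log_text):
    """Group records by audit event id; return one summary per event that has a denial."""
    events = OrderedDict()
    for line in log_text.splitlines():
        head = HEADER.match(line)
        if not head:
            continue
        rtype, event_id = head.groups()
        ev = events.setdefault(event_id, {"id": event_id, "syscall": None, "errno": None, "rules": []})
        if rtype == "SYSCALL":
            fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
            nr = int(fields["syscall"])
            # The number-to-name table is only valid for x86_64 (arch=c000003e).
            ev["syscall"] = X86_64_SYSCALLS.get(nr, nr) if fields.get("arch") == "c000003e" else nr
            ev["errno"] = errno.errorcode.get(-int(fields["exit"]))
        elif rtype == "AVC" and (hit := DENIAL.search(line)):
            rule = candidate_rule(*hit.groups())
            if rule not in ev["rules"]:  # the report logs the same denial twice in one event
                ev["rules"].append(rule)
    return [ev for ev in events.values() if ev["rules"]]

if __name__ == "__main__":
    for ev in summarize(SAMPLE):
        print(ev["id"], ev["syscall"], ev["errno"], ev["rules"])
```

Both events reduce to the same candidate rule for `tgtd_t`, which is a quick way to confirm that the `write` failure from the description and the `shmget` failure from the later comment share one cause (capability 14 is `CAP_IPC_LOCK`).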