Bug 1069355
Summary: | selinux preventing targetd plugin from opening a tcp socket | ||||||
---|---|---|---|---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Andy Grover <agrover> | ||||
Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> | ||||
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||
Severity: | unspecified | Docs Contact: | |||||
Priority: | unspecified | ||||||
Version: | 20 | CC: | dominick.grift, dwalsh, lvrabec, mgrepl, tasleson | ||||
Target Milestone: | --- | ||||||
Target Release: | --- | ||||||
Hardware: | Unspecified | ||||||
OS: | Unspecified | ||||||
Whiteboard: | |||||||
Fixed In Version: | selinux-policy-3.12.1-127.fc20 | Doc Type: | Bug Fix | ||||
Doc Text: | Story Points: | --- | |||||
Clone Of: | |||||||
: | 1069842 (view as bug list) | Environment: | |||||
Last Closed: | 2014-03-12 12:16:37 UTC | Type: | Bug | ||||
Regression: | --- | Mount Type: | --- | ||||
Documentation: | --- | CRM: | |||||
Verified Versions: | Category: | --- | |||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
Cloudforms Team: | --- | Target Upstream Version: | |||||
Embargoed: | |||||||
Bug Depends On: | |||||||
Bug Blocks: | 1069842 | ||||||
Attachments: |
|
Description
Andy Grover
2014-02-24 19:56:59 UTC
Could you run this in permissive mode to catch more avcs semanage permissive -a lsmd_plugin_t Created attachment 867155 [details]
Requested information
Do you know what is listening at tcp port 18700? (In reply to Daniel Walsh from comment #3) > Do you know what is listening at tcp port 18700? In this specific case the libStorageMgmt targetd plug-in (/usr/bin/targetd_lsmplugin) is connecting to a remote system which is running the targetd storage daemon. The port number can be configured by end users, so that may change. Some background which may help with creating policy. The daemon lsmd execs the plug-in. The plug-in needs network access and all that entails to connect to the external storage arrays over the network. The current targeted selinux policy allows the plug-in to create a socket if it is executed via the command line, but rejects it when executed via lsmd. Please note that plug-ins can be written in C or python at this time and will connect to a number of different listening ports, each of which is modifiable by the end user. Is that the default port (In reply to Daniel Walsh from comment #5) > Is that the default port For targetd plug-in yes. For other plugins, default ports: libstoragemgmt-ontap-plugin (80/443) libstoragemgmt-smis-plugin (5988/5989) libstoragemgmt-nstor-plugin (80/443) libstoragemgmt-ibm-v7k-plugin (22) But like I stated, the user can change. I believe we want to add a boolean for lsmd plugins. commit 4c57934448663d99368d0e1616c6f0c4849ed550 Author: Miroslav Grepl <mgrepl> Date: Tue Feb 25 15:16:49 2014 +0100 Add lsmd_plugin_connect_any boolean Also added commit 7ac723de65080bbbc0f2b125844fc2f46b50e764 Author: Miroslav Grepl <mgrepl> Date: Tue Feb 25 15:19:00 2014 +0100 Allow lsmd plugins to connect to http/ssh/http_caccommit selinux-policy-3.12.1-127.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/FEDORA-2014-2801/selinux-policy-3.12.1-127.fc20 Package selinux-policy-3.12.1-127.fc20: * should fix your issue, * was pushed to the Fedora 20 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-127.fc20' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2014-2801/selinux-policy-3.12.1-127.fc20 then log in and leave karma (feedback). selinux-policy-3.12.1-127.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report. |