Bug 1267638

Summary: SELinux is preventing iscsid from 'read' accesses on the file /usr/lib/modules/4.1.6-200.fc22.x86_64/modules.dep.bin.
Product: Red Hat Enterprise Linux 7 Reporter: Filip Hubík <fhubik>
Component: selinux-policy    Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED DUPLICATE QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: unspecified Docs Contact:
Priority: urgent    
Version: 7.2    CC: bart, dominick.grift, dwalsh, extras-qa, fdeutsch, lvrabec, mgrepl, mmalik, nfd, plautrba, pvrabec, sheldon.corey, ssekidde, tkammer
Target Milestone: rc   
Target Release: ---   
Hardware: x86_64   
OS: Unspecified   
Whiteboard: abrt_hash:e7f6d79eaa46b58087c9785611df7f86c6a436a3b2549aeb44dd34f629e5462b
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 1258194 Environment:
Last Closed: 2015-10-02 08:39:43 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1258194    
Bug Blocks:    

Description Filip Hubík 2015-09-30 14:36:08 UTC
Also appeared on RHEL Server release 7.2 Beta (Maipo).

selinux-policy-3.13.1-44.el7.noarch
kernel-3.10.0-306.0.1.el7.x86_64

+++ This bug was initially created as a clone of Bug #1258194 +++

Description of problem:
After updating to 4.1.6-200.fc22.x86_64 iscsi.service will not start and thus no iscsi volume will mount.
SELinux is preventing iscsid from 'read' accesses on the file /usr/lib/modules/4.1.6-200.fc22.x86_64/modules.dep.bin.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that iscsid should be allowed read access on the modules.dep.bin file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep iscsid /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:iscsid_t:s0
Target Context                unconfined_u:object_r:modules_dep_t:s0
Target Objects                /usr/lib/modules/4.1.6-200.fc22.x86_64/modules.dep.bin [ file ]
Source                        iscsid
Source Path                   iscsid
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-128.12.fc22.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.1.6-200.fc22.x86_64 #1 SMP Mon Aug 17 19:54:31 UTC 2015 x86_64 x86_64
Alert Count                   5
First Seen                    2015-08-30 12:38:10 AWST
Last Seen                     2015-08-30 15:30:53 AWST
Local ID                      0be9475c-165c-4c20-bf91-27ddd8d5675d

Raw Audit Messages
type=AVC msg=audit(1440919853.461:678): avc:  denied  { read } for  pid=1692 comm="iscsid" name="modules.dep.bin" dev="sdc4" ino=397616 scontext=system_u:system_r:iscsid_t:s0 tcontext=unconfined_u:object_r:modules_dep_t:s0 tclass=file permissive=0


Hash: iscsid,iscsid_t,modules_dep_t,file,read

Version-Release number of selected component:
selinux-policy-3.13.1-128.12.fc22.noarch

Additional info:
reporter:       libreport-2.6.2
hashmarkername: setroubleshoot
kernel:         4.1.6-200.fc22.x86_64
type:           libreport

--- Additional comment from Daniel Rowe on 2015-08-30 04:01:46 EDT ---

It's not the update to the latest kernel, as I rebooted into the previous one and it's still broken.

--- Additional comment from Daniel Rowe on 2015-08-30 04:16:17 EDT ---

This fixes it for me for now:

module iscsi_fix 1.0;

require {
	type iscsid_t;
	type modules_dep_t;
	class file { read getattr open };
}

#============= iscsid_t ==============
allow iscsid_t modules_dep_t:file getattr;

#!!!! This avc is allowed in the current policy
allow iscsid_t modules_dep_t:file { read open };

--- Additional comment from Corey Sheldon on 2015-08-30 07:19:21 EDT ---

Have you tried a selinux relabel? Your comment (comment 2) seems to lend to the selinux tags NOT being natively labeled properly. What was the previous kernel, 4.1.5 or something previous to that? (Updated-from version / kernel not shown.)

--- Additional comment from Daniel Rowe on 2015-08-30 07:27:54 EDT ---

I did a "restorecon -Rv /lib/modules" on the folder and there was no output.

[root@bajor 4.1.6-200.fc22.x86_64]# ls -Z modules.dep.bin
unconfined_u:object_r:modules_dep_t:s0 modules.dep.bin

I'm not sure it was the kernel. I just had a look at the logs and the selinux policy was updated; could it be an issue with this?

From dnf.log:

Aug 30 12:32:26 DEBUG ---> Package selinux-policy.noarch 3.13.1-128.10.fc22 will be upgraded
Aug 30 12:32:26 DEBUG ---> Package selinux-policy.noarch 3.13.1-128.12.fc22 will be an upgrade
Aug 30 12:32:26 DEBUG ---> Package selinux-policy-targeted.noarch 3.13.1-128.10.fc22 will be upgraded
Aug 30 12:32:26 DEBUG ---> Package selinux-policy-targeted.noarch 3.13.1-128.12.fc22 will be an upgrade

--- Additional comment from Fredy Neeser on 2015-09-14 14:17:35 EDT ---

Same issue here with iscsi initiator (iscsid) no longer working due to SELinux AVCs.

The SELinux AVCs for iscsid started appearing in the Aug./Sept. 2015 time frame.  Using the following command I noted that the selinux default security contexts for certain files in /usr/lib/modules were changed recently:

# restorecon -nrv /usr/lib/modules
restorecon reset /usr/lib/modules/4.1.6-200.fc22.x86_64/modules.symbols.bin context system_u:object_r:modules_object_t:s0->system_u:object_r:modules_dep_t:s0
restorecon reset /usr/lib/modules/4.1.6-200.fc22.x86_64/modules.softdep context system_u:object_r:modules_object_t:s0->system_u:object_r:modules_dep_t:s0
restorecon reset /usr/lib/modules/4.1.6-200.fc22.x86_64/modules.builtin.bin context system_u:object_r:modules_object_t:s0->system_u:object_r:modules_dep_t:s0
restorecon reset /usr/lib/modules/4.1.6-200.fc22.x86_64/modules.dep context system_u:object_r:modules_object_t:s0->system_u:object_r:modules_dep_t:s0
restorecon reset /usr/lib/modules/4.1.6-200.fc22.x86_64/modules.alias context system_u:object_r:modules_object_t:s0->system_u:object_r:modules_dep_t:s0
restorecon reset /usr/lib/modules/4.1.6-200.fc22.x86_64/modules.dep.bin context system_u:object_r:modules_object_t:s0->system_u:object_r:modules_dep_t:s0
restorecon reset /usr/lib/modules/4.1.6-200.fc22.x86_64/modules.alias.bin context system_u:object_r:modules_object_t:s0->system_u:object_r:modules_dep_t:s0
restorecon reset /usr/lib/modules/4.1.6-200.fc22.x86_64/modules.devname context system_u:object_r:modules_object_t:s0->system_u:object_r:modules_dep_t:s0
restorecon reset /usr/lib/modules/4.1.6-200.fc22.x86_64/modules.symbols context system_u:object_r:modules_object_t:s0->system_u:object_r:modules_dep_t:s0
restorecon reset /usr/lib/modules/4.0.8-300.fc22.x86_64/modules.symbols.bin context system_u:object_r:modules_object_t:s0->system_u:object_r:modules_dep_t:s0
restorecon reset /usr/lib/modules/4.0.8-300.fc22.x86_64/modules.softdep context system_u:object_r:modules_object_t:s0->system_u:object_r:modules_dep_t:s0
restorecon reset /usr/lib/modules/4.0.8-300.fc22.x86_64/modules.builtin.bin context system_u:object_r:modules_object_t:s0->system_u:object_r:modules_dep_t:s0
restorecon reset /usr/lib/modules/4.0.8-300.fc22.x86_64/modules.dep context system_u:object_r:modules_object_t:s0->system_u:object_r:modules_dep_t:s0
restorecon reset /usr/lib/modules/4.0.8-300.fc22.x86_64/modules.alias context system_u:object_r:modules_object_t:s0->system_u:object_r:modules_dep_t:s0
restorecon reset /usr/lib/modules/4.0.8-300.fc22.x86_64/modules.dep.bin context system_u:object_r:modules_object_t:s0->system_u:object_r:modules_dep_t:s0
restorecon reset /usr/lib/modules/4.0.8-300.fc22.x86_64/modules.alias.bin context system_u:object_r:modules_object_t:s0->system_u:object_r:modules_dep_t:s0
restorecon reset /usr/lib/modules/4.0.8-300.fc22.x86_64/modules.devname context system_u:object_r:modules_object_t:s0->system_u:object_r:modules_dep_t:s0
restorecon reset /usr/lib/modules/4.0.8-300.fc22.x86_64/modules.symbols context system_u:object_r:modules_object_t:s0->system_u:object_r:modules_dep_t:s0

OK ... so I had to fix these labels as follows:

# restorecon -rv /usr/lib/modules
restorecon reset /usr/lib/modules/4.1.6-200.fc22.x86_64/modules.symbols.bin context system_u:object_r:modules_object_t:s0->system_u:object_r:modules_dep_t:s0
restorecon reset /usr/lib/modules/4.1.6-200.fc22.x86_64/modules.softdep context system_u:object_r:modules_object_t:s0->system_u:object_r:modules_dep_t:s0
restorecon reset /usr/lib/modules/4.1.6-200.fc22.x86_64/modules.builtin.bin context system_u:object_r:modules_object_t:s0->system_u:object_r:modules_dep_t:s0
restorecon reset /usr/lib/modules/4.1.6-200.fc22.x86_64/modules.dep context system_u:object_r:modules_object_t:s0->system_u:object_r:modules_dep_t:s0
restorecon reset /usr/lib/modules/4.1.6-200.fc22.x86_64/modules.alias context system_u:object_r:modules_object_t:s0->system_u:object_r:modules_dep_t:s0
restorecon reset /usr/lib/modules/4.1.6-200.fc22.x86_64/modules.dep.bin context system_u:object_r:modules_object_t:s0->system_u:object_r:modules_dep_t:s0
restorecon reset /usr/lib/modules/4.1.6-200.fc22.x86_64/modules.alias.bin context system_u:object_r:modules_object_t:s0->system_u:object_r:modules_dep_t:s0
restorecon reset /usr/lib/modules/4.1.6-200.fc22.x86_64/modules.devname context system_u:object_r:modules_object_t:s0->system_u:object_r:modules_dep_t:s0
restorecon reset /usr/lib/modules/4.1.6-200.fc22.x86_64/modules.symbols context system_u:object_r:modules_object_t:s0->system_u:object_r:modules_dep_t:s0
restorecon reset /usr/lib/modules/4.0.8-300.fc22.x86_64/modules.symbols.bin context system_u:object_r:modules_object_t:s0->system_u:object_r:modules_dep_t:s0
restorecon reset /usr/lib/modules/4.0.8-300.fc22.x86_64/modules.softdep context system_u:object_r:modules_object_t:s0->system_u:object_r:modules_dep_t:s0
restorecon reset /usr/lib/modules/4.0.8-300.fc22.x86_64/modules.builtin.bin context system_u:object_r:modules_object_t:s0->system_u:object_r:modules_dep_t:s0
restorecon reset /usr/lib/modules/4.0.8-300.fc22.x86_64/modules.dep context system_u:object_r:modules_object_t:s0->system_u:object_r:modules_dep_t:s0
restorecon reset /usr/lib/modules/4.0.8-300.fc22.x86_64/modules.alias context system_u:object_r:modules_object_t:s0->system_u:object_r:modules_dep_t:s0
restorecon reset /usr/lib/modules/4.0.8-300.fc22.x86_64/modules.dep.bin context system_u:object_r:modules_object_t:s0->system_u:object_r:modules_dep_t:s0
restorecon reset /usr/lib/modules/4.0.8-300.fc22.x86_64/modules.alias.bin context system_u:object_r:modules_object_t:s0->system_u:object_r:modules_dep_t:s0
restorecon reset /usr/lib/modules/4.0.8-300.fc22.x86_64/modules.devname context system_u:object_r:modules_object_t:s0->system_u:object_r:modules_dep_t:s0
restorecon reset /usr/lib/modules/4.0.8-300.fc22.x86_64/modules.symbols context system_u:object_r:modules_object_t:s0->system_u:object_r:modules_dep_t:s0

This did the job, because 'restorecon -nrv' no longer generated any output after this:
# restorecon -nrv /usr/lib/modules

--- Additional comment from Fredy Neeser on 2015-09-14 14:27:03 EDT ---

The above did not resolve the AVC denials to iscsid.  Symptoms included:

audit[1612]: <audit-1400> avc:  denied  { read } for  pid=1612 comm="iscsid" name="modules.softdep" dev="dm-2" ino=3025080 scontext=system_u:system_r:iscsid_t:s0 tcontext=unconfined_u:object_r:modules_dep_t:s0 tclass=file permissive=0

audit[1612]: <audit-1300> arch=c000003e syscall=2 success=no exit=-13 a0=7ffe04b980a0 a1=80000 a2=7ffe04b980d2 a3=5f3638782e323263 items=0 ppid=1 pid=1612 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iscsid" exe="/usr/sbin/iscsid" subj=system_u:system_r:iscsid_t:s0 key=(null)
  
iscsiadm[1607]: iscsiadm: initiator reported error (12 - iSCSI driver not found. Please make sure it is loaded, and retry the operation)

iscsid[1611]: Could not insert module tcp. Kmod error -38


SELinux suggests the following, along with similar suggestions for other files in /usr/lib/modules:

python[1624]: SELinux is preventing /usr/sbin/iscsid from read access on the file /usr/lib/modules/4.1.3-201.fc22.x86_64/modules.softdep.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that iscsid should be allowed read access on the modules.softdep file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep iscsid /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


===> OK, I'll try this next ...

--- Additional comment from Fredy Neeser on 2015-09-14 14:54:16 EDT ---

The selinux suggestions do not explain that one may need multiple iterations to create a local policy module for fixing the AVCs generated by iscsid.  After doing a first iteration that allows a certain access, iscsid may do other things that trigger different AVCs ...

So we need to iteratively create/install/test a local policy module 'iscsi-fix' by repeating

  # grep iscsid /var/log/audit/audit.log | audit2allow -M iscsi-fix  
  # semodule -r iscsi-fix
  # semodule -i iscsi-fix.pp
  
  % Should probably restart iscsid.service
  # systemctl restart iscsid.service
  % Retest iscsid ... 
  
until iscsid no longer generates any AVC denials.  

This procedure keeps updating two files in the work directory, namely
  iscsi-fix.pp
  iscsi-fix.te

Note that directly installing (or upgrading) the updated iscsi-fix did not work, but it was possible to remove and then reinstall the local policy module.

With the above iterative approach, I ended up with an iscsi-fix.te as shown below (equivalent to the one in Comment 2):

module iscsi-fix 1.0;

require {
	type iscsid_t;
	type modules_dep_t;
	class file { read getattr open };
}

#============= iscsid_t ==============
allow iscsid_t modules_dep_t:file getattr;

#!!!! This avc is allowed in the current policy
allow iscsid_t modules_dep_t:file { read open };

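Added example (not part of the bug thread, and not the reporter's or audit2allow's own code): a small offline reimplementation of what the `grep iscsid ... | audit2allow -M` step in Comment 7 does, so the iterations can be understood and reviewed before anything is loaded with semodule. It parses AVC records in both formats quoted in this bug (audit.log `type=AVC` lines and journal `audit[pid]: <audit-1400>` lines), merges every denied permission per (source type, target type, class), and renders a .te file in the same shape as the iscsi-fix.te above. The sample input is constructed: the two `read` denials are the ones quoted in this report, the `open` and `getattr` records are made up to reproduce the full set of permissions the reporter ended up with. Unlike audit2allow it does not consult the loaded policy, so it cannot mark rules that are already allowed; check labels first with `restorecon -nrv` as in Comment 5, since a mislabeled file needs a relabel, not an allow rule.

```python
import re
from collections import OrderedDict

# Constructed sample: AVC denials for iscsid as they appear in audit.log and in journalctl.
# The first two records are quoted from this bug; the open/getattr ones are made up.
SAMPLE_AVCS = """\
type=AVC msg=audit(1440919853.461:678): avc:  denied  { read } for  pid=1692 comm="iscsid" name="modules.dep.bin" dev="sdc4" ino=397616 scontext=system_u:system_r:iscsid_t:s0 tcontext=unconfined_u:object_r:modules_dep_t:s0 tclass=file permissive=0
audit[1612]: <audit-1400> avc:  denied  { read } for  pid=1612 comm="iscsid" name="modules.softdep" dev="dm-2" ino=3025080 scontext=system_u:system_r:iscsid_t:s0 tcontext=unconfined_u:object_r:modules_dep_t:s0 tclass=file permissive=0
audit[1612]: <audit-1400> avc:  denied  { open } for  pid=1612 comm="iscsid" name="modules.softdep" dev="dm-2" ino=3025080 scontext=system_u:system_r:iscsid_t:s0 tcontext=unconfined_u:object_r:modules_dep_t:s0 tclass=file permissive=0
audit[1612]: <audit-1400> avc:  denied  { getattr } for  pid=1612 comm="iscsid" path="/usr/lib/modules/4.1.6-200.fc22.x86_64/modules.dep.bin" dev="sdc4" ino=397616 scontext=system_u:system_r:iscsid_t:s0 tcontext=unconfined_u:object_r:modules_dep_t:s0 tclass=file permissive=0
"""

# Field order in an AVC record: denied { perms } ... comm=... scontext= tcontext= tclass=
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)


def parse_denials(text, comm):
    """Map (source type, target type, class) -> ordered list of denied perms for `comm`."""
    rules = OrderedDict()
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group("comm") != comm:
            continue
        stype = m.group("scon").split(":")[2]  # user:role:type:level -> type
        ttype = m.group("tcon").split(":")[2]
        perms = rules.setdefault((stype, ttype, m.group("tclass")), [])
        for p in m.group("perms").split():
            if p not in perms:
                perms.append(p)
    return rules


def build_te(module, version, rules):
    """Render policy source in the layout audit2allow -M writes (module, require, allow)."""
    types, classes = [], OrderedDict()
    for (stype, ttype, tclass), perms in rules.items():
        types += [t for t in (stype, ttype) if t not in types]
        cls = classes.setdefault(tclass, [])
        cls += [p for p in perms if p not in cls]
    out = ["module %s %s;" % (module, version), "", "require {"]
    out += ["\ttype %s;" % t for t in types]
    out += ["\tclass %s { %s };" % (c, " ".join(p)) for c, p in classes.items()]
    out += ["}", ""]
    for (stype, ttype, tclass), perms in rules.items():
        out.append("#============= %s ==============" % stype)
        out.append("allow %s %s:%s { %s };" % (stype, ttype, tclass, " ".join(perms)))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(build_te("iscsi-fix", "1.0", parse_denials(SAMPLE_AVCS, "iscsid")))
```

Feed it `grep iscsid /var/log/audit/audit.log` instead of the sample to see the rules an iteration would add; the resulting .te is compiled with checkmodule/semodule_package (or regenerated with audit2allow) before `semodule -i`.
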
--- Additional comment from Fredy Neeser on 2015-09-14 15:00:43 EDT ---

After applying the steps in Comment 7 and rebooting, the journal no longer shows any of the previous errors:

- SELinux access denials (avc: denied ...) for iscsid
- iscsiadm[1607]: iscsiadm: initiator reported error (12 - iSCSI driver not found. Please make sure it is loaded, and retry the operation)
- iscsid[1611]: Could not insert module tcp. Kmod error -38
- setroubleshoot messages for iscsid

Comment 2 Milos Malik 2015-09-30 14:47:06 UTC
I believe this bug is a duplicate of BZ#1266928.

Comment 3 Miroslav Grepl 2015-10-02 08:39:43 UTC

*** This bug has been marked as a duplicate of bug 1266928 ***