Also appeared on RHEL Server release 7.2 Beta (Maipo).
selinux-policy-3.13.1-44.el7.noarch
kernel-3.10.0-306.0.1.el7.x86_64
+++ This bug was initially created as a clone of Bug #1258194 +++
Description of problem:
After updating to 4.1.6-200.fc22.x86_64, iscsi.service will not start and thus no iSCSI volume will mount.
SELinux is preventing iscsid from 'read' accesses on the file /usr/lib/modules/4.1.6-200.fc22.x86_64/modules.dep.bin.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that iscsid should be allowed read access on the modules.dep.bin file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep iscsid /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:iscsid_t:s0
Target Context unconfined_u:object_r:modules_dep_t:s0
Target Objects /usr/lib/modules/4.1.6-200.fc22.x86_64/modules.dep.bin [ file ]
Source iscsid
Source Path iscsid
Port <Unknown>
Host (removed)
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.13.1-128.12.fc22.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name (removed)
Platform Linux (removed) 4.1.6-200.fc22.x86_64 #1 SMP Mon Aug 17 19:54:31 UTC 2015 x86_64 x86_64
Alert Count 5
First Seen 2015-08-30 12:38:10 AWST
Last Seen 2015-08-30 15:30:53 AWST
Local ID 0be9475c-165c-4c20-bf91-27ddd8d5675d
Raw Audit Messages
type=AVC msg=audit(1440919853.461:678): avc: denied { read } for pid=1692 comm="iscsid" name="modules.dep.bin" dev="sdc4" ino=397616 scontext=system_u:system_r:iscsid_t:s0 tcontext=unconfined_u:object_r:modules_dep_t:s0 tclass=file permissive=0
Hash: iscsid,iscsid_t,modules_dep_t,file,read
Version-Release number of selected component:
selinux-policy-3.13.1-128.12.fc22.noarch
Additional info:
reporter: libreport-2.6.2
hashmarkername: setroubleshoot
kernel: 4.1.6-200.fc22.x86_64
type: libreport
--- Additional comment from Daniel Rowe on 2015-08-30 04:01:46 EDT ---
It's not the update to the latest kernel, as I rebooted into the previous one and it's still broken.
--- Additional comment from Daniel Rowe on 2015-08-30 04:16:17 EDT ---
This fixes it for me for now:
module iscsi_fix 1.0;
require {
type iscsid_t;
type modules_dep_t;
class file { read getattr open };
}
#============= iscsid_t ==============
allow iscsid_t modules_dep_t:file getattr;
#!!!! This avc is allowed in the current policy
allow iscsid_t modules_dep_t:file { read open };
--- Additional comment from Corey Sheldon on 2015-08-30 07:19:21 EDT ---
Have you tried an SELinux relabel? Your comment (comment 2) seems to suggest that the SELinux labels are NOT being applied properly natively. What was the previous kernel, 4.1.5 or something earlier than that? (Updated-from version / kernel not shown.)
--- Additional comment from Daniel Rowe on 2015-08-30 07:27:54 EDT ---
I did a "restorecon -Rv /lib/modules" on the folder and there was no output.
[root@bajor 4.1.6-200.fc22.x86_64]# ls -Z modules.dep.bin
unconfined_u:object_r:modules_dep_t:s0 modules.dep.bin
I'm not sure it was the kernel, I just had a look at the logs and selinux policy was updated could it be an issue with this:
For the dnf.log:
Aug 30 12:32:26 DEBUG ---> Package selinux-policy.noarch 3.13.1-128.10.fc22 will be upgraded
Aug 30 12:32:26 DEBUG ---> Package selinux-policy.noarch 3.13.1-128.12.fc22 will be an upgrade
Aug 30 12:32:26 DEBUG ---> Package selinux-policy-targeted.noarch 3.13.1-128.10.fc22 will be upgraded
Aug 30 12:32:26 DEBUG ---> Package selinux-policy-targeted.noarch 3.13.1-128.12.fc22 will be an upgrade
--- Additional comment from Fredy Neeser on 2015-09-14 14:17:35 EDT ---
Same issue here with iscsi initiator (iscsid) no longer working due to SELinux AVCs.
The SELinux AVCs for iscsid started appearing in the Aug./Sept. 2015 time frame. Using the following command I noted that the selinux default security contexts for certain files in /usr/lib/modules were changed recently:
# restorecon -nrv /usr/lib/modules
restorecon reset /usr/lib/modules/4.1.6-200.fc22.x86_64/modules.symbols.bin context system_u:object_r:modules_object_t:s0->system_u:object_r:modules_dep_t:s0
restorecon reset /usr/lib/modules/4.1.6-200.fc22.x86_64/modules.softdep context system_u:object_r:modules_object_t:s0->system_u:object_r:modules_dep_t:s0
restorecon reset /usr/lib/modules/4.1.6-200.fc22.x86_64/modules.builtin.bin context system_u:object_r:modules_object_t:s0->system_u:object_r:modules_dep_t:s0
restorecon reset /usr/lib/modules/4.1.6-200.fc22.x86_64/modules.dep context system_u:object_r:modules_object_t:s0->system_u:object_r:modules_dep_t:s0
restorecon reset /usr/lib/modules/4.1.6-200.fc22.x86_64/modules.alias context system_u:object_r:modules_object_t:s0->system_u:object_r:modules_dep_t:s0
restorecon reset /usr/lib/modules/4.1.6-200.fc22.x86_64/modules.dep.bin context system_u:object_r:modules_object_t:s0->system_u:object_r:modules_dep_t:s0
restorecon reset /usr/lib/modules/4.1.6-200.fc22.x86_64/modules.alias.bin context system_u:object_r:modules_object_t:s0->system_u:object_r:modules_dep_t:s0
restorecon reset /usr/lib/modules/4.1.6-200.fc22.x86_64/modules.devname context system_u:object_r:modules_object_t:s0->system_u:object_r:modules_dep_t:s0
restorecon reset /usr/lib/modules/4.1.6-200.fc22.x86_64/modules.symbols context system_u:object_r:modules_object_t:s0->system_u:object_r:modules_dep_t:s0
restorecon reset /usr/lib/modules/4.0.8-300.fc22.x86_64/modules.symbols.bin context system_u:object_r:modules_object_t:s0->system_u:object_r:modules_dep_t:s0
restorecon reset /usr/lib/modules/4.0.8-300.fc22.x86_64/modules.softdep context system_u:object_r:modules_object_t:s0->system_u:object_r:modules_dep_t:s0
restorecon reset /usr/lib/modules/4.0.8-300.fc22.x86_64/modules.builtin.bin context system_u:object_r:modules_object_t:s0->system_u:object_r:modules_dep_t:s0
restorecon reset /usr/lib/modules/4.0.8-300.fc22.x86_64/modules.dep context system_u:object_r:modules_object_t:s0->system_u:object_r:modules_dep_t:s0
restorecon reset /usr/lib/modules/4.0.8-300.fc22.x86_64/modules.alias context system_u:object_r:modules_object_t:s0->system_u:object_r:modules_dep_t:s0
restorecon reset /usr/lib/modules/4.0.8-300.fc22.x86_64/modules.dep.bin context system_u:object_r:modules_object_t:s0->system_u:object_r:modules_dep_t:s0
restorecon reset /usr/lib/modules/4.0.8-300.fc22.x86_64/modules.alias.bin context system_u:object_r:modules_object_t:s0->system_u:object_r:modules_dep_t:s0
restorecon reset /usr/lib/modules/4.0.8-300.fc22.x86_64/modules.devname context system_u:object_r:modules_object_t:s0->system_u:object_r:modules_dep_t:s0
restorecon reset /usr/lib/modules/4.0.8-300.fc22.x86_64/modules.symbols context system_u:object_r:modules_object_t:s0->system_u:object_r:modules_dep_t:s0
OK ... so I had to fix these labels as follows:
# restorecon -rv /usr/lib/modules
restorecon reset /usr/lib/modules/4.1.6-200.fc22.x86_64/modules.symbols.bin context system_u:object_r:modules_object_t:s0->system_u:object_r:modules_dep_t:s0
restorecon reset /usr/lib/modules/4.1.6-200.fc22.x86_64/modules.softdep context system_u:object_r:modules_object_t:s0->system_u:object_r:modules_dep_t:s0
restorecon reset /usr/lib/modules/4.1.6-200.fc22.x86_64/modules.builtin.bin context system_u:object_r:modules_object_t:s0->system_u:object_r:modules_dep_t:s0
restorecon reset /usr/lib/modules/4.1.6-200.fc22.x86_64/modules.dep context system_u:object_r:modules_object_t:s0->system_u:object_r:modules_dep_t:s0
restorecon reset /usr/lib/modules/4.1.6-200.fc22.x86_64/modules.alias context system_u:object_r:modules_object_t:s0->system_u:object_r:modules_dep_t:s0
restorecon reset /usr/lib/modules/4.1.6-200.fc22.x86_64/modules.dep.bin context system_u:object_r:modules_object_t:s0->system_u:object_r:modules_dep_t:s0
restorecon reset /usr/lib/modules/4.1.6-200.fc22.x86_64/modules.alias.bin context system_u:object_r:modules_object_t:s0->system_u:object_r:modules_dep_t:s0
restorecon reset /usr/lib/modules/4.1.6-200.fc22.x86_64/modules.devname context system_u:object_r:modules_object_t:s0->system_u:object_r:modules_dep_t:s0
restorecon reset /usr/lib/modules/4.1.6-200.fc22.x86_64/modules.symbols context system_u:object_r:modules_object_t:s0->system_u:object_r:modules_dep_t:s0
restorecon reset /usr/lib/modules/4.0.8-300.fc22.x86_64/modules.symbols.bin context system_u:object_r:modules_object_t:s0->system_u:object_r:modules_dep_t:s0
restorecon reset /usr/lib/modules/4.0.8-300.fc22.x86_64/modules.softdep context system_u:object_r:modules_object_t:s0->system_u:object_r:modules_dep_t:s0
restorecon reset /usr/lib/modules/4.0.8-300.fc22.x86_64/modules.builtin.bin context system_u:object_r:modules_object_t:s0->system_u:object_r:modules_dep_t:s0
restorecon reset /usr/lib/modules/4.0.8-300.fc22.x86_64/modules.dep context system_u:object_r:modules_object_t:s0->system_u:object_r:modules_dep_t:s0
restorecon reset /usr/lib/modules/4.0.8-300.fc22.x86_64/modules.alias context system_u:object_r:modules_object_t:s0->system_u:object_r:modules_dep_t:s0
restorecon reset /usr/lib/modules/4.0.8-300.fc22.x86_64/modules.dep.bin context system_u:object_r:modules_object_t:s0->system_u:object_r:modules_dep_t:s0
restorecon reset /usr/lib/modules/4.0.8-300.fc22.x86_64/modules.alias.bin context system_u:object_r:modules_object_t:s0->system_u:object_r:modules_dep_t:s0
restorecon reset /usr/lib/modules/4.0.8-300.fc22.x86_64/modules.devname context system_u:object_r:modules_object_t:s0->system_u:object_r:modules_dep_t:s0
restorecon reset /usr/lib/modules/4.0.8-300.fc22.x86_64/modules.symbols context system_u:object_r:modules_object_t:s0->system_u:object_r:modules_dep_t:s0
This did the job, because 'restorecon -nrv' no longer generated any output after this:
# restorecon -nrv /usr/lib/modules
--- Additional comment from Fredy Neeser on 2015-09-14 14:27:03 EDT ---
The above did not resolve the AVC denials to iscsid. Symptoms included:
audit[1612]: <audit-1400> avc: denied { read } for pid=1612 comm="iscsid" name="modules.softdep" dev="dm-2" ino=3025080 scontext=system_u:system_r:iscsid_t:s0 tcontext=unconfined_u:object_r:modules_dep_t:s0 tclass=file permissive=0
audit[1612]: <audit-1300> arch=c000003e syscall=2 success=no exit=-13 a0=7ffe04b980a0 a1=80000 a2=7ffe04b980d2 a3=5f3638782e323263 items=0 ppid=1 pid=1612 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iscsid" exe="/usr/sbin/iscsid" subj=system_u:system_r:iscsid_t:s0 key=(null)
iscsiadm[1607]: iscsiadm: initiator reported error (12 - iSCSI driver not found. Please make sure it is loaded, and retry the operation)
iscsid[1611]: Could not insert module tcp. Kmod error -38
SELinux suggests the following, along with similar suggestions for other files in /usr/lib/modules:
python[1624]: SELinux is preventing /usr/sbin/iscsid from read access on the file /usr/lib/modules/4.1.3-201.fc22.x86_64/modules.softdep.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that iscsid should be allowed read access on the modules.softdep file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep iscsid /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
===> OK, I'll try this next ...
--- Additional comment from Fredy Neeser on 2015-09-14 14:54:16 EDT ---
The selinux suggestions do not explain that one may need multiple iterations to create a local policy module for fixing the AVCs generated by iscsid. After doing a first iteration that allows a certain access, iscsid may do other things that trigger different AVCs ...
So we need to iteratively create/install/test a local policy module 'iscsi-fix' by repeating
# grep iscsid /var/log/audit/audit.log | audit2allow -M iscsi-fix
# semodule -r iscsi-fix
# semodule -i iscsi-fix.pp
% Should probably restart iscsid.service
# systemctl restart iscsid.service
% Retest iscsid ...
until iscsid no longer generates any AVC denials.
This procedure keeps updating two files in the work directory, namely
iscsi-fix.pp
iscsi-fix.te
Note that directly installing (or upgrading) the updated iscsi-fix did not work, but it was possible to remove and then reinstall the local policy module.
With the above iterative approach, I ended up with an iscsi-fix.te as shown below (equivalent to the one in Comment 2):
module iscsi-fix 1.0;
require {
type iscsid_t;
type modules_dep_t;
class file { read getattr open };
}
#============= iscsid_t ==============
allow iscsid_t modules_dep_t:file getattr;
#!!!! This avc is allowed in the current policy
allow iscsid_t modules_dep_t:file { read open };
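The grep | audit2allow | semodule loop in Comment 7 is the step that turns raw AVC records into the allow rules shown in Comment 2 and Comment 7. The Python below is an added example, not part of the bug report and not audit2allow's own code; it reproduces that translation on constructed sample records modelled on the denials quoted on this page (both the audit.log form from the description and the journal form from Comment 6, plus one unrelated httpd record to show why the grep filter matters), so a reader can see exactly which (source type, target type, class, permission) tuples a generated module would grant before running semodule -i. The restorecon output in Comment 5 is consistent with the policy update having moved the modules.* files from modules_object_t to modules_dep_t, so any allow rule produced here widens iscsid_t's access to every modules_dep_t file: keep it to the permissions actually denied, and drop the local module once the distribution policy carries the rule. The multiple-iteration problem Comment 7 describes can also be avoided by logging all of iscsid's denials in one pass with only that domain permissive (semanage permissive -a iscsid_t, later reverted with semanage permissive -d iscsid_t) instead of the whole system.

```python
"""Rebuild the audit2allow translation step from raw AVC records.

Added example for this bug report; it is not audit2allow and does not
install anything. It only shows what a generated .te module would grant.
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Set, Tuple

# Constructed sample log, modelled on the denials quoted in this report:
# the audit.log record for modules.dep.bin, the journal-format record for
# modules.softdep, a getattr denial of the same kind, a SYSCALL record
# (not an AVC), and an unrelated httpd denial to show the comm filter.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1440919853.461:678): avc:  denied  { read } for  pid=1692 comm="iscsid" name="modules.dep.bin" dev="sdc4" ino=397616 scontext=system_u:system_r:iscsid_t:s0 tcontext=unconfined_u:object_r:modules_dep_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1440919853.461:678): arch=c000003e syscall=2 success=no exit=-13 comm="iscsid" exe="/usr/sbin/iscsid"
audit[1612]: <audit-1400> avc: denied { read open } for pid=1612 comm="iscsid" name="modules.softdep" dev="dm-2" ino=3025080 scontext=system_u:system_r:iscsid_t:s0 tcontext=unconfined_u:object_r:modules_dep_t:s0 tclass=file permissive=0
type=AVC msg=audit(1442256000.101:913): avc:  denied  { getattr } for  pid=1612 comm="iscsid" path="/usr/lib/modules/4.1.6-200.fc22.x86_64/modules.dep" dev="dm-2" ino=3025081 scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file permissive=0
type=AVC msg=audit(1442256000.200:950): avc:  denied  { write } for  pid=2001 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=0
"""


class Denial(NamedTuple):
    comm: str
    perms: frozenset
    stype: str   # source (process) type, e.g. iscsid_t
    ttype: str   # target (object) type, e.g. modules_dep_t
    tclass: str  # object class, e.g. file


# Matches both audit.log ("type=AVC ... avc:  denied  { read } ...") and
# journald ("audit[pid]: <audit-1400> avc: denied { read } ...") forms.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<scontext>\S+)'
    r'\s+tcontext=(?P<tcontext>\S+)'
    r'\s+tclass=(?P<tclass>\S+)'
)

RuleKey = Tuple[str, str, str]  # (source type, target type, object class)


def context_type(ctx: str) -> str:
    """user:role:type[:range]; the type is always the third field, even with an MLS range."""
    return ctx.split(":")[2]


def parse_avc_denials(log_text: str, comm: Optional[str] = None) -> List[Denial]:
    """Extract AVC denials, optionally only those from one command (the 'grep iscsid' step)."""
    denials: List[Denial] = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or (comm is not None and m.group("comm") != comm):
            continue
        denials.append(Denial(
            comm=m.group("comm"),
            perms=frozenset(m.group("perms").split()),
            stype=context_type(m.group("scontext")),
            ttype=context_type(m.group("tcontext")),
            tclass=m.group("tclass"),
        ))
    return denials


def build_allow_rules(denials: List[Denial]) -> Dict[RuleKey, Set[str]]:
    """Fold denials into one permission set per (stype, ttype, tclass), as audit2allow does."""
    rules: Dict[RuleKey, Set[str]] = defaultdict(set)
    for d in denials:
        rules[(d.stype, d.ttype, d.tclass)].update(d.perms)
    return dict(rules)


def render_te_module(name: str, rules: Dict[RuleKey, Set[str]], version: str = "1.0") -> str:
    """Render a .te source in the shape shown in the report: module, require block, allow rules."""
    types = sorted({s for (s, _t, _c) in rules} | {t for (_s, t, _c) in rules})
    classes: Dict[str, Set[str]] = defaultdict(set)
    for (_s, _t, c), perms in rules.items():
        classes[c].update(perms)
    out = [f"module {name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for stype in sorted({s for (s, _t, _c) in rules}):
        out.append(f"#============= {stype} ==============")
        for (s, t, c), perms in sorted(rules.items()):
            if s == stype:
                out.append(f"allow {s} {t}:{c} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Equivalent of: grep iscsid audit.log | audit2allow -M iscsi-fix  (review before semodule -i)
    print(render_te_module("iscsi-fix", build_allow_rules(parse_avc_denials(SAMPLE_AUDIT_LOG, comm="iscsid"))))
```

Running it prints a module equivalent to the iscsi-fix.te in Comment 7 (a single allow for iscsid_t on modules_dep_t:file with getattr, open and read); without the comm filter the unrelated httpd denial would have been folded in as a second allow rule, which is the kind of over-broad grant a reviewer should catch before installing a generated module.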
--- Additional comment from Fredy Neeser on 2015-09-14 15:00:43 EDT ---
After applying the steps in Comment 7 and rebooting, the journal no longer shows any of the previous errors:
- SELinux access denials (avc: denied ...) for iscsid
- iscsiadm[1607]: iscsiadm: initiator reported error (12 - iSCSI driver not found. Please make sure it is loaded, and retry the operation)
- iscsid[1611]: Could not insert module tcp. Kmod error -38
- setroubleshoot messages for iscsid