Bug 1451139
| Field | Value |
|---|---|
| Summary | After installing updates, targetd throws numerous SELinux errors |
| Product | [Fedora] Fedora |
| Component | targetd |
| Version | 25 |
| Hardware | Unspecified |
| OS | Unspecified |
| Status | CLOSED EOL |
| Severity | unspecified |
| Priority | unspecified |
| Reporter | Clark Hale <chale> |
| Assignee | Tony Asleson <tasleson> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | agrover, tasleson |
| Type | Bug |
| Last Closed | 2017-12-12 10:55:01 UTC |
Created attachment 1279153
targetd.yaml configuration
Fedora 25 changed to end-of-life (EOL) status on 2017-12-12. Fedora 25 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug.

Thank you for reporting this bug and we are sorry it could not be fixed.
Created attachment 1279152
Client program

Description of problem:
After installing Fedora updates, targetd now fails to provision any target because of SELinux errors. In a base install (only targetd related packages from updates), targetd works as expected.

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
1. dnf update -y
2. dnf update targetd -y
3. Create vg-targetd volume group
4. Configure a targetd.yaml, like attachment
5. Run the attached client script (modified from /usr/share/doc/targetd/client)

Actual results:
From audit.log:

type=AVC msg=audit(1494887475.530:240000): avc: denied { accept } for pid=891 comm="targetd" lport=18700 scontext=system_u:system_r:targetd_t:s0 tcontext=system_u:system_r:targetd_t:s0 tclass=tcp_socket permissive=0

    Was caused by:
    The boolean nis_enabled was set incorrectly.
    Description:
    Allow nis to enabled

    Allow access by executing:
    # setsebool -P nis_enabled 1

After enabling the boolean (which does not seem right):

type=AVC msg=audit(1494887572.370:601394): avc: denied { search } for pid=891 comm="targetd" name="/" dev="configfs" ino=11584 scontext=system_u:system_r:targetd_t:s0 tcontext=system_u:object_r:configfs_t:s0 tclass=dir permissive=0

    Was caused by:
    Missing type enforcement (TE) allow rule.
    You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1494887572.370:601395): avc: denied { getattr } for pid=891 comm="targetd" path="/etc/modprobe.d" dev="dm-0" ino=25259817 scontext=system_u:system_r:targetd_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir permissive=0

    Was caused by:
    Missing type enforcement (TE) allow rule.
    You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1494887572.370:601396): avc: denied { search } for pid=891 comm="targetd" name="modules" dev="dm-0" ino=25331729 scontext=system_u:system_r:targetd_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=dir permissive=0

    Was caused by:
    Missing type enforcement (TE) allow rule.
    You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1494887572.370:601397): avc: denied { search } for pid=891 comm="targetd" name="modules" dev="dm-0" ino=25331729 scontext=system_u:system_r:targetd_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=dir permissive=0

    Was caused by:
    Missing type enforcement (TE) allow rule.
    You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1494887572.370:601398): avc: denied { search } for pid=891 comm="targetd" name="modules" dev="dm-0" ino=25331729 scontext=system_u:system_r:targetd_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=dir permissive=0

    Was caused by:
    Missing type enforcement (TE) allow rule.
    You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1494887572.370:601399): avc: denied { search } for pid=891 comm="targetd" name="modules" dev="dm-0" ino=25331729 scontext=system_u:system_r:targetd_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=dir permissive=0

    Was caused by:
    Missing type enforcement (TE) allow rule.
    You can use audit2allow to generate a loadable module to allow this access.

Expected results:
Targetd provisions a logical volume and adds it to a target

Additional info:
When SELinux is set to permissive mode, the targetd runs as expected.
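
An added example, not part of the original report or of the SELinux tooling: a small Python parser that collapses the AVC denials quoted above into one candidate type-enforcement rule per (source type, target type, class), so the repeated denials can be reviewed as a short list before any policy module is generated. The function names `summarize` and `candidate_rules` are hypothetical; the log lines are the ones from the report.

```python
import re
from collections import defaultdict

# The six AVC denials quoted in the report (audit2why commentary left out).
AUDIT_LOG = """\
type=AVC msg=audit(1494887475.530:240000): avc: denied { accept } for pid=891 comm="targetd" lport=18700 scontext=system_u:system_r:targetd_t:s0 tcontext=system_u:system_r:targetd_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1494887572.370:601394): avc: denied { search } for pid=891 comm="targetd" name="/" dev="configfs" ino=11584 scontext=system_u:system_r:targetd_t:s0 tcontext=system_u:object_r:configfs_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1494887572.370:601395): avc: denied { getattr } for pid=891 comm="targetd" path="/etc/modprobe.d" dev="dm-0" ino=25259817 scontext=system_u:system_r:targetd_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1494887572.370:601396): avc: denied { search } for pid=891 comm="targetd" name="modules" dev="dm-0" ino=25331729 scontext=system_u:system_r:targetd_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1494887572.370:601397): avc: denied { search } for pid=891 comm="targetd" name="modules" dev="dm-0" ino=25331729 scontext=system_u:system_r:targetd_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1494887572.370:601398): avc: denied { search } for pid=891 comm="targetd" name="modules" dev="dm-0" ino=25331729 scontext=system_u:system_r:targetd_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=dir permissive=0
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"\bscontext=(?P<src>\S+)\s+tcontext=(?P<tgt>\S+)\s+tclass=(?P<cls>\S+)"
)

def summarize(log):
    """Group denials by (source type, target type, class)."""
    groups = defaultdict(lambda: {"perms": set(), "count": 0})
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial (SYSCALL, PATH, ... records)
        # A context is user:role:type:level; policy rules name the type.
        src, tgt = (m[k].split(":")[2] for k in ("src", "tgt"))
        entry = groups[(src, tgt, m["cls"])]
        entry["perms"].update(m["perms"].split())
        entry["count"] += 1
    return dict(groups)

def candidate_rules(groups):
    """Render each group as a TE allow rule to review, not to load blindly."""
    rules = []
    for (src, tgt, cls), g in sorted(groups.items()):
        target = "self" if tgt == src else tgt
        perms = sorted(g["perms"])
        body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {src} {target}:{cls} {body};  # seen {g['count']}x")
    return rules

if __name__ == "__main__":
    for rule in candidate_rules(summarize(AUDIT_LOG)):
        print(rule)
```

The `self:tcp_socket accept` rule corresponds to the denial that audit2why attributed to the `nis_enabled` boolean in the report; the three `dir` rules are the ones it reported as missing TE allow rules.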