Bug 1482382

Summary: tgtd.service start failure and avc: denied { create } failure
Product: [Fedora] Fedora
Reporter: Michel Normand <normand>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: unspecified
Version: rawhide
CC: agrover, dwalsh, lsm5, lvrabec, mchristi, mgrepl, plautrba, pmoore, swehack, terje.rosten
Hardware: powerpc   
OS: Other   
Last Closed: 2017-09-06 09:12:42 UTC
Type: Bug
Bug Blocks: 1071880    
Attachments (description, flags):
audit.log, flags: none
journal.log, flags: none
Workaround for tgtd avc denial issue, flags: none

Description Michel Normand 2017-08-17 06:47:34 UTC
Created attachment 1314546: audit.log

openQA test "support-server" is failing for Rawhide (FC27) for ppc64le arch

The reported failure message is not very helpful:
===
$systemctl restart tgtd.service
Job for tgtd.service failed because the control process exited with error code.
See "systemctl status tgtd.service" and "journalctl -xe" for details
===

I do not know if the cause of the tgtd start failure is the captured avc error
as reported by grep output:
===
$grep -Hnr tgtd ./
Binary file ./var/log/journal/8c561ef33348404ca50122b47f1f4d79/system.journal matches
./var/log/audit/audit.log:137:type=AVC msg=audit(1502889862.910:213): avc:  denied  { create } for  pid=1168 comm="tgtd" name="tgtd" scontext=system_u:system_r:tgtd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=0
./var/log/audit/audit.log:138:type=SERVICE_START msg=audit(1502889867.916:214): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=tgtd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
===
$sudo journalctl -u tgtd --directory var/log/journal/8c561ef33348404ca50122b47f1f4d79/
-- Logs begin at Wed 2017-08-16 09:21:40 EDT, end at Wed 2017-08-16 09:24:49 EDT. --
Aug 16 09:24:22 support.domain.local systemd[1]: Starting tgtd iSCSI target daemon...
Aug 16 09:24:22 support.domain.local tgtd[1168]: (null): ipc_init(781) failed to open lock file for management IPC
Aug 16 09:24:22 support.domain.local systemd[1]: tgtd.service: Main process exited, code=exited, status=1/FAILURE
Aug 16 09:24:27 support.domain.local tgtadm[1170]: tgtadm: failed to send request hdr to tgt daemon, Transport endpoint is not connected
Aug 16 09:24:27 support.domain.local systemd[1]: tgtd.service: Control process exited, code=exited status=107
Aug 16 09:24:27 support.domain.local systemd[1]: Failed to start tgtd iSCSI target daemon.
Aug 16 09:24:27 support.domain.local systemd[1]: tgtd.service: Unit entered failed state.
Aug 16 09:24:27 support.domain.local systemd[1]: tgtd.service: Failed with result 'exit-code'.
===
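
The question left open in the description, whether the AVC denial and the failed unit start belong together, can be checked mechanically on the audit records. The following Python is an added example, not part of the original report; the function names, the 30-second window and the heuristic of matching the denial's comm to the unit name are assumptions.

```python
import re

# Constructed sample: the two audit records quoted in the report above.
SAMPLE = [
    'type=AVC msg=audit(1502889862.910:213): avc:  denied  { create } for  pid=1168 comm="tgtd" name="tgtd" scontext=system_u:system_r:tgtd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=0',
    "type=SERVICE_START msg=audit(1502889867.916:214): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=tgtd comm=\"systemd\" exe=\"/usr/lib/systemd/systemd\" hostname=? addr=? terminal=? res=failed'",
]

# search() rather than match(), so lines carrying a "grep -Hn" prefix also parse.
HEADER = re.compile(r'\btype=(\w+) msg=audit\((\d+\.\d+):(\d+)\):')
AVC = re.compile(r'avc:\s+denied\s+\{([^}]*)\}.*?comm="([^"]+)".*?'
                 r'scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)\s+permissive=(\d)')
UNIT = re.compile(r"unit=(\S+).*\bres=(\w+)")

def parse(lines):
    """Split audit records into AVC denials and failed SERVICE_START events."""
    denials, failures = [], []
    for line in lines:
        h = HEADER.search(line)
        if not h:
            continue
        rtype, ts = h.group(1), float(h.group(2))
        if rtype == "AVC":
            m = AVC.search(line)
            if m:
                perms, comm, sctx, tctx, tclass, permissive = m.groups()
                denials.append({"ts": ts, "perms": perms.split(), "comm": comm,
                                "sdomain": sctx.split(":")[2], "ttype": tctx.split(":")[2],
                                "tclass": tclass, "enforced": permissive == "0"})
        elif rtype == "SERVICE_START":
            m = UNIT.search(line)
            if m and m.group(2) == "failed":
                failures.append({"ts": ts, "unit": m.group(1)})
    return denials, failures

def correlate(lines, window=30.0):
    """Pair each failed unit start with enforced denials shortly before it.
    Assumption: the daemon's comm equals the unit name (true for tgtd here)."""
    denials, failures = parse(lines)
    out = []
    for f in failures:
        for d in denials:
            # permissive=0 means the access was actually blocked, not just logged.
            if d["enforced"] and d["comm"] == f["unit"] and 0 <= f["ts"] - d["ts"] <= window:
                out.append((f["unit"], d["sdomain"], d["ttype"], d["tclass"], d["perms"]))
    return out
```

On the two quoted records this pairs the failed tgtd start with an enforced denial of tgtd_t creating a directory labelled var_run_t about five seconds earlier.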

Comment 1 Michel Normand 2017-08-17 06:54:52 UTC
Created attachment 1314548: journal.log

tgtd service from scsi-target-utils-1.0.70-2.fc26.ppc64le package.

Comment 2 Michel Normand 2017-09-06 09:12:42 UTC
No more failure with last compose 20170903.

Comment 3 Stefan Midjich 2018-01-14 10:11:16 UTC
Created attachment 1380941: Workaround for tgtd avc denial issue

I ran into this issue on F26 after patching and there seems to be no fix available from dnf.

So in case anyone else wants this resolved immediately, here is how I did it, with the help of grift in the #fedora IRC channel on the freenode network.

1. Download the file tgtd_bug1482382.cil
2. Run sudo semodule -i tgtd_bug1482382.cil
3. Restart tgtd service