Bug 1702580

Summary: SELinux denies iscsid { read } for modules.dep.bin and modules.softdep
Product: Red Hat Enterprise Linux 8
Reporter: Matej Marušák <mmarusak>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: medium
Priority: medium
Version: 8.1
CC: dwalsh, extras-qa, kkoukiou, lvrabec, mmalik, plautrba, ssekidde, zpytela
Target Milestone: rc
Flags: pm-rhel: mirror+
Target Release: 8.1
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Story Points: ---
Clone Of: 1700245
Last Closed: 2019-11-05 22:11:27 UTC
Type: Bug
Bug Depends On: 1673107, 1700245

Description Matej Marušák 2019-04-24 07:37:43 UTC
+++ This bug was initially created as a clone of Bug #1700245 +++
!!! This ended up in rhel-8-1 as well, so I cloned this to have a tracker !!!

Description of problem: A recent (Apr 15) update on Fedora 30 broke cockpit's tests for iSCSI libvirt storage pools. We are trying to create a libvirt iSCSI pool, but it fails with "iSCSI driver not found" because SELinux is blocking loading of the iscsi_tcp module.

Version-Release number of selected component (if applicable):

kernel-5.0.7-300.fc30.x86_64
selinux-policy-3.14.3-29.fc30.noarch
iscsi-initiator-utils-6.2.0.876-8.gitf3c8e90.fc30.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Prepare the iSCSI target

targetcli /backstores/ramdisk create test 50M
targetcli /iscsi create iqn.2019-09.cockpit.lan
targetcli /iscsi/iqn.2019-09.cockpit.lan/tpg1/luns create /backstores/ramdisk/test
targetcli /iscsi/iqn.2019-09.cockpit.lan/tpg1/acls create $MY_INITIATOR_NAME

Where MY_INITIATOR_NAME can be fetched with the following command

sed </etc/iscsi/initiatorname.iscsi -e 's/^.*=//'

2. Create a libvirt iscsi pool with the following XML, virsh pool-define path-to-xml-file

<pool type='iscsi'>
  <name>my_iscsi_pool</name>
  <uuid>80bf2c9b-c7bc-4c6c-a0ef-3a40fe0ad565</uuid>
  <capacity unit='bytes'>52428800</capacity>
  <allocation unit='bytes'>52428800</allocation>
  <available unit='bytes'>0</available>
  <source>
    <host name='127.0.0.1' port='3260'/>
    <device path='iqn.2019-09.cockpit.lan'/>
  </source>
  <target>
    <path>/dev/disk/by-path</path>
  </target>
</pool>


3. Try to start the storage pool with virsh pool-start my_iscsi_pool

Actual results:
These are the logs from journal:

Apr 16 03:11:28 localhost.localdomain systemd[1]: Starting Open-iSCSI...
Apr 16 03:11:28 localhost.localdomain iscsid[13280]: iSCSI logger with pid=13281 started!
Apr 16 03:11:28 localhost.localdomain systemd[1]: iscsid.service: Failed to parse PID from file /run/iscsid.pid: Invalid argument
Apr 16 03:11:28 localhost.localdomain iscsid[13281]: iSCSI daemon with pid=13282 started!
Apr 16 03:11:28 localhost.localdomain kernel: Loading iSCSI transport class v2.0-870.
Apr 16 03:11:28 localhost.localdomain audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=iscsid comm="systemd" ex>
Apr 16 03:11:28 localhost.localdomain systemd[1]: Started Open-iSCSI.
Apr 16 03:11:28 localhost.localdomain kernel: audit: type=1130 audit(1555398688.952:496): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='u>
Apr 16 03:11:28 localhost.localdomain audit[13282]: AVC avc:  denied  { read } for  pid=13282 comm="iscsid" name="modules.softdep" dev="dm-0" ino=8480266 scontext=system_u:>
Apr 16 03:11:28 localhost.localdomain kernel: audit: type=1400 audit(1555398688.971:497): avc:  denied  { read } for  pid=13282 comm="iscsid" name="modules.softdep" dev="dm>
Apr 16 03:11:28 localhost.localdomain kernel: audit: type=1400 audit(1555398688.974:498): avc:  denied  { read } for  pid=13282 comm="iscsid" name="modules.dep.bin" dev="dm>
Apr 16 03:11:28 localhost.localdomain audit[13282]: AVC avc:  denied  { read } for  pid=13282 comm="iscsid" name="modules.dep.bin" dev="dm-0" ino=8668433 scontext=system_u:>
Apr 16 03:11:28 localhost.localdomain libvirtd[1975]: internal error: Child process (iscsiadm --mode node --portal 127.0.0.1:3260,1 --targetname iqn.2019-09.cockpit.lan --l>
                                                      iscsiadm: initiator reported error (12 - iSCSI driver not found. Please make sure it is loaded, and retry the operatio>
                                                      iscsiadm: Could not log into all portals
Apr 16 03:11:28 localhost.localdomain audit[13282]: AVC avc:  denied  { read } for  pid=13282 comm="iscsid" name="modules.builtin.bin" dev="dm-0" ino=8480269 scontext=syste>
Apr 16 03:11:28 localhost.localdomain kernel: audit: type=1400 audit(1555398688.974:499): avc:  denied  { read } for  pid=13282 comm="iscsid" name="modules.builtin.bin" dev>
Apr 16 03:11:28 localhost.localdomain kernel: audit: type=1400 audit(1555398688.974:500): avc:  denied  { read } for  pid=13282 comm="iscsid" name="modules.dep.bin" dev="dm>
Apr 16 03:11:28 localhost.localdomain audit[13282]: AVC avc:  denied  { read } for  pid=13282 comm="iscsid" name="modules.dep.bin" dev="dm-0" ino=8668433 scontext=system_u:>
Apr 16 03:11:28 localhost.localdomain kernel: audit: type=1400 audit(1555398688.974:501): avc:  denied  { read } for  pid=13282 comm="iscsid" name="modules.dep.bin" dev="dm>
Apr 16 03:11:28 localhost.localdomain audit[13282]: AVC avc:  denied  { read } for  pid=13282 comm="iscsid" name="modules.dep.bin" dev="dm-0" ino=8668433 scontext=system_u:>
Apr 16 03:11:29 localhost.localdomain iscsid[13281]: Could not insert module tcp. Kmod error -2


Expected results:
The iscsi_tcp module should be allowed to be loaded by iscsid.


Additional info:

--- Additional comment from Lukas Vrabec on 2019-04-18 11:44:38 UTC ---

commit ffe9e775edf5a68f80bbbde595a9eba4af156e8f (HEAD -> rawhide)
Author: Lukas Vrabec <lvrabec>
Date:   Thu Apr 18 13:44:19 2019 +0200

    Allow iscsid_t to read modules deps BZ(1700245)

--- Additional comment from Fedora Update System on 2019-04-19 21:58:38 UTC ---

selinux-policy-3.14.3-31.fc30 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-3055c546d6

--- Additional comment from Fedora Update System on 2019-04-20 14:42:17 UTC ---

selinux-policy-3.14.3-31.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-3055c546d6
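As an added triage example (not part of this bug report or of selinux-policy), the following Python script parses AVC denial records of the kind shown in the journal excerpt above and folds them into the minimal allow rules a policy fix would need, the same aggregation audit2allow performs. The embedded audit lines are constructed full-length versions of the truncated records, and the target label modules_object_t for files under /lib/modules is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample input (not from the bug): full-length forms of the truncated
# journal AVC lines above, a non-AVC line, and a hypothetical follow-on { open }
# denial to show permission merging. modules_object_t for /lib/modules is assumed.
SAMPLE_JOURNAL = """\
Apr 16 03:11:28 localhost kernel: audit: type=1400 audit(1555398688.971:497): avc:  denied  { read } for  pid=13282 comm="iscsid" name="modules.softdep" dev="dm-0" ino=8480266 scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=file permissive=0
Apr 16 03:11:28 localhost kernel: audit: type=1400 audit(1555398688.974:498): avc:  denied  { read } for  pid=13282 comm="iscsid" name="modules.dep.bin" dev="dm-0" ino=8668433 scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=file permissive=0
Apr 16 03:11:28 localhost kernel: audit: type=1400 audit(1555398688.974:499): avc:  denied  { read } for  pid=13282 comm="iscsid" name="modules.builtin.bin" dev="dm-0" ino=8480269 scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=file permissive=0
Apr 16 03:11:28 localhost kernel: audit: type=1400 audit(1555398688.975:503): avc:  denied  { open } for  pid=13282 comm="iscsid" path="/lib/modules/5.0.7-300.fc30.x86_64/modules.dep.bin" dev="dm-0" ino=8668433 scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=file permissive=0
Apr 16 03:11:29 localhost iscsid[13281]: Could not insert module tcp. Kmod error -2
"""

# One AVC record: verdict, permission set, source/target contexts and object class.
AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def type_of(context):
    # An SELinux context is user:role:type[:level]; policy rules are written on the type.
    return context.split(":")[2]

def parse_avc(line):
    """Return (source type, target type, class, perms) for a denial, else None."""
    m = AVC_RE.search(line)
    if m is None or m.group("verdict") != "denied":
        return None
    return (type_of(m.group("scontext")), type_of(m.group("tcontext")),
            m.group("tclass"), frozenset(m.group("perms").split()))

def summarize(lines):
    """Fold all denials into {(source, target, class): sorted permission list}."""
    needed = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is not None:
            src, tgt, cls, perms = rec
            needed[(src, tgt, cls)].update(perms)
    return {key: sorted(perms) for key, perms in needed.items()}

def allow_rules(summary):
    """Render the summary as policy allow rules, one per (source, target, class)."""
    return ["allow %s %s:%s { %s };" % (src, tgt, cls, " ".join(perms))
            for (src, tgt, cls), perms in sorted(summary.items())]

if __name__ == "__main__":
    print("\n".join(allow_rules(summarize(SAMPLE_JOURNAL.splitlines()))))
```

The generated rule is a starting point for comparing a local workaround against the vendor's policy update (here the selinux-policy errata), not something to load unchecked: a rule that is broader than the one the fix ships widens iscsid_t's reach permanently.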

Comment 4 errata-xmlrpc 2019-11-05 22:11:27 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:3547