Bug 209854
| Summary: | selinux policy tweaks for iscsi | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Jeremy Katz <katzj> | ||||||||
| Component: | selinux-policy | Assignee: | Daniel Walsh <dwalsh> | ||||||||
| Status: | CLOSED RAWHIDE | QA Contact: | Ben Levenson <benl> | ||||||||
| Severity: | medium | Docs Contact: | |||||||||
| Priority: | medium | ||||||||||
| Version: | rawhide | CC: | dwalsh, james.antill, mchristi, sgrubb | ||||||||
| Target Milestone: | --- | ||||||||||
| Target Release: | --- | ||||||||||
| Hardware: | All | ||||||||||
| OS: | Linux | ||||||||||
| Whiteboard: | |||||||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||||||
| Doc Text: | Story Points: | --- | |||||||||
| Clone Of: | Environment: | ||||||||||
| Last Closed: | 2006-10-12 16:02:29 UTC | Type: | --- | ||||||||
| Regression: | --- | Mount Type: | --- | ||||||||
| Documentation: | --- | CRM: | |||||||||
| Verified Versions: | Category: | --- | |||||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||||
| Embargoed: | |||||||||||
| Bug Depends On: | |||||||||||
| Bug Blocks: | 150224 | ||||||||||
| Attachments: |
|
||||||||||
|
Description
Jeremy Katz
2006-10-06 22:28:06 UTC
Can you send me a link to some good selinux docs? I think I have been stuck on some selinux iscsi policy bug. Do I need to write something about what files iscsid or /etc/init.d/iscsi accesses? If I run without selinx it works but with selinux I get weird errors where the app cannot read files or access dirs. boot the machine with enforcing=0 and then collect the avc messages that are generated in /var/log/messages or /var/log/audit/audit.log Attach them here and I will update the policy. You can look at http://fedoraproject.org/wiki/SELinux for lots of info on SELinux Jeremy which port is iscsid trying to connect to? (Adding jantill to the cc list since dwalsh is in New Orleans this week, IIRC)
The default port to connect to is 3260 -- conceivably, there could be others but
I think that falls into the category of "you need to tweak policy yourself"
More full and annotated set of things being needed when it's not 6 pm on Friday...
allow iscsid_t self:capability dac_override;
Hrmm, not sure what this is actually for
allow iscsid_t self:netlink_route_socket { bind create getattr nlmsg_read read
write };
allow iscsid_t self:netlink_socket { read write };
Tool<->kernel communication; definitely needed
allow iscsid_t self:unix_stream_socket connectto;
Tool<->userspace daemon connection
allow iscsid_t port_t:tcp_socket name_connect;
Connecting to remote iscsi target on port 3260
allow iscsid_t var_lib_t:dir search;
allow iscsid_t var_lib_t:file { getattr read };
Uses /var/lib/iscsi for lots of state storage
allow iscsid_t var_lock_t:dir { add_name remove_name search write };
allow iscsid_t var_lock_t:file { create link unlink };
Lockfile in /var/lock/iscsi.
Created attachment 138191 [details]
Test fix for iscsi AVC issues
I think this should do it. I'll upload srpms soon.
Created attachment 138193 [details] Better fix for iscsi selinux policy Better fix (actually compiles now :). RPMS are at: http://people.redhat.com/jantill/sel-policy 1:selinux-policy-targeted########################################### [100%] audit(1160516835.092:34): policy loaded auid=4294967295 libsepol.context_from_record: type iscsi_var_lock_t is not defined libsepol.context_from_record: could not create context structure libsepol.context_from_string: could not create context structure libsepol.sepol_context_to_sid: could not convert system_u:object_r:iscsi_var_lock_t:s0 to sid /etc/selinux/targeted/contexts/files/file_contexts: line 714 has invalid context system_u:object_r:iscsi_var_lock_t:s0 libsemanage.semanage_install_active: setfiles returned error code 1. audit(1160516839.316:35): policy loaded auid=4294967295 semodule: Failed! Created attachment 138200 [details]
iscsi fix with correct .fc types .
Damn. I forgot to change that to iscsi_lock_t for the .fc file.
Still missing these two... let's get htem in and build into dist-fc6-HEAD allow iscsid_t self:capability dac_override; allow iscsid_t port_t:tcp_socket name_connect; Built and tested. looks good, thanks! |