Bug 433237

Summary: iscsid needs access to setrlimit (regession with 5.1)
Product: Red Hat Enterprise Linux 5 Reporter: Mike Christie <mchristi>
Component: selinux-policyAssignee: Daniel Walsh <dwalsh>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: 5.2CC: coughlan, mmalik
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: RHBA-2008-0465 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-05-21 16:07:04 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Mike Christie 2008-02-17 22:55:33 UTC
Description of problem:

The iscsi tools were updated for 5.2, and need a selinux update to go with it.
The iscsi tools need access to setrlimit, but the selinux policy is not setup
for this so you get this:


Feb 17 16:50:34 meanminna setroubleshoot:      SELinux is preventing
/sbin/iscsid (iscsid_t) "setrlimit" access to <Unknown> (iscsid_t).      For
complete SELinux messages. run sealert -l fbdf62e8-a4d0-461e-b4ef-1ad32c7a1cf4


And running sealert gives this:

[root@meanminna ~]# sealert -l fbdf62e8-a4d0-461e-b4ef-1ad32c7a1cf4
Summary
    SELinux is preventing /sbin/iscsid (iscsid_t) "setrlimit" access to
    <Unknown> (iscsid_t).

Detailed Description
    SELinux denied access requested by /sbin/iscsid. It is not expected that
    this access is required by /sbin/iscsid and this access may signal an
    intrusion attempt. It is also possible that the specific version or
    configuration of the application is causing it to require additional access.
    Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this
    package.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for <Unknown>, restorecon -v
    <Unknown>. There is currently no automatic way to allow this access.
    Instead, you can generate a local policy module to allow this access - see
    http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 - or you can
    disable SELinux protection entirely for the application. Disabling SELinux
    protection is not recommended. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.
    Changing the "iscsid_disable_trans" boolean to true will disable SELinux
    protection this application: "setsebool -P iscsid_disable_trans=1."

    The following command will allow this access:
    setsebool -P iscsid_disable_trans=1

Additional Information        

Source Context                root:system_r:iscsid_t
Target Context                root:system_r:iscsid_t
Target Objects                None [ process ]
Affected RPM Packages         iscsi-initiator-utils-6.2.0.868-0.3 [application]
Policy RPM                    selinux-policy-2.4.6-104.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   plugins.disable_trans
Host Name                     meanminna
Platform                      Linux meanminna 2.6.18-53.el5PAE #1 SMP Wed Oct 10
                              16:48:18 EDT 2007 i686 athlon
Alert Count                   1
Line Numbers                  

Raw Audit Messages            

avc: denied { setrlimit } for comm="iscsid" egid=0 euid=0 exe="/sbin/iscsid"
exit=0 fsgid=0 fsuid=0 gid=0 items=0 pid=3895 scontext=root:system_r:iscsid_t:s0
sgid=0 subj=root:system_r:iscsid_t:s0 suid=0 tclass=process
tcontext=root:system_r:iscsid_t:s0 tty=(none) uid=0


I marked this down as a high, because it is a regession from 5.1.


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:

Comment 3 Daniel Walsh 2008-02-18 16:50:10 UTC
This is already fixed in the U2 policy

selinux-policy-2.4.6-121.el5

Comment 7 Mike Christie 2008-02-18 20:42:42 UTC
(In reply to comment #3)
> This is already fixed in the U2 policy
> 
> selinux-policy-2.4.6-121.el5

This works for me. Thanks.

Should I just close this bug since it was already fixed?

Comment 10 errata-xmlrpc 2008-05-21 16:07:04 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0465.html