Bug 574229

Summary: scsi-target-utils and selinux-policy-targeted don't play nice together
Product: Fedora
Reporter: Hans de Goede <hdegoede>
Component: selinux-policy-targeted
Assignee: Eric Paris <eparis>
Status: CLOSED ERRATA
QA Contact: Ben Levenson <benl>
Severity: medium
Priority: low
Version: 13
CC: dwalsh
Hardware: All
OS: Linux
Fixed In Version: selinux-policy-3.7.15-4.fc13
Doc Type: Bug Fix
Last Closed: 2010-03-25 22:30:03 UTC

Description Hans de Goede 2010-03-16 21:49:04 UTC
Hi,

I'm using scsi-target-utils to export 2 logical volumes:
/dev/BigVol2/lv_iscsi_disk1
/dev/BigVol2/lv_iscsi_disk2

as iSCSI targets for iSCSI testing. Recently (I think) this stopped working,
and as soon as a "client" tries to connect to the iSCSI targets, setroubleshoot and auditd go crazy and start a lightweight DoS attack on my machine.

audit.log is full of:
type=AVC msg=audit(1268775672.718:1577922): avc:  denied  { read } for  pid=1262 comm="tgtd" path="anon_inode:[signalfd]" dev=anon_inodefs ino=4023 scontext=system_u:system_r:tgtd_t:s0 tcontext=system_u:object_r:anon_inodefs_t:s0 tclass=file
type=SYSCALL msg=audit(1268775672.718:1577922): arch=c000003e syscall=0 success=no exit=-13 a0=9 a1=7fffe8e4d560 a2=800 a3=7d0 items=0 ppid=1 pid=1262 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="tgtd" exe="/usr/sbin/tgtd" subj=system_u:system_r:tgtd_t:s0 key=(null)

The [signalfd] strikes me as a bit weird here, /dev/BigVol2/lv_iscsi_disk1
is a symlink to /dev/dm-5:
lrwxrwxrwx. root root system_u:object_r:device_t:s0    /dev/BigVol2/lv_iscsi_disk1 -> ../dm-5

which itself is:
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-5


p.s.

It would be good to fix this for RHEL-6 too (assuming it is relevant there too).
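The two audit records quoted above are an AVC denial and the SYSCALL record it belongs to, joined by the serial number in `msg=audit(ts:serial)`. The script below is an added example (not from the bug report or from scsi-target-utils) that parses such lines, joins each AVC with its SYSCALL record, groups denials the way audit2allow summarises them (source type, target type, class, permissions), and flags denials whose object is a kernel anonymous inode (`dev=anon_inodefs`, `path="anon_inode:[...]"`), where no on-disk file exists that `restorecon` could relabel. The sample log is constructed: the first records are modelled on the ones quoted in the bug, the remaining ones are invented to exercise grouping and correlation.

```python
"""Summarise SELinux AVC denials from audit.log, joined with SYSCALL records.
Added example; not part of the bug report or of scsi-target-utils."""
import re
from collections import Counter

# Constructed sample log: the first two pairs are modelled on the records quoted
# in the bug; the blk_file denial and the USER_LOGIN line are invented filler.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1268775672.718:1577922): avc:  denied  { read } for  pid=1262 comm="tgtd" path="anon_inode:[signalfd]" dev=anon_inodefs ino=4023 scontext=system_u:system_r:tgtd_t:s0 tcontext=system_u:object_r:anon_inodefs_t:s0 tclass=file
type=SYSCALL msg=audit(1268775672.718:1577922): arch=c000003e syscall=0 success=no exit=-13 a0=9 a1=7fffe8e4d560 a2=800 a3=7d0 items=0 ppid=1 pid=1262 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="tgtd" exe="/usr/sbin/tgtd" subj=system_u:system_r:tgtd_t:s0 key=(null)
type=AVC msg=audit(1268775673.002:1577923): avc:  denied  { read } for  pid=1262 comm="tgtd" path="anon_inode:[signalfd]" dev=anon_inodefs ino=4023 scontext=system_u:system_r:tgtd_t:s0 tcontext=system_u:object_r:anon_inodefs_t:s0 tclass=file
type=SYSCALL msg=audit(1268775673.002:1577923): arch=c000003e syscall=0 success=no exit=-13 a0=9 a1=7fffe8e4d560 a2=800 a3=7d0 items=0 ppid=1 pid=1262 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="tgtd" exe="/usr/sbin/tgtd" subj=system_u:system_r:tgtd_t:s0 key=(null)
type=AVC msg=audit(1268775690.100:1577950): avc:  denied  { write } for  pid=1262 comm="tgtd" path="/dev/dm-5" dev=devtmpfs ino=77 scontext=system_u:system_r:tgtd_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file
type=USER_LOGIN msg=audit(1268775691.000:1577951): pid=2000 uid=0 auid=0 ses=3 msg='op=login acct="root" exe="/usr/sbin/sshd" res=success'
"""

AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): "
    r"avc:\s+(?P<result>denied|granted)\s+\{ (?P<perms>[^}]*) \} for\s+(?P<rest>.*)$"
)
SYSCALL_RE = re.compile(r"^type=SYSCALL msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"


def _kv(rest):
    """Split the free-form tail of an audit record into a dict, unquoting values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(rest)}


def _type_of(context):
    """system_u:system_r:tgtd_t:s0 -> tgtd_t (the type field of a context)."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def parse_audit_log(text):
    """Return AVC records in file order, each joined with its SYSCALL record (if any)."""
    avcs, syscalls = [], {}
    for line in text.splitlines():
        m = AVC_RE.match(line)
        if m:
            rec = {"serial": m["serial"], "ts": float(m["ts"]),
                   "result": m["result"], "perms": tuple(m["perms"].split())}
            rec.update(_kv(m["rest"]))
            avcs.append(rec)
            continue
        m = SYSCALL_RE.match(line)
        if m:
            syscalls[m["serial"]] = _kv(m["rest"])
    for rec in avcs:  # join on the audit serial number
        sc = syscalls.get(rec["serial"], {})
        rec["exe"] = sc.get("exe")
        rec["exit"] = int(sc["exit"]) if "exit" in sc else None
    return avcs


def summarise_denials(records):
    """Count denials per (source type, target type, object class, permissions)."""
    counts = Counter()
    for r in records:
        if r["result"] == "denied":
            counts[(_type_of(r["scontext"]), _type_of(r["tcontext"]), r["tclass"], r["perms"])] += 1
    return counts


def is_anon_inode_denial(rec):
    """True when the object is a kernel anonymous inode (signalfd, eventfd, ...):
    there is no file on disk whose label could be repaired with restorecon."""
    return rec.get("dev") == "anon_inodefs" or rec.get("path", "").startswith("anon_inode:")


def report(text):
    """One line per denial group, plus a note on anon_inodefs denials."""
    records = parse_audit_log(text)
    lines = [f"{n:4d}x {src} -> {tgt} : {cls} {{ {' '.join(perms)} }}"
             for (src, tgt, cls, perms), n in sorted(summarise_denials(records).items())]
    anon = [r for r in records if r["result"] == "denied" and is_anon_inode_denial(r)]
    if anon:
        lines.append(f"{len(anon)} denial(s) on anon_inodefs objects: not fixable by relabelling")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_AUDIT_LOG))
```

Running it against a real `/var/log/audit/audit.log` (`report(open(path).read())`) gives the same grouping audit2allow would propose a rule for, which is the information a policy maintainer needs; the anon_inodefs note is there because, as the comments below this description note, such a denial is not a mislabelled device but a kernel-side object, so relabelling `/dev/dm-5` would not have helped.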

Comment 1 Daniel Walsh 2010-03-17 12:29:28 UTC
This is a kernel issue that should be fixed in the next kernel release.  I can't find the bugzilla to dup this on.  Eric, do you know it off hand?

Comment 2 Eric Paris 2010-03-17 13:37:19 UTC
Dan, if this is for F13 we might not pick up a kernel fix for a long time (2.6.34-rc2 is the first fixed kernel). I thought we agreed to just allow anon_inodefs in RHEL6 and F13 but not push it upstream or bother with it in F14.

Comment 3 Daniel Walsh 2010-03-23 13:36:38 UTC
Fixed in selinux-policy-3.7.15-4.fc13.noarch

Comment 4 Fedora Update System 2010-03-23 13:43:50 UTC
selinux-policy-3.7.15-4.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/selinux-policy-3.7.15-4.fc13

Comment 5 Fedora Update System 2010-03-24 00:47:44 UTC
selinux-policy-3.7.15-4.fc13 has been pushed to the Fedora 13 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update selinux-policy'
You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.7.15-4.fc13

Comment 6 Fedora Update System 2010-03-25 22:29:26 UTC
selinux-policy-3.7.15-4.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.