Bug 634084
Summary: | Start of tgtd service emits AVC denials | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 6 | Reporter: | Eduard Benes <ebenes> |
Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
Severity: | medium | Docs Contact: | |
Priority: | high | ||
Version: | 6.0 | CC: | agrover, mchristi, mgrepl, mmalik |
Target Milestone: | rc | ||
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Fixed In Version: | Doc Type: | Bug Fix | |
Last Closed: | 2011-05-19 11:55:04 UTC | Type: | --- |
Bug Depends On: | 629274 | ||
Description
Eduard Benes
2010-09-15 07:39:48 UTC
Miroslav, I think we should just add dev_search_sysfs(tgtd_t). Not sure if it is actually going to read something in there.

Eduard, can you make tgtd_t permissive and see if it tries to read sysfs_t?

semanage permissive -a tgtd_t

I was testing iscsid service and completely forgot to stop tgtd service. Following AVC appeared:

----
time->Wed Sep 15 08:45:45 2010
type=SYSCALL msg=audit(1284554745.235:42148): arch=c000003e syscall=66 success=no exit=-13 a0=40002 a1=0 a2=0 a3=1 items=0 ppid=1 pid=10583 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=153 comm="iscsid" exe="/sbin/iscsid" subj=unconfined_u:system_r:iscsid_t:s0 key=(null)
type=AVC msg=audit(1284554745.235:42148): avc: denied { destroy } for pid=10583 comm="iscsid" key=167 scontext=unconfined_u:system_r:iscsid_t:s0 tcontext=unconfined_u:system_r:tgtd_t:s0 tclass=sem
----

Dan, I think we should add tgtd_manage_semaphores() interface.

We have iscsi_manage_semaphores(tgtd_t)

Fixed in selinux-policy-3.7.19-55.el6.noarch.

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0526.html