Bug 634084

Summary: Start of tgtd service emits AVC denials
Product: Red Hat Enterprise Linux 6
Reporter: Eduard Benes <ebenes>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: medium
Priority: high
Version: 6.0
CC: agrover, mchristi, mgrepl, mmalik
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2011-05-19 11:55:04 UTC
Bug Depends On: 629274

Description Eduard Benes 2010-09-15 07:39:48 UTC
Description of problem:
Start of tgtd service emits AVC denials. This might also be a bug in the tgtd initscript abusing directory search. If so, please change the bz component.

Version-Release number of selected component (if applicable):
scsi-target-utils-1.0.4-3.el6.x86_64
selinux-policy-3.7.19-54.el6.noarch

How reproducible:
always

Steps to Reproduce:
1. # service tgtd restart
2. or # chkconfig tgtd on ; reboot
3. check logs with ausearch
  
Actual results:
AVC denials in system logs

Expected results:
No AVC denials in system logs

Additional info:
[root@localhost ~]# service tgtd restart
Stopping SCSI target daemon:                               [  OK  ]
Starting SCSI target daemon:                               [  OK  ]
[root@localhost ~]# ausearch -m avc -ts 3:27
----
time->Wed Sep 15 03:28:46 2010
type=SYSCALL msg=audit(1284535726.703:88): arch=c000003e syscall=2 success=no exit=-13 a0=1b774b0 a1=0 a2=0 a3=7fffd10ea140 items=0 ppid=5909 pid=5910 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3 comm="tgtd" exe="/usr/sbin/tgtd" subj=unconfined_u:system_r:tgtd_t:s0 key=(null)
type=AVC msg=audit(1284535726.703:88): avc:  denied  { search } for  pid=5910 comm="tgtd" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:tgtd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
----
time->Wed Sep 15 03:28:46 2010
type=SYSCALL msg=audit(1284535726.705:89): arch=c000003e syscall=2 success=no exit=-13 a0=1b774b0 a1=0 a2=0 a3=765f6962612f616d items=0 ppid=5909 pid=5910 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3 comm="tgtd" exe="/usr/sbin/tgtd" subj=unconfined_u:system_r:tgtd_t:s0 key=(null)
type=AVC msg=audit(1284535726.705:89): avc:  denied  { search } for  pid=5910 comm="tgtd" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:tgtd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
----
time->Wed Sep 15 03:28:46 2010
type=SYSCALL msg=audit(1284535726.705:90): arch=c000003e syscall=2 success=no exit=-13 a0=1b774b0 a1=0 a2=0 a3=5f6962612f736272 items=0 ppid=5909 pid=5910 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3 comm="tgtd" exe="/usr/sbin/tgtd" subj=unconfined_u:system_r:tgtd_t:s0 key=(null)
type=AVC msg=audit(1284535726.705:90): avc:  denied  { search } for  pid=5910 comm="tgtd" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:tgtd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
[root@localhost ~]# ausearch -m avc -ts 3:27 | audit2allow


#============= tgtd_t ==============
allow tgtd_t sysfs_t:dir search;

Comment 1 Daniel Walsh 2010-09-15 12:27:09 UTC
Miroslav I think we should just add

dev_search_sysfs(tgtd_t)

Not sure if it is actually going to read something in there.

Eduard, can you make tgtd_t permissive and see if it tries to read sysfs_t?

semanage permissive -a tgtd_t

Comment 2 Milos Malik 2010-09-15 12:52:12 UTC
I was testing iscsid service and completely forgot to stop tgtd service. Following AVC appeared:

----
time->Wed Sep 15 08:45:45 2010
type=SYSCALL msg=audit(1284554745.235:42148): arch=c000003e syscall=66 success=no exit=-13 a0=40002 a1=0 a2=0 a3=1 items=0 ppid=1 pid=10583 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=153 comm="iscsid" exe="/sbin/iscsid" subj=unconfined_u:system_r:iscsid_t:s0 key=(null)
type=AVC msg=audit(1284554745.235:42148): avc:  denied  { destroy } for  pid=10583 comm="iscsid" key=167  scontext=unconfined_u:system_r:iscsid_t:s0 tcontext=unconfined_u:system_r:tgtd_t:s0 tclass=sem
----

Comment 3 Miroslav Grepl 2010-09-15 13:26:04 UTC
Dan,
I think we should add

tgtd_manage_semaphores() interface.

We have

iscsi_manage_semaphores(tgtd_t)

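The audit2allow translation shown in the Description, and the sem denial from Comment 2, as an added example that is not part of this bug report or of the selinux-policy package: a small Python parser that turns raw AVC records into audit2allow-style allow rules, merging the permissions of repeated denials, and checks whether a domain's denials against a target type are directory searches only (the question Dan raises in Comment 1 before settling on dev_search_sysfs). The sample log is constructed from the records quoted on this page, and the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample log, modelled on the AVC records quoted in this bug
# (Description and Comment 2); not a live capture.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1284535726.703:88): arch=c000003e syscall=2 success=no exit=-13 comm="tgtd" exe="/usr/sbin/tgtd" subj=unconfined_u:system_r:tgtd_t:s0 key=(null)
type=AVC msg=audit(1284535726.703:88): avc:  denied  { search } for  pid=5910 comm="tgtd" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:tgtd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
type=AVC msg=audit(1284535726.705:89): avc:  denied  { search } for  pid=5910 comm="tgtd" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:tgtd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
type=AVC msg=audit(1284535726.705:90): avc:  denied  { search } for  pid=5910 comm="tgtd" name="/" dev=sysfs ino=1 scontext=unconfined_u:system_r:tgtd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir
type=AVC msg=audit(1284554745.235:42148): avc:  denied  { destroy } for  pid=10583 comm="iscsid" key=167  scontext=unconfined_u:system_r:iscsid_t:s0 tcontext=unconfined_u:system_r:tgtd_t:s0 tclass=sem
"""

# Only AVC "denied" records carry the (source, target, class, perms) tuple we need;
# SYSCALL records are companions keyed by the same audit serial and are skipped here.
AVC_RE = re.compile(
    r'^type=AVC\b.*?\bavc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}'
    r'.*?\bcomm="(?P<comm>[^"]*)"'
    r'.*?\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def context_type(ctx):
    """Return the type field of a user:role:type[:range] security context."""
    return ctx.split(":")[2]


def parse_avc(text):
    """Parse AVC denial records out of raw audit log text."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.match(line)
        if not m:
            continue
        records.append({
            "comm": m.group("comm"),
            "stype": context_type(m.group("scontext")),
            "ttype": context_type(m.group("tcontext")),
            "tclass": m.group("tclass"),
            "perms": m.group("perms").split(),
        })
    return records


def allow_rules(records):
    """Collapse denials into audit2allow-style rules: one rule per
    (source type, target type, class), with repeated denials merged."""
    perms_by_key = defaultdict(set)
    for r in records:
        perms_by_key[(r["stype"], r["ttype"], r["tclass"])].update(r["perms"])
    rules = []
    for (stype, ttype, tclass), perms in sorted(perms_by_key.items()):
        ps = sorted(perms)
        perm_str = ps[0] if len(ps) == 1 else "{ " + " ".join(ps) + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {perm_str};")
    return rules


def search_only(records, stype, ttype):
    """True when every denial from stype against ttype is a directory search,
    i.e. the domain is only traversing the tree (here: walking /sys) and a
    *_search_* interface suffices; a read/getattr/open denial would show up as
    a different class or permission and need a wider interface."""
    hits = [r for r in records if r["stype"] == stype and r["ttype"] == ttype]
    return bool(hits) and all(
        r["tclass"] == "dir" and r["perms"] == ["search"] for r in hits
    )


if __name__ == "__main__":
    recs = parse_avc(SAMPLE_AUDIT_LOG)
    print("\n".join(allow_rules(recs)))
    print("tgtd_t -> sysfs_t is search-only:", search_only(recs, "tgtd_t", "sysfs_t"))
```

The emitted rules are raw allow statements, which is also all that audit2allow gives you; the fix in this bug used reference-policy interfaces (dev_search_sysfs, the *_manage_semaphores interfaces) instead, which is the preferred way to express the same access in a maintained policy. A search-only result for tgtd_t against sysfs_t is what the three denials in the Description amount to: the daemon walks /sys to reach some path beneath it, and nothing in those records shows it reading a file there.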
Comment 4 Miroslav Grepl 2010-09-16 15:57:57 UTC
Fixed in selinux-policy-3.7.19-55.el6.noarch.

Comment 11 errata-xmlrpc 2011-05-19 11:55:04 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0526.html