Bug 737527
Summary: | SELinux is preventing /usr/sbin/tgtd "unlink" access on .TGT_IPC_ABSTRACT_NAMESPACE.0. | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 6 | Reporter: | Omkar <omkarlagu> |
Component: | scsi-target-utils | Assignee: | Andy Grover <agrover> |
Status: | CLOSED NOTABUG | QA Contact: | Red Hat Kernel QE team <kernel-qe> |
Severity: | medium | Docs Contact: | |
Priority: | unspecified | ||
Version: | 6.0 | CC: | dwalsh, mmalik, omkarlagu |
Target Milestone: | rc | ||
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2011-09-13 14:15:49 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | ||
Description
Omkar
2011-09-12 12:43:48 UTC
Do you know what created .TGT_IPC_ABSTRACT_NAMESPACE.0 and where it is located? I believe the sock_file is mislabelled and should be located somewhere under /var/run.

Here is a similar bug: https://bugzilla.redhat.com/show_bug.cgi?id=698144

Looks like tgtd is creating the file in "/tmp/.TGT_IPC_ABSTRACT_NAMESPACE.0"

</snip>
```
[root@punb200m2labs04vm5 bin]# /etc/init.d/tgtd status
tgtd is stopped
[root@punb200m2labs04vm5 bin]# ls -l /tmp/.TGT_IPC_ABSTRACT_NAMESPACE.0
ls: cannot access /tmp/.TGT_IPC_ABSTRACT_NAMESPACE.0: No such file or directory
[root@punb200m2labs04vm5 bin]# date
Tue Sep 13 22:57:57 IST 2011
[root@punb200m2labs04vm5 bin]# /etc/init.d/tgtd start
Starting SCSI target daemon: [ OK ]
[root@punb200m2labs04vm5 bin]# ls -l /tmp/.TGT_IPC_ABSTRACT_NAMESPACE.0
srwxr-xr-x. 1 root root 0 Sep 13 22:58 /tmp/.TGT_IPC_ABSTRACT_NAMESPACE.0
```
</snip>

But interestingly I am not hitting the issue after removing the file, rebooting the server and again running /etc/init.d/tgtd start. I tried one more reboot and start of tgtd, and still cannot hit the issue.

Yes, if the sock file is created by tgtd it should work because of the

```
manage_sock_files_pattern(tgtd_t, tgtd_tmp_t, tgtd_tmp_t)
files_tmp_filetrans(tgtd_t, tgtd_tmp_t, sock_file)
```

rules.

Hi Miroslav,

What was the reason I hit that before? Wasn't "/tmp/.TGT_IPC_ABSTRACT_NAMESPACE.0" created with tgtd earlier when I hit the issue?

thanks and regards,
Omkar Lagu

Examining the policy I see

```
sesearch -T -s initrc_t -t tmp_t
Found 2 semantic te rules:
   type_transition initrc_t tmp_t : file initrc_tmp_t;
   type_transition initrc_t tmp_t : dir initrc_tmp_t;
```

Which means if a process labeled initrc_t created a sock_file in /tmp it would get the default label of tmp_t.

Miroslav, please add

```
files_tmp_filetrans(initrc_t, initrc_tmp_t, { dir_file_class_set })
```

to the same block of code in init.te that contains `unconfined_domain(initrc_t)` so that we would at least get a clue on what process created the tmp_t socket.

I just checked this into F16.

Omkar, it looks like at least once the transition to tgtd_t did not happen and the sock_file was created when tgtd was running as initrc_t. Please delete the socket and, if it happens again, please reopen this bug.
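
The labeling logic discussed in this thread, as an added example that is not part of the original bug report: it parses `sesearch -T` style output and works out which type a new object in /tmp receives, falling back to the parent directory's type when no `type_transition` rule matches. The sample output is constructed from the two initrc_t rules quoted above plus the rule that `files_tmp_filetrans(tgtd_t, tgtd_tmp_t, sock_file)` is assumed to expand to; the function names are hypothetical.

```python
import re

# Constructed sample: the two initrc_t rules quoted in the thread, plus the
# rule files_tmp_filetrans(tgtd_t, tgtd_tmp_t, sock_file) is assumed to expand
# to. It is not a dump of the real RHEL 6 policy.
SESEARCH_OUTPUT = """\
Found 3 semantic te rules:
   type_transition initrc_t tmp_t : file initrc_tmp_t;
   type_transition initrc_t tmp_t : dir initrc_tmp_t;
   type_transition tgtd_t tmp_t : sock_file tgtd_tmp_t;
"""

RULE_RE = re.compile(
    r"^\s*type_transition\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s+(\S+?)\s*;\s*$")


def parse_type_transitions(text):
    """Map (source domain, parent dir type, object class) -> new object type."""
    rules = {}
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:  # header lines such as "Found N semantic te rules:" are skipped
            source, parent, tclass, new_type = m.groups()
            rules[(source, parent, tclass)] = new_type
    return rules


def label_for_new_object(rules, source, parent_type, tclass):
    """Type of a newly created object: the matching type_transition result,
    otherwise the parent directory's type (the default for file objects)."""
    return rules.get((source, parent_type, tclass), parent_type)


def domains_leaving_parent_type(rules, domains, parent_type, tclass):
    """Domains whose new objects of this class keep the parent's type, i.e.
    the candidates for having created a generically labeled object."""
    return [d for d in domains
            if label_for_new_object(rules, d, parent_type, tclass) == parent_type]


if __name__ == "__main__":
    rules = parse_type_transitions(SESEARCH_OUTPUT)
    for domain, tclass in (("tgtd_t", "sock_file"),
                           ("initrc_t", "file"),
                           ("initrc_t", "sock_file")):
        print(domain, "creates", tclass, "in /tmp ->",
              label_for_new_object(rules, domain, "tmp_t", tclass))
```
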