Bug 738239
Summary: | SELinux is preventing /usr/sbin/tgtd "search" access to /. | |
---|---|---|---
Product: | Red Hat Enterprise Linux 6 | Reporter: | Omkar <omkarlagu>
Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl>
Status: | CLOSED NOTABUG | QA Contact: | BaseOS QE Security Team <qe-baseos-security>
Severity: | unspecified | Docs Contact: |
Priority: | unspecified | |
Version: | 6.0 | CC: | dwalsh, omkarlagu
Target Milestone: | rc | |
Target Release: | --- | |
Hardware: | Unspecified | |
OS: | Unspecified | |
Whiteboard: | | |
Fixed In Version: | | Doc Type: | Bug Fix
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2011-09-15 13:45:03 UTC | Type: | ---
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Description
Omkar
2011-09-14 11:46:30 UTC
Also, if you move the LUN "Lun2" to /, then while adding the LUN it gives the below message:

```text
<snip>
--------------------------------------------------------------------------------
Summary:

SELinux is preventing /usr/sbin/tgtd "write" access on lun2.

Detailed Description:

SELinux denied access requested by tgtd. It is not expected that this access is
required by tgtd and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385)
Please file a bug report.

Additional Information:

Source Context                unconfined_u:system_r:tgtd_t:s0
Target Context                unconfined_u:object_r:etc_runtime_t:s0
Target Objects                lun2 [ file ]
Source                        tgtd
Source Path                   /usr/sbin/tgtd
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           scsi-target-utils-1.0.4-3.el6
Target RPM Packages
Policy RPM                    selinux-policy-3.7.19-54.el6
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     punb200m2labs02vm6
Platform                      Linux punb200m2labs02vm6 2.6.32-71.el6.x86_64 #1
                              SMP Wed Sep 1 01:33:01 EDT 2010 x86_64 x86_64
Alert Count                   6
First Seen                    Wed Sep 14 21:35:01 2011
Last Seen                     Wed Sep 14 21:46:52 2011
Local ID                      c73075b3-ff17-4169-bf17-b1c3ba043b56
Line Numbers                  21247, 21248, 21249, 21250, 21263, 21264, 21265,
                              21266, 21273, 21274, 21335, 21336

Raw Audit Messages

type=AVC msg=audit(1316017012.340:10906): avc: denied { write } for pid=6851 comm="tgtd" name="lun2" dev=sda1 ino=24227 scontext=unconfined_u:system_r:tgtd_t:s0 tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=file
type=SYSCALL msg=audit(1316017012.340:10906): arch=c000003e syscall=2 success=no exit=-13 a0=d33010 a1=2 a2=7fff209bce70 a3=6 items=0 ppid=1 pid=6851 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="tgtd" exe="/usr/sbin/tgtd" subj=unconfined_u:system_r:tgtd_t:s0 key=(null)
--------------------------------------------------------------------------------
</snip>
```

So then I moved lun2 inside /lundir, to which it gives the below message:

```text
<snip>
Summary:

SELinux is preventing /usr/sbin/tgtd "search" access on lundir.

Detailed Description:

SELinux denied access requested by tgtd. It is not expected that this access is
required by tgtd and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385)
Please file a bug report.

Additional Information:

Source Context                unconfined_u:system_r:tgtd_t:s0
Target Context                unconfined_u:object_r:default_t:s0
Target Objects                lundir [ dir ]
Source                        tgtd
Source Path                   /usr/sbin/tgtd
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           scsi-target-utils-1.0.4-3.el6
Target RPM Packages
Policy RPM                    selinux-policy-3.7.19-54.el6
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     punb200m2labs02vm6
Platform                      Linux punb200m2labs02vm6 2.6.32-71.el6.x86_64 #1
                              SMP Wed Sep 1 01:33:01 EDT 2010 x86_64 x86_64
Alert Count                   5
First Seen                    Wed Sep 14 21:52:42 2011
Last Seen                     Wed Sep 14 21:52:46 2011
Local ID                      62f7ef70-cbbc-4e73-920f-7216d892d6dd
Line Numbers                  21379, 21380, 21381, 21382, 21383, 21384, 21385,
                              21386, 21387, 21388

Raw Audit Messages

type=AVC msg=audit(1316017366.542:10952): avc: denied { search } for pid=6851 comm="tgtd" name="lundir" dev=sda1 ino=807154 scontext=unconfined_u:system_r:tgtd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir
type=SYSCALL msg=audit(1316017366.542:10952): arch=c000003e syscall=2 success=no exit=-13 a0=d33750 a1=2 a2=7fff209bce70 a3=d items=0 ppid=1 pid=6851 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="tgtd" exe="/usr/sbin/tgtd" subj=unconfined_u:system_r:tgtd_t:s0 key=(null)
</snip>
```

To conclude, the LUN does not get added if it is on a proprietary filesystem or an ext3 filesystem.

/lundir or /lun2 is not a standard directory, so you need to label it with something tgtd_t can access. If this is a directory that tgtd_t has full control over, label it tgtd_var_lib_t:

```text
# chcon -R -t tgtd_var_lib_t PATHTO/lundir
# chcon -R -t tgtd_var_lib_t PATHTO/lun2
```

Try this labeling. Since this is local customization, I am closing this as notabug.
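The two denials above say the same thing in audit form: the tgtd_t domain was refused `write` on a file labelled etc_runtime_t and `search` on a directory labelled default_t, which is exactly the "not a standard directory" situation the closing comment describes. The following is an added example, not part of this bug report or of the selinux-policy package: a small POSIX shell helper that reduces a raw AVC record to its source type, permission, class, object name and target type, and prints the persistent relabeling commands (`semanage fcontext` plus `restorecon`) that survive a filesystem relabel, unlike a bare `chcon`. The sample records are constructed from the two AVC lines quoted in the report; `avc_field`, `avc_summary` and `relabel_commands` are names chosen here, and the block assumes only sed, awk and cut. It prints the semanage/restorecon commands rather than running them.

```shell
#!/bin/sh
# Added example: summarize AVC denials and emit a persistent relabel
# (semanage fcontext + restorecon) instead of a one-off chcon.
# Assumes only POSIX sh, sed, awk and cut; nothing here modifies the system.

# Constructed sample: the two AVC records from this bug, AVC part only.
AVC_SAMPLE='type=AVC msg=audit(1316017012.340:10906): avc: denied { write } for pid=6851 comm="tgtd" name="lun2" dev=sda1 ino=24227 scontext=unconfined_u:system_r:tgtd_t:s0 tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=file
type=AVC msg=audit(1316017366.542:10952): avc: denied { search } for pid=6851 comm="tgtd" name="lundir" dev=sda1 ino=807154 scontext=unconfined_u:system_r:tgtd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir'

# avc_field RECORD KEY -> value of the KEY=value token, surrounding quotes stripped
avc_field() {
    printf '%s\n' "$1" | awk -v key="$2" '{
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == key) {
                v = substr($i, length(key) + 2)   # everything after "key="
                gsub(/"/, "", v)
                print v
            }
        }
    }'
}

# avc_summary RECORD -> "SOURCE_TYPE PERM TCLASS NAME TARGET_TYPE"
# The SELinux type is the third colon-separated field of a context.
avc_summary() {
    rec=$1
    perm=$(printf '%s\n' "$rec" | awk '{ for (i = 1; i <= NF; i++) if ($i == "{") print $(i + 1) }')
    stype=$(avc_field "$rec" scontext | cut -d: -f3)
    ttype=$(avc_field "$rec" tcontext | cut -d: -f3)
    printf '%s %s %s %s %s\n' "$stype" "$perm" "$(avc_field "$rec" tclass)" \
        "$(avc_field "$rec" name)" "$ttype"
}

# relabel_commands PATH TYPE -> prints the two commands that make the label
# persistent: record the rule in the local file-context database, then apply it.
# A chcon alone is lost on the next restorecon or full relabel.
relabel_commands() {
    path=${1%/}
    printf 'semanage fcontext -a -t %s "%s(/.*)?"\n' "$2" "$path"
    printf 'restorecon -Rv "%s"\n' "$path"
}

# Walk the sample records, then show the relabel for the directory from the report.
printf '%s\n' "$AVC_SAMPLE" | while IFS= read -r rec; do
    avc_summary "$rec"
done
relabel_commands /lundir tgtd_var_lib_t
```

After running the printed commands on the target host, `matchpathcon /lundir` should report tgtd_var_lib_t and `ls -Z /lundir` should show the new label on the LUN files; a fresh `ausearch -m AVC -c tgtd` then tells you whether any denial remains. The type tgtd_var_lib_t is the one the closing comment names for directories tgtd_t fully controls; if the backing store only needs to be read, a more restrictive type is the better choice, and a local policy module written from the AVC (the sealert "Allowing Access" route) should be a last resort because it widens the domain rather than fixing the label.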