Bug 738239
| Summary: | SELinux is preventing /usr/sbin/tgtd "search" access to /. | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Omkar <omkarlagu> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED NOTABUG | QA Contact: | BaseOS QE Security Team <qe-baseos-security> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 6.0 | CC: | dwalsh, omkarlagu |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2011-09-15 13:45:03 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Also if you move the Lun "Lun2" to / . While adding the LUN it gives the below message <snip> -------------------------------------------------------------------------------- Summary: SELinux is preventing /usr/sbin/tgtd "write" access on lun2. Detailed Description: SELinux denied access requested by tgtd. It is not expected that this access is required by tgtd and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access: You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report. Additional Information: Source Context unconfined_u:system_r:tgtd_t:s0 Target Context unconfined_u:object_r:etc_runtime_t:s0 Target Objects lun2 [ file ] Source tgtd Source Path /usr/sbin/tgtd Port <Unknown> Host <Unknown> Source RPM Packages scsi-target-utils-1.0.4-3.el6 Target RPM Packages Policy RPM selinux-policy-3.7.19-54.el6 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Plugin Name catchall Host Name punb200m2labs02vm6 Platform Linux punb200m2labs02vm6 2.6.32-71.el6.x86_64 #1 SMP Wed Sep 1 01:33:01 EDT 2010 x86_64 x86_64 Alert Count 6 First Seen Wed Sep 14 21:35:01 2011 Last Seen Wed Sep 14 21:46:52 2011 Local ID c73075b3-ff17-4169-bf17-b1c3ba043b56 Line Numbers 21247, 21248, 21249, 21250, 21263, 21264, 21265, 21266, 21273, 21274, 21335, 21336 Raw Audit Messages type=AVC msg=audit(1316017012.340:10906): avc: denied { write } for pid=6851 comm="tgtd" name="lun2" dev=sda1 ino=24227 scontext=unconfined_u:system_r:tgtd_t:s0 tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=file type=SYSCALL msg=audit(1316017012.340:10906): arch=c000003e syscall=2 success=no exit=-13 a0=d33010 a1=2 a2=7fff209bce70 a3=6 items=0 ppid=1 pid=6851 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="tgtd" exe="/usr/sbin/tgtd" subj=unconfined_u:system_r:tgtd_t:s0 key=(null) -------------------------------------------------------------------------------- </snip> So then I moved lun2 inside /lundir, to which it gives the below message <snip> Summary: SELinux is preventing /usr/sbin/tgtd "search" access on lundir. Detailed Description: SELinux denied access requested by tgtd. It is not expected that this access is required by tgtd and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access: You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report. Additional Information: Source Context unconfined_u:system_r:tgtd_t:s0 Target Context unconfined_u:object_r:default_t:s0 Target Objects lundir [ dir ] Source tgtd Source Path /usr/sbin/tgtd Port <Unknown> Host <Unknown> Source RPM Packages scsi-target-utils-1.0.4-3.el6 Target RPM Packages Policy RPM selinux-policy-3.7.19-54.el6 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Plugin Name catchall Host Name punb200m2labs02vm6 Platform Linux punb200m2labs02vm6 2.6.32-71.el6.x86_64 #1 SMP Wed Sep 1 01:33:01 EDT 2010 x86_64 x86_64 Alert Count 5 First Seen Wed Sep 14 21:52:42 2011 Last Seen Wed Sep 14 21:52:46 2011 Local ID 62f7ef70-cbbc-4e73-920f-7216d892d6dd Line Numbers 21379, 21380, 21381, 21382, 21383, 21384, 21385, 21386, 21387, 21388 Raw Audit Messages type=AVC msg=audit(1316017366.542:10952): avc: denied { search } for pid=6851 comm="tgtd" name="lundir" dev=sda1 ino=807154 scontext=unconfined_u:system_r:tgtd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir type=SYSCALL msg=audit(1316017366.542:10952): arch=c000003e syscall=2 success=no exit=-13 a0=d33750 a1=2 a2=7fff209bce70 a3=d items=0 ppid=1 pid=6851 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="tgtd" exe="/usr/sbin/tgtd" subj=unconfined_u:system_r:tgtd_t:s0 key=(null) </snip> To conclude Lun does not get added if it is on a propitiatory Filesystem or Ext3 Filesystem To conclude Lun does not get added if it is on a proprietary Filesystem or Ext3 Filesystem /lundir or /lun2 is not a standard directory, so you need to label it with something tgtd_t can access. If this is a directory that tgtd_t has full control over, label it tgtd_var_lib_t # chcon -R -t tgtd_var_lib_t PATHTO/lundir # chcon -R -t tgtd_var_lib_t PATHTO/lun2 try this labeling. Since this is local customization, I am closing this as notabug. |
Description of problem: Summary: SELinux is preventing /usr/sbin/tgtd "search" access to /. Detailed Description: SELinux denied access requested by tgtd. / may be a mislabeled. / default SELinux type is root_t, but its current type is vxfs_t. Changing this file back to the default type, may fix your problem. File contexts can be assigned to a file in the following ways. * Files created in a directory receive the file context of the parent directory by default. * The SELinux policy might override the default label inherited from the parent directory by specifying a process running in context A which creates a file in a directory labeled B will instead create the file with label C. An example of this would be the dhcp client running with the dhclient_t type and creating a file in the directory /etc. This file would normally receive the etc_t type due to parental inheritance but instead the file is labeled with the net_conf_t type because the SELinux policy specifies this. * Users can change the file context on a file using tools such as chcon, or restorecon. This file could have been mislabeled either by user error, or if an normally confined application was run under the wrong domain. However, this might also indicate a bug in SELinux because the file should not have been labeled with this type. If you believe this is a bug, please file a bug report against this package. Allowing Access: You can restore the default system context to this file by executing the restorecon command. restorecon '/', if this file is a directory, you can recursively restore using restorecon -R '/'. Fix Command: /sbin/restorecon '/' Additional Information: Source Context unconfined_u:system_r:tgtd_t:s0 Target Context system_u:object_r:vxfs_t:s0 Target Objects / [ dir ] Source tgtd Source Path /usr/sbin/tgtd Port <Unknown> Host <Unknown> Source RPM Packages scsi-target-utils-1.0.4-3.el6 Target RPM Packages filesystem-2.4.30-2.1.el6 Policy RPM selinux-policy-3.7.19-54.el6 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Plugin Name restorecon Host Name punb200m2labs02vm6 Platform Linux punb200m2labs02vm6 2.6.32-71.el6.x86_64 #1 SMP Wed Sep 1 01:33:01 EDT 2010 x86_64 x86_64 Alert Count 15 First Seen Tue Sep 13 18:54:11 2011 Last Seen Wed Sep 14 21:16:24 2011 Local ID 1b8081d3-dc77-454b-8085-18ba5c13dfbc Line Numbers 10438, 10439, 10452, 10453, 10562, 10563, 10570, 10571, 20678, 20679, 20692, 20693, 20694, 20695, 20714, 20715, 20749, 20750, 20793, 20794, 20903, 20904, 20923, 20924, 20931, 20932, 21054, 21055, 21122, 21123 Raw Audit Messages type=AVC msg=audit(1316015184.747:10700): avc: denied { search } for pid=6851 comm="tgtd" name="/" dev=VxVM51000 ino=2 scontext=unconfined_u:system_r:tgtd_t:s0 tcontext=system_u:object_r:vxfs_t:s0 tclass=dir type=SYSCALL msg=audit(1316015184.747:10700): arch=c000003e syscall=2 success=no exit=-13 a0=d320d0 a1=2 a2=7fff209bce70 a3=10 items=0 ppid=1 pid=6851 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="tgtd" exe="/usr/sbin/tgtd" subj=unconfined_u:system_r:tgtd_t:s0 key=(null) -------------------------------------------------------------------------------- Version-Release number of selected component (if applicable): [root@punb200m2labs02vm6 vxfsshare]# rpm -qa | grep selinux selinux-policy-3.7.19-54.el6.noarch selinux-policy-targeted-3.7.19-54.el6.noarch libselinux-2.0.94-2.el6.i686 libselinux-utils-2.0.94-2.el6.x86_64 libselinux-2.0.94-2.el6.x86_64 libselinux-devel-2.0.94-2.el6.x86_64 libselinux-python-2.0.94-2.el6.x86_64 How reproducible: Always Steps to Reproduce: 1.Add a Lun on with tgtadm [root@punb200m2labs02vm6 vxfsshare]# /usr/sbin/tgtadm --lld iscsi --op new --mode logicalunit --tid 1 --lun 1 -b /vxfsshare/lun1 tgtadm: invalid request Actual results: Lun did not get added as SELINUX prohibited the access. Expected results: LUN should get added