Bug 749136

Summary: SELinux is preventing /sbin/iscsid from unlink access on the file lock.write.
Product: [Fedora] Fedora Reporter: Slawomir Czarko <slawomir.czarko>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED WONTFIX QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 15CC: dominick.grift, dwalsh, mgrepl
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-08-07 19:59:07 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Slawomir Czarko 2011-10-26 09:57:57 UTC
Description of problem:

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that iscsid should be allowed unlink access on the lock.write file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep iscsid /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:iscsid_t:s0
Target Context                unconfined_u:object_r:var_lock_t:s0
Target Objects                lock.write [ file ]
Source                        iscsid
Source Path                   /sbin/iscsid
Port                          <Unknown>
Host                          jenkins
Source RPM Packages           iscsi-initiator-utils-6.2.0.872-12.fc15
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.16-39.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     jenkins
Platform                      Linux jenkins 2.6.40.6-0.fc15.i686.PAE #1 SMP Tue
                              Oct 4 00:44:38 UTC 2011 i686 i686
Alert Count                   1
First Seen                    Wed Oct 26 11:20:37 2011
Last Seen                     Wed Oct 26 11:20:37 2011
Local ID                      837ea7d1-6155-45e5-bfd5-64c2c1887d0a

Raw Audit Messages
type=AVC msg=audit(1319620837.947:446): avc:  denied  { unlink } for  pid=15573 comm="iscsid" name="lock.write" dev=tmpfs ino=304044 scontext=system_u:system_r:iscsid_t:s0 tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=file


type=SYSCALL msg=audit(1319620837.947:446): arch=i386 syscall=unlink success=no exit=EACCES a0=80923cc a1=8b938b8 a2=0 a3=8ba3740 items=0 ppid=1 pid=15573 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=iscsid exe=/sbin/iscsid subj=system_u:system_r:iscsid_t:s0 key=(null)

Hash: iscsid,iscsid_t,var_lock_t,file,unlink

audit2allow

#============= iscsid_t ==============
allow iscsid_t var_lock_t:file unlink;

audit2allow -R

#============= iscsid_t ==============
allow iscsid_t var_lock_t:file unlink;


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. service iscsid start
2.
3.
  
Actual results:


Expected results:


Additional info:

Comment 1 Miroslav Grepl 2011-10-26 12:35:34 UTC
*** Bug 749138 has been marked as a duplicate of this bug. ***

Comment 2 Miroslav Grepl 2011-10-26 12:35:52 UTC
*** Bug 749140 has been marked as a duplicate of this bug. ***

Comment 3 Daniel Walsh 2011-10-26 12:52:23 UTC
Does 

restorecon -R -v /var/lock/iscsi

Fix the problem.

Comment 4 Slawomir Czarko 2011-10-26 12:59:08 UTC
(In reply to comment #3)
> Does 
> 
> restorecon -R -v /var/lock/iscsi
> 
> Fix the problem.

There was no output from

restorecon -R -v /var/lock/

so I guess not.

I installed a custom policy module to deal with this and the similar issues:

module iscsid 1.0;

require {
        type iscsid_t;
        type var_lock_t;
        class file { read write unlink open link };
}

#============= iscsid_t ==============
allow iscsid_t var_lock_t:file { unlink open };

allow iscsid_t var_lock_t:file { read write link };

Comment 5 Miroslav Grepl 2011-10-26 13:04:34 UTC
Slawomir,
try to run

# chcon -R -t iscsi_lock_t /var/lock/iscsi

Comment 6 Miroslav Grepl 2011-10-26 13:06:51 UTC
Also what does

# matchpathcon /var/lock/iscsi

Comment 7 Slawomir Czarko 2011-10-26 13:08:44 UTC
(In reply to comment #5)
> Slawomir,
> try to run
> 
> # chcon -R -t iscsi_lock_t /var/lock/iscsi

Do I need to unload custom policy module first?

(In reply to comment #6)
> Also what does
> 
> # matchpathcon /var/lock/iscsi

/var/lock/iscsi system_u:object_r:iscsi_lock_t:s0

Comment 8 Fedora End Of Life 2012-08-07 19:59:09 UTC
This message is a notice that Fedora 15 is now at end of life. Fedora
has stopped maintaining and issuing updates for Fedora 15. It is
Fedora's policy to close all bug reports from releases that are no
longer maintained. At this time, all open bugs with a Fedora 'version'
of '15' have been closed as WONTFIX.

(Please note: Our normal process is to give advanced warning of this
occurring, but we forgot to do that. A thousand apologies.)

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, feel free to reopen
this bug and simply change the 'version' to a later Fedora version.

Bug Reporter: Thank you for reporting this issue and we are sorry that
we were unable to fix it before Fedora 15 reached end of life. If you
would still like to see this bug fixed and are able to reproduce it
against a later version of Fedora, you are encouraged to click on
"Clone This Bug" (top right of this page) and open it against that
version of Fedora.

Although we aim to fix as many bugs as possible during every release's
lifetime, sometimes those efforts are overtaken by events. Often a
more recent Fedora release includes newer upstream software that fixes
bugs or makes them obsolete.

The process we are following is described here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping