Bug 832965

Summary: AVCs when running iscsiadm
Product: Red Hat Enterprise Linux 7
Reporter: Michal Trunecka <mtruneck>
Component: iscsi-initiator-utils
Assignee: Chris Leech <cleech>
Status: CLOSED CURRENTRELEASE
QA Contact: Bruno Goncalves <bgoncalv>
Severity: medium
Docs Contact:
Priority: medium
Version: 7.0
CC: bgoncalv, ebenes, mmalik, mtruneck
Target Milestone: rc
Keywords: Triaged
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-04-08 15:12:55 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Michal Trunecka 2012-06-18 09:40:16 UTC
Description of problem:
Following AVCs showed up during the iscsi automated test:
/CoreOS/selinux-policy/Regression/bz506057-iscsiadm-login-logout-AVCs

----
time->Mon Jun 18 05:34:21 2012
type=PATH msg=audit(1340012061.254:2183): item=0 name="/var/lock/iscsi/lock" inode=571697 dev=00:11 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:var_lock_t:s0
type=CWD msg=audit(1340012061.254:2183):  cwd="/"
type=SYSCALL msg=audit(1340012061.254:2183): arch=c000003e syscall=2 success=no exit=-13 a0=44ba91 a1=42 a2=1b6 a3=44bb99 items=1 ppid=1 pid=20506 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iscsid" exe="/usr/sbin/iscsid" subj=system_u:system_r:iscsid_t:s0 key=(null)
type=AVC msg=audit(1340012061.254:2183): avc:  denied  { read write } for  pid=20506 comm="iscsid" name="lock" dev="tmpfs" ino=571697 scontext=system_u:system_r:iscsid_t:s0 tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=file
----
time->Mon Jun 18 05:34:21 2012
type=PATH msg=audit(1340012061.254:2184): item=1 name="/var/lock/iscsi/lock.write" inode=571696 dev=00:11 mode=040600 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:var_lock_t:s0
type=PATH msg=audit(1340012061.254:2184): item=0 name="/var/lock/iscsi/lock" inode=571697 dev=00:11 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:var_lock_t:s0
type=CWD msg=audit(1340012061.254:2184):  cwd="/"
type=SYSCALL msg=audit(1340012061.254:2184): arch=c000003e syscall=86 success=no exit=-13 a0=44ba91 a1=44baa6 a2=d a3=7fff72ee4b20 items=2 ppid=1 pid=20506 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iscsid" exe="/usr/sbin/iscsid" subj=system_u:system_r:iscsid_t:s0 key=(null)
type=AVC msg=audit(1340012061.254:2184): avc:  denied  { link } for  pid=20506 comm="iscsid" name="lock" dev="tmpfs" ino=571697 scontext=system_u:system_r:iscsid_t:s0 tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=file


Version-Release number of selected component (if applicable):
iscsi-initiator-utils-6.2.0.872-18.el7.x86_64
selinux-policy-3.10.0-128.el7.noarch



Steps to Reproduce:
service iscsid start
#### And the following command causes the AVCs:
iscsiadm --mode discovery --type sendtargets --portal 10.16.41.160
  
Actual results:
AVCs

Expected results:
No AVCs

Additional info:

Comment 1 Daniel Walsh 2012-06-18 20:14:26 UTC
Does restorecon -R -v -n /var/lock show any mislabeled files?

Comment 2 Michal Trunecka 2012-06-20 07:19:56 UTC
restorecon -R -v -n /var/lock
restorecon reset /run/lock/iscsi context unconfined_u:object_r:var_lock_t:s0->unconfined_u:object_r:iscsi_lock_t:s0
restorecon reset /run/lock/iscsi/lock context unconfined_u:object_r:var_lock_t:s0->unconfined_u:object_r:iscsi_lock_t:s0
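
Added example (editor's, not code from the report or from iscsi-initiator-utils): a triage script for the records quoted in the description and the restorecon output in comment 2. It parses the AVC, SYSCALL and PATH records, looks up the type the policy expects for each denied path, and decides whether the denial is a labeling problem (restorecon is the fix, as comment 2's output shows) or a genuine policy gap (the only case where an allow rule is the right answer). The regexes, the EXPECTED_TYPE table, the /var/lock to /run/lock normalisation and the "already correctly labeled" contrast event are assumptions of this example.

```python
"""Triage the AVC denials from this report: relabel, or change policy?

Added example, not code from the report or from iscsi-initiator-utils. It
parses the quoted audit records, looks up the label the policy expects for
each denied path (from the restorecon -n output in comment 2) and reports
whether the denial is a mislabeling (fix: restorecon) or a policy gap. The
regexes, EXPECTED_TYPE, the /var/lock -> /run/lock normalisation and the
"already correctly labeled" event are this example's own assumptions.
"""
import re
from collections import defaultdict

# Records copied from the report: event 2183 is the open(), 2184 the link().
REPORT_LINES = """
type=PATH msg=audit(1340012061.254:2183): item=0 name="/var/lock/iscsi/lock" inode=571697 dev=00:11 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:var_lock_t:s0
type=SYSCALL msg=audit(1340012061.254:2183): arch=c000003e syscall=2 success=no exit=-13 a0=44ba91 a1=42 a2=1b6 a3=44bb99 items=1 ppid=1 pid=20506 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iscsid" exe="/usr/sbin/iscsid" subj=system_u:system_r:iscsid_t:s0 key=(null)
type=AVC msg=audit(1340012061.254:2183): avc:  denied  { read write } for  pid=20506 comm="iscsid" name="lock" dev="tmpfs" ino=571697 scontext=system_u:system_r:iscsid_t:s0 tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=file
type=PATH msg=audit(1340012061.254:2184): item=1 name="/var/lock/iscsi/lock.write" inode=571696 dev=00:11 mode=040600 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:var_lock_t:s0
type=PATH msg=audit(1340012061.254:2184): item=0 name="/var/lock/iscsi/lock" inode=571697 dev=00:11 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:var_lock_t:s0
type=SYSCALL msg=audit(1340012061.254:2184): arch=c000003e syscall=86 success=no exit=-13 a0=44ba91 a1=44baa6 a2=d a3=7fff72ee4b20 items=2 ppid=1 pid=20506 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iscsid" exe="/usr/sbin/iscsid" subj=system_u:system_r:iscsid_t:s0 key=(null)
type=AVC msg=audit(1340012061.254:2184): avc:  denied  { link } for  pid=20506 comm="iscsid" name="lock" dev="tmpfs" ino=571697 scontext=system_u:system_r:iscsid_t:s0 tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=file
""".strip().splitlines()

# Constructed contrast case (not in the report): same denial, but the lock
# file already carries iscsi_lock_t, so relabeling would change nothing.
CONSTRUCTED_LINES = """
type=PATH msg=audit(1340012099.000:9999): item=0 name="/var/lock/iscsi/lock" inode=571697 dev=00:11 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:iscsi_lock_t:s0
type=AVC msg=audit(1340012099.000:9999): avc:  denied  { read write } for  pid=20506 comm="iscsid" name="lock" dev="tmpfs" ino=571697 scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:object_r:iscsi_lock_t:s0 tclass=file
""".strip().splitlines()

# Label the policy assigns per path prefix, from comment 2's restorecon -n
# output (it printed /run/lock/... because /var/lock symlinks to /run/lock on
# RHEL 7). Assumed here, not read from the host's file_contexts.
EXPECTED_TYPE = {"/run/lock/iscsi": "iscsi_lock_t", "/run/lock": "var_lock_t"}
SYSCALL_X86_64 = {2: "open", 86: "link"}  # arch=c000003e; exit=-13 is EACCES

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS_RE = re.compile(r"\{ ([^}]*) \}")
EVENT_RE = re.compile(r"msg=audit\([\d.]+:(\d+)\)")

def parse_record(line):
    """One audit record -> dict of key=value fields plus event id and perms."""
    rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    rec["event"] = EVENT_RE.search(line).group(1)
    if rec["type"] == "AVC":
        rec["perms"] = PERMS_RE.search(line).group(1).split()
    return rec

def selinux_type(context):
    """user:role:type:level -> type (the part policy rules are written on)."""
    return context.split(":")[2]

def expected_type(path):
    """Longest-prefix lookup of the label the policy expects for a path."""
    if path.startswith("/var/lock"):
        path = "/run/lock" + path[len("/var/lock"):]
    for prefix in sorted(EXPECTED_TYPE, key=len, reverse=True):
        if path == prefix or path.startswith(prefix + "/"):
            return EXPECTED_TYPE[prefix]
    return None

def classify(records):
    """All records of one audit event -> triage finding. A denied object whose
    type differs from what file_contexts assigns to its path is a labeling bug:
    restorecon fixes it and an audit2allow rule would only paper over the
    mislabel. Only when the labels are already correct is it a policy gap."""
    avc = next(r for r in records if r["type"] == "AVC")
    sc = next((r for r in records if r["type"] == "SYSCALL"), None)
    src, tgt = selinux_type(avc["scontext"]), selinux_type(avc["tcontext"])
    mislabeled = []
    for p in (r for r in records if r["type"] == "PATH"):
        actual, wanted = selinux_type(p["obj"]), expected_type(p["name"])
        if wanted and actual != wanted:
            mislabeled.append((p["name"], actual, wanted))
    finding = {"event": avc["event"], "comm": avc["comm"], "source": src,
               "target": tgt, "tclass": avc["tclass"], "perms": avc["perms"],
               "mislabeled": mislabeled, "syscall": None}
    if sc and sc["arch"] == "c000003e":
        finding["syscall"] = SYSCALL_X86_64.get(int(sc["syscall"]))
    if mislabeled:
        finding["verdict"] = "mislabeled"
        finding["fix"] = "restorecon -v " + " ".join(sorted({m[0] for m in mislabeled}))
    else:
        finding["verdict"] = "policy gap"
        finding["fix"] = "allow %s %s:%s { %s };" % (src, tgt, avc["tclass"], " ".join(avc["perms"]))
    return finding

def triage(lines):
    """Group records by audit event id and classify each event, in id order."""
    events = defaultdict(list)
    for line in lines:
        if line.strip().startswith("type="):
            rec = parse_record(line.strip())
            events[rec["event"]].append(rec)
    return [classify(events[e]) for e in sorted(events, key=int)]

if __name__ == "__main__":
    for f in triage(REPORT_LINES + CONSTRUCTED_LINES):
        print(f["event"], f["syscall"], f["perms"], f["verdict"], "->", f["fix"])
```

Run against the report's records, both events come out as "mislabeled" with a restorecon fix for /var/lock/iscsi/lock (and lock.write), which is exactly what comment 2's dry run reports; only the constructed event, where the file already carries iscsi_lock_t, yields an allow rule. On a real host the EXPECTED_TYPE table would be replaced by matchpathcon or selinux.matchpathcon() lookups.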

Comment 3 Daniel Walsh 2012-06-20 18:26:47 UTC
Any idea how these directories got created with the wrong label?  Which process created them?  initscripts?

Comment 4 Miroslav Grepl 2012-07-17 06:20:23 UTC
It looks like it is created by an initscript. We had this issue on older RHEL and Fedora.

Comment 6 RHEL Program Management 2014-03-22 07:07:31 UTC
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.

Comment 12 Bruno Goncalves 2015-04-08 15:12:55 UTC
Closing this BZ as it seems to work well on RHEL-7.1