Bug 837570

Summary: tgtd fails to start with selinux on enforce mode
Product: Red Hat Enterprise Linux 6
Reporter: Bruno Goncalves <bgoncalv>
Component: scsi-target-utils
Assignee: Andy Grover <agrover>
Status: CLOSED WONTFIX
QA Contact: Bruno Goncalves <bgoncalv>
Severity: medium
Docs Contact:
Priority: medium
Version: 6.3
CC: fge, mgrepl
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-12-06 10:28:42 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Bruno Goncalves 2012-07-04 09:30:47 UTC
Description of problem:
tgtd is not able to start when there is a LUN configured and SELinux is in enforcing mode.

Version-Release number of selected component (if applicable):
rpm -q scsi-target-utils
scsi-target-utils-1.0.24-2.el6.x86_64

rpm -q selinux-policy
selinux-policy-3.7.19-154.el6.noarch


How reproducible:
100%

Steps to Reproduce:
1. Set SELinux to enforcing: echo 1 > /selinux/enforce
2. service tgtd restart
Stopping SCSI target daemon:                               [  OK  ]
Starting SCSI target daemon:                               [  OK  ]
tgtadm: invalid request
Command:
	tgtadm -C 0 --lld iscsi --op new --mode logicalunit --tid 1 --lun 1 -b /var/lib/tgtd/loop-disk-1-1

Actual results:
backed_file_open(92) Could not open /var/lib/tgtd/loop-disk-1-1

ausearch -m avc -ts recent |grep tgtd
type=SYSCALL msg=audit(1341392755.939:41): arch=c000003e syscall=2 success=no exit=-13 a0=2492880 a1=2 a2=7fff56d00eb0 a3=1c items=0 ppid=1 pid=9980 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=10 comm="tgtd" exe="/usr/sbin/tgtd" subj=unconfined_u:system_r:tgtd_t:s0 key=(null)
type=AVC msg=audit(1341392755.939:41): avc:  denied  { read write } for  pid=9980 comm="tgtd" name="loop-disk-1-1" dev=dm-0 ino=174084 scontext=unconfined_u:system_r:tgtd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1341392755.939:42): arch=c000003e syscall=2 success=no exit=-13 a0=2492880 a1=0 a2=7fff56d00eb0 a3=2c312d312d6b7369 items=0 ppid=1 pid=9980 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=10 comm="tgtd" exe="/usr/sbin/tgtd" subj=unconfined_u:system_r:tgtd_t:s0 key=(null)
type=AVC msg=audit(1341392755.939:42): avc:  denied  { read } for  pid=9980 comm="tgtd" name="loop-disk-1-1" dev=dm-0 ino=174084 scontext=unconfined_u:system_r:tgtd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file


Expected results:
tgtd should start without any problem.

Additional info:
There is one workaround, which is to add /var/lib/tgtd to the tgtd spec file, running:
restorecon -R -v /var/lib/tgtd

If tgtd creates this directory automatically, the workaround might not be necessary; the manual also needs to be updated to inform the user to create the LUNs under this directory.

Comment 1 RHEL Program Management 2012-07-10 07:01:50 UTC
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.

Comment 2 RHEL Program Management 2012-07-11 01:54:34 UTC
This request was erroneously removed from consideration in Red Hat Enterprise Linux 6.4, which is currently under development.  This request will be evaluated for inclusion in Red Hat Enterprise Linux 6.4.

Comment 3 RHEL Program Management 2012-09-07 05:23:29 UTC
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated
in the current release, Red Hat is unable to address this
request at this time.

Red Hat invites you to ask your support representative to
propose this request, if appropriate, in the next release of
Red Hat Enterprise Linux.

Comment 4 Miroslav Grepl 2012-12-20 08:12:58 UTC
# matchpathcon /var/lib/tgtd
/var/lib/tgtd	system_u:object_r:tgtd_var_lib_t:s0

tells me that /var/lib/tgtd is mislabeled.

# restorecon -R -v  /var/lib/tgtd

Did you re-create it?


What does

# rpm -qf /var/lib/tgtd

Comment 5 Bruno Goncalves 2012-12-21 08:36:36 UTC
What would be the expected return of
# matchpathcon /var/lib/tgtd ?

I don't know if restorecon has been executed before, but I need to run it once before starting tgtd.


rpm -qf /var/lib/tgtd
file /var/lib/tgtd is not owned by any package

Comment 6 Miroslav Grepl 2012-12-21 10:43:59 UTC
Ok, this is a problem. How is this directory created?

Comment 7 Bruno Goncalves 2012-12-21 11:56:00 UTC
This directory is created manually as it seems tgtd does not have any place to store the LUN images.

Comment 8 Miroslav Grepl 2013-01-02 07:18:32 UTC
(In reply to comment #7)
> This directory is created manually as it seems tgtd does not have any place
> to store the LUN images.

Then the restorecon is needed.

Also, this directory should be created by rpm; then it gets the correct labeling.
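Added example, not part of the bug report or of the scsi-target-utils package: a POSIX shell script that triages an AVC record of the shape quoted in the description (source type, denied permissions, target type and file name) and, as comment 4 does with matchpathcon, compares the label a path carries on disk with the one policy expects so that a mislabeled directory such as /var/lib/tgtd is spotted before tgtd is started. The SAMPLE_AVC record is constructed from the first AVC line in the description; the function names avc_field, avc_perms, ctx_type, avc_summary, label_drifted and check_path are names chosen for this example.

```shell
#!/bin/sh
# Added example: triage an SELinux AVC denial and detect label drift on a path.

# Constructed sample: the first AVC record quoted in the bug description.
SAMPLE_AVC='type=AVC msg=audit(1341392755.939:41): avc:  denied  { read write } for  pid=9980 comm="tgtd" name="loop-disk-1-1" dev=dm-0 ino=174084 scontext=unconfined_u:system_r:tgtd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file'

# avc_field RECORD KEY -> value of the KEY=value pair, surrounding quotes stripped
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perms RECORD -> the permissions listed between { and }, space separated
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\([^}]*\) *}.*/\1/p' | sed 's/[[:space:]]*$//'
}

# ctx_type CONTEXT -> the type field of a user:role:type:level context
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_summary RECORD -> one line: "<source type> denied <perms> on <class> <name> labeled <target type>"
avc_summary() {
    printf '%s denied %s on %s %s labeled %s\n' \
        "$(ctx_type "$(avc_field "$1" scontext)")" \
        "$(avc_perms "$1" | tr ' ' ',')" \
        "$(avc_field "$1" tclass)" \
        "$(avc_field "$1" name)" \
        "$(ctx_type "$(avc_field "$1" tcontext)")"
}

# label_drifted EXPECTED_CTX ACTUAL_CTX -> succeeds when the type differs, i.e. restorecon is needed
label_drifted() {
    [ "$(ctx_type "$1")" != "$(ctx_type "$2")" ]
}

# check_path PATH -> compare the label policy expects (matchpathcon -n) with the one on disk
# (stat -c %C). Only meaningful on a host with the SELinux tools installed.
check_path() {
    command -v matchpathcon >/dev/null 2>&1 || { echo "matchpathcon not available"; return 2; }
    expected=$(matchpathcon -n "$1")
    actual=$(stat -c %C "$1")
    if label_drifted "$expected" "$actual"; then
        echo "$1: on disk $actual, policy expects $expected -> run: restorecon -R -v $1"
        return 1
    fi
    echo "$1: label ok ($actual)"
}

# Summarise the constructed record; on the bug's system this prints
# "tgtd_t denied read,write on file loop-disk-1-1 labeled var_lib_t".
avc_summary "$SAMPLE_AVC"
```

Feed real records with `ausearch -m avc -ts recent | grep 'type=AVC' | while read -r rec; do avc_summary "$rec"; done`, and run `check_path /var/lib/tgtd` before starting the daemon; a target type of var_lib_t where policy expects tgtd_var_lib_t is exactly the mismatch that produced the denial above.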

Comment 9 RHEL Program Management 2013-10-14 04:53:30 UTC
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.

Comment 10 Jan Kurik 2017-12-06 10:28:42 UTC
Red Hat Enterprise Linux 6 is in the Production 3 Phase. During the Production 3 Phase, Critical impact Security Advisories (RHSAs) and selected Urgent Priority Bug Fix Advisories (RHBAs) may be released as they become available.

The official life cycle policy can be reviewed here:

http://redhat.com/rhel/lifecycle

This issue does not meet the inclusion criteria for the Production 3 Phase and will be marked as CLOSED/WONTFIX. If this remains a critical requirement, please contact Red Hat Customer Support to request a re-evaluation of the issue, citing a clear business justification. Note that a strong business justification will be required for re-evaluation. Red Hat Customer Support can be contacted via the Red Hat Customer Portal at the following URL:

https://access.redhat.com/