Bug 842536
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | [FCoE] fcoe-utils cannot create FCoE session with SELinux enabled. | | |
| Product | Red Hat Enterprise Linux 7 | Reporter | Gris Ge <fge> |
| Component | selinux-policy | Assignee | Miroslav Grepl <mgrepl> |
| Status | CLOSED CURRENTRELEASE | QA Contact | Milos Malik <mmalik> |
| Severity | urgent | Docs Contact | |
| Priority | urgent | | |
| Version | 7.0 | CC | chaowang, dwalsh, edwardn, mbanas, mmalik, ohudlick, pfrields, qcai, salmy, xiaoli |
| Target Milestone | alpha | Keywords | Regression, TestBlocker |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | Bug Fix |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2014-06-13 10:21:49 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Attachments | | | |
Description

Gris Ge
2012-07-24 06:58:36 UTC

Workaround found:

```sh
fipvlan -c p2p1
fipvlan -c p2p2
echo p2p1.802 > /sys/module/libfcoe/parameters/create
echo p2p2.802 > /sys/module/libfcoe/parameters/create
```

The new sysfs file for soft FCoE creation changed to

```
/sys/module/libfcoe/parameters/create
#           ^^^^^^^
```

So current problem is:

1. dcbtool didn't create sub interface via fipvlan. Expected interface name should be p2p1.<VLAN_ID>-fcoe
2. fcoeadm cannot create fcoe session automatically.

Reproduced on rhel7 pre-beta compose (0903.n.1), fcoe-utils-1.0.24-1.el7.x86_64, kernel-3.5.0-0.24.el7. But can work around regarding comment 1.

Note: I've just updated fcoe-utils to 1.0.25 in el7.

Petr Šabata, issue still exists on fcoe-utils-1.0.25-2.el7.x86_64.

This is blocked by SELinux. Everything seems to work properly with SELinux disabled. Denials found in the audit.log:

```
type=AVC msg=audit(1361872880.616:321): avc: denied { create } for pid=16387 comm="fcoemon" scontext=system_u:system_r:fcoemon_t:s0 tcontext=system_u:system_r:fcoemon_t:s0 tclass=packet_socket
type=AVC msg=audit(1361872880.617:322): avc: denied { create } for pid=16387 comm="fcoemon" scontext=system_u:system_r:fcoemon_t:s0 tcontext=system_u:system_r:fcoemon_t:s0 tclass=packet_socket
type=AVC msg=audit(1361872944.653:323): avc: denied { create } for pid=16387 comm="fcoemon" scontext=system_u:system_r:fcoemon_t:s0 tcontext=system_u:system_r:fcoemon_t:s0 tclass=udp_socket
type=AVC msg=audit(1361872944.653:324): avc: denied { write } for pid=16387 comm="fcoemon" name="create" dev="sysfs" ino=17985 scontext=system_u:system_r:fcoemon_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=AVC msg=audit(1361872944.653:325): avc: denied { sendto } for pid=16387 comm="fcoemon" path=003030303039 scontext=system_u:system_r:fcoemon_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_dgram_socket
type=AVC msg=audit(1361873064.798:327): avc: denied { sendto } for pid=16387 comm="fcoemon" path=003030303061 scontext=system_u:system_r:fcoemon_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_dgram_socket
type=AVC msg=audit(1361873105.291:331): avc: denied { create } for pid=16423 comm="fcoemon" scontext=system_u:system_r:fcoemon_t:s0 tcontext=system_u:system_r:fcoemon_t:s0 tclass=packet_socket
type=AVC msg=audit(1361873105.291:331): avc: denied { net_raw } for pid=16423 comm="fcoemon" capability=13 scontext=system_u:system_r:fcoemon_t:s0 tcontext=system_u:system_r:fcoemon_t:s0 tclass=capability
type=AVC msg=audit(1361873105.291:332): avc: denied { ioctl } for pid=16423 comm="fcoemon" path="socket:[28315]" dev="sockfs" ino=28315 scontext=system_u:system_r:fcoemon_t:s0 tcontext=system_u:system_r:fcoemon_t:s0 tclass=packet_socket
type=AVC msg=audit(1361873105.300:333): avc: denied { setopt } for pid=16423 comm="fcoemon" scontext=system_u:system_r:fcoemon_t:s0 tcontext=system_u:system_r:fcoemon_t:s0 tclass=packet_socket
type=AVC msg=audit(1361873105.300:334): avc: denied { bind } for pid=16423 comm="fcoemon" scontext=system_u:system_r:fcoemon_t:s0 tcontext=system_u:system_r:fcoemon_t:s0 tclass=packet_socket
type=AVC msg=audit(1361873105.374:335): avc: denied { create } for pid=16423 comm="fcoemon" scontext=system_u:system_r:fcoemon_t:s0 tcontext=system_u:system_r:fcoemon_t:s0 tclass=udp_socket
type=AVC msg=audit(1361873105.374:336): avc: denied { ioctl } for pid=16423 comm="fcoemon" path="socket:[36592]" dev="sockfs" ino=36592 scontext=system_u:system_r:fcoemon_t:s0 tcontext=system_u:system_r:fcoemon_t:s0 tclass=udp_socket
type=AVC msg=audit(1361873105.374:337): avc: denied { write } for pid=16423 comm="fcoemon" name="create" dev="sysfs" ino=17985 scontext=system_u:system_r:fcoemon_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
```

We need to add fixes for fcoemon_t policy.
> type=AVC msg=audit(1361872944.653:325): avc: denied { sendto } for pid=16387 comm="fcoemon" path=003030303039 scontext=system_u:system_r:fcoemon_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_dgram_socket
> type=AVC msg=audit(1361873064.798:327): avc: denied { sendto } for pid=16387 comm="fcoemon" path=003030303061 scontext=system_u:system_r:fcoemon_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_dgram_socket

Any idea with which process does fcoemon communicate? My guess is lldpad (lldpad_t).

Hi guys, could you run the reproducer in permissive mode, gather all AVCs and attach them here? I don't know the configuration of p2p1 and p2p2 devices.

Created attachment 703836 [details]
SELinux log when creating FCoE

The server is storageqe-13.rhts.eng.bos.redhat.com with default password.
If this log does not meet your need, please feel free to log in and check around.
Thanks.

Confirmed, with SELinux disabled, fcoe-utils can create FCoE session as expected.

Changed the title of this bug as bnx2fc also fails with SELinux issue.

(In reply to comment #11)
> My guess is lldpad (lldpad_t)

But we see unconfined_t. Maybe it has been started by hand. I added some fixes to rawhide.

Could it be fixed in selinux-policy 3.11.1?

FCoE session automatically created with these SELinux rpms:

```
libselinux-utils-2.1.13-3.el7.x86_64
libselinux-2.1.13-3.el7.x86_64
libselinux-python-2.1.13-3.el7.x86_64
selinux-policy-devel-3.11.1-75.el7.noarch
selinux-policy-3.12.1-29.el7.noarch
selinux-policy-targeted-3.12.1-29.el7.noarch
selinux-policy-doc-3.12.1-29.el7.noarch
```

But be advised, RHEL-7.0-20130403.0 repo is still holding the old SELinux. Once new selinux rpms go to any RTT repo, will try again.

It looks like we are still seeing this issue with bnx2fc and SELinux enabled with RH7.0 SS1 release. Does anyone know if this is supposed to be fixed? Thanks.

(In reply to edwardn from comment #24)
> It looks like we are still seeing this issue with bnx2fc and SELinux enabled
> with RH7.0 SS1 release. Does anyone know if this is supposed to be fixed?
> Thanks.

Are you getting AVC msgs?

(In reply to Miroslav Grepl from comment #25)
> Are you getting AVC msgs?

Seeing the following message when running the fcoeadm command below.

```
Jan 16 10:22:02 b154 setroubleshoot: SELinux is preventing /usr/sbin/fcoemon from sendto access on the unix_dgram_socket @fcm_clif/139897063048592. For complete SELinux messages. run sealert -l 3d667027-f565-4246-97be-a2876223c66a
[root@b154 ~]# fcoeadm -c em2
fcoeadm: Internal error
Try 'fcoeadm --help' for more information.
```

Attached log (sealert.log) is the output when running "sealert -l 3d667027-f565-4246-97be-a2876223c66a". If selinux is disabled in /etc/selinux/config, problem is not seen.

Created attachment 851218 [details]
sealert.log

(In reply to edwardn from comment #27)
> Created attachment 851218 [details]
> sealert.log

We have another bug for this issue.

This request was resolved in Red Hat Enterprise Linux 7.0. Contact your manager or support representative in case you have further questions about the request.
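Added example, not from this bug or from the selinux-policy package: a small Python triage helper that parses AVC lines of the kind reported above, merges them into candidate allow rules the way audit2allow would, and flags denials whose target domain is unconfined_t, which in this thread pointed to a peer process (lldpad) running outside its own domain rather than to a missing fcoemon_t rule. The sample lines are a subset of the denials quoted in the bug; the function and variable names are this example's own.

```python
import re
from collections import defaultdict

# Sample input: five of the AVC denials reported in this bug, embedded inline.
SAMPLE_AVCS = """\
type=AVC msg=audit(1361873105.291:331): avc: denied { create } for pid=16423 comm="fcoemon" scontext=system_u:system_r:fcoemon_t:s0 tcontext=system_u:system_r:fcoemon_t:s0 tclass=packet_socket
type=AVC msg=audit(1361873105.291:331): avc: denied { net_raw } for pid=16423 comm="fcoemon" capability=13 scontext=system_u:system_r:fcoemon_t:s0 tcontext=system_u:system_r:fcoemon_t:s0 tclass=capability
type=AVC msg=audit(1361873105.300:334): avc: denied { bind } for pid=16423 comm="fcoemon" scontext=system_u:system_r:fcoemon_t:s0 tcontext=system_u:system_r:fcoemon_t:s0 tclass=packet_socket
type=AVC msg=audit(1361873105.374:337): avc: denied { write } for pid=16423 comm="fcoemon" name="create" dev="sysfs" ino=17985 scontext=system_u:system_r:fcoemon_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file
type=AVC msg=audit(1361872944.653:325): avc: denied { sendto } for pid=16387 comm="fcoemon" path=003030303039 scontext=system_u:system_r:fcoemon_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_dgram_socket
"""

# Pull the permission set, source/target contexts and object class out of one AVC record.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}.*?"
    r"scontext=(?P<sctx>\S+)\s+tcontext=(?P<tctx>\S+)\s+tclass=(?P<tclass>\S+)"
)


def parse_avcs(text):
    """Return (source_type, target_type, tclass, frozenset(perms)) per denial line."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC record; skip silently
        stype = m.group("sctx").split(":")[2]  # user:role:TYPE:level -> TYPE
        ttype = m.group("tctx").split(":")[2]
        records.append((stype, ttype, m.group("tclass"), frozenset(m.group("perms").split())))
    return records


def candidate_rules(records):
    """Merge denials by (source, target, class) into allow-rule candidates for review."""
    merged = defaultdict(set)
    for stype, ttype, tclass, perms in records:
        merged[(stype, ttype, tclass)] |= perms
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        target = "self" if stype == ttype else ttype
        rules.append(f"allow {stype} {target}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return rules


def unconfined_targets(records):
    """Denials against unconfined_t: the peer is likely running outside its domain,
    so the fix belongs in how that peer is started, not in an allow rule."""
    return sorted({(s, t, c) for s, t, c, _ in records if t == "unconfined_t"})


if __name__ == "__main__":
    recs = parse_avcs(SAMPLE_AVCS)
    print("\n".join(candidate_rules(recs)))
    print("check peer domain for:", unconfined_targets(recs))
```

The rule strings are a starting point for the policy maintainer to review against the daemon's real needs; an allow against unconfined_t is the signal to fix the peer's labeling instead of widening fcoemon_t.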