Bug 909857

Summary: tgtd: it is not able to start or stop if it is configured to use iser with selinux
Product: Red Hat Enterprise Linux 6
Reporter: Bruno Goncalves <bgoncalv>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium
Priority: medium
Version: 6.4
CC: dwalsh, lnovich, mmalik
Target Milestone: rc
Hardware: All
OS: Linux
Fixed In Version: selinux-policy-3.7.19-210.el6
Doc Type: Bug Fix
Last Closed: 2013-11-21 10:15:43 UTC
Type: Bug
Attachments: selinux policy; updated policy

Description Bruno Goncalves 2013-02-11 10:28:15 UTC
Description of problem:

If tgtd is configured with the iser driver, it is not able to start or stop properly.
Disabling selinux seems to solve the problem.


Version-Release number of selected component (if applicable):
rpm -q scsi-target-utils
scsi-target-utils-1.0.24-2.el6.x86_64

rpm -q selinux-policy
selinux-policy-3.7.19-195.el6.noarch

How reproducible:
100%

Steps to Reproduce:
1. ps -ef | grep tgtd
root      1057     2  0 04:24 ?        00:00:00 [scsi_tgtd/0]
root      1058     2  0 04:24 ?        00:00:00 [scsi_tgtd/1]
root      1059     2  0 04:24 ?        00:00:00 [scsi_tgtd/2]
root      1060     2  0 04:24 ?        00:00:00 [scsi_tgtd/3]
root     23710     1  0 05:16 ?        00:00:00 tgtd
root     23711 23710  0 05:16 ?        00:00:00 tgtd
root     23733  9467  0 05:17 pts/0    00:00:00 /bin/grep --color=tty tgtd

2. service tgtd stop
Stopping SCSI target daemon: [  OK  ]


3. ps -ef | grep tgtd
root      1057     2  0 04:24 ?        00:00:00 [scsi_tgtd/0]
root      1058     2  0 04:24 ?        00:00:00 [scsi_tgtd/1]
root      1059     2  0 04:24 ?        00:00:00 [scsi_tgtd/2]
root      1060     2  0 04:24 ?        00:00:00 [scsi_tgtd/3]
root     10725     1  0 05:07 ?        00:00:00 tgtd
root     10726 10725  0 05:07 ?        00:00:00 tgtd
root     23751  9467  0 05:18 pts/0    00:00:00 /bin/grep --color=tty tgtd


4. service tgtd restart
Stopping SCSI target daemon: not running[FAILED]
Starting SCSI target daemon: [  OK  ]
tgtadm: can't find the driver
Command:
	tgtadm -C 0 --lld iser --op new --mode target --tid 1 -T iqn.2009-10.com.redhat:storage-1
exited with code: 22.


5. ps -ef | grep tgtd
root      1057     2  0 04:24 ?        00:00:00 [scsi_tgtd/0]
root      1058     2  0 04:24 ?        00:00:00 [scsi_tgtd/1]
root      1059     2  0 04:24 ?        00:00:00 [scsi_tgtd/2]
root      1060     2  0 04:24 ?        00:00:00 [scsi_tgtd/3]
root     10725     1  0 05:07 ?        00:00:00 tgtd
root     10726 10725  0 05:07 ?        00:00:00 tgtd
root     23768     1  0 05:19 ?        00:00:00 tgtd
root     23769 23768  0 05:19 ?        00:00:00 tgtd
root     23779  9467  0 05:19 pts/0    00:00:00 /bin/grep --color=tty tgtd

6. killall -9 tgtd

7. ps -ef | grep tgtd
root      1057     2  0 04:24 ?        00:00:00 [scsi_tgtd/0]
root      1058     2  0 04:24 ?        00:00:00 [scsi_tgtd/1]
root      1059     2  0 04:24 ?        00:00:00 [scsi_tgtd/2]
root      1060     2  0 04:24 ?        00:00:00 [scsi_tgtd/3]
root     23785  9467  0 05:20 pts/0    00:00:00 /bin/grep --color=tty tgtd

8. service tgtd start
Starting SCSI target daemon: [  OK  ]
tgtadm: can't find the driver
Command:
	tgtadm -C 0 --lld iser --op new --mode target --tid 1 -T iqn.2009-10.com.redhat:storage-1
exited with code: 22.

9. ps -ef | grep tgtd
root      1057     2  0 04:24 ?        00:00:00 [scsi_tgtd/0]
root      1058     2  0 04:24 ?        00:00:00 [scsi_tgtd/1]
root      1059     2  0 04:24 ?        00:00:00 [scsi_tgtd/2]
root      1060     2  0 04:24 ?        00:00:00 [scsi_tgtd/3]
root     23868     1  0 05:22 ?        00:00:00 tgtd
root     23869 23868  0 05:22 ?        00:00:00 tgtd
root     23879  9467  0 05:22 pts/0    00:00:00 /bin/grep --color=tty tgtd



Additional info:
cat /etc/tgt/targets.conf
default-driver iser
<target iqn.2009-10.com.redhat:storage-1>
    write-cache off
    allow-in-use yes
    <backing-store /var/lib/tgtd/loop-disk-1-1>
        scsi_sn 1
        scsi_id 1
        lun 1
    </backing-store>
</target>

Comment 1 Bruno Goncalves 2013-02-11 12:28:10 UTC
Created attachment 696053 [details]
selinux policy

The attached policy seems to fix the problem.

Comment 2 Miroslav Grepl 2013-02-11 16:03:49 UTC
Could you attach AVC msgs to this local policy?

Comment 3 Bruno Goncalves 2013-02-12 08:26:36 UTC
Created attachment 696401 [details]
updated policy

It seems the previous policy added extra rules. This is an updated one.

type=AVC msg=audit(1360656927.397:253): avc:  denied  { read write } for  pid=2460 comm="tgtd" name="uverbs0" dev=devtmpfs ino=11355 scontext=unconfined_u:system_r:tgtd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1360656927.397:253): arch=c000003e syscall=2 success=no exit=-13 a0=10202e0 a1=2 a2=0 a3=18 items=0 ppid=2459 pid=2460 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=2 comm="tgtd" exe="/usr/sbin/tgtd" subj=unconfined_u:system_r:tgtd_t:s0 key=(null)

Comment 4 Daniel Walsh 2013-02-12 18:02:03 UTC
What kind of device is uverbs0?

Comment 5 Daniel Walsh 2013-02-12 18:03:24 UTC
fixed_disk_device_t?

Comment 6 Bruno Goncalves 2013-02-13 08:44:04 UTC
It is an InfiniBand device.

ls -lZ /dev/infiniband/uverbs0 
crw-rw-rw-. root root system_u:object_r:device_t:s0    /dev/infiniband/uverbs0

http://www.kernel.org/doc/Documentation/infiniband/user_verbs.txt

Comment 7 Daniel Walsh 2013-02-15 15:34:02 UTC
OK, so we should label it fixed_disk_device_t.

Comment 8 Daniel Walsh 2013-02-15 16:05:51 UTC
semanage fcontext -a -t fixed_disk_device_t -f-b "/dev/infiniband/.*"
semanage fcontext -a -t fixed_disk_device_t -f-c "/dev/infiniband/.*"

This should apply the fixes we have added; then run

restorecon -R -v /dev/infiniband
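
An added triage helper, not part of this bug report or of selinux-policy: it summarises AVC denials like the one in Comment 3 and flags those whose target is the generic device_t type, which is the sign of an unlabeled device node and the reason the fix in Comments 7 and 8 is a file-context rule plus restorecon rather than an allow rule for device_t. The audit input is constructed inline: the first pair of lines is the one from Comment 3, the third line is made up to show a second node.

```shell
#!/bin/sh
# Constructed input: the AVC/SYSCALL pair from Comment 3 plus one made-up
# getattr denial on a second InfiniBand node, to show multi-line handling.
SAMPLE_AUDIT='type=AVC msg=audit(1360656927.397:253): avc:  denied  { read write } for  pid=2460 comm="tgtd" name="uverbs0" dev=devtmpfs ino=11355 scontext=unconfined_u:system_r:tgtd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1360656927.397:253): arch=c000003e syscall=2 success=no exit=-13 comm="tgtd" exe="/usr/sbin/tgtd"
type=AVC msg=audit(1360656999.100:260): avc:  denied  { getattr } for  pid=2460 comm="tgtd" path="/dev/infiniband/rdma_cm" dev=devtmpfs ino=11360 scontext=unconfined_u:system_r:tgtd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file'

# avc_summary: read raw audit lines on stdin and print one line per AVC denial:
#   <comm> <source type> <target type> <tclass> <perms> <object name or path>
avc_summary() {
    awk '
    /^type=AVC / && / denied / {
        comm = ""; obj = ""; stype = ""; ttype = ""; tclass = ""; perms = ""
        # the denied permissions sit between the braces, e.g. "{ read write }"
        if (match($0, /[{][^}]*[}]/)) {
            perms = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perms); gsub(/ +/, ",", perms)
        }
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            key = kv[1]; val = substr($i, length(key) + 2)
            gsub(/"/, "", val)
            if (key == "comm") comm = val
            else if (key == "name" || key == "path") obj = val
            else if (key == "scontext") { split(val, c, ":"); stype = c[3] }
            else if (key == "tcontext") { split(val, c, ":"); ttype = c[3] }
            else if (key == "tclass") tclass = val
        }
        print comm, stype, ttype, tclass, perms, obj
    }'
}

# generic_device_denials: keep only summary lines whose target is the generic
# device_t type on a device node. Such a denial means the node carries no
# specific label, so the right fix is a file-context rule plus restorecon
# (as in Comment 8), not a policy rule letting the domain touch all of device_t.
generic_device_denials() {
    awk '$3 == "device_t" && ($4 == "chr_file" || $4 == "blk_file")'
}

# Stand-alone usage: print every denial, then the mislabel candidates only.
printf '%s\n' "$SAMPLE_AUDIT" | avc_summary
printf '%s\n' "$SAMPLE_AUDIT" | avc_summary | generic_device_denials
```

Run it against /var/log/audit/audit.log on the affected host and check each flagged object with `ls -lZ` before and after `restorecon`.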

Comment 9 Bruno Goncalves 2013-02-18 08:07:54 UTC
Executing the commands above solved the problem.
However, how can it be done automatically? Should scsi-target-utils or selinux-policy handle it?

Comment 10 Miroslav Grepl 2013-02-18 09:49:33 UTC
udev will take care of the labeling if we have the labeling in the policy.

Comment 15 Miroslav Grepl 2013-08-06 12:00:52 UTC
I backported the tgtd fixes from Fedora.

Comment 17 Bruno Goncalves 2013-08-14 12:43:57 UTC
Verified fix on:

rpm -q selinux-policy
selinux-policy-3.7.19-211.el6.noarch

rpm -q scsi-target-utils
scsi-target-utils-1.0.24-2.el6.x86_64

getenforce 
Enforcing


cat /etc/tgt/targets.conf
default-driver iser
<target iqn.2009-10.com.redhat:storage-1>
    write-cache off
    allow-in-use yes
    <backing-store /var/lib/tgtd/loop-disk-1-1>
        scsi_sn 1
        scsi_id 1
        lun 1
    </backing-store>
</target>


service tgtd restart
Stopping SCSI target daemon: not running[FAILED]
Starting SCSI target daemon: [  OK  ]

Comment 18 errata-xmlrpc 2013-11-21 10:15:43 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1598.html