Bug 909857
| Field | Value |
|---|---|
| Summary | tgtd: it is not able to start or stop if it is configured to use iser with selinux |
| Product | Red Hat Enterprise Linux 6 |
| Reporter | Bruno Goncalves <bgoncalv> |
| Component | selinux-policy |
| Assignee | Miroslav Grepl <mgrepl> |
| Status | CLOSED ERRATA |
| QA Contact | BaseOS QE Security Team <qe-baseos-security> |
| Severity | medium |
| Priority | medium |
| Version | 6.4 |
| CC | dwalsh, lnovich, mmalik |
| Target Milestone | rc |
| Hardware | All |
| OS | Linux |
| Fixed In Version | selinux-policy-3.7.19-210.el6 |
| Doc Type | Bug Fix |
| Last Closed | 2013-11-21 10:15:43 UTC |
| Type | Bug |
Description
Bruno Goncalves
2013-02-11 10:28:15 UTC
Created attachment 696053
selinux policy

The attached policy seems to fix the problem.

Could you attach AVC msgs to this local policy?

Created attachment 696401
updated policy

It seems the previous policy added extra rules. This is an updated one.

type=AVC msg=audit(1360656927.397:253): avc: denied { read write } for pid=2460 comm="tgtd" name="uverbs0" dev=devtmpfs ino=11355 scontext=unconfined_u:system_r:tgtd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1360656927.397:253): arch=c000003e syscall=2 success=no exit=-13 a0=10202e0 a1=2 a2=0 a3=18 items=0 ppid=2459 pid=2460 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=2 comm="tgtd" exe="/usr/sbin/tgtd" subj=unconfined_u:system_r:tgtd_t:s0 key=(null)

What kind of device is uverbs0 fixed_disk_device_t?

It is an infiniband device.

ls -lZ /dev/infiniband/uverbs0
crw-rw-rw-. root root system_u:object_r:device_t:s0 /dev/infiniband/uverbs0

http://www.kernel.org/doc/Documentation/infiniband/user_verbs.txt

OK, so we should label it fixed_disk_device_t.

semanage fcontext -a -t fixed_disk_device_t -f-b "/dev/infiniband/.*"
semanage fcontext -a -t fixed_disk_device_t -f-c "/dev/infiniband/.*"

Should apply the fixes we have added, and then run

restorecon -R -v /dev/infiniband

Executing the commands above solved the problem. Although, how can it be done automatically? Should scsi-target-utils or selinux-policy handle it?

udev will take care of the labeling if we have the labeling in the policy.

I backported tgtd fixes from Fedora.

Verified fix on:

rpm -q selinux-policy
selinux-policy-3.7.19-211.el6.noarch

rpm -q scsi-target-utils
scsi-target-utils-1.0.24-2.el6.x86_64

getenforce
Enforcing

cat /etc/tgt/targets.conf
default-driver iser

<target iqn.2009-10.com.redhat:storage-1>
    write-cache off
    allow-in-use yes
    <backing-store /var/lib/tgtd/loop-disk-1-1>
        scsi_sn 1
        scsi_id 1
        lun 1
    </backing-store>
</target>

service tgtd restart
Stopping SCSI target daemon: not running [FAILED]
Starting SCSI target daemon: [ OK ]

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1598.html
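The decision reached in this thread, relabel the device node rather than add an allow rule for tgtd_t, rests on reading the tcontext of the AVC record. The parser below is an added example, not code from the bug report or from selinux-policy: it joins the AVC and SYSCALL records by audit serial and flags a target of the generic device_t type as a likely labeling gap (that heuristic and the function names are ours; the sample log is a constructed copy of the two records quoted above).

```python
import re

# Constructed sample: the two audit records quoted in this report, one per line.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1360656927.397:253): avc: denied { read write } for pid=2460 comm="tgtd" name="uverbs0" dev=devtmpfs ino=11355 scontext=unconfined_u:system_r:tgtd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1360656927.397:253): arch=c000003e syscall=2 success=no exit=-13 a0=10202e0 a1=2 a2=0 a3=18 items=0 ppid=2459 pid=2460 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=2 comm="tgtd" exe="/usr/sbin/tgtd" subj=unconfined_u:system_r:tgtd_t:s0 key=(null)
"""

# Record header: type=<TYPE> msg=audit(<seconds>:<serial>): <body>
_HDR = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
# AVC body: avc: denied { perm perm } for key=value key="value" ...
_AVC = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$")
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

# device_t is the catch-all label for /dev nodes no file-context rule matches;
# a denial against it points at a labeling gap rather than a missing allow rule.
GENERIC_TARGET_TYPES = {"device_t"}


def _fields(text):
    """Parse 'k=v k2="quoted v"' pairs into a dict, dropping the quotes."""
    return {k: v.strip('"') for k, v in _KV.findall(text)}


def parse_avc_denials(log):
    """Summarize each AVC denial, joined with the SYSCALL record of the same serial."""
    events = {}
    for line in log.splitlines():
        m = _HDR.match(line.strip())
        if not m:
            continue
        rtype, _ts, serial, body = m.groups()
        rec = events.setdefault(serial, {})
        a = _AVC.search(body) if rtype == "AVC" else None
        if a:
            rec["AVC"] = {"action": a.group(1), "perms": a.group(2), **_fields(a.group(3))}
        else:
            rec[rtype] = _fields(body)
    out = []
    for serial, rec in events.items():
        avc = rec.get("AVC")
        if not avc or avc.get("action") != "denied":
            continue
        sc = rec.get("SYSCALL", {})
        ttype = avc["tcontext"].split(":")[2]
        out.append({"serial": serial, "perms": avc["perms"].split(),
                    "source_type": avc["scontext"].split(":")[2],
                    "target_type": ttype, "tclass": avc["tclass"],
                    "exe": sc.get("exe"),
                    "exit": int(sc["exit"]) if "exit" in sc else None,
                    "labeling_gap": ttype in GENERIC_TARGET_TYPES})
    return out
```

Feed it the output of `ausearch -m AVC,SYSCALL -ts recent` to get the same summary for live denials.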