Bug 971603

Summary: selinux preventing loading of iscsi transport kernel modules
Product: [Fedora] Fedora Reporter: Chris Leech <cleech>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: urgent Docs Contact:
Priority: unspecified    
Version: 19CC: dominick.grift, dwalsh, mgrepl
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: selinux-policy-3.12.1-52.fc19 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-06-15 03:06:54 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
audit.log entries related to iscsi none

Description Chris Leech 2013-06-06 21:52:46 UTC 
Created attachment 757934 [details]
audit.log entries related to iscsi

Description of problem:
With selinux in enforcing mode, iscsid cannot auto-load kernel modules needed for proper iSCSI functionality.

Version-Release number of selected component (if applicable):
3.12.1-48.fc19

How reproducible:
Always

Steps to Reproduce:
1. Have an iSCSI target record configured in /var/lib/iscsi
2. Start the iscsid.service
3. Start the iscsi.service or manually run iscsiadm -m node --login

Actual results:
Failure to login with error "iSCSI driver not found"

Expected results:
iSCSI transport kernel module loads and iSCSI session login is successful

Additional info:
In this case I'm trying to load iscsi_tcp (and it's dependant modules), but there are other transport modules for offloaded iSCSI (qla4xxx, cxgb3i, cxgb4i, bnx2i, be2iscsi, ib_iser)

Previously the iscsid startup script loaded all of the transport modules.  Instead I've enabled libkmod support in iscsid to load only the needed kernel modules on demand.
Comment 1 Miroslav Grepl 2013-06-07 07:25:39 UTC 
commit 149b344ee76b7b3a3d27e9e72649b182578eea8f
Author: Miroslav Grepl <mgrepl>
Date:   Fri Jun 7 09:25:16 2013 +0200

    Allow iscsid auto-load kernel modules needed for proper iSCSI functionalit
Comment 2 Chris Leech 2013-06-07 18:32:09 UTC 
I did my own test build of the newly merged changes in fedora scm.
The filesystem access issues are resolved, but kernel module loading still fails (without any audit.log entry) when running in enforcing mode.

I'm pretty sure it's a capability check on CAP_SYS_MODULE that's failing.

ltrace show the failed libkmod call as

kmod_module_probe_insert_module(...) = 0xffffffff

and strace show the failed syscall to be

finit_module(...) = -1 EPERM
Comment 3 Daniel Walsh 2013-06-07 19:20:29 UTC 
Currently we have in policy

   dontaudit iscsid_t iscsid_t : capability sys_module ; 

Which looks like it is covering this up.
Comment 4 Miroslav Grepl 2013-06-10 11:48:32 UTC 
Chris,
does it work with

# cat mypol.te
policy_module(mypol,1.0)
require{
 type iscsid_t;
}
dontaudit iscsid_t iscsid_t : capability sys_module ;


and 

# make -f /usr/share/selinux/devel/Makefile
# semodule -i mypol.pp
Comment 5 Chris Leech 2013-06-10 21:46:56 UTC 
(In reply to Miroslav Grepl from comment #4)
> Chris,
> does it work with
> 
> # cat mypol.te
> policy_module(mypol,1.0)
> require{
>  type iscsid_t;
> }
> dontaudit iscsid_t iscsid_t : capability sys_module ;
> 
> 
> and 
> 
> # make -f /usr/share/selinux/devel/Makefile
> # semodule -i mypol.pp

No.  The dontaudit filtering is what was confusing me, not what I'm after.

I'd like to allow iscsid to load kernel modules.
Something like this (working for me)

allow iscsid_t self:capability { sys_module };

If there's a reason we can't allow that, I'll have to go back to forcing all the iscsi related modules to be loaded.
Comment 6 Miroslav Grepl 2013-06-12 18:05:56 UTC 
Chris,
I wanted to write

allow iscsid_t iscsid_t : capability sys_module ;
Comment 7 Chris Leech 2013-06-12 18:11:11 UTC 
(In reply to Miroslav Grepl from comment #6)
> Chris,
> I wanted to write
> 
> allow iscsid_t iscsid_t : capability sys_module ;

Yes, that works
Comment 8 Miroslav Grepl 2013-06-13 09:05:26 UTC 
commit 9692eb1a90de66bf7e2b3846b5f2bf5a86835233
Author: Miroslav Grepl <mgrepl>
Date:   Thu Jun 13 11:05:10 2013 +0200

    iscsid needs sys_module to auto-load kernel modules
Comment 9 Fedora Update System 2013-06-14 07:23:56 UTC 
selinux-policy-3.12.1-52.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-52.fc19
Comment 10 Fedora Update System 2013-06-15 03:06:54 UTC 
selinux-policy-3.12.1-52.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.