Bug 972962
Summary: | iscsid denied from lockfile when socket activated | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Chris Leech <cleech> |
Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | ||
Version: | 19 | CC: | cleech, dominick.grift, dwalsh, mgrepl |
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | selinux-policy-3.12.1-52.fc19 | Doc Type: | Bug Fix |
Last Closed: | 2013-06-15 03:07:00 UTC | Type: | Bug |
Description
Chris Leech
2013-06-10 23:21:21 UTC
Chris, what does

```
# ls -dZ /var/lock/iscsi
```

It looks like you have mislabeled this directory, caused by testing. I see

```
# rpm -qf /var/lock/iscsi
iscsi-initiator-utils-6.2.0.873-5.fc19.x86_64
# ls -dZ
drwxr-xr-x. root root staff_u:object_r:iscsi_lock_t:s0 /var/lock/iscsi
```

Also what does

```
# rpm -qf selinux-policy
```

```
commit 7c3caf353e3e17b6654411176be7172d6a6759af
Author: Miroslav Grepl <mgrepl>
Date:   Tue Jun 11 12:32:48 2013 +0200

    Add labeling for /usr/sbin/iscsiadm
```

The added labeling for iscsiadm works when it's being called as part of the iscsi.service unit file from systemd. It does not fix the issue when iscsiadm is run from a command line shell. Is that because transitions directly from a manually run command to the iscsid_exec_t domain are prohibited? (Sorry, I'm still trying to wrap my head around this all.)

I'm thinking I should probably make use of the systemd tmpfiles service to make sure these are created with proper labels before any manual admin commands can be run.

If you run it from the command line then there is no transition and you stay as unconfined_t.

But I found the problem. I added additional fixes. You can test it with the following local policy

```
# cat mypol.te
policy_module(mypol,1.0)

require{
 type unconfined_t;
 type iscsi_lock_t;
}

files_lock_filetrans(unconfined_t, iscsi_lock_t, dir, "iscsi")
```

(In reply to Miroslav Grepl from comment #4)
> If you run it from the command line then there is no transition and you stay
> as unconfined_t.
>
> But I found the problem. I added additional fixes. You can test it with the
> following local policy
>
> # cat mypol.te
> policy_module(mypol,1.0)
>
> require{
>  type unconfined_t;
>  type iscsi_lock_t;
> }
>
> files_lock_filetrans(unconfined_t, iscsi_lock_t, dir, "iscsi")

That works, thanks!

selinux-policy-3.12.1-52.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-52.fc19

selinux-policy-3.12.1-52.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
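One way to check the label this thread is about, as an added example that is not part of the original bug report: it parses `ls -dZ` output and compares the SELinux type against the expected `iscsi_lock_t`. The function names `selinux_type_of_line` and `check_label` are hypothetical, and the second and third sample lines are constructed.

```shell
#!/bin/sh
# Added example (not from the bug report): check whether `ls -dZ` output shows
# the SELinux type the policy is expected to assign to a lock directory.

# Line quoted in the thread, plus two constructed lines for comparison.
PAGE_LINE='drwxr-xr-x. root root staff_u:object_r:iscsi_lock_t:s0 /var/lock/iscsi'
BAD_LINE='drwxr-xr-x. root root unconfined_u:object_r:var_lock_t:s0 /var/lock/iscsi'  # constructed
NEW_LINE='system_u:object_r:iscsi_lock_t:s0:c0.c1023 /var/lock/iscsi'                 # constructed

# Print the type from the first user:role:type:level field on the line.
# Handles the older layout (mode owner group context path) and the newer
# one (context path); the level part may itself contain ':'.
selinux_type_of_line() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if (split($i, c, ":") >= 4) { print c[3]; found = 1; exit }
    }
    END { exit !found }'
}

# Return 0 if the line carries the expected type, 1 if it is mislabeled,
# 2 if no security context could be found on the line.
check_label() {
    actual=$(selinux_type_of_line "$1") || return 2
    [ "$actual" = "$2" ]
}

# Demo over the sample lines.
for line in "$PAGE_LINE" "$BAD_LINE" "$NEW_LINE"; do
    if check_label "$line" iscsi_lock_t; then
        echo "ok:         $line"
    else
        echo "mislabeled: $line"
    fi
done
```

On a live system, pass it the output of `ls -dZ /var/lock/iscsi`; a mislabeled directory can be reset to the policy default with `restorecon -v`.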