Bug 1003571 - selinux: does not allow connection to tgtd when using iSNS
Summary: selinux: does not allow connection to tgtd when using iSNS
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.5
Hardware: All
OS: Linux
medium
medium
Target Milestone: rc
: ---
Assignee: Miroslav Grepl
QA Contact: Bruno Goncalves
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-09-02 11:59 UTC by Bruno Goncalves
Modified: 2013-11-21 10:50 UTC (History)
3 users (show)

Fixed In Version: selinux-policy-3.7.19-214.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-11-21 10:50:23 UTC
Target Upstream Version:

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2013:1598 0 normal SHIPPED_LIVE selinux-policy bug fix and enhancement update 2013-11-20 21:39:24 UTC

Description Bruno Goncalves 2013-09-02 11:59:52 UTC 
Description of problem:
Fail to discovery iSNS target from a server running tgtd and iSNSd

----
time->Fri Aug 30 15:42:23 2013
type=SYSCALL msg=audit(1377891743.032:23): arch=c000003e syscall=42 success=no exit=-13 a0=c a1=649a60 a2=80 a3=7ffff5ef0590 items=0 ppid=1 pid=13018 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="tgtd" exe="/usr/sbin/tgtd" subj=unconfined_u:system_r:tgtd_t:s0 key=(null)
type=AVC msg=audit(1377891743.032:23): avc:  denied  { name_connect } for  pid=13018 comm="tgtd" dest=3205 scontext=unconfined_u:system_r:tgtd_t:s0 tcontext=system_u:object_r:isns_port_t:s0 tclass=tcp_socket
----
time->Fri Aug 30 15:42:34 2013
type=SYSCALL msg=audit(1377891754.851:25): arch=c000003e syscall=42 success=no exit=-13 a0=d a1=649a60 a2=80 a3=538 items=0 ppid=1 pid=13585 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="tgtd" exe="/usr/sbin/tgtd" subj=unconfined_u:system_r:tgtd_t:s0 key=(null)
type=AVC msg=audit(1377891754.851:25): avc:  denied  { name_connect } for  pid=13585 comm="tgtd" dest=3205 scontext=unconfined_u:system_r:tgtd_t:s0 tcontext=system_u:object_r:isns_port_t:s0 tclass=tcp_socket
----
time->Fri Aug 30 15:42:34 2013
type=SYSCALL msg=audit(1377891754.833:24): arch=c000003e syscall=42 success=no exit=-13 a0=c a1=649a60 a2=80 a3=7fffd5bcb820 items=0 ppid=1 pid=13585 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="tgtd" exe="/usr/sbin/tgtd" subj=unconfined_u:system_r:tgtd_t:s0 key=(null)
type=AVC msg=audit(1377891754.833:24): avc:  denied  { name_connect } for  pid=13585 comm="tgtd" dest=3205 scontext=unconfined_u:system_r:tgtd_t:s0 tcontext=system_u:object_r:isns_port_t:s0 tclass=tcp_socket
----

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-212.el6.noarch

How reproducible:
100%

Steps to Reproduce:
1.Create a tgtd target with 1 target and 1 lun

2.Configure it to use a local isnsd service
add to targets.conf
iSNSServerIP 127.0.0.1
iSNSServerPort 3205
iSNS On

3.iscsiadm -m discoverydb -t isns -p 127.0.0.1 --discover
iscsiadm: No portals found



Actual results:
Fails to find target, disabling selinux works.

Expected results:
Target should be discovered

Additional info:
Comment 1 Bruno Goncalves 2013-09-02 12:04:02 UTC 
this rule seems to solve the problem.

cat tgtd_isns.te 

module tgtd_isns 1.0;

require {
	type tgtd_t;
	type isns_port_t;
	class tcp_socket name_connect;
}

#============= tgtd_t ==============
allow tgtd_t isns_port_t:tcp_socket name_connect;
Comment 2 Daniel Walsh 2013-09-04 14:08:38 UTC 
Any other ports it should be allowed to connect to ?

45c585c5b76bdd00d11b7beaf2ef31985b548526 fixes this in git
Comment 3 Bruno Goncalves 2013-09-04 14:14:13 UTC 
I believe this is the only port, unless the user decides to use a port that is not the default one...
Comment 4 Daniel Walsh 2013-09-04 14:15:55 UTC 
We only care about defaults.
Comment 6 Bruno Goncalves 2013-09-11 12:58:55 UTC 
Verified with selinux-policy-3.7.19-214.el6.noarch


iscsiadm -m discoverydb -t isns -p 127.0.0.1 --discover
Starting iscsid: [  OK  ]
[  OK  ]
127.0.0.1:3260,1 iqn.2009-10.com.redhat:storage-1

iscsiadm -m node -l 
Logging in to [iface: isns_iface, target: iqn.2009-10.com.redhat:storage-1, portal: 127.0.0.1,3260] (multiple)
Login to [iface: isns_iface, target: iqn.2009-10.com.redhat:storage-1, portal: 127.0.0.1,3260] successful.
Comment 7 errata-xmlrpc 2013-11-21 10:50:23 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1598.html
Note You need to log in before you can comment on or make changes to this bug.