Bug 1021566 - iser: selinux does not allow login to the session
Summary: iser: selinux does not allow login to the session
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.5
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Assignee: Miroslav Grepl
QA Contact: Bruno Goncalves
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2013-10-21 14:19 UTC by Bruno Goncalves
Modified: 2013-11-21 10:53 UTC (History)

Fixed In Version: selinux-policy-3.7.19-227.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-11-21 10:53:15 UTC
Target Upstream Version:




Links:
Red Hat Product Errata RHBA-2013:1598 (priority normal, status SHIPPED_LIVE): selinux-policy bug fix and enhancement update, last updated 2013-11-20 21:39:24 UTC

Description Bruno Goncalves 2013-10-21 14:19:15 UTC
Description of problem:
Trying to log in to an iSCSI session using the iSER driver fails.

type=SYSCALL msg=audit(1382360859.900:20): arch=c000003e syscall=1 success=no exit=-12 a0=4 a1=7fffb76f8890 a2=30 a3=30 items=0 ppid=1 pid=3246 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="tgtd" exe="/usr/sbin/tgtd" subj=unconfined_u:system_r:tgtd_t:s0 key=(null)
type=AVC msg=audit(1382360859.900:20): avc:  denied  { ipc_lock } for  pid=3246 comm="tgtd" capability=14  scontext=unconfined_u:system_r:tgtd_t:s0 tcontext=unconfined_u:system_r:tgtd_t:s0 tclass=capability
type=AVC msg=audit(1382360859.900:20): avc:  denied  { ipc_lock } for  pid=3246 comm="tgtd" capability=14  scontext=unconfined_u:system_r:tgtd_t:s0 tcontext=unconfined_u:system_r:tgtd_t:s0 tclass=capability

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-224.el6.noarch

How reproducible:
100%

Steps to Reproduce:
1. Configure an iSCSI target
cat /etc/tgt/targets.conf
default-driver iser
<target iqn.2009-10.com.redhat:storage-1>
    write-cache off
    allow-in-use yes
    <backing-store /var/lib/tgtd/loop-disk-1-1>
        scsi_sn 6976011
        scsi_id 6976011
        lun 1
        bs-type rdwr
        device-type disk
    </backing-store>
</target>

service tgtd start

2. On the initiator, discover the target using the iser interface.
iscsiadm -m discovery -I iser -p 192.168.0.4 -t st
Starting iscsid: [  OK  ]
[  OK  ]
192.168.0.4:3260,1 iqn.2009-10.com.redhat:storage-1

3. Try to log in to the session
iscsiadm -m node -l
iscsiadm: Could not login to [iface: iser, target: iqn.2009-10.com.redhat:storage-1, portal: 192.168.0.4,3260].
iscsiadm: initiator reported error (8 - connection timed out)
iscsiadm: Could not log into all portals
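
As an added triage helper (not part of this bug report or of the selinux-policy project): it parses the AVC and SYSCALL records quoted above, pairs them by audit event serial, decodes capability=14, the x86_64 syscall numbers and the exit code, and prints the allow rule audit2allow would propose. The capability and syscall tables are hand-written partial subsets, and the sample input is constructed from the records in this bug.

```python
import errno
import re

# Constructed sample input: the audit records quoted in this bug report (comments 1 and 3).
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1382360859.900:20): arch=c000003e syscall=1 success=no exit=-12 a0=4 a1=7fffb76f8890 a2=30 a3=30 items=0 ppid=1 pid=3246 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="tgtd" exe="/usr/sbin/tgtd" subj=unconfined_u:system_r:tgtd_t:s0 key=(null)
type=AVC msg=audit(1382360859.900:20): avc:  denied  { ipc_lock } for  pid=3246 comm="tgtd" capability=14  scontext=unconfined_u:system_r:tgtd_t:s0 tcontext=unconfined_u:system_r:tgtd_t:s0 tclass=capability
type=AVC msg=audit(1382360859.900:20): avc:  denied  { ipc_lock } for  pid=3246 comm="tgtd" capability=14  scontext=unconfined_u:system_r:tgtd_t:s0 tcontext=unconfined_u:system_r:tgtd_t:s0 tclass=capability
type=SYSCALL msg=audit(1382436902.376:18): arch=c000003e syscall=29 success=no exit=-12 a0=0 a1=40000000 a2=b80 a3=18 items=0 ppid=1 pid=3197 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="tgtd" exe="/usr/sbin/tgtd" subj=unconfined_u:system_r:tgtd_t:s0 key=(null)
type=AVC msg=audit(1382436902.376:18): avc:  denied  { ipc_lock } for  pid=3197 comm="tgtd" capability=14  scontext=unconfined_u:system_r:tgtd_t:s0 tcontext=unconfined_u:system_r:tgtd_t:s0 tclass=capability
"""
# Capability numbers from linux/capability.h (hand-written subset); the report shows capability=14.
CAP_NAMES = {12: "CAP_NET_ADMIN", 13: "CAP_NET_RAW", 14: "CAP_IPC_LOCK", 17: "CAP_SYS_RAWIO", 21: "CAP_SYS_ADMIN"}
# x86_64 (arch=c000003e) syscall numbers for the two calls seen in the report (subset).
SYSCALL_X86_64 = {1: "write", 29: "shmget"}
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')  # key=value pairs
PERMS_RE = re.compile(r"denied\s+\{ ([^}]*) \}")         # { perm perm ... }
SERIAL_RE = re.compile(r"msg=audit\([\d.]+:(\d+)\)")     # event serial number

def parse_record(line):
    # One audit record -> dict of its fields, plus the event serial and the denied permission set.
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    rec["serial"] = SERIAL_RE.search(line).group(1)
    m = PERMS_RE.search(line)
    rec["perms"] = tuple(sorted(m.group(1).split())) if m else ()
    return rec

def triage(audit_text):
    # Pair each AVC with the SYSCALL record of the same event and explain what was denied and why it failed.
    records = [parse_record(l) for l in audit_text.splitlines() if l.strip()]
    syscalls = {r["serial"]: r for r in records if r["type"] == "SYSCALL"}
    findings, seen = [], set()
    for rec in records:
        if rec["type"] != "AVC":
            continue
        key = (rec["serial"], rec["scontext"], rec["tcontext"], rec["tclass"], rec["perms"])
        if key in seen:  # the kernel often logs the same denial twice for one event
            continue
        seen.add(key)
        sdom, tdom = rec["scontext"].split(":")[2], rec["tcontext"].split(":")[2]
        sc = syscalls.get(rec["serial"], {})
        findings.append({
            "domain": sdom, "tclass": rec["tclass"], "perms": rec["perms"],
            "capability": CAP_NAMES.get(int(rec["capability"])) if "capability" in rec else None,
            "syscall": SYSCALL_X86_64.get(int(sc["syscall"])) if sc.get("arch") == "c000003e" else None,
            "errno": errno.errorcode.get(-int(sc.get("exit", "0"))),  # exit=-12 -> ENOMEM
            # The TE rule audit2allow would propose ("self" when source and target type match).
            "rule": "allow %s %s:%s { %s };" % (sdom, "self" if sdom == tdom else tdom, rec["tclass"], " ".join(rec["perms"])),
        })
    return findings
```

On a host with the fixed selinux-policy-3.7.19-227.el6, `sesearch -A -s tgtd_t -c capability -p ipc_lock` should already list the rule, which is preferable to loading a local module built from audit2allow output.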

Comment 2 Milos Malik 2013-10-22 07:46:08 UTC
Hi Bruno, are there other AVCs when you run the reproducer in permissive mode?

Comment 3 Bruno Goncalves 2013-10-22 12:19:20 UTC
With SELinux in permissive mode, it seems to give the same message, but it allows session login.


type=SYSCALL msg=audit(1382436902.376:18): arch=c000003e syscall=29 success=no exit=-12 a0=0 a1=40000000 a2=b80 a3=18 items=0 ppid=1 pid=3197 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="tgtd" exe="/usr/sbin/tgtd" subj=unconfined_u:system_r:tgtd_t:s0 key=(null)
type=AVC msg=audit(1382436902.376:18): avc:  denied  { ipc_lock } for  pid=3197 comm="tgtd" capability=14  scontext=unconfined_u:system_r:tgtd_t:s0 tcontext=unconfined_u:system_r:tgtd_t:s0 tclass=capability

Comment 4 Daniel Walsh 2013-10-22 15:23:09 UTC
a6969185e9e61786551f4322387ff1a5276f7da0 fixes this in git.

Comment 7 errata-xmlrpc 2013-11-21 10:53:15 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1598.html

