First Last Prev Next    This bug is not in your last search results.
Bug 1021566 - iser: selinux does not allow login to the session
iser: selinux does not allow login to the session
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy (Show other bugs)
6.5
All Linux
medium Severity medium
: rc
: ---
Assigned To: Miroslav Grepl
Bruno Goncalves
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2013-10-21 10:19 EDT by Bruno Goncalves
Modified: 2013-11-21 05:53 EST (History)
4 users (show)

See Also:
Fixed In Version: selinux-policy-3.7.19-227.el6
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-11-21 05:53:15 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

  None (edit)
Description Bruno Goncalves 2013-10-21 10:19:15 EDT 
Description of problem:
Trying to login to iSCSI session using iSER driver fails.

type=SYSCALL msg=audit(1382360859.900:20): arch=c000003e syscall=1 success=no exit=-12 a0=4 a1=7fffb76f8890 a2=30 a3=30 items=0 ppid=1 pid=3246 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="tgtd" exe="/usr/sbin/tgtd" subj=unconfined_u:system_r:tgtd_t:s0 key=(null)
type=AVC msg=audit(1382360859.900:20): avc:  denied  { ipc_lock } for  pid=3246 comm="tgtd" capability=14  scontext=unconfined_u:system_r:tgtd_t:s0 tcontext=unconfined_u:system_r:tgtd_t:s0 tclass=capability
type=AVC msg=audit(1382360859.900:20): avc:  denied  { ipc_lock } for  pid=3246 comm="tgtd" capability=14  scontext=unconfined_u:system_r:tgtd_t:s0 tcontext=unconfined_u:system_r:tgtd_t:s0 tclass=capability

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-224.el6.noarch

How reproducible:
100%

Steps to Reproduce:
1.Configure an iSCSI target
cat /etc/tgt/targets.conf
default-driver iser
<target iqn.2009-10.com.redhat:storage-1>
    write-cache off
    allow-in-use yes
    <backing-store /var/lib/tgtd/loop-disk-1-1>
        scsi_sn 6976011
        scsi_id 6976011
        lun 1
        bs-type rdwr
        device-type disk
    </backing-store>
</target>

service tgtd start

2.On Initiator discover target using iser interface.
iscsiadm -m discovery -I iser -p 192.168.0.4 -t st
Starting iscsid: [  OK  ]
[  OK  ]
192.168.0.4:3260,1 iqn.2009-10.com.redhat:storage-1

3.Try to login to session
iscsiadm -m node -l
iscsiadm: Could not login to [iface: iser, target: iqn.2009-10.com.redhat:storage-1, portal: 192.168.0.4,3260].
iscsiadm: initiator reported error (8 - connection timed out)
iscsiadm: Could not log into all portals
Comment 2 Milos Malik 2013-10-22 03:46:08 EDT 
Hi Bruno, are there other AVCs when you run the reproducer in permissive mode?
Comment 3 Bruno Goncalves 2013-10-22 08:19:20 EDT 
With selinux in permissive, it seems to have the same message, but it allows session login.


type=SYSCALL msg=audit(1382436902.376:18): arch=c000003e syscall=29 success=no exit=-12 a0=0 a1=40000000 a2=b80 a3=18 items=0 ppid=1 pid=3197 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="tgtd" exe="/usr/sbin/tgtd" subj=unconfined_u:system_r:tgtd_t:s0 key=(null)
type=AVC msg=audit(1382436902.376:18): avc:  denied  { ipc_lock } for  pid=3197 comm="tgtd" capability=14  scontext=unconfined_u:system_r:tgtd_t:s0 tcontext=unconfined_u:system_r:tgtd_t:s0 tclass=capability
Comment 4 Daniel Walsh 2013-10-22 11:23:09 EDT 
a6969185e9e61786551f4322387ff1a5276f7da0 fixes this in git.
Comment 7 errata-xmlrpc 2013-11-21 05:53:15 EST 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1598.html
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.