Description of problem:
Trying to log in to iSCSI session using iSER driver fails.

type=SYSCALL msg=audit(1382360859.900:20): arch=c000003e syscall=1 success=no exit=-12 a0=4 a1=7fffb76f8890 a2=30 a3=30 items=0 ppid=1 pid=3246 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="tgtd" exe="/usr/sbin/tgtd" subj=unconfined_u:system_r:tgtd_t:s0 key=(null)
type=AVC msg=audit(1382360859.900:20): avc: denied { ipc_lock } for pid=3246 comm="tgtd" capability=14 scontext=unconfined_u:system_r:tgtd_t:s0 tcontext=unconfined_u:system_r:tgtd_t:s0 tclass=capability
type=AVC msg=audit(1382360859.900:20): avc: denied { ipc_lock } for pid=3246 comm="tgtd" capability=14 scontext=unconfined_u:system_r:tgtd_t:s0 tcontext=unconfined_u:system_r:tgtd_t:s0 tclass=capability

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-224.el6.noarch

How reproducible:
100%

Steps to Reproduce:
1. Configure an iSCSI target

cat /etc/tgt/targets.conf
default-driver iser
<target iqn.2009-10.com.redhat:storage-1>
    write-cache off
    allow-in-use yes
    <backing-store /var/lib/tgtd/loop-disk-1-1>
        scsi_sn 6976011
        scsi_id 6976011
        lun 1
        bs-type rdwr
        device-type disk
    </backing-store>
</target>

service tgtd start

2. On Initiator discover target using iser interface.

iscsiadm -m discovery -I iser -p 192.168.0.4 -t st
Starting iscsid: [ OK ] [ OK ]
192.168.0.4:3260,1 iqn.2009-10.com.redhat:storage-1

3. Try to log in to session

iscsiadm -m node -l
iscsiadm: Could not login to [iface: iser, target: iqn.2009-10.com.redhat:storage-1, portal: 192.168.0.4,3260].
iscsiadm: initiator reported error (8 - connection timed out)
iscsiadm: Could not log into all portals

Hi Bruno, are there other AVCs when you run the reproducer in permissive mode?
With SELinux in permissive, it seems to have the same message, but it allows session login.

type=SYSCALL msg=audit(1382436902.376:18): arch=c000003e syscall=29 success=no exit=-12 a0=0 a1=40000000 a2=b80 a3=18 items=0 ppid=1 pid=3197 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="tgtd" exe="/usr/sbin/tgtd" subj=unconfined_u:system_r:tgtd_t:s0 key=(null)
type=AVC msg=audit(1382436902.376:18): avc: denied { ipc_lock } for pid=3197 comm="tgtd" capability=14 scontext=unconfined_u:system_r:tgtd_t:s0 tcontext=unconfined_u:system_r:tgtd_t:s0 tclass=capability

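For triaging records like the ones quoted in the two comments above, the following is an added example (not part of the bug report or of selinux-policy) that groups audit records by event id, collapses duplicate AVC lines, and ties each denial to the failing syscall's errno. The function names and the rendered rule string are assumptions for illustration: the rule only restates the denied permission in policy syntax and is not taken from the referenced commit.

```python
import errno
import re
from collections import defaultdict

# Sample input: records from this report, abridged and split one per line.
SAMPLE = """\
type=SYSCALL msg=audit(1382360859.900:20): arch=c000003e syscall=1 success=no exit=-12 pid=3246 comm="tgtd" exe="/usr/sbin/tgtd" subj=unconfined_u:system_r:tgtd_t:s0 key=(null)
type=AVC msg=audit(1382360859.900:20): avc: denied { ipc_lock } for pid=3246 comm="tgtd" capability=14 scontext=unconfined_u:system_r:tgtd_t:s0 tcontext=unconfined_u:system_r:tgtd_t:s0 tclass=capability
type=AVC msg=audit(1382360859.900:20): avc: denied { ipc_lock } for pid=3246 comm="tgtd" capability=14 scontext=unconfined_u:system_r:tgtd_t:s0 tcontext=unconfined_u:system_r:tgtd_t:s0 tclass=capability
type=SYSCALL msg=audit(1382436902.376:18): arch=c000003e syscall=29 success=no exit=-12 pid=3197 comm="tgtd" exe="/usr/sbin/tgtd" subj=unconfined_u:system_r:tgtd_t:s0 key=(null)
type=AVC msg=audit(1382436902.376:18): avc: denied { ipc_lock } for pid=3197 comm="tgtd" capability=14 scontext=unconfined_u:system_r:tgtd_t:s0 tcontext=unconfined_u:system_r:tgtd_t:s0 tclass=capability
"""

RECORD = re.compile(r"type=(\w+) msg=audit\((\d+\.\d+:\d+)\):\s*(.*)")
DENIED = re.compile(r"avc:\s+denied\s+\{ ([^}]+) \} for (.*)")
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def fields(text):
    return {k: v.strip('"') for k, v in KV.findall(text)}

def summarize(log):
    """Return one row per unique denial, joined to its SYSCALL record."""
    events = defaultdict(lambda: {"syscall": {}, "denials": set()})
    for line in log.splitlines():
        m = RECORD.match(line.strip())
        if not m:
            continue
        rtype, event_id, body = m.groups()
        d = DENIED.search(body)
        if rtype == "SYSCALL":
            events[event_id]["syscall"] = fields(body)
        elif rtype == "AVC" and d:
            f = fields(d.group(2))
            src, tgt = (f[k].split(":")[2] for k in ("scontext", "tcontext"))
            for perm in d.group(1).split():
                events[event_id]["denials"].add((src, tgt, f["tclass"], perm, f["comm"]))
    out = []
    for event_id, ev in sorted(events.items()):
        exit_code = int(ev["syscall"].get("exit", "0"))
        for src, tgt, tclass, perm, comm in sorted(ev["denials"]):
            target = "self" if src == tgt else tgt  # same type on both sides
            out.append({"event": event_id, "comm": comm,
                        "rule": f"allow {src} {target}:{tclass} {perm};",
                        "syscall": ev["syscall"].get("syscall"),
                        "errno": errno.errorcode.get(-exit_code)})
    return out

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row)
```
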
a6969185e9e61786551f4322387ff1a5276f7da0 fixes this in git.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-1598.html