Bug 1021566 - iser: selinux does not allow login to the session
iser: selinux does not allow login to the session
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy (Show other bugs)
6.5
All Linux
medium Severity medium
: rc
: ---
Assigned To: Miroslav Grepl
Bruno Goncalves
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2013-10-21 10:19 EDT by Bruno Goncalves
Modified: 2013-11-21 05:53 EST (History)
4 users (show)

See Also:
Fixed In Version: selinux-policy-3.7.19-227.el6
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-11-21 05:53:15 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Bruno Goncalves 2013-10-21 10:19:15 EDT
Description of problem:
Trying to login to iSCSI session using iSER driver fails.

type=SYSCALL msg=audit(1382360859.900:20): arch=c000003e syscall=1 success=no exit=-12 a0=4 a1=7fffb76f8890 a2=30 a3=30 items=0 ppid=1 pid=3246 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="tgtd" exe="/usr/sbin/tgtd" subj=unconfined_u:system_r:tgtd_t:s0 key=(null)
type=AVC msg=audit(1382360859.900:20): avc:  denied  { ipc_lock } for  pid=3246 comm="tgtd" capability=14  scontext=unconfined_u:system_r:tgtd_t:s0 tcontext=unconfined_u:system_r:tgtd_t:s0 tclass=capability
type=AVC msg=audit(1382360859.900:20): avc:  denied  { ipc_lock } for  pid=3246 comm="tgtd" capability=14  scontext=unconfined_u:system_r:tgtd_t:s0 tcontext=unconfined_u:system_r:tgtd_t:s0 tclass=capability

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-224.el6.noarch

How reproducible:
100%

Steps to Reproduce:
1.Configure an iSCSI target
cat /etc/tgt/targets.conf
default-driver iser
<target iqn.2009-10.com.redhat:storage-1>
    write-cache off
    allow-in-use yes
    <backing-store /var/lib/tgtd/loop-disk-1-1>
        scsi_sn 6976011
        scsi_id 6976011
        lun 1
        bs-type rdwr
        device-type disk
    </backing-store>
</target>

service tgtd start

2.On Initiator discover target using iser interface.
iscsiadm -m discovery -I iser -p 192.168.0.4 -t st
Starting iscsid: [  OK  ]
[  OK  ]
192.168.0.4:3260,1 iqn.2009-10.com.redhat:storage-1

3.Try to login to session
iscsiadm -m node -l
iscsiadm: Could not login to [iface: iser, target: iqn.2009-10.com.redhat:storage-1, portal: 192.168.0.4,3260].
iscsiadm: initiator reported error (8 - connection timed out)
iscsiadm: Could not log into all portals
Comment 2 Milos Malik 2013-10-22 03:46:08 EDT
Hi Bruno, are there other AVCs when you run the reproducer in permissive mode?
Comment 3 Bruno Goncalves 2013-10-22 08:19:20 EDT
With selinux in permissive, it seems to have the same message, but it allows session login.


type=SYSCALL msg=audit(1382436902.376:18): arch=c000003e syscall=29 success=no exit=-12 a0=0 a1=40000000 a2=b80 a3=18 items=0 ppid=1 pid=3197 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="tgtd" exe="/usr/sbin/tgtd" subj=unconfined_u:system_r:tgtd_t:s0 key=(null)
type=AVC msg=audit(1382436902.376:18): avc:  denied  { ipc_lock } for  pid=3197 comm="tgtd" capability=14  scontext=unconfined_u:system_r:tgtd_t:s0 tcontext=unconfined_u:system_r:tgtd_t:s0 tclass=capability
Comment 4 Daniel Walsh 2013-10-22 11:23:09 EDT
a6969185e9e61786551f4322387ff1a5276f7da0 fixes this in git.
Comment 7 errata-xmlrpc 2013-11-21 05:53:15 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1598.html

Note You need to log in before you can comment on or make changes to this bug.