Bug 1025401 - Add some iscsi permissions
Add some iscsi permissions
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
19
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Lukas Vrabec
Fedora Extras Quality Assurance
:
Depends On:
Blocks: 1011193 1057761
  Show dependency treegraph
 
Reported: 2013-10-31 11:28 EDT by Fabian Deutsch
Modified: 2014-09-24 11:07 EDT (History)
5 users (show)

See Also:
Fixed In Version: selinux-policy-3.12.1-74.19.fc19
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-03-15 11:22:07 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Fabian Deutsch 2013-10-31 11:28:20 EDT
Description of problem:
As discovered in bug 1011193, some iscsi permissions are missing.

Version-Release number of selected component (if applicable):
Latest f19 (updates)
Please note that this appeared on oVirt Node (which is a r/o rootfs/livecd)


Description:
# audit2allow -alR

require {
...
	type iscsid_t;
...
}

# COMMENT: Should these also be added?
#============= initrc_t ==============
allow initrc_t sshd_net_t:process dyntransition;
allow initrc_t unconfined_t:process dyntransition;

# COMMENT: The missing permissions
#============= iscsid_t ==============
allow iscsid_t iscsi_var_lib_t:dir { write remove_name create add_name rmdir };
allow iscsid_t iscsi_var_lib_t:file { write create unlink };
allow iscsid_t iscsi_var_lib_t:lnk_file { create unlink };
Comment 1 Miroslav Grepl 2014-02-18 05:01:23 EST
You have sshd daemon running as initrc_t?

# ps -efZ |grep initrc
Comment 2 Lukas Vrabec 2014-02-19 10:19:40 EST
I fixed problems with isci_var_lib_t labels, but please respond to the comment above.

commit c2929a0a2d32b5bafc86b44f4d51ad13e6a86b7b
Author: Lukas Vrabec <lvrabec@redhat.com>
Date:   Wed Feb 19 16:15:16 2014 +0100

    Allow iscsi to manage iscsi_var_lib_t files and dirs
Comment 3 Lukas Vrabec 2014-02-19 10:23:52 EST
I added one more rule.

commit 8e1094f696ce6cb3c84d9da1d926d1ec3337c349
Author: Lukas Vrabec <lvrabec@redhat.com>
Date:   Wed Feb 19 16:23:18 2014 +0100

    Added var_lib filetrans in iscsi policy
Comment 4 Fedora Update System 2014-02-24 08:16:23 EST
selinux-policy-3.12.1-74.19.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-74.19.fc19
Comment 5 Fedora Update System 2014-02-25 02:45:01 EST
Package selinux-policy-3.12.1-74.19.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-74.19.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-3030/selinux-policy-3.12.1-74.19.fc19
then log in and leave karma (feedback).
Comment 6 Fedora Update System 2014-03-15 11:22:07 EDT
selinux-policy-3.12.1-74.19.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.