This prevents targetd plugin from working. [root@localhost log]# sealert -l 4c68fbd5-ab47-476c-a175-cd6fde302166 SELinux is preventing /usr/bin/python2.7 from create access on the tcp_socket . ***** Plugin catchall (100. confidence) suggests ************************** If you believe that python2.7 should be allowed create access on the tcp_socket by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep python /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:lsmd_plugin_t:s0 Target Context system_u:system_r:lsmd_plugin_t:s0 Target Objects [ tcp_socket ] Source python Source Path /usr/bin/python2.7 Port <Unknown> Host localhost.localdomain Source RPM Packages python-2.7.5-11.fc20.x86_64 Target RPM Packages Policy RPM selinux-policy-3.12.1-122.fc20.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name localhost.localdomain Platform Linux localhost.localdomain 3.13.3-201.fc20.x86_64 #1 SMP Fri Feb 14 19:08:32 UTC 2014 x86_64 x86_64 Alert Count 4 First Seen 2014-02-24 11:41:56 PST Last Seen 2014-02-24 11:52:33 PST Local ID 4c68fbd5-ab47-476c-a175-cd6fde302166 Raw Audit Messages type=AVC msg=audit(1393271553.830:425): avc: denied { create } for pid=1645 comm="python" scontext=system_u:system_r:lsmd_plugin_t:s0 tcontext=system_u:system_r:lsmd_plugin_t:s0 tclass=tcp_socket type=SYSCALL msg=audit(1393271553.830:425): arch=x86_64 syscall=socket success=no exit=EACCES a0=2 a1=1 a2=6 a3=1 items=0 ppid=1643 pid=1645 auid=4294967295 uid=994 gid=990 euid=994 suid=994 fsuid=994 egid=990 sgid=990 fsgid=990 ses=4294967295 tty=(none) comm=python exe=/usr/bin/python2.7 subj=system_u:system_r:lsmd_plugin_t:s0 key=(null) Hash: python,lsmd_plugin_t,lsmd_plugin_t,tcp_socket,create
Could you run this in permissive mode to catch more avcs semanage permissive -a lsmd_plugin_t
Created attachment 867155 [details] Requested information
Do you know what is listening at tcp port 18700?
(In reply to Daniel Walsh from comment #3) > Do you know what is listening at tcp port 18700? In this specific case the libStorageMgmt targetd plug-in (/usr/bin/targetd_lsmplugin) is connecting to a remote system which is running the targetd storage daemon. The port number can be configured by end users, so that may change. Some background which may help with creating policy. The daemon lsmd execs the plug-in. The plug-in needs network access and all that entails to connect to the external storage arrays over the network. The current targeted selinux policy allows the plug-in to create a socket if it is executed via the command line, but rejects it when executed via lsmd. Please note that plug-ins can be written in C or python at this time and will connect to a number of different listening ports, each of which is modifiable by the end user.
Is that the default port
(In reply to Daniel Walsh from comment #5) > Is that the default port For targetd plug-in yes. For other plugins, default ports: libstoragemgmt-ontap-plugin (80/443) libstoragemgmt-smis-plugin (5988/5989) libstoragemgmt-nstor-plugin (80/443) libstoragemgmt-ibm-v7k-plugin (22) But like I stated, the user can change.
I believe we want to add a boolean for lsmd plugins.
commit 4c57934448663d99368d0e1616c6f0c4849ed550 Author: Miroslav Grepl <mgrepl> Date: Tue Feb 25 15:16:49 2014 +0100 Add lsmd_plugin_connect_any boolean
Also added commit 7ac723de65080bbbc0f2b125844fc2f46b50e764 Author: Miroslav Grepl <mgrepl> Date: Tue Feb 25 15:19:00 2014 +0100 Allow lsmd plugins to connect to http/ssh/http_caccommit
selinux-policy-3.12.1-127.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/FEDORA-2014-2801/selinux-policy-3.12.1-127.fc20
Package selinux-policy-3.12.1-127.fc20: * should fix your issue, * was pushed to the Fedora 20 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-127.fc20' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2014-2801/selinux-policy-3.12.1-127.fc20 then log in and leave karma (feedback).
selinux-policy-3.12.1-127.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.