1121376 – selinux deny iscsiadm when running storage with xtremio as backend

Bug 1121376 - selinux deny iscsiadm when running storage with xtremio as backend

Summary: selinux deny iscsiadm when running storage with xtremio as backend

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	Red Hat OpenStack
Classification:	Red Hat
Component:	openstack-selinux
Sub Component:
Version:	5.0 (RHEL 7)
Hardware:	x86_64
OS:	Linux
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Target Release:	5.0 (RHEL 7)
Assignee:	Ryan Hallisey
QA Contact:	Ami Jeain
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2014-07-20 07:21 UTC by bkopilov
Modified:	2014-09-08 05:44 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2014-07-20 08:05:29 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
audit.log file attached (1.25 MB, text/plain) 2014-07-20 07:21 UTC, bkopilov	no flags	Details
View All

Description bkopilov 2014-07-20 07:21:01 UTC

Created attachment 919327 [details]
audit.log file attached

Description of problem:
selinux deny : 

SELinux is preventing /usr/sbin/iscsiadm from search access on the directory .

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that iscsiadm should be allowed search access on the  directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep iscsiadm /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:iscsid_t:s0
Target Context                system_u:object_r:virt_lock_t:s0
Target Objects                 [ dir ]
Source                        iscsiadm
Source Path                   /usr/sbin/iscsiadm
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-153.el7_0.10.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     test8938
Platform                      Linux test8938 3.10.0-123.el7.x86_64 #1 SMP Mon
                              May 5 11:16:57 EDT 2014 x86_64 x86_64
Alert Count                   5
First Seen                    2014-07-20 08:10:02 IDT
Last Seen                     2014-07-20 08:51:43 IDT
Local ID                      72f2e9e4-65a9-4f10-9350-2e14774077fd

Raw Audit Messages
type=AVC msg=audit(1405835503.897:25695): avc:  denied  { search } for  pid=12214 comm="iscsiadm" name="iscsi" dev="tmpfs" ino=375334 scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:object_r:virt_lock_t:s0 tclass=dir


type=SYSCALL msg=audit(1405835503.897:25695): arch=x86_64 syscall=open success=no exit=EACCES a0=7f4c583bf41d a1=42 a2=1b6 a3=0 items=0 ppid=12213 pid=12214 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=iscsiadm exe=/usr/sbin/iscsiadm subj=system_u:system_r:iscsid_t:s0 key=(null)

Hash: iscsiadm,iscsid_t,virt_lock_t,dir,search



Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. prepare setup for automation with xtremio backend
2. run tempest tests


Actual results:


Expected results:


Additional info:

Note You need to log in before you can comment on or make changes to this bug.