Description of problem:
After updating to 4.1.6-200.fc22.x86_64 iscsi.service will not start and thus no iscsi volume will mount.

SELinux is preventing iscsid from 'read' accesses on the file /usr/lib/modules/4.1.6-200.fc22.x86_64/modules.dep.bin.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that iscsid should be allowed read access on the modules.dep.bin file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep iscsid /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:iscsid_t:s0
Target Context                unconfined_u:object_r:modules_dep_t:s0
Target Objects                /usr/lib/modules/4.1.6-200.fc22.x86_64/modules.dep.bin [ file ]
Source                        iscsid
Source Path                   iscsid
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-128.12.fc22.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.1.6-200.fc22.x86_64 #1 SMP Mon Aug 17 19:54:31 UTC 2015 x86_64 x86_64
Alert Count                   5
First Seen                    2015-08-30 12:38:10 AWST
Last Seen                     2015-08-30 15:30:53 AWST
Local ID                      0be9475c-165c-4c20-bf91-27ddd8d5675d

Raw Audit Messages
type=AVC msg=audit(1440919853.461:678): avc:  denied  { read } for  pid=1692 comm="iscsid" name="modules.dep.bin" dev="sdc4" ino=397616 scontext=system_u:system_r:iscsid_t:s0 tcontext=unconfined_u:object_r:modules_dep_t:s0 tclass=file permissive=0

Hash: iscsid,iscsid_t,modules_dep_t,file,read

Version-Release number of selected component:
selinux-policy-3.13.1-128.12.fc22.noarch

Additional info:
reporter:       libreport-2.6.2
hashmarkername: setroubleshoot
kernel:         4.1.6-200.fc22.x86_64
type:           libreport
It's not the update to the latest kernel, as I rebooted into the previous one and it's still broken.
This fixes it for me for now:

module iscsi_fix 1.0;

require {
	type iscsid_t;
	type modules_dep_t;
	class file { read getattr open };
}

#============= iscsid_t ==============
allow iscsid_t modules_dep_t:file getattr;

#!!!! This avc is allowed in the current policy
allow iscsid_t modules_dep_t:file { read open };
Have you tried an SELinux relabel? Your comment (comment 2) seems to suggest that the SELinux labels are NOT being applied properly by default. What was the previous kernel, 4.1.5 or something earlier than that? (The version / kernel updated from is not shown.)
I did a "restorecon -Rv /lib/modules" on the folder and there was no output.

[root@bajor 4.1.6-200.fc22.x86_64]# ls -Z modules.dep.bin
unconfined_u:object_r:modules_dep_t:s0 modules.dep.bin

I'm not sure it was the kernel. I just had a look at the logs and the selinux policy was updated as well; could it be an issue with this? From the dnf.log:

Aug 30 12:32:26 DEBUG ---> Package selinux-policy.noarch 3.13.1-128.10.fc22 will be upgraded
Aug 30 12:32:26 DEBUG ---> Package selinux-policy.noarch 3.13.1-128.12.fc22 will be an upgrade
Aug 30 12:32:26 DEBUG ---> Package selinux-policy-targeted.noarch 3.13.1-128.10.fc22 will be upgraded
Aug 30 12:32:26 DEBUG ---> Package selinux-policy-targeted.noarch 3.13.1-128.12.fc22 will be an upgrade
Same issue here with iscsi initiator (iscsid) no longer working due to SELinux AVCs. The SELinux AVCs for iscsid started appearing in the Aug./Sept. 2015 time frame.

Using the following command I noted that the selinux default security contexts for certain files in /usr/lib/modules were changed recently:

# restorecon -nrv /usr/lib/modules
restorecon reset /usr/lib/modules/4.1.6-200.fc22.x86_64/modules.symbols.bin context system_u:object_r:modules_object_t:s0->system_u:object_r:modules_dep_t:s0
restorecon reset /usr/lib/modules/4.1.6-200.fc22.x86_64/modules.softdep context system_u:object_r:modules_object_t:s0->system_u:object_r:modules_dep_t:s0
restorecon reset /usr/lib/modules/4.1.6-200.fc22.x86_64/modules.builtin.bin context system_u:object_r:modules_object_t:s0->system_u:object_r:modules_dep_t:s0
restorecon reset /usr/lib/modules/4.1.6-200.fc22.x86_64/modules.dep context system_u:object_r:modules_object_t:s0->system_u:object_r:modules_dep_t:s0
restorecon reset /usr/lib/modules/4.1.6-200.fc22.x86_64/modules.alias context system_u:object_r:modules_object_t:s0->system_u:object_r:modules_dep_t:s0
restorecon reset /usr/lib/modules/4.1.6-200.fc22.x86_64/modules.dep.bin context system_u:object_r:modules_object_t:s0->system_u:object_r:modules_dep_t:s0
restorecon reset /usr/lib/modules/4.1.6-200.fc22.x86_64/modules.alias.bin context system_u:object_r:modules_object_t:s0->system_u:object_r:modules_dep_t:s0
restorecon reset /usr/lib/modules/4.1.6-200.fc22.x86_64/modules.devname context system_u:object_r:modules_object_t:s0->system_u:object_r:modules_dep_t:s0
restorecon reset /usr/lib/modules/4.1.6-200.fc22.x86_64/modules.symbols context system_u:object_r:modules_object_t:s0->system_u:object_r:modules_dep_t:s0
restorecon reset /usr/lib/modules/4.0.8-300.fc22.x86_64/modules.symbols.bin context system_u:object_r:modules_object_t:s0->system_u:object_r:modules_dep_t:s0
restorecon reset /usr/lib/modules/4.0.8-300.fc22.x86_64/modules.softdep context system_u:object_r:modules_object_t:s0->system_u:object_r:modules_dep_t:s0
restorecon reset /usr/lib/modules/4.0.8-300.fc22.x86_64/modules.builtin.bin context system_u:object_r:modules_object_t:s0->system_u:object_r:modules_dep_t:s0
restorecon reset /usr/lib/modules/4.0.8-300.fc22.x86_64/modules.dep context system_u:object_r:modules_object_t:s0->system_u:object_r:modules_dep_t:s0
restorecon reset /usr/lib/modules/4.0.8-300.fc22.x86_64/modules.alias context system_u:object_r:modules_object_t:s0->system_u:object_r:modules_dep_t:s0
restorecon reset /usr/lib/modules/4.0.8-300.fc22.x86_64/modules.dep.bin context system_u:object_r:modules_object_t:s0->system_u:object_r:modules_dep_t:s0
restorecon reset /usr/lib/modules/4.0.8-300.fc22.x86_64/modules.alias.bin context system_u:object_r:modules_object_t:s0->system_u:object_r:modules_dep_t:s0
restorecon reset /usr/lib/modules/4.0.8-300.fc22.x86_64/modules.devname context system_u:object_r:modules_object_t:s0->system_u:object_r:modules_dep_t:s0
restorecon reset /usr/lib/modules/4.0.8-300.fc22.x86_64/modules.symbols context system_u:object_r:modules_object_t:s0->system_u:object_r:modules_dep_t:s0

OK ... so I had to fix these labels as follows:

# restorecon -rv /usr/lib/modules
restorecon reset /usr/lib/modules/4.1.6-200.fc22.x86_64/modules.symbols.bin context system_u:object_r:modules_object_t:s0->system_u:object_r:modules_dep_t:s0
restorecon reset /usr/lib/modules/4.1.6-200.fc22.x86_64/modules.softdep context system_u:object_r:modules_object_t:s0->system_u:object_r:modules_dep_t:s0
restorecon reset /usr/lib/modules/4.1.6-200.fc22.x86_64/modules.builtin.bin context system_u:object_r:modules_object_t:s0->system_u:object_r:modules_dep_t:s0
restorecon reset /usr/lib/modules/4.1.6-200.fc22.x86_64/modules.dep context system_u:object_r:modules_object_t:s0->system_u:object_r:modules_dep_t:s0
restorecon reset /usr/lib/modules/4.1.6-200.fc22.x86_64/modules.alias context system_u:object_r:modules_object_t:s0->system_u:object_r:modules_dep_t:s0
restorecon reset /usr/lib/modules/4.1.6-200.fc22.x86_64/modules.dep.bin context system_u:object_r:modules_object_t:s0->system_u:object_r:modules_dep_t:s0
restorecon reset /usr/lib/modules/4.1.6-200.fc22.x86_64/modules.alias.bin context system_u:object_r:modules_object_t:s0->system_u:object_r:modules_dep_t:s0
restorecon reset /usr/lib/modules/4.1.6-200.fc22.x86_64/modules.devname context system_u:object_r:modules_object_t:s0->system_u:object_r:modules_dep_t:s0
restorecon reset /usr/lib/modules/4.1.6-200.fc22.x86_64/modules.symbols context system_u:object_r:modules_object_t:s0->system_u:object_r:modules_dep_t:s0
restorecon reset /usr/lib/modules/4.0.8-300.fc22.x86_64/modules.symbols.bin context system_u:object_r:modules_object_t:s0->system_u:object_r:modules_dep_t:s0
restorecon reset /usr/lib/modules/4.0.8-300.fc22.x86_64/modules.softdep context system_u:object_r:modules_object_t:s0->system_u:object_r:modules_dep_t:s0
restorecon reset /usr/lib/modules/4.0.8-300.fc22.x86_64/modules.builtin.bin context system_u:object_r:modules_object_t:s0->system_u:object_r:modules_dep_t:s0
restorecon reset /usr/lib/modules/4.0.8-300.fc22.x86_64/modules.dep context system_u:object_r:modules_object_t:s0->system_u:object_r:modules_dep_t:s0
restorecon reset /usr/lib/modules/4.0.8-300.fc22.x86_64/modules.alias context system_u:object_r:modules_object_t:s0->system_u:object_r:modules_dep_t:s0
restorecon reset /usr/lib/modules/4.0.8-300.fc22.x86_64/modules.dep.bin context system_u:object_r:modules_object_t:s0->system_u:object_r:modules_dep_t:s0
restorecon reset /usr/lib/modules/4.0.8-300.fc22.x86_64/modules.alias.bin context system_u:object_r:modules_object_t:s0->system_u:object_r:modules_dep_t:s0
restorecon reset /usr/lib/modules/4.0.8-300.fc22.x86_64/modules.devname context system_u:object_r:modules_object_t:s0->system_u:object_r:modules_dep_t:s0
restorecon reset /usr/lib/modules/4.0.8-300.fc22.x86_64/modules.symbols context system_u:object_r:modules_object_t:s0->system_u:object_r:modules_dep_t:s0

This did the job, because 'restorecon -nrv' no longer generated any output after this:

# restorecon -nrv /usr/lib/modules
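The dry-run check in the comment above ("restorecon -nrv", then relabel, then dry-run again until it is silent) is easy to turn into a repeatable drift check. The following is an added example written for this page, not code from the bug or from Fedora; it parses "restorecon reset ... context OLD->NEW" lines, groups the affected paths by the type transition they would undergo, and treats an empty dry run as the "clean" state. The sample output embedded below is a constructed subset of the lines quoted in the comment.

```python
import re
from collections import Counter, defaultdict

# One line of 'restorecon -nrv' dry-run output per file whose label differs
# from what the loaded policy's file contexts say it should be.
RESET_RE = re.compile(
    r'restorecon reset (?P<path>\S+) context (?P<old>\S+)->(?P<new>\S+)$'
)

# Constructed sample: three of the lines quoted in this bug report.
DRY_RUN_OUTPUT = """\
restorecon reset /usr/lib/modules/4.1.6-200.fc22.x86_64/modules.dep.bin context system_u:object_r:modules_object_t:s0->system_u:object_r:modules_dep_t:s0
restorecon reset /usr/lib/modules/4.1.6-200.fc22.x86_64/modules.softdep context system_u:object_r:modules_object_t:s0->system_u:object_r:modules_dep_t:s0
restorecon reset /usr/lib/modules/4.0.8-300.fc22.x86_64/modules.dep.bin context system_u:object_r:modules_object_t:s0->system_u:object_r:modules_dep_t:s0
"""


def context_type(ctx):
    """Extract the type field from a user:role:type:level security context."""
    return ctx.split(":")[2]


def summarize_resets(output):
    """Group paths the dry run would relabel by (current type, expected type)."""
    drift = defaultdict(list)
    for line in output.splitlines():
        m = RESET_RE.match(line.strip())
        if m:
            key = (context_type(m["old"]), context_type(m["new"]))
            drift[key].append(m["path"])
    return dict(drift)


def by_kernel_dir(output):
    """Count mislabelled files per /usr/lib/modules/<kernel> directory."""
    counts = Counter()
    for paths in summarize_resets(output).values():
        for p in paths:
            rest = p.split("/usr/lib/modules/", 1)[1]
            counts[rest.split("/", 1)[0]] += 1
    return dict(counts)


def is_clean(output):
    """True when a dry run proposes no relabels (what the comment checks for)."""
    return not summarize_resets(output)


def report(output):
    """Human-readable lines for a ticket or a monitoring alert."""
    if is_clean(output):
        return ["restorecon dry run is clean: no label drift"]
    lines = []
    for (old, new), paths in sorted(summarize_resets(output).items()):
        lines.append(f"{len(paths)} file(s) labelled {old} but policy expects {new}")
        lines.extend(f"  {p}" for p in paths)
    return lines


if __name__ == "__main__":
    print("\n".join(report(DRY_RUN_OUTPUT)))
    print("after relabel, clean:", is_clean(""))
```

Running the same parser on the post-relabel dry run (which produced no output in the comment) yields the clean verdict, so the two checks bracket the fix.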
The above did not resolve the AVC denials to iscsid. Symptoms included:

audit[1612]: <audit-1400> avc:  denied  { read } for  pid=1612 comm="iscsid" name="modules.softdep" dev="dm-2" ino=3025080 scontext=system_u:system_r:iscsid_t:s0 tcontext=unconfined_u:object_r:modules_dep_t:s0 tclass=file permissive=0
audit[1612]: <audit-1300> arch=c000003e syscall=2 success=no exit=-13 a0=7ffe04b980a0 a1=80000 a2=7ffe04b980d2 a3=5f3638782e323263 items=0 ppid=1 pid=1612 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iscsid" exe="/usr/sbin/iscsid" subj=system_u:system_r:iscsid_t:s0 key=(null)
iscsiadm[1607]: iscsiadm: initiator reported error (12 - iSCSI driver not found. Please make sure it is loaded, and retry the operation)
iscsid[1611]: Could not insert module tcp. Kmod error -38

SELinux suggests the following, along with similar suggestions for other files in /usr/lib/modules:

python[1624]: SELinux is preventing /usr/sbin/iscsid from read access on the file /usr/lib/modules/4.1.3-201.fc22.x86_64/modules.softdep.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that iscsid should be allowed read access on the modules.softdep file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep iscsid /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

===> OK, I'll try this next ...
The selinux suggestions do not explain that one may need multiple iterations to create a local policy module for fixing the AVCs generated by iscsid. After doing a first iteration that allows a certain access, iscsid may do other things that trigger different AVCs ...

So we need to iteratively create/install/test a local policy module 'iscsi-fix' by repeating

# grep iscsid /var/log/audit/audit.log | audit2allow -M iscsi-fix
# semodule -r iscsi-fix
# semodule -i iscsi-fix.pp
% Should probably restart iscsid.service
# systemctl restart iscsid.service
% Retest iscsid ...

until iscsid no longer generates any AVC denials.

This procedure keeps updating two files in the work directory, namely
iscsi-fix.pp
iscsi-fix.te

Note that directly installing (or upgrading) the updated iscsi-fix did not work, but it was possible to remove and then reinstall the local policy module.

With the above iterative approach, I ended up with an iscsi-fix.te as shown below (equivalent to the one in Comment 2):

module iscsi-fix 1.0;

require {
	type iscsid_t;
	type modules_dep_t;
	class file { read getattr open };
}

#============= iscsid_t ==============
allow iscsid_t modules_dep_t:file getattr;

#!!!! This avc is allowed in the current policy
allow iscsid_t modules_dep_t:file { read open };
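The iterative loop above works because each pass of audit2allow only sees the denials logged so far: once 'read' is allowed, iscsid gets further and is denied the next permission, so the final module is the union of several passes. The following is an added example written for this page, not code from the bug, from Fedora or from audit2allow; it parses AVC records the way 'grep iscsid ... | audit2allow' does (filter on comm, then collect source type, target type, class and permissions), merges the permission sets across passes, and renders a .te in the same layout as the one in the comment. The first pass uses the two AVC lines quoted in this bug; the second pass and the unrelated sshd_t line are constructed sample data.

```python
import re
from collections import defaultdict

# Matches both raw /var/log/audit/audit.log records and the journal form
# "audit[pid]: <audit-1400> avc: denied ...".
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}.*?'
    r'comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

# Constructed sample, pass 1: the two AVCs quoted in this bug plus an
# unrelated sshd_t denial that the comm filter must leave out.
FIRST_PASS = [
    'type=AVC msg=audit(1440919853.461:678): avc:  denied  { read } for  pid=1692 comm="iscsid" '
    'name="modules.dep.bin" dev="sdc4" ino=397616 scontext=system_u:system_r:iscsid_t:s0 '
    'tcontext=unconfined_u:object_r:modules_dep_t:s0 tclass=file permissive=0',
    'audit[1612]: <audit-1400> avc:  denied  { read } for  pid=1612 comm="iscsid" '
    'name="modules.softdep" dev="dm-2" ino=3025080 scontext=system_u:system_r:iscsid_t:s0 '
    'tcontext=unconfined_u:object_r:modules_dep_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1440919900.000:700): avc:  denied  { write } for  pid=2000 comm="sshd" '
    'name="example" dev="dm-2" ino=1 scontext=system_u:system_r:sshd_t:s0 '
    'tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0',
]
# Constructed sample, pass 2: after 'read' is allowed, the next run is
# denied 'open' and 'getattr' on the same target type.
SECOND_PASS = [
    'type=AVC msg=audit(1440920000.000:710): avc:  denied  { open } for  pid=1700 comm="iscsid" '
    'path="/usr/lib/modules/4.1.6-200.fc22.x86_64/modules.dep.bin" dev="sdc4" ino=397616 '
    'scontext=system_u:system_r:iscsid_t:s0 tcontext=unconfined_u:object_r:modules_dep_t:s0 '
    'tclass=file permissive=0',
    'type=AVC msg=audit(1440920000.000:711): avc:  denied  { getattr } for  pid=1700 comm="iscsid" '
    'path="/usr/lib/modules/4.1.6-200.fc22.x86_64/modules.dep.bin" dev="sdc4" ino=397616 '
    'scontext=system_u:system_r:iscsid_t:s0 tcontext=unconfined_u:object_r:modules_dep_t:s0 '
    'tclass=file permissive=0',
]


def context_type(ctx):
    """Extract the type field from a user:role:type:level security context."""
    return ctx.split(":")[2]


def parse_denials(lines, comm=None):
    """Return {(source_type, target_type, tclass): {perms}} for AVC denials.

    'comm' plays the role of the 'grep iscsid' in the procedure: only
    denials from that process name are collected when it is given.
    """
    rules = defaultdict(set)
    for line in lines:
        m = AVC_RE.search(line)
        if not m or (comm is not None and m["comm"] != comm):
            continue
        key = (context_type(m["scontext"]), context_type(m["tcontext"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return dict(rules)


def merge(*rule_sets):
    """Union the permission sets from several passes of the loop."""
    merged = defaultdict(set)
    for rs in rule_sets:
        for key, perms in rs.items():
            merged[key].update(perms)
    return dict(merged)


def render_te(module_name, rules):
    """Render the collected rules as a minimal .te policy source."""
    types = sorted({s for (s, _, _) in rules} | {t for (_, t, _) in rules})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls].update(perms)
    out = [f"module {module_name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {cls} {{ {' '.join(sorted(p))} }};" for cls, p in sorted(classes.items())]
    out += ["}", ""]
    for (s, t, cls), perms in sorted(rules.items()):
        ps = sorted(perms)
        perm_str = ps[0] if len(ps) == 1 else "{ " + " ".join(ps) + " }"
        out.append(f"allow {s} {t}:{cls} {perm_str};")
    return "\n".join(out) + "\n"


def build_module(name="iscsi-fix", comm="iscsid"):
    """Run both passes, merge them, and render the final module source."""
    return render_te(name, merge(parse_denials(FIRST_PASS, comm), parse_denials(SECOND_PASS, comm)))


if __name__ == "__main__":
    print(build_module())
```

The rendered module contains a single allow line covering getattr, open and read, which is the same access the comment's iscsi-fix.te grants; keeping the rules keyed on (source type, target type, class) rather than on individual file names is what makes the result survive a kernel update that adds a new /usr/lib/modules/<version> directory.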
After applying the steps in Comment 7 and rebooting, the journal no longer shows any of the previous errors:
- SELinux access denials (avc: denied ...) for iscsid
- iscsiadm[1607]: iscsiadm: initiator reported error (12 - iSCSI driver not found. Please make sure it is loaded, and retry the operation)
- iscsid[1611]: Could not insert module tcp. Kmod error -38
- setroubleshoot messages for iscsid
Fedora 22 changed to end-of-life (EOL) status on 2016-07-19. Fedora 22 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.