Bug 1266670 - SELinux is preventing iscsid from 'create' accesses on the netlink_iscsi_socket Unknown.
SELinux is preventing iscsid from 'create' accesses on the netlink_iscsi_sock...
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
23
x86_64 Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
abrt_hash:02161e38e192158f112bddf4f54...
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2015-09-26 07:11 EDT by Ermanno Scaglione
Modified: 2015-10-12 20:05 EDT (History)
6 users (show)

See Also:
Fixed In Version: selinux-policy-3.13.1-150.fc23
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-10-12 20:05:18 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Ermanno Scaglione 2015-09-26 07:11:01 EDT
Description of problem:
starting iscsi initiator
SELinux is preventing iscsid from 'create' accesses on the netlink_iscsi_socket Unknown.

*****  Plugin catchall (100. confidence) suggests   **************************

If si crede che iscsid dovrebbe avere possibilità di accesso create sui Unknown netlink_iscsi_socket in modo predefinito.
Then si dovrebbe riportare il problema come bug.
E' possibile generare un modulo di politica locale per consentire questo accesso.
Do
consentire questo accesso per il momento eseguendo:
# grep iscsid /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:iscsid_t:s0
Target Context                system_u:system_r:iscsid_t:s0
Target Objects                Unknown [ netlink_iscsi_socket ]
Source                        iscsid
Source Path                   iscsid
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-147.fc23.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.2.1-300.fc23.x86_64 #1 SMP Mon
                              Sep 21 22:13:13 UTC 2015 x86_64 x86_64
Alert Count                   10
First Seen                    2015-09-26 13:05:17 CEST
Last Seen                     2015-09-26 13:07:53 CEST
Local ID                      cbeba51e-a5c4-4256-83d2-54abd98efe1c

Raw Audit Messages
type=AVC msg=audit(1443265673.39:892): avc:  denied  { create } for  pid=1263 comm="iscsid" scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:system_r:iscsid_t:s0 tclass=netlink_iscsi_socket permissive=0


Hash: iscsid,iscsid_t,iscsid_t,netlink_iscsi_socket,create

Version-Release number of selected component:
selinux-policy-3.13.1-147.fc23.noarch

Additional info:
reporter:       libreport-2.6.2
hashmarkername: setroubleshoot
kernel:         4.2.1-300.fc23.x86_64
type:           libreport
Comment 1 Tomasz Torcz 2015-10-06 03:32:04 EDT
Rawhide has the same problem.
Comment 3 Fedora Update System 2015-10-09 10:14:40 EDT
selinux-policy-3.13.1-150.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-f4305656a5
Comment 4 Fedora Update System 2015-10-11 04:25:45 EDT
selinux-policy-3.13.1-150.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update selinux-policy'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-f4305656a5
Comment 5 Fedora Update System 2015-10-12 20:05:02 EDT
selinux-policy-3.13.1-150.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.