Bug 1266928 - iscsid related rule is missing
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
All Linux
Priority: urgent Severity: high
: rc
Assigned To: Miroslav Grepl
Milos Malik
Duplicates: 1267638
Blocks: 1172230
Reported: 2015-09-28 10:36 EDT by Fabian Deutsch
Modified: 2015-11-19 05:46 EST

Fixed In Version: selinux-policy-3.13.1-56.el7
Doc Type: Bug Fix
Doc Text:
Last Closed: 2015-11-19 05:46:45 EST
Type: Bug

Attachments
audit.log with avc denials (355.05 KB, text/plain)
2015-09-28 10:46 EDT, Fabian Deutsch

Description Fabian Deutsch 2015-09-28 10:36:38 EDT
Description of problem:
When using iscsid (iscsi-initiator-utils) on some pre-RHEL 7.2 with selinux-policy-3.13.1-53.el7 I'm getting a denial which needs the following rule to be solved:
allow iscsid_t modules_dep_t:file { read open getattr };

Additional info:
We see this on pre-RHEV 3.6 based on pre-RHEL 7.2
We did not see this denial before
Comment 1 Fabian Deutsch 2015-09-28 10:46 EDT
Created attachment 1077945
audit.log with avc denials
Comment 5 Miroslav Grepl 2015-09-30 04:03:29 EDT
This is caused by #916635 which we need to revert and remove from the errata.
Comment 7 Fredy Neeser 2015-10-01 04:35:55 EDT
(In reply to Miroslav Grepl from comment #5)
> This is caused by #916635 which we need to revert and remove from the errata.

What does #916635 refer to? I cannot access this bug to see the cause.
Comment 8 Fredy Neeser 2015-10-01 04:37:51 EDT
The present bug seems related to

"SELinux is preventing iscsid from 'read' accesses on the file /usr/lib/modules/4.1.6-200.fc22.x86_64/modules.dep.bin"
Comment 9 Miroslav Grepl 2015-10-01 04:50:51 EDT
We changed labeling for /lib/modules/*/modules.dep* to modules_dep_t but the problem is they are still placed with modules_object_t in some cases.

So we should revert the change back to have modules_object_t as a default label.
Comment 10 Miroslav Grepl 2015-10-01 05:00:11 EDT
Another possible fix would be to define all filenametrans rules correctly to get the correct labeling.
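The two things this bug turns on are (a) reading the AVC records in an audit.log back into the aggregated allow rule quoted in the description, which is what confirms that iscsid_t is being denied read/open/getattr on modules_dep_t, and (b) checking whether the modules.dep* files actually carry the label the policy intends, since comment 9 says some of them still sit at modules_object_t. The script below is an added illustration, not code from this bug or from selinux-policy; the audit lines and the `ls -Z`-style listing it parses are constructed samples (the kernel path is the one quoted in comment 8), and the regexes and the `modules_dep_t` expectation are assumptions made here.

```python
import re

# Fields of a kernel AVC record as auditd writes them:
#   avc:  denied  { read } for  pid=... comm="..." ... scontext=U:R:T:L tcontext=U:R:T:L tclass=file ...
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

# Paths the policy change in this bug relabels to modules_dep_t (assumption for the check below).
MODULES_DEP_RE = re.compile(r'^/(usr/)?lib/modules/[^/]+/modules\.dep(\.bin)?$')

# Constructed sample audit records (not the attached audit.log). The SYSCALL line
# is there to show that non-AVC records are ignored.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1443450000.123:456): avc:  denied  { read } for  pid=1234 comm="iscsid" name="modules.dep.bin" dev="dm-0" ino=1000 scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file permissive=0
type=AVC msg=audit(1443450000.123:457): avc:  denied  { open } for  pid=1234 comm="iscsid" path="/usr/lib/modules/4.1.6-200.fc22.x86_64/modules.dep.bin" dev="dm-0" ino=1000 scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file permissive=0
type=AVC msg=audit(1443450000.124:458): avc:  denied  { getattr } for  pid=1234 comm="iscsid" path="/usr/lib/modules/4.1.6-200.fc22.x86_64/modules.dep.bin" dev="dm-0" ino=1000 scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1443450000.124:458): arch=c000003e syscall=2 success=no exit=-13 comm="iscsid"
"""

# Constructed sample of "ls -Z"-style output (context, then path) for the same kernel directory.
SAMPLE_LISTING = """\
system_u:object_r:modules_object_t:s0 /usr/lib/modules/4.1.6-200.fc22.x86_64/modules.dep
system_u:object_r:modules_dep_t:s0 /usr/lib/modules/4.1.6-200.fc22.x86_64/modules.dep.bin
system_u:object_r:modules_object_t:s0 /usr/lib/modules/4.1.6-200.fc22.x86_64/modules.alias
"""


def type_of(context):
    """Return the type component of an SELinux context user:role:type:level."""
    return context.split(':')[2]


def parse_avc_denials(text):
    """Yield (source_type, target_type, tclass, perms) for every AVC denial record."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        perms = tuple(m.group('perms').split())
        yield type_of(m.group('scontext')), type_of(m.group('tcontext')), m.group('tclass'), perms


def allow_rules(text):
    """Aggregate denials into one allow rule per (source, target, class).

    Permissions keep their first-seen order, so three separate read/open/getattr
    denials collapse into a single rule, the way audit2allow would present them.
    """
    perms_by_key = {}
    for src, tgt, cls, perms in parse_avc_denials(text):
        seen = perms_by_key.setdefault((src, tgt, cls), {})
        for p in perms:
            seen[p] = None          # dict used as an ordered set
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(seen)} }};"
        for (src, tgt, cls), seen in perms_by_key.items()
    ]


def mislabeled(listing, expected_type='modules_dep_t'):
    """Return (path, actual_type) for modules.dep* entries not carrying expected_type.

    A denial whose target is modules_dep_t combined with files still labeled
    modules_object_t is exactly the inconsistent state comment 9 describes.
    """
    bad = []
    for line in listing.splitlines():
        ctx, path = line.split(None, 1)
        if MODULES_DEP_RE.match(path) and type_of(ctx) != expected_type:
            bad.append((path, type_of(ctx)))
    return bad


if __name__ == '__main__':
    for rule in allow_rules(SAMPLE_AUDIT):
        print(rule)
    for path, actual in mislabeled(SAMPLE_LISTING):
        print(f"{path}: labeled {actual}, expected modules_dep_t")
```

On a real host the same two steps are `audit2allow -a` for the rule and `matchpathcon`/`restorecon -v` on the modules directory for the labels; the point of doing both is that a rule derived from denials only describes the access that was attempted, while the label check tells you whether the denial comes from a policy gap or, as here, from files that never received the type the policy now expects.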
Comment 12 Miroslav Grepl 2015-10-02 04:39:43 EDT
*** Bug 1267638 has been marked as a duplicate of this bug. ***
Comment 16 errata-xmlrpc 2015-11-19 05:46:45 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

