Bug 1424621 - Selinux is preventing targetd from running
Summary: Selinux is preventing targetd from running
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.4
Hardware: All
OS: Linux
high
medium
Target Milestone: rc
: 7.4
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks: 1381083 1486259
Reported: 2017-02-17 20:29 UTC by Tony Asleson
Modified: 2018-04-10 12:26 UTC
CC List: 11 users

Fixed In Version: selinux-policy-3.13.1-171.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1486259 (view as bug list)
Environment:
Last Closed: 2018-04-10 12:26:56 UTC
Target Upstream Version:
Embargoed:


Attachments
journal logs when running the system in permissive mode (15.50 KB, text/plain) - 2017-02-17 20:29 UTC, Tony Asleson
Information as requested (156.53 KB, text/plain) - 2017-02-20 20:30 UTC, Tony Asleson
Autogenerated from audit2allow for exportfs (640 bytes, text/plain) - 2017-04-27 20:04 UTC, Tony Asleson
Autogenerated from audit2allow for targetd (2.68 KB, text/plain) - 2017-04-27 20:04 UTC, Tony Asleson
SELinux denials in the raw form (56.77 KB, text/x-vhdl) - 2017-05-01 17:48 UTC, Tony Asleson
Latest SELinux denials (24.69 KB, text/plain) - 2017-06-21 19:19 UTC, Tony Asleson
Raw denials with btrfs mounted to /mnt/targetd_fs (10.39 KB, text/plain) - 2017-06-26 16:33 UTC, Tony Asleson


Links
Red Hat Product Errata RHBA-2018:0763 (priority normal, status SHIPPED_LIVE): selinux-policy bug fix and enhancement update, last updated 2018-04-10 12:08:10 UTC

Description Tony Asleson 2017-02-17 20:29:09 UTC
Created attachment 1255071
journal logs when running the system in permissive mode

Description of problem:

New package targetd-0.8.5-1.el7 has been built.  When attempting to run with SELinux in enforcing mode, the daemon will start, but it fails to run correctly.  When in permissive mode, a number of errors get reported.

The targetd service mucks with many different things, I've attached the output from the journal.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.13.1-102

How reproducible:
100%

Steps to Reproduce:
1. install rpm
2. systemctl start targetd
3. exercise daemon

Actual results:
Some operations fail to work

Expected results:
Daemon works as designed


Additional info:

Comment 1 Tony Asleson 2017-02-17 20:31:07 UTC
ref. bug 1423018

Comment 3 Milos Malik 2017-02-20 06:07:20 UTC
We need to see SELinux denials in the raw form. Could you attach the output of the following command?

# ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts today

Thanks.

Comment 5 Tony Asleson 2017-02-20 20:30:36 UTC
Created attachment 1255867
Information as requested

Comment 7 Milos Malik 2017-04-24 15:08:51 UTC
Here is the ausearch output (see comment#5) processed by audit2allow:

#============= targetd_t ==============

#!!!! This avc is allowed in the current policy
allow targetd_t bin_t:file { execute execute_no_trans };
allow targetd_t configfs_t:dir { add_name create getattr open read remove_name rmdir search write };
allow targetd_t configfs_t:file { getattr open read write };
allow targetd_t configfs_t:lnk_file { create getattr read unlink };

#!!!! WARNING: 'default_t' is a base type.
allow targetd_t default_t:dir { ioctl read };
allow targetd_t exports_t:file { getattr open read };
allow targetd_t fixed_disk_device_t:blk_file write;
allow targetd_t fs_t:filesystem getattr;
allow targetd_t insmod_exec_t:file getattr;
allow targetd_t kernel_t:system ipc_info;

#!!!! This avc can be allowed using the boolean 'domain_kernel_load_modules'
allow targetd_t kernel_t:system module_request;
allow targetd_t lvm_metadata_t:dir { add_name read remove_name write };
allow targetd_t lvm_metadata_t:file { append create link rename unlink };
allow targetd_t lvm_var_run_t:fifo_file { getattr lock open read write };
allow targetd_t modules_conf_t:dir { getattr open read };
allow targetd_t modules_conf_t:file { getattr open read };
allow targetd_t modules_object_t:dir search;
allow targetd_t modules_object_t:file { getattr open read };
allow targetd_t nfsd_fs_t:file { open read };

#!!!! This avc is allowed in the current policy
allow targetd_t self:capability sys_admin;
allow targetd_t self:capability { ipc_lock sys_nice };
allow targetd_t self:process setsched;

#!!!! This avc can be allowed using the boolean 'nis_enabled'
allow targetd_t self:tcp_socket accept;
allow targetd_t sysctl_rpc_t:dir search;
allow targetd_t sysctl_rpc_t:file { open read write };
allow targetd_t sysfs_t:file write;

#!!!! WARNING: 'unlabeled_t' is a base type.
allow targetd_t unlabeled_t:dir { ioctl read write };
allow targetd_t var_lib_nfs_t:dir { add_name remove_name write };
allow targetd_t var_lib_nfs_t:file { create getattr lock open read rename unlink write };

The above-mentioned output was generated on a machine where:

# rpm -qa selinux-policy\*
selinux-policy-targeted-3.13.1-144.el7.noarch
selinux-policy-devel-3.13.1-144.el7.noarch
selinux-policy-3.13.1-144.el7.noarch
#

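The audit2allow listing above is the right input for a review, but the lines that matter most are the "#!!!!" warnings. As an added illustration (not code from this bug, nor from the targetd or selinux-policy projects), the following Python script performs the same aggregation on raw ausearch output while keeping each warning next to the rule it applies to. The base types and boolean hints are the ones audit2allow printed in comment 7; the sample denial records, pids, inodes and timestamps are constructed for the example, not taken from the attachments.

```python
"""Aggregate raw SELinux AVC denials into audit2allow-style rule summaries.

Added example, not code from the bug report or from targetd/selinux-policy.
Input lines have the shape printed by `ausearch -m avc ... -i` (comment 3);
SAMPLE_DENIALS is constructed for this example, not taken from the attachments.
"""
import re
from collections import defaultdict

# Constructed records (hypothetical pids, inodes, timestamps) modelled on the
# kinds of denials discussed in the bug: btrfs ioctls on an unlabeled mount,
# module loading, exportfs reading /etc/exports, raw block device writes.
SAMPLE_DENIALS = """\
type=AVC msg=audit(05/01/2017 12:41:03.117:5566) : avc:  denied  { ioctl read } for  pid=2811 comm=btrfs path=/mnt/targetd_fs dev="sda3" ino=256 scontext=system_u:system_r:targetd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir permissive=1
type=AVC msg=audit(05/01/2017 12:41:03.118:5567) : avc:  denied  { write } for  pid=2811 comm=btrfs path=/mnt/targetd_fs dev="sda3" ino=256 scontext=system_u:system_r:targetd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir permissive=1
type=AVC msg=audit(05/01/2017 12:41:04.002:5568) : avc:  denied  { module_request } for  pid=2790 comm=targetd scontext=system_u:system_r:targetd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=1
type=AVC msg=audit(05/01/2017 12:41:05.330:5569) : avc:  denied  { getattr open read } for  pid=2815 comm=exportfs path=/etc/exports dev="sda2" ino=1234 scontext=system_u:system_r:targetd_t:s0 tcontext=system_u:object_r:exports_t:s0 tclass=file permissive=1
type=AVC msg=audit(05/01/2017 12:41:06.001:5570) : avc:  denied  { write } for  pid=2790 comm=targetd path=/dev/sdb dev="devtmpfs" ino=9999 scontext=system_u:system_r:targetd_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=1
type=AVC msg=audit(05/01/2017 12:41:07.410:5571) : avc:  denied  { accept } for  pid=2790 comm=targetd scontext=system_u:system_r:targetd_t:s0 tcontext=system_u:system_r:targetd_t:s0 tclass=tcp_socket permissive=1
"""

# Types audit2allow flagged as base types in comment 7. A denial against one of
# these usually means the object is mislabeled (fix with restorecon or a file
# context rule, as comment 8 advises), not that the domain needs a new rule.
BASE_TYPES = {"default_t", "unlabeled_t"}

# Accesses for which audit2allow in comment 7 pointed at an existing boolean.
BOOLEAN_HINTS = {
    ("kernel_t", "system", "module_request"): "domain_kernel_load_modules",
    ("self", "tcp_socket", "accept"): "nis_enabled",
}

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*?)"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Return the type field of a user:role:type[:level] security context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def parse_avc(line):
    """Parse one AVC record; return None for non-AVC lines (SYSCALL, PATH, ...)."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', m.group("fields")))
    return {
        "stype": context_type(m.group("scontext")),
        "ttype": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
        "perms": set(m.group("perms").split()),
        "comm": fields.get("comm", "?").strip('"'),
        "path": fields.get("path", "").strip('"'),
    }


def aggregate(lines):
    """Group denials by (source type, target type, object class), merging the
    permission sets and remembering which commands and paths triggered them."""
    rules = defaultdict(lambda: {"perms": set(), "comms": set(), "paths": set()})
    for line in lines:
        avc = parse_avc(line)
        if avc is None:
            continue
        # audit2allow writes the target as "self" when it equals the source domain.
        target = "self" if avc["ttype"] == avc["stype"] else avc["ttype"]
        entry = rules[(avc["stype"], target, avc["tclass"])]
        entry["perms"] |= avc["perms"]
        entry["comms"].add(avc["comm"])
        if avc["path"]:
            entry["paths"].add(avc["path"])
    return dict(rules)


def render_rules(rules):
    """Emit allow rules in audit2allow's layout, preceded by the same kinds of
    warning it prints, so a reviewer sees where a rule would be the wrong fix."""
    out = []
    for (stype, ttype, tclass), info in sorted(rules.items()):
        perms = sorted(info["perms"])
        if ttype in BASE_TYPES:
            out.append(f"#!!!! WARNING: '{ttype}' is a base type. "
                       f"Check labeling of {', '.join(sorted(info['paths'])) or 'the object'} first.")
        for perm in perms:
            boolean = BOOLEAN_HINTS.get((ttype, tclass, perm))
            if boolean:
                out.append(f"#!!!! '{perm}' can be allowed using the boolean '{boolean}'")
        out.append(f"# triggered by: {', '.join(sorted(info['comms']))}")
        perm_txt = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        out.append(f"allow {stype} {ttype}:{tclass} {perm_txt};")
    return out


if __name__ == "__main__":
    print("\n".join(render_rules(aggregate(SAMPLE_DENIALS.splitlines()))))
```

Run against real ausearch output, the default_t group prints with a labeling warning and the path that triggered it; that is where to run restorecon or add a file context rule rather than load a rule granting targetd_t access to every default_t directory, and the boolean hints show where an existing policy switch covers the access without any new module.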
Comment 8 Vit Mojzis 2017-04-26 14:53:17 UTC
Thank you for the AVCs; however, it seems that your system has been running with SELinux disabled for some time and your security policy is outdated.

To get a more accurate set of SELinux denials, please update the selinux-policy-targeted package, run
# restorecon -Rv /
to fix labels in your filesystem, and re-run your use cases with SELinux in permissive mode.

Also, it would be appreciated if you could go through the rules generated by audit2allow and make sure that all the access attempts make sense. Feel free to contact me if the meaning of the rules is unclear.

Comment 9 Tony Asleson 2017-04-27 20:02:50 UTC
I've updated to policy files *.144.el7.noarch and run # restorecon -Rv /.  After doing this I ran some unit tests against targetd and got numerous errors.  Running audit2allow on the latest errors and loading those rules gets me runs without errors except for those associated with exportfs and btrfs commands which are executed in the targetd daemon.  I'll attach the te files generated by audit2allow for targetd and exportfs.

The final errors I'm getting with btrfs are likely a labeling issue.  Basically targetd allows you to take a btrfs and carve up sub volumes and take snapshots over the API.  When doing so SELinux is logging errors like:

SELinux is preventing /usr/sbin/btrfs from ioctl access on the directory /testing/targetd_ss/HRYV_fs_WXTR

Please note that the base btrfs directory is controllable by the user in the targetd config file, thus it could potentially be anywhere.

Please advise what the suggested context for a directory should be to create btrfs sub volumes and snapshots.

Comment 10 Tony Asleson 2017-04-27 20:04:04 UTC
Created attachment 1274786
Autogenerated from audit2allow for exportfs

Comment 11 Tony Asleson 2017-04-27 20:04:40 UTC
Created attachment 1274787
Autogenerated from audit2allow for targetd

Comment 12 Lukas Vrabec 2017-04-28 18:25:09 UTC
Could you attach raw AVC msgs? 

Thanks, 
Lukas.

Comment 13 Tony Asleson 2017-05-01 17:48:25 UTC
Created attachment 1275455
SELinux denials in the raw form

Collected with:

ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts today

Comment 14 Tony Asleson 2017-05-01 17:51:09 UTC
I created a new 7.4 VM using the latest which includes:

selinux-policy-targeted-3.13.1-145.el7.noarch
selinux-policy-3.13.1-145.el7.noarch

to collect the latest selinux denials.

Comment 28 Milos Malik 2017-06-21 13:03:54 UTC
Could you re-run your scenario after installing the latest selinux-policy (3.13.1-164.el7)? Our automated TC indicates that the following rules are missing, but they might not actually be needed:

allow targetd_t insmod_exec_t : file { getattr };
allow targetd_t default_t : dir { ioctl read };
allow targetd_t lvm_var_run_t : fifo_file { open };

Comment 29 Tony Asleson 2017-06-21 19:18:31 UTC
Things are improving, but I'm still getting denials.  I spun up a new VM with a nightly build which includes:

selinux-policy-3.13.1-164.el7.noarch
selinux-policy-targeted-3.13.1-164.el7.noarch

I've attached the raw logs from this latest run.

The targetd daemon needs to be able to run the following commands:

btrfs
exportfs

I asked in comment #9 what the appropriate label should be for a mounted btrfs file system that the targetd service can run btrfs operations on, but didn't get a response to that.  I tried a couple different labels, but they all appeared to suffer the same fate of failed ioctls.

Comment 30 Tony Asleson 2017-06-21 19:19:17 UTC
Created attachment 1290299
Latest SELinux denials

Comment 31 Milos Malik 2017-06-22 13:02:48 UTC
Switching to ASSIGNED based on SELinux denials attached in comment#30.

Comment 42 Tony Asleson 2017-06-26 16:33:53 UTC
Created attachment 1292019
Raw denials with btrfs mounted to /mnt/targetd_fs

Comment 49 errata-xmlrpc 2018-04-10 12:26:56 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0763

