Bug 1482382 - tgtd.service start failure and avc: denied { create } failure
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: powerpc
OS: Other
Priority: unspecified
Severity: medium
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
Blocks: PPCTracker
Reported: 2017-08-17 06:47 UTC by Michel Normand
Modified: 2018-01-14 10:11 UTC (History)
Last Closed: 2017-09-06 09:12:42 UTC


Attachments
audit.log (24.28 KB, text/plain)
2017-08-17 06:47 UTC, Michel Normand
journal.log (1.80 MB, text/x-vhdl)
2017-08-17 06:54 UTC, Michel Normand
Workaround for tgtd avc denial issue (139 bytes, text/plain)
2018-01-14 10:11 UTC, Stefan Midjich

Description Michel Normand 2017-08-17 06:47:34 UTC
Created attachment 1314546
audit.log

openQA test "support-server" is failing for Rawhide (FC27) for ppc64le arch

The reported failure message is not very helpful
===
$systemctl restart tgtd.service
Job for tgtd.service failed because the control process exited with error code.
See "systemctl status tgtd.service" and "journalctl -xe" for details
===

I do not know if the cause of the tgtd start failure is the captured avc error
as reported by grep output:
===
$grep -Hnr tgtd ./
Binary file ./var/log/journal/8c561ef33348404ca50122b47f1f4d79/system.journal matches
./var/log/audit/audit.log:137:type=AVC msg=audit(1502889862.910:213): avc:  denied  { create } for  pid=1168 comm="tgtd" name="tgtd" scontext=system_u:system_r:tgtd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=0
./var/log/audit/audit.log:138:type=SERVICE_START msg=audit(1502889867.916:214): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=tgtd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
===
$sudo journalctl -u tgtd --directory var/log/journal/8c561ef33348404ca50122b47f1f4d79/
-- Logs begin at Wed 2017-08-16 09:21:40 EDT, end at Wed 2017-08-16 09:24:49 EDT. --
Aug 16 09:24:22 support.domain.local systemd[1]: Starting tgtd iSCSI target daemon...
Aug 16 09:24:22 support.domain.local tgtd[1168]: (null): ipc_init(781) failed to open lock file for management IPC
Aug 16 09:24:22 support.domain.local systemd[1]: tgtd.service: Main process exited, code=exited, status=1/FAILURE
Aug 16 09:24:27 support.domain.local tgtadm[1170]: tgtadm: failed to send request hdr to tgt daemon, Transport endpoint is not connected
Aug 16 09:24:27 support.domain.local systemd[1]: tgtd.service: Control process exited, code=exited status=107
Aug 16 09:24:27 support.domain.local systemd[1]: Failed to start tgtd iSCSI target daemon.
Aug 16 09:24:27 support.domain.local systemd[1]: tgtd.service: Unit entered failed state.
Aug 16 09:24:27 support.domain.local systemd[1]: tgtd.service: Failed with result 'exit-code'.
===
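
Added example, not part of the original report: a Python sketch that parses the two audit.log records quoted above and checks whether an enforcing AVC denial for tgtd precedes the failed SERVICE_START of the same unit. The 30-second window and the matching of the AVC `comm` field against the systemd unit name are assumptions of this example.

```python
import re

# Constructed sample: the two audit.log records quoted in the report above.
SAMPLE = r'''type=AVC msg=audit(1502889862.910:213): avc:  denied  { create } for  pid=1168 comm="tgtd" name="tgtd" scontext=system_u:system_r:tgtd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=0
type=SERVICE_START msg=audit(1502889867.916:214): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=tgtd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
'''

HEADER = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
AVC = re.compile(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)$')
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_records(text):
    """Yield (type, epoch_seconds, serial, body) for each audit record line."""
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            yield m.group(1), float(m.group(2)), int(m.group(3)), m.group(4)

def parse_avc(body):
    """Return the fields of an AVC denial, or None if body is not a denial."""
    m = AVC.search(body)
    if not m:
        return None
    f = {k: v.strip('"') for k, v in KV.findall(m.group(2))}
    f["perms"] = m.group(1).split()
    # An SELinux context is user:role:type:level; the type is the third field.
    f["source_type"] = f["scontext"].split(":")[2]
    f["target_type"] = f["tcontext"].split(":")[2]
    return f

def correlate(text, window=30.0):
    """Pair enforcing denials with failed starts of the same unit within `window` seconds."""
    denials, hits = [], []
    for rtype, ts, _serial, body in parse_records(text):
        if rtype == "AVC":
            avc = parse_avc(body)
            if avc and avc.get("permissive") == "0":  # 0 = denial was enforced
                denials.append((ts, avc))
        elif rtype == "SERVICE_START" and "res=failed" in body:
            unit = re.search(r"unit=(\S+)", body)
            for dts, avc in denials:
                # Assumption: the daemon's comm equals the unit name (true for tgtd).
                if unit and avc["comm"] == unit.group(1) and 0 <= ts - dts <= window:
                    hits.append((unit.group(1), round(ts - dts, 3), avc))
    return hits
```

On the sample, `correlate(SAMPLE)` returns one pairing: `tgtd_t` was denied `create` on a `dir` named `tgtd` in a `var_run_t` location about five seconds before systemd recorded the failed start.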

Comment 1 Michel Normand 2017-08-17 06:54 UTC
Created attachment 1314548
journal.log

tgtd service from scsi-target-utils-1.0.70-2.fc26.ppc64le package.

Comment 2 Michel Normand 2017-09-06 09:12:42 UTC
No more failure with the last compose, 20170903.

Comment 3 Stefan Midjich 2018-01-14 10:11 UTC
Created attachment 1380941
Workaround for tgtd avc denial issue

I ran into this issue on F26 after patching and there seems to be no fix available from dnf.

So in case anyone else wants this resolved immediately, here is how I did it, with the help of grift in the #fedora IRC channel on the freenode network.

1. Download the file tgtd_bug1482382.cil
2. Run sudo semodule -i tgtd_bug1482382.cil
3. Restart tgtd service

