Description of problem:
A recent (Apr 15) update on Fedora 30 broke cockpit's tests for iscsi libvirt storage pools. We are trying to create a libvirt iSCSI pool, but it fails with iSCSI driver not found because SELinux is blocking loading of iscsi_tcp module.

Version-Release number of selected component (if applicable):
kernel-5.0.7-300.fc30.x86_64
selinux-policy-3.14.3-29.fc30.noarch
iscsi-initiator-utils-6.2.0.876-8.gitf3c8e90.fc30.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Prepare the iSCSI target

targetcli /backstores/ramdisk create test 50M
targetcli /iscsi create iqn.2019-09.cockpit.lan
targetcli /iscsi/iqn.2019-09.cockpit.lan/tpg1/luns create /backstores/ramdisk/test
targetcli /iscsi/iqn.2019-09.cockpit.lan/tpg1/acls create $MY_INITIATOR_NAME

Where MY_INITIATOR_NAME can be fetched with the following command

sed </etc/iscsi/initiatorname.iscsi -e 's/^.*=//'

2. Create a libvirt iscsi pool with the following XML,

virsh pool-define path-to-xml-file

<pool type='iscsi'>
  <name>my_iscsi_pool</name>
  <uuid>80bf2c9b-c7bc-4c6c-a0ef-3a40fe0ad565</uuid>
  <capacity unit='bytes'>52428800</capacity>
  <allocation unit='bytes'>52428800</allocation>
  <available unit='bytes'>0</available>
  <source>
    <host name='127.0.0.1' port='3260'/>
    <device path='iqn.2019-09.cockpit.lan'/>
  </source>
  <target>
    <path>/dev/disk/by-path</path>
  </target>
</pool>

3. Try to start the storage pool with

virsh pool-start my_iscsi_pool

Actual results:
These are the logs from journal:

Apr 16 03:11:28 localhost.localdomain systemd[1]: Starting Open-iSCSI...
Apr 16 03:11:28 localhost.localdomain iscsid[13280]: iSCSI logger with pid=13281 started!
Apr 16 03:11:28 localhost.localdomain systemd[1]: iscsid.service: Failed to parse PID from file /run/iscsid.pid: Invalid argument
Apr 16 03:11:28 localhost.localdomain iscsid[13281]: iSCSI daemon with pid=13282 started!
Apr 16 03:11:28 localhost.localdomain kernel: Loading iSCSI transport class v2.0-870.
Apr 16 03:11:28 localhost.localdomain audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=iscsid comm="systemd" ex>
Apr 16 03:11:28 localhost.localdomain systemd[1]: Started Open-iSCSI.
Apr 16 03:11:28 localhost.localdomain kernel: audit: type=1130 audit(1555398688.952:496): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='u>
Apr 16 03:11:28 localhost.localdomain audit[13282]: AVC avc: denied { read } for pid=13282 comm="iscsid" name="modules.softdep" dev="dm-0" ino=8480266 scontext=system_u:>
Apr 16 03:11:28 localhost.localdomain kernel: audit: type=1400 audit(1555398688.971:497): avc: denied { read } for pid=13282 comm="iscsid" name="modules.softdep" dev="dm>
Apr 16 03:11:28 localhost.localdomain kernel: audit: type=1400 audit(1555398688.974:498): avc: denied { read } for pid=13282 comm="iscsid" name="modules.dep.bin" dev="dm>
Apr 16 03:11:28 localhost.localdomain audit[13282]: AVC avc: denied { read } for pid=13282 comm="iscsid" name="modules.dep.bin" dev="dm-0" ino=8668433 scontext=system_u:>
Apr 16 03:11:28 localhost.localdomain libvirtd[1975]: internal error: Child process (iscsiadm --mode node --portal 127.0.0.1:3260,1 --targetname iqn.2019-09.cockpit.lan --l>
    iscsiadm: initiator reported error (12 - iSCSI driver not found. Please make sure it is loaded, and retry the operatio>
    iscsiadm: Could not log into all portals
Apr 16 03:11:28 localhost.localdomain audit[13282]: AVC avc: denied { read } for pid=13282 comm="iscsid" name="modules.builtin.bin" dev="dm-0" ino=8480269 scontext=syste>
Apr 16 03:11:28 localhost.localdomain kernel: audit: type=1400 audit(1555398688.974:499): avc: denied { read } for pid=13282 comm="iscsid" name="modules.builtin.bin" dev>
Apr 16 03:11:28 localhost.localdomain kernel: audit: type=1400 audit(1555398688.974:500): avc: denied { read } for pid=13282 comm="iscsid" name="modules.dep.bin" dev="dm>
Apr 16 03:11:28 localhost.localdomain audit[13282]: AVC avc: denied { read } for pid=13282 comm="iscsid" name="modules.dep.bin" dev="dm-0" ino=8668433 scontext=system_u:>
Apr 16 03:11:28 localhost.localdomain kernel: audit: type=1400 audit(1555398688.974:501): avc: denied { read } for pid=13282 comm="iscsid" name="modules.dep.bin" dev="dm>
Apr 16 03:11:28 localhost.localdomain audit[13282]: AVC avc: denied { read } for pid=13282 comm="iscsid" name="modules.dep.bin" dev="dm-0" ino=8668433 scontext=system_u:>
Apr 16 03:11:29 localhost.localdomain iscsid[13281]: Could not insert module tcp. Kmod error -2

Expected results:
iscsi_tcp module should be allowed to be loaded by iscsid

Additional info:
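
Added example (not part of the original report and not selinux-policy code): a small triage script that reduces a journal excerpt like the one above to the distinct AVC denials per process, permission and file name. It assumes pager-truncated lines ending in ">", as in the report, so the cut-off scontext/tcontext/tclass fields are ignored rather than guessed; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Lines copied from the journal excerpt in the report above; the pager cut
# each one at the trailing ">", so the SELinux contexts are not available.
SAMPLE = '''\
Apr 16 03:11:28 localhost.localdomain audit[13282]: AVC avc: denied { read } for pid=13282 comm="iscsid" name="modules.softdep" dev="dm-0" ino=8480266 scontext=system_u:>
Apr 16 03:11:28 localhost.localdomain kernel: audit: type=1400 audit(1555398688.971:497): avc: denied { read } for pid=13282 comm="iscsid" name="modules.softdep" dev="dm>
Apr 16 03:11:28 localhost.localdomain kernel: audit: type=1400 audit(1555398688.974:498): avc: denied { read } for pid=13282 comm="iscsid" name="modules.dep.bin" dev="dm>
Apr 16 03:11:28 localhost.localdomain audit[13282]: AVC avc: denied { read } for pid=13282 comm="iscsid" name="modules.dep.bin" dev="dm-0" ino=8668433 scontext=system_u:>
Apr 16 03:11:28 localhost.localdomain audit[13282]: AVC avc: denied { read } for pid=13282 comm="iscsid" name="modules.builtin.bin" dev="dm-0" ino=8480269 scontext=syste>
Apr 16 03:11:28 localhost.localdomain kernel: audit: type=1400 audit(1555398688.974:499): avc: denied { read } for pid=13282 comm="iscsid" name="modules.builtin.bin" dev>
'''

AVC = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)')
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s"]+))')

def parse_avc(line):
    """Return (source, perms, fields) for an AVC denial line, else None."""
    m = AVC.search(line)
    if not m:
        return None
    perms, rest = m.group(1), m.group(2).rstrip()
    if rest.endswith(">"):
        # Truncated by the pager: the last token may be incomplete, drop it.
        parts = rest[:-1].rsplit(None, 1)
        rest = parts[0] if len(parts) == 2 else ""
    fields = {k: quoted or bare for k, quoted, bare in FIELD.findall(rest)}
    source = "kernel" if " kernel: audit:" in line else "audit"
    return source, perms, fields

def summarize(text):
    """Map (comm, perms, name) -> estimated number of distinct denials."""
    counts = defaultdict(lambda: {"audit": 0, "kernel": 0})
    for line in text.splitlines():
        parsed = parse_avc(line)
        if parsed:
            source, perms, f = parsed
            counts[(f.get("comm"), perms, f.get("name"))][source] += 1
    # In this excerpt each denial appears twice (audit[pid] record plus the
    # kernel echo), so take the larger per-source count, not the sum.
    return {key: max(c.values()) for key, c in counts.items()}

if __name__ == "__main__":
    for key, n in summarize(SAMPLE).items():
        print(n, *key)
```
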
commit ffe9e775edf5a68f80bbbde595a9eba4af156e8f (HEAD -> rawhide)
Author: Lukas Vrabec <lvrabec>
Date:   Thu Apr 18 13:44:19 2019 +0200

    Allow iscsid_t to read modules deps BZ(1700245)
selinux-policy-3.14.3-31.fc30 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-3055c546d6
selinux-policy-3.14.3-31.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-3055c546d6
selinux-policy-3.14.3-31.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.