Bug 1706490 - SELinux is preventing iscsid from 'map' accesses
Summary: SELinux is preventing iscsid from 'map' accesses
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 30
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On: 1705044
Blocks:
 
Reported: 2019-05-05 04:56 UTC by Matej Marušák
Modified: 2019-05-21 01:09 UTC

Fixed In Version: selinux-policy-3.14.3-37.fc30
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1705044
Environment:
Last Closed: 2019-05-21 01:09:24 UTC
Type: ---
Embargoed:


Description Matej Marušák 2019-05-05 04:56:49 UTC
Description of problem:
SELinux is preventing iscsid from 'map' accesses on Fedora 30; the following audit message appears:

audit: type=1400 audit(1556941643.614:482): avc:  denied  { map } for  pid=7545 comm="iscsid" path="/usr/lib/modules/5.0.10-300.fc30.x86_64/modules.dep.bin" dev="dm-0" ino=12735 scontext=system_u:system_r:iscsid_t:s0 tcontext=unconfined_u:object_r:modules_dep_t:s0 tclass=file permissive=0

I created the same bug a few days ago for rhel-8-1; see #1705044.
This is a regression, since the same issue has been reported for F28 in #1553759.

Version-Release number of selected component (if applicable):
selinux-policy-3.14.3-32.fc30.noarch
iscsi-initiator-utils-6.2.0.876-8.gitf3c8e90.fc30.x86_64

Comment 1 Zdenek Pytela 2019-05-06 08:12:52 UTC
The permission is in the current policy; it is not in F30 yet, but should be there as well in the next build:

rawhide# sesearch -A -s iscsid_t -t modules_dep_t -c file -p map
allow domain file_type:file map; [ domain_can_mmap_files ]:True
allow iscsid_t modules_dep_t:file { getattr ioctl lock map open read };

f30# sesearch -A -s iscsid_t -t modules_dep_t -c file -p map
allow domain file_type:file map; [ domain_can_mmap_files ]:True

It is correct in F28/29 where a different file context is used:
f28# sesearch -A -s iscsid_t -t modules_object_t -c file -p map
allow domain file_type:file map; [ domain_can_mmap_files ]:True
allow iscsid_t modules_object_t:file { getattr ioctl lock map open read };

commit e33aa41687d9585e96fb87ac73168055ab4b8b8f
Author: Lukas Vrabec <lvrabec>
Date:   Thu May 2 12:56:50 2019 +0200

    Allow iscsid_t domain to mmap modules_dep_t files
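
The following is an added example, not part of this bug report or of selinux-policy: it derives the `sesearch` query from comment 1 out of the AVC record in the description, then tells an unconditional allow rule apart from one that carries a `[ boolean ]:True` suffix and therefore applies only while that boolean is in the stated state. The function names `parse_avc`, `sesearch_cmd` and `classify` are hypothetical, and the inputs are copied from the text above.

```python
import re

# Constructed sample input: the AVC record and sesearch output quoted in this bug.
AVC = ('audit: type=1400 audit(1556941643.614:482): avc:  denied  { map } for  '
       'pid=7545 comm="iscsid" '
       'path="/usr/lib/modules/5.0.10-300.fc30.x86_64/modules.dep.bin" '
       'dev="dm-0" ino=12735 scontext=system_u:system_r:iscsid_t:s0 '
       'tcontext=unconfined_u:object_r:modules_dep_t:s0 tclass=file permissive=0')
F30 = "allow domain file_type:file map; [ domain_can_mmap_files ]:True\n"
RAWHIDE = F30 + ("allow iscsid_t modules_dep_t:file "
                 "{ getattr ioctl lock map open read };\n")

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s.*?"
                    r"scontext=(\S+) tcontext=(\S+) tclass=(\S+)")
RULE_RE = re.compile(r"^allow \S+ [^:\s]+:\S+ (?:\{([^}]*)\}|(\S+));"
                     r"(?: \[ (.+?) \]:(True|False))?$")

def parse_avc(line):
    """Extract the fields of an AVC denial that sesearch needs."""
    m = AVC_RE.search(line)
    if m is None:
        raise ValueError("not an AVC denial record")
    perms, scontext, tcontext, tclass = m.groups()
    # A context is user:role:type:level; policy rules are written on the type.
    return {"source": scontext.split(":")[2], "target": tcontext.split(":")[2],
            "tclass": tclass, "perms": perms.split()}

def sesearch_cmd(avc):
    """Build the allow-rule query used in comment 1 for this denial."""
    return "sesearch -A -s {source} -t {target} -c {tclass} -p ".format(**avc) \
        + ",".join(avc["perms"])

def classify(sesearch_output, perm):
    """Return 'unconditional', 'conditional:<boolean>=<branch>' or 'none'."""
    conditions = []
    for line in sesearch_output.splitlines():
        m = RULE_RE.match(line.strip())
        if m is None:
            continue
        if perm not in (m.group(1) or m.group(2)).split():
            continue
        if m.group(3) is None:
            return "unconditional"  # rule applies regardless of booleans
        conditions.append(f"{m.group(3)}={m.group(4)}")
    return "conditional:" + ",".join(conditions) if conditions else "none"

if __name__ == "__main__":
    avc = parse_avc(AVC)
    print(sesearch_cmd(avc))
    for name, out in (("f30", F30), ("rawhide", RAWHIDE)):
        print(name, classify(out, avc["perms"][0]))
```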

Comment 2 Fedora Update System 2019-05-18 11:03:19 UTC
selinux-policy-3.14.3-37.fc30 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-40c077f70d

Comment 3 Fedora Update System 2019-05-19 00:50:51 UTC
selinux-policy-3.14.3-37.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-40c077f70d

Comment 4 Fedora Update System 2019-05-21 01:09:24 UTC
selinux-policy-3.14.3-37.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.
