Description of problem:
* tgtd triggers SELinux denials when accessing infiniband devices

Version-Release number of selected component (if applicable):
selinux-policy-3.14.3-45.fc30.noarch
selinux-policy-targeted-3.14.3-45.fc30.noarch
iscsi-initiator-utils-6.2.0.876-8.gitf3c8e90.fc30.x86_64
scsi-target-utils-1.0.70-8.fc30.x86_64

How reproducible:
* always

Steps to Reproduce:
1. get a Fedora 30 machine (targeted policy is active) which has some infiniband devices attached
2. configure tgtd and iscsid so that they cooperate on 1 machine
3. # iscsiadm --mode node --portal <ip-address> --login
4. # iscsiadm --mode node --portal <ip-address> --logout

Actual results:
----
type=PROCTITLE msg=audit(09/20/2019 14:50:51.138:2547) : proctitle=/usr/sbin/tgtd -f
type=PATH msg=audit(09/20/2019 14:50:51.138:2547) : item=0 name=/dev/infiniband/uverbs0 inode=4591 dev=00:06 mode=character,666 ouid=root ogid=root rdev=e7:c0 obj=system_u:object_r:infiniband_device_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(09/20/2019 14:50:51.138:2547) : cwd=/
type=SYSCALL msg=audit(09/20/2019 14:50:51.138:2547) : arch=x86_64 syscall=stat success=no exit=EACCES(Permission denied) a0=0x2177500 a1=0x7fff410df3a0 a2=0x7fff410df3a0 a3=0x0 items=1 ppid=1 pid=41306 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=tgtd exe=/usr/sbin/tgtd subj=system_u:system_r:tgtd_t:s0 key=(null)
type=AVC msg=audit(09/20/2019 14:50:51.138:2547) : avc: denied { getattr } for pid=41306 comm=tgtd path=/dev/infiniband/uverbs0 dev="devtmpfs" ino=4591 scontext=system_u:system_r:tgtd_t:s0 tcontext=system_u:object_r:infiniband_device_t:s0 tclass=chr_file permissive=0
----
type=PROCTITLE msg=audit(09/20/2019 14:50:51.138:2548) : proctitle=/usr/sbin/tgtd -f
type=PATH msg=audit(09/20/2019 14:50:51.138:2548) : item=0 name=/dev/infiniband/uverbs1 inode=4592 dev=00:06 mode=character,666 ouid=root ogid=root rdev=e7:c1 obj=system_u:object_r:infiniband_device_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(09/20/2019 14:50:51.138:2548) : cwd=/
type=SYSCALL msg=audit(09/20/2019 14:50:51.138:2548) : arch=x86_64 syscall=stat success=no exit=EACCES(Permission denied) a0=0x2177500 a1=0x7fff410df3a0 a2=0x7fff410df3a0 a3=0x217f710 items=1 ppid=1 pid=41306 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=tgtd exe=/usr/sbin/tgtd subj=system_u:system_r:tgtd_t:s0 key=(null)
type=AVC msg=audit(09/20/2019 14:50:51.138:2548) : avc: denied { getattr } for pid=41306 comm=tgtd path=/dev/infiniband/uverbs1 dev="devtmpfs" ino=4592 scontext=system_u:system_r:tgtd_t:s0 tcontext=system_u:object_r:infiniband_device_t:s0 tclass=chr_file permissive=0
----

Expected results:
* no SELinux denials
Please, I need info about denials when you run SELinux in permissive mode. Thanks, Patrik
Unable to reproduce it. Patrik
Caught in enforcing mode:
----
type=PROCTITLE msg=audit(04/30/2021 07:15:43.862:259) : proctitle=/usr/sbin/tgtd -f
type=PATH msg=audit(04/30/2021 07:15:43.862:259) : item=0 name=/dev/infiniband/uverbs2 inode=500 dev=00:05 mode=character,666 ouid=root ogid=root rdev=e7:c2 obj=system_u:object_r:infiniband_device_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(04/30/2021 07:15:43.862:259) : cwd=/
type=SYSCALL msg=audit(04/30/2021 07:15:43.862:259) : arch=x86_64 syscall=newfstatat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0xf04c70 a2=0x7ffe74f19da0 a3=0x0 items=1 ppid=1 pid=42630 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=tgtd exe=/usr/sbin/tgtd subj=system_u:system_r:tgtd_t:s0 key=(null)
type=AVC msg=audit(04/30/2021 07:15:43.862:259) : avc: denied { getattr } for pid=42630 comm=tgtd path=/dev/infiniband/uverbs2 dev="devtmpfs" ino=500 scontext=system_u:system_r:tgtd_t:s0 tcontext=system_u:object_r:infiniband_device_t:s0 tclass=chr_file permissive=0
----

Caught in permissive mode:
----
type=PROCTITLE msg=audit(04/30/2021 07:17:17.892:272) : proctitle=/usr/sbin/tgtd -f
type=PATH msg=audit(04/30/2021 07:17:17.892:272) : item=0 name=/dev/infiniband/uverbs2 inode=500 dev=00:05 mode=character,666 ouid=root ogid=root rdev=e7:c2 obj=system_u:object_r:infiniband_device_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(04/30/2021 07:17:17.892:272) : cwd=/
type=SYSCALL msg=audit(04/30/2021 07:17:17.892:272) : arch=x86_64 syscall=newfstatat success=yes exit=0 a0=0xffffff9c a1=0x1afdb00 a2=0x7ffc1c274d80 a3=0x0 items=1 ppid=1 pid=57646 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=tgtd exe=/usr/sbin/tgtd subj=system_u:system_r:tgtd_t:s0 key=(null)
type=AVC msg=audit(04/30/2021 07:17:17.892:272) : avc: denied { getattr } for pid=57646 comm=tgtd path=/dev/infiniband/uverbs2 dev="devtmpfs" ino=500 scontext=system_u:system_r:tgtd_t:s0 tcontext=system_u:object_r:infiniband_device_t:s0 tclass=chr_file permissive=1
----
type=PROCTITLE msg=audit(04/30/2021 07:17:17.956:273) : proctitle=/usr/sbin/tgtd -f
type=PATH msg=audit(04/30/2021 07:17:17.956:273) : item=0 name=/dev/infiniband/rdma_cm inode=547 dev=00:05 mode=character,666 ouid=root ogid=root rdev=0a:7d obj=system_u:object_r:infiniband_device_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(04/30/2021 07:17:17.956:273) : cwd=/
type=SYSCALL msg=audit(04/30/2021 07:17:17.956:273) : arch=x86_64 syscall=openat success=yes exit=6 a0=0xffffff9c a1=0x1afee40 a2=O_RDWR|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=57646 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=tgtd exe=/usr/sbin/tgtd subj=system_u:system_r:tgtd_t:s0 key=(null)
type=AVC msg=audit(04/30/2021 07:17:17.956:273) : avc: denied { open } for pid=57646 comm=tgtd path=/dev/infiniband/rdma_cm dev="devtmpfs" ino=547 scontext=system_u:system_r:tgtd_t:s0 tcontext=system_u:object_r:infiniband_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(04/30/2021 07:17:17.956:273) : avc: denied { read write } for pid=57646 comm=tgtd name=rdma_cm dev="devtmpfs" ino=547 scontext=system_u:system_r:tgtd_t:s0 tcontext=system_u:object_r:infiniband_device_t:s0 tclass=chr_file permissive=1
----
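The two captures above illustrate why the maintainer asked for permissive-mode output: in enforcing mode the first denied getattr makes newfstatat fail with EACCES, so tgtd never reaches the later openat on /dev/infiniband/rdma_cm and the open/read/write denials are never logged. Running the same steps with SELinux permissive lets every access proceed and audits the full set of permissions the domain needs. The script below is an added example (not part of this bug report or of the Fedora selinux-policy project) that does the same grouping audit2allow performs: it parses `ausearch -i` style AVC records, unions the denied permissions per (source domain, target type, object class), and marks which permissions were only ever observed in permissive mode. The sample records are copied from the audit output in this report; the function names are my own.

```python
"""Group SELinux AVC denials into candidate allow rules, audit2allow-style.

Added example for this report, not project code. Input is the text of
`ausearch -i` records; several AVC records may share one line.
"""
import re
from collections import defaultdict

# One AVC record as printed by `ausearch -i`: the kernel's field order is
# "avc: denied { perms } for ... scontext=... tcontext=... tclass=... permissive=N".
AVC_RE = re.compile(
    r"type=AVC\b.*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\b.*?"
    r"\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+"
    r"tclass=(?P<tclass>\S+)\s+permissive=(?P<permissive>[01])"
)


def context_type(ctx):
    """Return the type field of a 'user:role:type[:range]' security context."""
    return ctx.split(":")[2]


def parse_avcs(text):
    """Yield one dict per AVC record found in text (other record types are ignored)."""
    for m in AVC_RE.finditer(text):
        yield {
            "perms": frozenset(m.group("perms").split()),
            "sdomain": context_type(m.group("scontext")),
            "ttype": context_type(m.group("tcontext")),
            "tclass": m.group("tclass"),
            "permissive": m.group("permissive") == "1",
        }


def summarise(events):
    """Union denied permissions per (source domain, target type, class).

    'enforcing_perms' keeps the subset that was seen with permissive=0, so the
    caller can tell which denials would only surface after the first one is fixed.
    """
    summary = defaultdict(lambda: {"perms": set(), "enforcing_perms": set()})
    for event in events:
        for d in parse_avcs(event):
            key = (d["sdomain"], d["ttype"], d["tclass"])
            summary[key]["perms"] |= d["perms"]
            if not d["permissive"]:
                summary[key]["enforcing_perms"] |= d["perms"]
    return dict(summary)


def allow_rules(summary):
    """Render each group as a TE allow rule, the way audit2allow prints it."""
    rules = []
    for (sdomain, ttype, tclass), info in sorted(summary.items()):
        perms = " ".join(sorted(info["perms"]))
        rules.append(f"allow {sdomain} {ttype}:{tclass} {{ {perms} }};")
    return rules


def permissive_only(summary):
    """Permissions per group that never appeared in an enforcing-mode denial."""
    return {key: info["perms"] - info["enforcing_perms"]
            for key, info in summary.items()}


# Sample events copied from the audit output in this report (AVC records only).
SAMPLE_EVENTS = [
    # enforcing mode: newfstatat fails, so only getattr is ever denied
    'type=AVC msg=audit(04/30/2021 07:15:43.862:259) : avc: denied { getattr } for pid=42630 comm=tgtd path=/dev/infiniband/uverbs2 dev="devtmpfs" ino=500 scontext=system_u:system_r:tgtd_t:s0 tcontext=system_u:object_r:infiniband_device_t:s0 tclass=chr_file permissive=0',
    # permissive mode: the calls proceed, so the later open/read/write denials appear too
    'type=AVC msg=audit(04/30/2021 07:17:17.892:272) : avc: denied { getattr } for pid=57646 comm=tgtd path=/dev/infiniband/uverbs2 dev="devtmpfs" ino=500 scontext=system_u:system_r:tgtd_t:s0 tcontext=system_u:object_r:infiniband_device_t:s0 tclass=chr_file permissive=1',
    'type=AVC msg=audit(04/30/2021 07:17:17.956:273) : avc: denied { open } for pid=57646 comm=tgtd path=/dev/infiniband/rdma_cm dev="devtmpfs" ino=547 scontext=system_u:system_r:tgtd_t:s0 tcontext=system_u:object_r:infiniband_device_t:s0 tclass=chr_file permissive=1 type=AVC msg=audit(04/30/2021 07:17:17.956:273) : avc: denied { read write } for pid=57646 comm=tgtd name=rdma_cm dev="devtmpfs" ino=547 scontext=system_u:system_r:tgtd_t:s0 tcontext=system_u:object_r:infiniband_device_t:s0 tclass=chr_file permissive=1',
]

if __name__ == "__main__":
    s = summarise(SAMPLE_EVENTS)
    for rule in allow_rules(s):
        print(rule)
    for key, perms in permissive_only(s).items():
        print(f"# {key}: only seen in permissive mode: {sorted(perms)}")
```

On the report's records this yields a single rule, `allow tgtd_t infiniband_device_t:chr_file { getattr open read write };`, with open, read and write flagged as seen only in permissive mode. A raw rule like that belongs in a temporary local module at most; the distribution fix is the policy change in the linked PR, which grants the access through the policy's own device interfaces rather than a hand-written allow.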
I've submitted a Fedora PR to address the issue: https://github.com/fedora-selinux/selinux-policy/pull/737
FEDORA-2021-ec18a84d86 has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2021-ec18a84d86
FEDORA-2021-ec18a84d86 has been pushed to the Fedora 34 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-ec18a84d86` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-ec18a84d86 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2021-ec18a84d86 has been pushed to the Fedora 34 stable repository. If problem still persists, please make note of it in this bug report.