205332 – iscsi tools need selinux policy

Bug 205332 - iscsi tools need selinux policy

Summary: iscsi tools need selinux policy

Keywords:
Status:	CLOSED RAWHIDE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	iscsi-initiator-utils
Sub Component:
Version:	rawhide
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	high
Target Milestone:	---
Assignee:	Mike Christie
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	FC6Blocker
TreeView+	depends on / blocked

Reported:	2006-09-06 04:06 UTC by Jeremy Katz
Modified:	2012-06-26 16:08 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2006-10-09 20:57:37 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
Initial policy for iscsi (6.92 KB, application/x-compressed-tar) 2006-09-25 18:50 UTC, Daniel Walsh	no flags	Details
View All

Description Jeremy Katz 2006-09-06 04:06:56 UTC

We need to have some basic amount of SELinux policy around the iscsi tools so
that the tools get transitioned into domains that can connect to the sockets,
read the config files, etc when invoked by mkinitrd with root on iscsi.

At this point, probably not going to happen for test3, but we should try to get
it in right after

Comment 1 Daniel Walsh 2006-09-25 18:50:53 UTC

Created attachment 137080 [details]
Initial policy for iscsi

If you untar this tgz and execute the following commands you can install the
policy

tar zxvf /tmp/iscsi.tgz
semodule -i iscsid.pp
restorecon /sbin/iscsid /var/run/iscsid.pid 
setenforce 0
service iscsi restart

BTW iscsid.pid should be in /var/run not /etc/iscsi  Please change.
Run your tests.  Collect avcs and send them to me.

Comment 2 Jeremy Katz 2006-09-27 17:24:49 UTC

This is in now -- I'll try to do some testing with it to see where the holes are
later

Note You need to log in before you can comment on or make changes to this bug.