Policy for iscsi needs to allow a few more things:

    allow iscsid_t self:netlink_route_socket create;
    allow iscsid_t port_t:tcp_socket name_connect;
    allow iscsid_t var_lock_t:dir search;
    allow iscsid_t self:netlink_socket read;

I expect that writing to netlink sockets is probably also needed, but haven't hit that yet :-)
Can you send me a link to some good selinux docs? I think I have been stuck on some selinux iscsi policy bug. Do I need to write something about what files iscsid or /etc/init.d/iscsi accesses? If I run without selinux it works, but with selinux I get weird errors where the app cannot read files or access dirs.
Boot the machine with enforcing=0 and then collect the avc messages that are generated in /var/log/messages or /var/log/audit/audit.log. Attach them here and I will update the policy. You can look at http://fedoraproject.org/wiki/SELinux for lots of info on SELinux.

Jeremy, which port is iscsid trying to connect to?
(Adding jantill to the cc list since dwalsh is in New Orleans this week, IIRC)

The default port to connect to is 3260 -- conceivably, there could be others, but I think that falls into the category of "you need to tweak policy yourself".

More full and annotated set of things being needed when it's not 6 pm on Friday...

    allow iscsid_t self:capability dac_override;
        Hrmm, not sure what this is actually for.

    allow iscsid_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
    allow iscsid_t self:netlink_socket { read write };
        Tool<->kernel communication; definitely needed.

    allow iscsid_t self:unix_stream_socket connectto;
        Tool<->userspace daemon connection.

    allow iscsid_t port_t:tcp_socket name_connect;
        Connecting to remote iscsi target on port 3260.

    allow iscsid_t var_lib_t:dir search;
    allow iscsid_t var_lib_t:file { getattr read };
        Uses /var/lib/iscsi for lots of state storage.

    allow iscsid_t var_lock_t:dir { add_name remove_name search write };
    allow iscsid_t var_lock_t:file { create link unlink };
        Lockfile in /var/lock/iscsi.
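The workflow the thread follows (run permissive, collect AVC denials, turn them into allow rules, then review each one) is what audit2allow automates. The script below is an added illustration of that aggregation step, not code from the bug or from the iscsi or selinux-policy packages: it parses AVC lines in audit.log format, groups the denied permissions by source type, target type and object class, and prints one allow rule per group, writing `self` when source and target type coincide. The log lines are constructed samples that mirror the denials discussed above, not the reporter's actual logs. Treat the output as candidates for review rather than rules to merge as-is; a `dac_override` denial in particular usually points at a file ownership or mode problem worth fixing instead of allowing.

```python
import re
from collections import defaultdict

# Constructed sample AVC lines in /var/log/audit/audit.log format. They are
# NOT the reporter's log lines (none were attached to the bug); they model
# the kind of denials iscsid produces in permissive mode.
SAMPLE_AVCS = """\
type=AVC msg=audit(1160516800.001:10): avc:  denied  { name_connect } for  pid=2345 comm="iscsid" dest=3260 scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1160516800.002:11): avc:  denied  { search } for  pid=2345 comm="iscsid" name="lock" dev=dm-0 ino=1234 scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
type=AVC msg=audit(1160516800.003:12): avc:  denied  { write } for  pid=2345 comm="iscsid" name="lock" dev=dm-0 ino=1234 scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
type=AVC msg=audit(1160516800.004:13): avc:  denied  { read write } for  pid=2345 comm="iscsid" scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:system_r:iscsid_t:s0 tclass=netlink_socket
type=AVC msg=audit(1160516800.005:14): avc:  denied  { dac_override } for  pid=2345 comm="iscsid" capability=1 scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:system_r:iscsid_t:s0 tclass=capability
type=SYSCALL msg=audit(1160516800.005:14): arch=c000003e syscall=2 success=no exit=-13
"""

# Pull the denied permission set and the source/target contexts and class
# out of one AVC record. Non-AVC records (SYSCALL, PATH, ...) do not match.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Return the type field (third colon-separated component) of a context."""
    return ctx.split(":")[2]


def parse_avcs(text):
    """Collect denied permissions keyed by (source type, target type, class)."""
    denials = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        src = context_type(m.group("scontext"))
        tgt = context_type(m.group("tcontext"))
        # Policy language writes a same-type target as "self".
        key = (src, "self" if tgt == src else tgt, m.group("tclass"))
        denials[key].update(m.group("perms").split())
    return denials


def allow_rules(denials):
    """Render one allow rule per (source, target, class) tuple, sorted."""
    rules = []
    for (src, tgt, tclass), perms in sorted(denials.items()):
        perms = sorted(perms)
        perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {src} {tgt}:{tclass} {perm_str};")
    return rules


if __name__ == "__main__":
    for rule in allow_rules(parse_avcs(SAMPLE_AVCS)):
        print(rule)
```

Run against a real log with `parse_avcs(open("/var/log/audit/audit.log").read())`; the grouping is what lets the two separate `dir` denials on `var_lock_t` collapse into one `{ search write }` rule, as in the hand-written list above.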
Created attachment 138191 [details] Test fix for iscsi AVC issues I think this should do it. I'll upload srpms soon.
Created attachment 138193 [details] Better fix for iscsi selinux policy Better fix (actually compiles now :). RPMS are at: http://people.redhat.com/jantill/sel-policy
1:selinux-policy-targeted########################################### [100%]
audit(1160516835.092:34): policy loaded auid=4294967295
libsepol.context_from_record: type iscsi_var_lock_t is not defined
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert system_u:object_r:iscsi_var_lock_t:s0 to sid
/etc/selinux/targeted/contexts/files/file_contexts: line 714 has invalid context system_u:object_r:iscsi_var_lock_t:s0
libsemanage.semanage_install_active: setfiles returned error code 1.
audit(1160516839.316:35): policy loaded auid=4294967295
semodule: Failed!
Created attachment 138200 [details] iscsi fix with correct .fc types. Damn. I forgot to change that to iscsi_lock_t for the .fc file.
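The failure above is a type declared under one name in the module's .te file and referenced under another in its .fc file; libsepol only notices when semodule installs the module. The check below is an added example, not code from the bug or from the policy packages: it extracts `type ...;` declarations from a .te fragment and the type component of every `gen_context(...)` in a .fc fragment, and reports any .fc type the .te never declares. The two fragments are constructed to reproduce the mismatch (`iscsi_lock_t` declared, `iscsi_var_lock_t` labelled) and are not the contents of the attachments. Types that a .fc legitimately borrows from base policy would also be reported, so the result is a list to inspect, not a hard error.

```python
import re

# Constructed .te / .fc fragments modelled on the reported mismatch; they are
# hypothetical and not the real attachment contents.
SAMPLE_TE = """\
policy_module(iscsi, 1.0.0)
type iscsid_t;
type iscsid_exec_t;
type iscsi_lock_t;
files_lock_file(iscsi_lock_t)
"""

SAMPLE_FC = """\
/sbin/iscsid            --  gen_context(system_u:object_r:iscsid_exec_t,s0)
/var/lock/iscsi(/.*)?       gen_context(system_u:object_r:iscsi_var_lock_t,s0)
"""

# "type foo_t;" and "type foo_t, attr1, attr2;" both declare foo_t.
TYPE_DECL_RE = re.compile(r"^\s*type\s+(\w+)\s*[;,]", re.M)
# The type is the third field of the context inside gen_context(...).
FC_TYPE_RE = re.compile(r"gen_context\(\s*\w+:\w+:(\w+)\s*[,:]")


def declared_types(te_text):
    """Set of types this .te declares itself."""
    return set(TYPE_DECL_RE.findall(te_text))


def referenced_types(fc_text):
    """Set of types the .fc labels files with."""
    return set(FC_TYPE_RE.findall(fc_text))


def undefined_fc_types(te_text, fc_text):
    """Sorted list of .fc types with no matching declaration in the .te.

    Types supplied by other modules show up here too, so review the list
    rather than treating any entry as an automatic error.
    """
    return sorted(referenced_types(fc_text) - declared_types(te_text))


if __name__ == "__main__":
    for t in undefined_fc_types(SAMPLE_TE, SAMPLE_FC):
        print(f"{t}: used in .fc but not declared in .te")
```

Running this before `make` or `semodule -i` on a module catches exactly the `iscsi_var_lock_t is not defined` case without having to install and then roll back a broken policy.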
Still missing these two... let's get them in and build into dist-fc6-HEAD:

    allow iscsid_t self:capability dac_override;
    allow iscsid_t port_t:tcp_socket name_connect;
Built and tested. Looks good, thanks!