Bug 209854 - selinux policy tweaks for iscsi
Product: Fedora
Classification: Fedora
Component: selinux-policy
All Linux
Priority: medium, Severity: medium
Assigned To: Daniel Walsh
Ben Levenson
Blocks: FC6Blocker
Reported: 2006-10-06 18:28 EDT by Jeremy Katz
Modified: 2007-11-30 17:11 EST (History)

Doc Type: Bug Fix
Last Closed: 2006-10-12 12:02:29 EDT

Attachments
Test fix for iscsi AVC issues (3.07 KB, patch)
2006-10-10 16:32 EDT, James Antill
Better fix for iscsi selinux policy (2.91 KB, patch)
2006-10-10 16:48 EDT, James Antill
iscsi fix with correct .fc types . (2.97 KB, patch)
2006-10-10 18:19 EDT, James Antill

Description Jeremy Katz 2006-10-06 18:28:06 EDT
Policy for iscsi needs to allow a few more things --
allow iscsid_t self:netlink_route_socket create;
allow iscsid_t port_t:tcp_socket name_connect;
allow iscsid_t var_lock_t:dir search;
allow iscsid_t self:netlink_socket read;

I expect that writing to netlink sockets is probably also needed, but haven't
hit that yet :-)
Comment 1 Mike Christie 2006-10-06 18:43:54 EDT
Can you send me a link to some good selinux docs?

I think I have been stuck on some selinux iscsi policy bug. Do I need to write
something about what files iscsid or /etc/init.d/iscsi accesses? If I run
without selinux it works, but with selinux I get weird errors where the app cannot
read files or access dirs.
Comment 2 Daniel Walsh 2006-10-07 06:37:48 EDT
Boot the machine with enforcing=0 and then collect the avc messages that are
generated in /var/log/messages or /var/log/audit/audit.log.

Attach them here and I will update the policy.  You can look at
for lots of info on SELinux

Jeremy which port is iscsid trying to connect to?

Comment 3 Jeremy Katz 2006-10-09 10:46:06 EDT
(Adding jantill to the cc list since dwalsh is in New Orleans this week, IIRC)

The default port to connect to is 3260 -- conceivably, there could be others but
I think that falls into the category of "you need to tweak policy yourself" 

A fuller, annotated set of things needed, now that it's not 6 pm on Friday...

allow iscsid_t self:capability dac_override;
  Hrmm, not sure what this is actually for

allow iscsid_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
allow iscsid_t self:netlink_socket { read write };
  Tool<->kernel communication; definitely needed

allow iscsid_t self:unix_stream_socket connectto;
  Tool<->userspace daemon connection

allow iscsid_t port_t:tcp_socket name_connect;
  Connecting to remote iscsi target on port 3260

allow iscsid_t var_lib_t:dir search;
allow iscsid_t var_lib_t:file { getattr read };
  Uses /var/lib/iscsi for lots of state storage

allow iscsid_t var_lock_t:dir { add_name remove_name search write };
allow iscsid_t var_lock_t:file { create link unlink };
  Lockfile in /var/lock/iscsi.
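The procedure Dan gives in comment 2 (run with enforcing=0, collect the AVC denials) is what produces allow rules of the form Jeremy lists above. The following is an added example, not code from this bug or from the selinux-policy package: it turns constructed audit.log denial lines into allow rules the way audit2allow does, merging permissions per (source type, target type, class) and using `self` when source and target types match. The sample log lines, pids and inode numbers are made up.

```python
import re
from collections import defaultdict

# Constructed sample audit.log lines modelled on the iscsid denials in this bug
# (not real captured data; pids, dev and ino values are invented).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1160516835.092:34): avc:  denied  { name_connect } for  pid=2132 comm="iscsid" dest=3260 scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1160516835.093:35): avc:  denied  { search } for  pid=2132 comm="iscsid" name="lock" dev=dm-0 ino=12345 scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
type=AVC msg=audit(1160516835.094:36): avc:  denied  { write add_name } for  pid=2132 comm="iscsid" name="lock" dev=dm-0 ino=12345 scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
type=AVC msg=audit(1160516835.095:37): avc:  denied  { create } for  pid=2132 comm="iscsid" scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:system_r:iscsid_t:s0 tclass=netlink_route_socket
type=SYSCALL msg=audit(1160516835.095:37): arch=c000003e syscall=41 success=no exit=-13
"""

# Pull the denied permission set and the two security contexts out of an AVC record.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def context_type(ctx):
    """user:role:type[:level] -> the type field, which is what policy rules name."""
    return ctx.split(":")[2]

def parse_denials(log_text):
    """Return {(source_type, target_type, tclass): set(perms)} for every AVC denial."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other record types carry no denial themselves
        key = (context_type(m["scon"]), context_type(m["tcon"]), m["tclass"])
        denials[key].update(m["perms"].split())
    return denials

def allow_rules(denials):
    """Render one allow rule per (source, target, class); 'self' when the types match."""
    rules = []
    for (src, tgt, cls), perms in sorted(denials.items()):
        target = "self" if src == tgt else tgt
        perms = sorted(perms)
        perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {src} {target}:{cls} {perm_str};")
    return rules

if __name__ == "__main__":
    for rule in allow_rules(parse_denials(SAMPLE_AUDIT_LOG)):
        print(rule)
```

Each generated rule should still be read against what the daemon actually does before it goes into policy; the `dac_override` rule Jeremy was unsure about is the usual case where a denial points at a permission the program does not really need.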
Comment 4 James Antill 2006-10-10 16:32:59 EDT
Created attachment 138191 [details]
Test fix for iscsi AVC issues

 I think this should do it. I'll upload srpms soon.
Comment 5 James Antill 2006-10-10 16:48:45 EDT
Created attachment 138193 [details]
Better fix for iscsi selinux policy

 Better fix (actually compiles now :).
 RPMS are at:

Comment 6 Jeremy Katz 2006-10-10 17:49:37 EDT
1:selinux-policy-targeted########################################### [100%]
audit(1160516835.092:34): policy loaded auid=4294967295
libsepol.context_from_record: type iscsi_var_lock_t is not defined
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert
system_u:object_r:iscsi_var_lock_t:s0 to sid
/etc/selinux/targeted/contexts/files/file_contexts:  line 714 has invalid
context system_u:object_r:iscsi_var_lock_t:s0
libsemanage.semanage_install_active: setfiles returned error code 1.
audit(1160516839.316:35): policy loaded auid=4294967295
semodule:  Failed!
Comment 7 James Antill 2006-10-10 18:19:19 EDT
Created attachment 138200 [details]
iscsi fix with correct .fc types .

 Damn. I forgot to change that to iscsi_lock_t for the .fc file.
Comment 8 Jeremy Katz 2006-10-11 11:51:09 EDT
Still missing these two... let's get them in and build into dist-fc6-HEAD

allow iscsid_t self:capability dac_override;
allow iscsid_t port_t:tcp_socket name_connect;

Comment 9 Jeremy Katz 2006-10-12 12:02:29 EDT
Built and tested. Looks good, thanks!
