Bug 300741 - RHEL 5 SELinux errors with iscsid during iSCSI target exception test
RHEL 5 SELinux errors with iscsid during iSCSI target exception test
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy (Show other bugs)
5.0
All Linux
low Severity medium
: ---
: ---
Assigned To: Daniel Walsh
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-09-21 12:26 EDT by khtan
Modified: 2007-11-30 17:07 EST (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-11-26 11:39:42 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
SELinux conf file (448 bytes, text/plain)
2007-09-21 12:26 EDT, khtan
no flags Details

  None (edit)
Description khtan 2007-09-21 12:26:17 EDT
Description of problem:
Unexpected SELinux error message during iSCSI target exception testing:

"
Aug 29 11:27:55 srv01 setroubleshoot:      SELinux is preventing iscsid
(iscsid_t) "read" access to meminfo (proc_t).      For complete SELinux
messages. run sealert -l 43cf1922-eedd-4526-ac77-cc41a920f67b
"

Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-30.el5
selinux-policy-targeted-2.4.6.30.el5

How reproducible:
Often

Steps to Reproduce:
Started with iSCSI system with 2 Bulldog controllers, and configured with two
iSCSI ssid connection "sessions:

1) Created 4 RAID0 disk groups

2) Assigned them to qty-2 iSidewinder controllers (Bulldog).  Assigned 2 groups
each to controller 0 and to controller 1.

3) Ran heavy IO (using command "iogen -n10 -b512k -d sdb" for instance to run
exerciser on virtual disk SDB.  Ran heavy IO using same command on all 4 virtual
disks.

4)Used Rossini to take controller 1 offline, then pulled controller 1 out of
slot in 
enclosure

5)Verified that I/O resumed on fail-over path and controller 1 marked offline.

6)Replaced controller into system put controller 1 back online via Rossini,
looked at recovery Guru, and "virtual disk not on preferred path" error
persisted even though both controllers were in system.

7) Looked at the "view/end iscsi sessions" entry under the iSCSI tab.  Though
originally there were two instances of connections (i.e. two unique SSIDs for 
connection, temporarily only one was evident.  Eventually, the second connection
showed back up in this view.

8) Showed to Rob, who looked for instances of missing connection in
/var/log/messages file (attached "messages" file)...which he noted evidence of
missing connection.
 
Actual results:


Expected results:


Additional info:
Is iscsid killed when you see the selinux errors and does the session evetually
come back?
I don't know whether iSCSId was killed when I had the selinux errors
(unfortunately didn't note the daemons at the time, and don't have this error on
the system anymore)...sorry I can't answer this now, I don't know.  The session
just seemed to come back on its own after awhile after disappearing

Could you also just tell me how you started the iscsi service?

I wrote a script to find the targets to start the issi service, but at that
time, I was manually going through and finding thepotential targets by first doing:

iscisadm --mode discovery --type sendtargets --portal 192.168.100.10
(which generates a list of potential targets)
then do

iscsiadm --mode node --targetname<target> --portal 192.168.103.10 --login 
iscsiadm --mode node --targetname<target> --portal 192.168.103.11--login
iscsiadm --mode node --targetname<target> --portal 192.168.104.12--login
iscsiadm --mode node --targetname<target> --portal 192.168.104.13--login
 
where <target> is list of potential targets from discovery command above
Comment 1 khtan 2007-09-21 12:26:17 EDT
Created attachment 202551 [details]
SELinux conf file
Comment 2 Daniel Walsh 2007-09-21 14:37:39 EDT
Please attach /var/log/audit/audit.log
Comment 3 Daniel Walsh 2007-09-21 14:52:55 EDT
Also could you put the machine in permissive mode and grab all of the iscsi
avc's when it starts.

Comment 4 RHEL Product and Program Management 2007-10-15 23:38:50 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 5 Daniel Walsh 2007-11-26 11:39:42 EST
Without further input there is nothing I can do to fix this problem.

Note You need to log in before you can comment on or make changes to this bug.