Description of problem:

The iscsi tools were updated for 5.2, and need a selinux update to go with it. The iscsi tools need access to setrlimit, but the selinux policy is not set up for this so you get this:

Feb 17 16:50:34 meanminna setroubleshoot: SELinux is preventing /sbin/iscsid (iscsid_t) "setrlimit" access to <Unknown> (iscsid_t). For complete SELinux messages. run sealert -l fbdf62e8-a4d0-461e-b4ef-1ad32c7a1cf4

And running sealert gives this:

[root@meanminna ~]# sealert -l fbdf62e8-a4d0-461e-b4ef-1ad32c7a1cf4

Summary

SELinux is preventing /sbin/iscsid (iscsid_t) "setrlimit" access to <Unknown> (iscsid_t).

Detailed Description

SELinux denied access requested by /sbin/iscsid. It is not expected that this access is required by /sbin/iscsid and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Allowing Access

Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for <Unknown>, restorecon -v <Unknown>. There is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 - or you can disable SELinux protection entirely for the application. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package. Changing the "iscsid_disable_trans" boolean to true will disable SELinux protection this application: "setsebool -P iscsid_disable_trans=1."

The following command will allow this access:

setsebool -P iscsid_disable_trans=1

Additional Information

Source Context:        root:system_r:iscsid_t
Target Context:        root:system_r:iscsid_t
Target Objects:        None [ process ]
Affected RPM Packages: iscsi-initiator-utils-6.2.0.868-0.3 [application]
Policy RPM:            selinux-policy-2.4.6-104.el5
Selinux Enabled:       True
Policy Type:           targeted
MLS Enabled:           True
Enforcing Mode:        Permissive
Plugin Name:           plugins.disable_trans
Host Name:             meanminna
Platform:              Linux meanminna 2.6.18-53.el5PAE #1 SMP Wed Oct 10 16:48:18 EDT 2007 i686 athlon
Alert Count:           1
Line Numbers:

Raw Audit Messages

avc: denied { setrlimit } for comm="iscsid" egid=0 euid=0 exe="/sbin/iscsid" exit=0 fsgid=0 fsuid=0 gid=0 items=0 pid=3895 scontext=root:system_r:iscsid_t:s0 sgid=0 subj=root:system_r:iscsid_t:s0 suid=0 tclass=process tcontext=root:system_r:iscsid_t:s0 tty=(none) uid=0

I marked this down as a high, because it is a regression from 5.1.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
This is already fixed in the U2 policy selinux-policy-2.4.6-121.el5
(In reply to comment #3)
> This is already fixed in the U2 policy
>
> selinux-policy-2.4.6-121.el5

This works for me. Thanks. Should I just close this bug since it was already fixed?
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2008-0465.html
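
The sealert text in the description offers two routes: a local policy module, or the iscsid_disable_trans boolean that removes confinement for the whole domain. As an added example (not part of the original report or of any Red Hat tooling), the sketch below parses the raw audit message from the description and emits the narrowest type-enforcement module that covers it; the module name local_iscsid and the function names are assumptions.

```python
import re

# Raw audit message copied from the bug description above.
SAMPLE_AVC = (
    'avc: denied { setrlimit } for comm="iscsid" egid=0 euid=0 exe="/sbin/iscsid" '
    'exit=0 fsgid=0 fsuid=0 gid=0 items=0 pid=3895 scontext=root:system_r:iscsid_t:s0 '
    'sgid=0 subj=root:system_r:iscsid_t:s0 suid=0 tclass=process '
    'tcontext=root:system_r:iscsid_t:s0 tty=(none) uid=0'
)

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return perms, source type, target type and class from one AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC denial")
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    for key in ("scontext", "tcontext", "tclass"):
        if key not in fields:
            raise ValueError("missing %s" % key)
    # A context is user:role:type[:level]; the type is the third component.
    return {
        "perms": sorted(m.group("perms").split()),
        "source": fields["scontext"].split(":")[2],
        "target": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
    }


def te_module(name, denials):
    """Emit a minimal type-enforcement module covering only the parsed denials."""
    types = sorted({d["source"] for d in denials} | {d["target"] for d in denials})
    classes, rules = {}, set()
    for d in denials:
        classes.setdefault(d["tclass"], set()).update(d["perms"])
        # Same source and target type is written as "self" in policy source.
        target = "self" if d["source"] == d["target"] else d["target"]
        perms = d["perms"][0] if len(d["perms"]) == 1 else "{ %s }" % " ".join(d["perms"])
        rules.add("allow %s %s:%s %s;" % (d["source"], target, d["tclass"], perms))
    out = ["module %s 1.0;" % name, "", "require {"]
    out += ["\ttype %s;" % t for t in types]
    out += ["\tclass %s { %s };" % (c, " ".join(sorted(p))) for c, p in sorted(classes.items())]
    out += ["}", ""] + sorted(rules)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(te_module("local_iscsid", [parse_avc(SAMPLE_AVC)]))
```

The printed module contains a single rule, allow iscsid_t self:process setrlimit;, which can be built and loaded with checkmodule, semodule_package and semodule. It is a stopgap for hosts that cannot yet take the updated policy package named in the thread.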