Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
For bugs related to Red Hat Enterprise Linux 5 product line. The current stable release is 5.10. For Red Hat Enterprise Linux 6 and above, please visit Red Hat JIRA https://issues.redhat.com/secure/CreateIssue!default.jspa?pid=12332745 to report new issues.

Bug 460398

Summary: iscsid needs additional SELinux allow rule for interface binding
Product: Red Hat Enterprise Linux 5 Reporter: Sean E. Millichamp <sean>
Component: selinux-policy-targetedAssignee: Daniel Walsh <dwalsh>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: 5.2CC: dwalsh, mkoci, mmalik, vvaldez
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-01-20 21:30:30 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Sean E. Millichamp 2008-08-28 03:08:50 UTC
Description of problem:

iscsiadm, by default, does no specific interface selection.  However, if you ask it to bind to a specific interface (which is needed in certain use cases) it generates an SELinux violation.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.4.6-137.1.el5
(also present in Fedora 9's selinux-policy-targeted-3.3.1-84.fc9.noarch)

How reproducible:
Every time.

Steps to Reproduce:
1. Start with a fresh install of iscsi-initiator-utils, SELinux with targetted policy in enforcing mode.
2. iscsiadm -m iface -I iscsi0 -o new
3. iscsiadm -m iface -I iscsi0 -o update -n iface.net_ifacename -v eth0
4. iscsiadm -m discovery -t sendtargets -p my.iscsi.san.ip
5. iscsiadm -m node -I iscsi0 -L all
  
Actual results:
# iscsiadm -m node -I iscsi0 -L all
Logging in to [iface: iscsi0, target: iqn.XXXXXX, portal: 10.x.x.x,3260]
iscsiadm: Could not login to [iface: iscsi0, target: iqn.XXXXXX, portal: 10.x.x.x,3260]: 
iscsiadm: initiator reported error (4 - encountered connection failure)
iscsiadm: Could not log into all portals. Err 4.

# tail -n1 /var/log/audit/audit.log
type=AVC msg=audit(1219866721.966:27): avc:  denied  { net_raw } for  pid=1576 c
omm="iscsid" capability=13 scontext=system_u:system_r:iscsid_t:s0 tcontext=syste
m_u:system_r:iscsid_t:s0 tclass=capability


Expected results:
# iscsiadm -m node -I iscsi0 -L all
Logging in to [iface: iscsi0, target: iqn.XXXXXX, portal: 10.x.x.x,3260]
Login to [iface: iscsi0, target: iqn.XXXXXX, portal: 10.x.x.x,3260]: successful

Additional info:

I have compiled the addition SELinux allow permission suggested by audit2allow into a module.  When loaded, it works as expected.  It also works when the iscsid_disable_trans boolean is set to 1, but I'd rather not do that.

I believe that the following should be added to the base iscsid policy:
allow iscsid_t self:capability net_raw;

I have also confirmed that this problem exists in Fedora 9 and appears to be in the upstream SELinux targeted policy.

I looked in the iscsid source code and it isn't clear to me why the net_raw capability is needed, but it clearly has something to do with the interface binding.  When no interfaces are specifically configured or requested the commands work as expected.

Comment 1 Daniel Walsh 2008-08-29 19:38:40 UTC
Fixed in selinux-policy-2.4.6-150.el5

Available in preview at http://people.redhat.com/dwalsh/SELinux/RHEL5

Comment 2 RHEL Program Management 2008-08-29 19:51:59 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.

Comment 6 Vinny Valdez 2008-09-17 19:47:21 UTC
Tested with selinux-policy-2.4.6-158.el5 and it worked.  However, setting iscsid_disable_trans boolean on did not work on RHEL 5.2 with selinux-policy-2.4.6-137.1.el5_2.  Thanks Dan.

Comment 10 errata-xmlrpc 2009-01-20 21:30:30 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2009-0163.html