Bug 460398
| Summary: | iscsid needs additional SELinux allow rule for interface binding | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 5 | Reporter: | Sean E. Millichamp <sean> |
| Component: | selinux-policy-targeted | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 5.2 | CC: | dwalsh, mkoci, mmalik, vvaldez |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2009-01-20 21:30:30 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Fixed in selinux-policy-2.4.6-150.el5 Available in preview at http://people.redhat.com/dwalsh/SELinux/RHEL5 This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release. Tested with selinux-policy-2.4.6-158.el5 and it worked. However, setting iscsid_disable_trans boolean on did not work on RHEL 5.2 with selinux-policy-2.4.6-137.1.el5_2. Thanks Dan. An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on therefore solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2009-0163.html |
Description of problem: iscsiadm, by default, does no specific interface selection. However, if you ask it to bind to a specific interface (which is needed in certain use cases) it generates an SELinux violation. Version-Release number of selected component (if applicable): selinux-policy-targeted-2.4.6-137.1.el5 (also present in Fedora 9's selinux-policy-targeted-3.3.1-84.fc9.noarch) How reproducible: Every time. Steps to Reproduce: 1. Start with a fresh install of iscsi-initiator-utils, SELinux with targetted policy in enforcing mode. 2. iscsiadm -m iface -I iscsi0 -o new 3. iscsiadm -m iface -I iscsi0 -o update -n iface.net_ifacename -v eth0 4. iscsiadm -m discovery -t sendtargets -p my.iscsi.san.ip 5. iscsiadm -m node -I iscsi0 -L all Actual results: # iscsiadm -m node -I iscsi0 -L all Logging in to [iface: iscsi0, target: iqn.XXXXXX, portal: 10.x.x.x,3260] iscsiadm: Could not login to [iface: iscsi0, target: iqn.XXXXXX, portal: 10.x.x.x,3260]: iscsiadm: initiator reported error (4 - encountered connection failure) iscsiadm: Could not log into all portals. Err 4. # tail -n1 /var/log/audit/audit.log type=AVC msg=audit(1219866721.966:27): avc: denied { net_raw } for pid=1576 c omm="iscsid" capability=13 scontext=system_u:system_r:iscsid_t:s0 tcontext=syste m_u:system_r:iscsid_t:s0 tclass=capability Expected results: # iscsiadm -m node -I iscsi0 -L all Logging in to [iface: iscsi0, target: iqn.XXXXXX, portal: 10.x.x.x,3260] Login to [iface: iscsi0, target: iqn.XXXXXX, portal: 10.x.x.x,3260]: successful Additional info: I have compiled the addition SELinux allow permission suggested by audit2allow into a module. When loaded, it works as expected. It also works when the iscsid_disable_trans boolean is set to 1, but I'd rather not do that. I believe that the following should be added to the base iscsid policy: allow iscsid_t self:capability net_raw; I have also confirmed that this problem exists in Fedora 9 and appears to be in the upstream SELinux targeted policy. I looked in the iscsid source code and it isn't clear to me why the net_raw capability is needed, but it clearly has something to do with the interface binding. When no interfaces are specifically configured or requested the commands work as expected.