Bug 460398 - iscsid needs additional SELinux allow rule for interface binding
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy-targeted
Version: 5.2
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assigned To: Daniel Walsh
Depends On:
Blocks:
Reported: 2008-08-27 23:08 EDT by Sean E. Millichamp
Modified: 2015-02-18 12:30 EST
CC List: 4 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-01-20 16:30:30 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments: None
Description Sean E. Millichamp 2008-08-27 23:08:50 EDT
Description of problem:

iscsiadm, by default, does no specific interface selection.  However, if you ask it to bind to a specific interface (which is needed in certain use cases) it generates an SELinux violation.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.4.6-137.1.el5
(also present in Fedora 9's selinux-policy-targeted-3.3.1-84.fc9.noarch)

How reproducible:
Every time.

Steps to Reproduce:
1. Start with a fresh install of iscsi-initiator-utils, SELinux with targeted policy in enforcing mode.
2. iscsiadm -m iface -I iscsi0 -o new
3. iscsiadm -m iface -I iscsi0 -o update -n iface.net_ifacename -v eth0
4. iscsiadm -m discovery -t sendtargets -p my.iscsi.san.ip
5. iscsiadm -m node -I iscsi0 -L all
Actual results:
# iscsiadm -m node -I iscsi0 -L all
Logging in to [iface: iscsi0, target: iqn.XXXXXX, portal: 10.x.x.x,3260]
iscsiadm: Could not login to [iface: iscsi0, target: iqn.XXXXXX, portal: 10.x.x.x,3260]: 
iscsiadm: initiator reported error (4 - encountered connection failure)
iscsiadm: Could not log into all portals. Err 4.

# tail -n1 /var/log/audit/audit.log
type=AVC msg=audit(1219866721.966:27): avc:  denied  { net_raw } for  pid=1576 comm="iscsid" capability=13 scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:system_r:iscsid_t:s0 tclass=capability


Expected results:
# iscsiadm -m node -I iscsi0 -L all
Logging in to [iface: iscsi0, target: iqn.XXXXXX, portal: 10.x.x.x,3260]
Login to [iface: iscsi0, target: iqn.XXXXXX, portal: 10.x.x.x,3260]: successful

Additional info:

I have compiled the additional SELinux allow permission suggested by audit2allow into a module.  When loaded, it works as expected.  It also works when the iscsid_disable_trans boolean is set to 1, but I'd rather not do that.

I believe that the following should be added to the base iscsid policy:
allow iscsid_t self:capability net_raw;

I have also confirmed that this problem exists in Fedora 9 and appears to be in the upstream SELinux targeted policy.

I looked in the iscsid source code and it isn't clear to me why the net_raw capability is needed, but it clearly has something to do with the interface binding.  When no interfaces are specifically configured or requested the commands work as expected.
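The description above derives its proposed rule from the AVC record with audit2allow. The following added example (not from the bug report, the reporter, or the selinux-policy package) does the same derivation by hand in POSIX sh so the resulting type-enforcement rule can be read and reviewed before anything is compiled: it parses the `scontext`, `tcontext`, `tclass` and `{ perms }` fields of an `avc: denied` record, collapses a source type that equals its target type to `self` (exactly the form of the rule the reporter proposes), and emits a minimal `.te` module around it. The `SAMPLE_AVC` record is a constructed copy of the one in the report; the function and module names are the example's own.

```sh
#!/bin/sh
# Added example: turn "avc: denied" audit records into reviewable
# type-enforcement allow rules and a minimal .te module, the way audit2allow
# does for the case in this report.  Not part of the bug report or of
# selinux-policy; all names below are this example's own.

# Constructed sample record, mirroring the AVC in the report (pid, comm and
# contexts are the report's; the module name is ours).
SAMPLE_AVC='type=AVC msg=audit(1219866721.966:27): avc:  denied  { net_raw } for  pid=1576 comm="iscsid" capability=13 scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:system_r:iscsid_t:s0 tclass=capability'

# avc_field RECORD NAME -> value of the "NAME=value" token (quotes stripped)
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p" | tr -d '"'
}

# avc_perms RECORD -> the space-separated permissions inside "denied { ... }"
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied[[:space:]]*{ *\([^}]*\)}.*/\1/p' | sed 's/[[:space:]]*$//'
}

# context_type CONTEXT -> the type component of user:role:type:level
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_to_allow RECORD -> "allow <src> <tgt>:<class> <perms>;"
# A record whose source and target types match becomes a rule on "self",
# which is the shape of the rule proposed in the report.  Returns 1 when the
# record lacks any field the rule needs.
avc_to_allow() {
    rec=$1
    src=$(context_type "$(avc_field "$rec" scontext)")
    tgt=$(context_type "$(avc_field "$rec" tcontext)")
    cls=$(avc_field "$rec" tclass)
    perms=$(avc_perms "$rec")
    [ -n "$src" ] && [ -n "$tgt" ] && [ -n "$cls" ] && [ -n "$perms" ] || return 1
    [ "$src" = "$tgt" ] && tgt=self
    printf 'allow %s %s:%s %s;\n' "$src" "$tgt" "$cls" "$perms"
}

# avc_to_module NAME RECORD... -> a complete .te module: a require block
# listing every type and class the records mention, then one allow rule per
# record.  The text is meant to be read before it is built and loaded.
avc_to_module() {
    name=$1; shift
    printf 'module %s 1.0;\n\nrequire {\n' "$name"
    for rec in "$@"; do
        context_type "$(avc_field "$rec" scontext)"
        context_type "$(avc_field "$rec" tcontext)"
    done | sort -u | sed 's/.*/    type &;/'
    for rec in "$@"; do
        printf '    class %s { %s };\n' "$(avc_field "$rec" tclass)" "$(avc_perms "$rec")"
    done | sort -u
    printf '}\n\n'
    for rec in "$@"; do avc_to_allow "$rec"; done
}

# Usage: print the module for the sample record.  On a real host the records
# would come from grep 'avc: *denied' /var/log/audit/audit.log instead.
avc_to_module local_iscsid "$SAMPLE_AVC"
```

The generated text is the review artifact: a rule that grants a whole capability to a domain deserves the same scrutiny the reporter applies when asking why `net_raw` is needed at all. Once reviewed, it is built and loaded with the standard toolchain the reporter alludes to (`checkmodule -M -m`, `semodule_package`, `semodule -i`), which this example deliberately does not run.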
Comment 1 Daniel Walsh 2008-08-29 15:38:40 EDT
Fixed in selinux-policy-2.4.6-150.el5

Available in preview at http://people.redhat.com/dwalsh/SELinux/RHEL5
Comment 2 RHEL Product and Program Management 2008-08-29 15:51:59 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 6 Vinny Valdez 2008-09-17 15:47:21 EDT
Tested with selinux-policy-2.4.6-158.el5 and it worked.  However, setting iscsid_disable_trans boolean on did not work on RHEL 5.2 with selinux-policy-2.4.6-137.1.el5_2.  Thanks Dan.
Comment 10 errata-xmlrpc 2009-01-20 16:30:30 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2009-0163.html
