Description of problem:
iscsiadm, by default, does no specific interface selection. However, if you ask it to bind to a specific interface (which is needed in certain use cases) it generates an SELinux violation.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.4.6-137.1.el5 (also present in Fedora 9's selinux-policy-targeted-3.3.1-84.fc9.noarch)

How reproducible:
Every time.

Steps to Reproduce:
1. Start with a fresh install of iscsi-initiator-utils, SELinux with targeted policy in enforcing mode.
2. iscsiadm -m iface -I iscsi0 -o new
3. iscsiadm -m iface -I iscsi0 -o update -n iface.net_ifacename -v eth0
4. iscsiadm -m discovery -t sendtargets -p my.iscsi.san.ip
5. iscsiadm -m node -I iscsi0 -L all

Actual results:
# iscsiadm -m node -I iscsi0 -L all
Logging in to [iface: iscsi0, target: iqn.XXXXXX, portal: 10.x.x.x,3260]
iscsiadm: Could not login to [iface: iscsi0, target: iqn.XXXXXX, portal: 10.x.x.x,3260]:
iscsiadm: initiator reported error (4 - encountered connection failure)
iscsiadm: Could not log into all portals. Err 4.

# tail -n1 /var/log/audit/audit.log
type=AVC msg=audit(1219866721.966:27): avc: denied { net_raw } for pid=1576 comm="iscsid" capability=13 scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:system_r:iscsid_t:s0 tclass=capability

Expected results:
# iscsiadm -m node -I iscsi0 -L all
Logging in to [iface: iscsi0, target: iqn.XXXXXX, portal: 10.x.x.x,3260]
Login to [iface: iscsi0, target: iqn.XXXXXX, portal: 10.x.x.x,3260]: successful

Additional info:
I have compiled the additional SELinux allow permission suggested by audit2allow into a module. When loaded, it works as expected. It also works when the iscsid_disable_trans boolean is set to 1, but I'd rather not do that. I believe that the following should be added to the base iscsid policy:

allow iscsid_t self:capability net_raw;

I have also confirmed that this problem exists in Fedora 9 and appears to be in the upstream SELinux targeted policy.
I looked in the iscsid source code and it isn't clear to me why the net_raw capability is needed, but it clearly has something to do with the interface binding. When no interfaces are specifically configured or requested the commands work as expected.
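As an added example (not part of this bug report, and not code from the selinux-policy or iscsi-initiator-utils projects), a POSIX shell script that turns the AVC line from the description into exactly the `allow iscsid_t self:capability net_raw;` rule the reporter proposes and wraps it in a module source, the narrow alternative to the iscsid_disable_trans boolean. The module name local_iscsid and the helper names are assumptions; the AVC line is a constructed copy of the one in the report.

```shell
#!/bin/sh
# Added example, not from the bug report: derive the narrowest SELinux allow
# rule from one AVC denial and wrap it in a loadable module source, the way
# audit2allow -M would. Constructed copy of the denial from the report
# (the log line re-joined where it had wrapped):
SAMPLE_AVC='type=AVC msg=audit(1219866721.966:27): avc: denied { net_raw } for pid=1576 comm="iscsid" capability=13 scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:system_r:iscsid_t:s0 tclass=capability'

# Extract permission(s), source type, target type and object class from the
# AVC line into PERM, STYPE, TTYPE and TCLASS. Fails if any field is missing.
avc_parse() {
    PERM=$(printf '%s\n' "$1" | sed -n 's/.*denied *{\([^}]*\)}.*/\1/p' \
           | sed 's/^ *//; s/ *$//' | tr -s ' ')
    STYPE=$(printf '%s\n' "$1" | sed -n 's/.*scontext=[^:]*:[^:]*:\([^: ]*\).*/\1/p')
    TTYPE=$(printf '%s\n' "$1" | sed -n 's/.*tcontext=[^:]*:[^:]*:\([^: ]*\).*/\1/p')
    TCLASS=$(printf '%s\n' "$1" | sed -n 's/.*tclass=\([^ ]*\).*/\1/p')
    [ -n "$PERM" ] && [ -n "$STYPE" ] && [ -n "$TTYPE" ] && [ -n "$TCLASS" ] || return 1
    # Several permissions in one denial need braces in policy syntax.
    case "$PERM" in *' '*) PERMS="{ $PERM }" ;; *) PERMS=$PERM ;; esac
}

# One allow rule; a target type equal to the source type becomes "self",
# which for the report's denial gives the rule the reporter proposes.
avc_to_allow() {
    avc_parse "$1" || return 1
    target=$TTYPE
    [ "$target" = "$STYPE" ] && target=self
    printf 'allow %s %s:%s %s;\n' "$STYPE" "$target" "$TCLASS" "$PERMS"
}

# Module source (.te) holding just that rule. Build and load it with the
# usual toolchain (checkmodule -M -m, semodule_package, semodule -i).
# This keeps iscsid confined in iscsid_t, whereas iscsid_disable_trans
# switches off the domain transition for the daemon altogether.
avc_to_te() {
    name=${2:-local_iscsid}
    avc_parse "$1" || return 1
    rule=$(avc_to_allow "$1")
    printf 'module %s 1.0;\n\nrequire {\n    type %s;\n' "$name" "$STYPE"
    if [ "$TTYPE" != "$STYPE" ]; then printf '    type %s;\n' "$TTYPE"; fi
    printf '    class %s %s;\n}\n\n%s\n' "$TCLASS" "$PERMS" "$rule"
}

avc_to_te "$SAMPLE_AVC" local_iscsid
```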
Fixed in selinux-policy-2.4.6-150.el5. Available in preview at http://people.redhat.com/dwalsh/SELinux/RHEL5
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release.
Tested with selinux-policy-2.4.6-158.el5 and it worked. However, setting the iscsid_disable_trans boolean on did not work on RHEL 5.2 with selinux-policy-2.4.6-137.1.el5_2. Thanks Dan.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2009-0163.html