Bug 460398 - iscsid needs additional SELinux allow rule for interface binding
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy-targeted
Hardware/OS: All Linux
Priority: medium
Severity: medium
Target Milestone: rc
Assigned To: Daniel Walsh
Reported: 2008-08-27 23:08 EDT by Sean E. Millichamp
Modified: 2015-02-18 12:30 EST
Doc Type: Bug Fix
Last Closed: 2009-01-20 16:30:30 EST

External Trackers
Tracker ID: Red Hat Product Errata RHBA-2009:0163 | Priority: normal | Status: SHIPPED_LIVE | Summary: selinux-policy bug fix and enhancement update | Last Updated: 2009-01-20 11:05:21 EST
Description Sean E. Millichamp 2008-08-27 23:08:50 EDT
Description of problem:

iscsiadm, by default, does no specific interface selection.  However, if you ask it to bind to a specific interface (which is needed in certain use cases) it generates an SELinux violation.

Version-Release number of selected component (if applicable):
(also present in Fedora 9's selinux-policy-targeted-3.3.1-84.fc9.noarch)

How reproducible:
Every time.

Steps to Reproduce:
1. Start with a fresh install of iscsi-initiator-utils, SELinux with targeted policy in enforcing mode.
2. iscsiadm -m iface -I iscsi0 -o new
3. iscsiadm -m iface -I iscsi0 -o update -n iface.net_ifacename -v eth0
4. iscsiadm -m discovery -t sendtargets -p my.iscsi.san.ip
5. iscsiadm -m node -I iscsi0 -L all

Actual results:
# iscsiadm -m node -I iscsi0 -L all
Logging in to [iface: iscsi0, target: iqn.XXXXXX, portal: 10.x.x.x,3260]
iscsiadm: Could not login to [iface: iscsi0, target: iqn.XXXXXX, portal: 10.x.x.x,3260]: 
iscsiadm: initiator reported error (4 - encountered connection failure)
iscsiadm: Could not log into all portals. Err 4.

# tail -n1 /var/log/audit/audit.log
type=AVC msg=audit(1219866721.966:27): avc:  denied  { net_raw } for  pid=1576 comm="iscsid" capability=13 scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:system_r:iscsid_t:s0 tclass=capability

Expected results:
# iscsiadm -m node -I iscsi0 -L all
Logging in to [iface: iscsi0, target: iqn.XXXXXX, portal: 10.x.x.x,3260]
Login to [iface: iscsi0, target: iqn.XXXXXX, portal: 10.x.x.x,3260]: successful

Additional info:

I have compiled the additional SELinux allow permission suggested by audit2allow into a module.  When loaded, it works as expected.  It also works when the iscsid_disable_trans boolean is set to 1, but I'd rather not do that.

I believe that the following should be added to the base iscsid policy:
allow iscsid_t self:capability net_raw;

I have also confirmed that this problem exists in Fedora 9 and appears to be in the upstream SELinux targeted policy.

I looked in the iscsid source code and it isn't clear to me why the net_raw capability is needed, but it clearly has something to do with the interface binding.  When no interfaces are specifically configured or requested the commands work as expected.
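As an added example (not code from this report or from the selinux-policy package), the POSIX sh script below turns the AVC record quoted above into the allow rule the reporter proposes and wraps it in a minimal policy module source, the same local-module route the reporter describes while waiting for the fixed distribution policy. The AVC line is a constructed, rejoined copy of the one in the report, and the module name iscsid_netraw is an assumed choice; it also handles records with several permissions or distinct source and target types.

```shell
#!/bin/sh
# Constructed sample input: the AVC record quoted in this report, rejoined
# into one line (the tracker wrapped it mid-word).
AVC_LINE='type=AVC msg=audit(1219866721.966:27): avc:  denied  { net_raw } for  pid=1576 comm="iscsid" capability=13 scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:system_r:iscsid_t:s0 tclass=capability'

# avc_field KEY RECORD: value of the KEY=value pair in an AVC record.
avc_field() {
    printf '%s\n' "$2" | sed -n "s/.*[[:space:]]$1=\([^[:space:]]*\).*/\1/p"
}

# avc_type CONTEXT: the type component (third field) of an SELinux context.
avc_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_to_allow RECORD: translate one "avc: denied" record into the allow
# rule that permits it; "self" replaces the target when source and target
# types match, as they do for iscsid_t here. Multi-permission sets are braced.
avc_to_allow() {
    rec=$1
    perms=$(printf '%s\n' "$rec" | sed -n 's/.*denied *{ *\([^}]*[^} ]\) *}.*/\1/p')
    stype=$(avc_type "$(avc_field scontext "$rec")")
    ttype=$(avc_type "$(avc_field tcontext "$rec")")
    tclass=$(avc_field tclass "$rec")
    [ -n "$perms" ] && [ -n "$stype" ] && [ -n "$tclass" ] || return 1
    [ "$stype" = "$ttype" ] && ttype=self
    case $perms in *' '*) perms="{ $perms }" ;; esac
    printf 'allow %s %s:%s %s;\n' "$stype" "$ttype" "$tclass" "$perms"
}

# write_te NAME RECORD: minimal policy module source (.te) carrying that rule;
# "checkmodule -M -m -o NAME.mod NAME.te", "semodule_package -o NAME.pp -m
# NAME.mod" and "semodule -i NAME.pp" (as root) build and load it.
write_te() {
    rule=$(avc_to_allow "$2") || return 1
    stype=$(avc_type "$(avc_field scontext "$2")")
    ttype=$(avc_type "$(avc_field tcontext "$2")")
    types="type $stype;"
    [ "$stype" = "$ttype" ] || types="$types type $ttype;"
    perms=${rule##*:}; perms=${perms#* }; perms=${perms%;}
    printf 'module %s 1.0;\n\nrequire {\n\t%s\n\tclass %s %s;\n}\n\n%s\n' \
        "$1" "$types" "$(avc_field tclass "$2")" "$perms" "$rule"
}

# Module name iscsid_netraw is an assumed choice; redirect this output to
# iscsid_netraw.te before building it.
write_te iscsid_netraw "$AVC_LINE"
```

Prefer the fixed selinux-policy package where it is available; a local module like this one is only the stopgap the reporter describes, and it grants exactly the one permission the denial names.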
Comment 1 Daniel Walsh 2008-08-29 15:38:40 EDT
Fixed in selinux-policy-2.4.6-150.el5

Available in preview at http://people.redhat.com/dwalsh/SELinux/RHEL5
Comment 2 RHEL Product and Program Management 2008-08-29 15:51:59 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
Comment 6 Vinny Valdez 2008-09-17 15:47:21 EDT
Tested with selinux-policy-2.4.6-158.el5 and it worked.  However, setting iscsid_disable_trans boolean on did not work on RHEL 5.2 with selinux-policy-2.4.6-137.1.el5_2.  Thanks Dan.
Comment 10 errata-xmlrpc 2009-01-20 16:30:30 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.