Bug 462739 - [NetApp-S 5.3 bug] Getting selinux errors when iscsid is shutdown
[NetApp-S 5.3 bug] Getting selinux errors when iscsid is shutdown
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy (Show other bugs)
5.0
All Linux
medium Severity medium
: rc
: ---
Assigned To: Daniel Walsh
:
Depends On:
Blocks: 253834 373081
  Show dependency treegraph
 
Reported: 2008-09-18 12:55 EDT by Mike Christie
Modified: 2015-02-18 12:30 EST (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-01-20 16:30:50 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Mike Christie 2008-09-18 12:55:25 EDT
Description of problem:

iscsid wants to send SIGTERM to some of its processes during error handling. When this happens we get a selinux error. Here is the output of sealert:

Summary
    SELinux is preventing /sbin/iscsid (iscsid_t) "signal" access to <Unknown>
    (iscsid_t).

Detailed Description
    SELinux denied access requested by /sbin/iscsid. It is not expected that
    this access is required by /sbin/iscsid and this access may signal an
    intrusion attempt. It is also possible that the specific version or
    configuration of the application is causing it to require additional access.
    Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this
    package.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for <Unknown>, restorecon -v
    <Unknown>. There is currently no automatic way to allow this access.
    Instead, you can generate a local policy module to allow this access - see
    http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 - or you can
    disable SELinux protection entirely for the application. Disabling SELinux
    protection is not recommended. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.
    Changing the "iscsid_disable_trans" boolean to true will disable SELinux
    protection this application: "setsebool -P iscsid_disable_trans=1."

    The following command will allow this access:
    setsebool -P iscsid_disable_trans=1

Additional Information

Source Context                root:system_r:iscsid_t
Target Context                root:system_r:iscsid_t
Target Objects                None [ process ]
Affected RPM Packages         iscsi-initiator-utils-6.2.0.868-0.11 [application]
Policy RPM                    selinux-policy-2.4.6-104.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.disable_trans
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.18-88.el5 #1 SMP
                              Tue Apr 1 19:01:18 EDT 2008 x86_64 x86_64
Alert Count                   1
Line Numbers

Raw Audit Messages

avc: denied { signal } for comm="iscsid" egid=0 euid=0 exe="/sbin/iscsid"
exit=-13 fsgid=0 fsuid=0 gid=0 items=0 pid=5687
scontext=root:system_r:iscsid_t:s0 sgid=0 subj=root:system_r:iscsid_t:s0 suid=0
tclass=process tcontext=root:system_r:iscsid_t:s0 tty=(none) uid=0



Notes:

I tried a newer selinux-policy-2.4.6-104 and it did not help.



Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:
Comment 1 Mike Christie 2008-09-18 12:57:05 EDT
(In reply to comment #0)
> 
> I tried a newer selinux-policy-2.4.6-104 and it did not help.
> 

I meant 2.4.6-104 is old and on a different machine I tried a newer rpm and it it did not help.
Comment 2 Andrius Benokraitis 2008-09-18 13:17:10 EDT
Mike, I know that Dan is up to at least the following version:
selinux-policy-2.4.6-158.el5 and can be downloaded at the following location:

http://people.redhat.com/dwalsh/SELinux/RHEL5/
Comment 3 Daniel Walsh 2008-09-18 16:28:31 EDT
Fixed in selinux-policy-2.4.6-158.el5 for U3.  It might be fixed in selinux-policy-2.4.6-137.el5 which is the u2 policy.
Comment 5 Mike Christie 2008-09-18 23:30:23 EDT
Thanks Daniel. I just tried selinux-policy-2.4.6-158 and did not see any errors.
Comment 11 errata-xmlrpc 2009-01-20 16:30:50 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2009-0163.html

Note You need to log in before you can comment on or make changes to this bug.