Bug 545598 - SELinux is preventing /sbin/iscsid "associate" access.
Summary: SELinux is preventing /sbin/iscsid "associate" access.
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 12
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:44520643300...
Duplicates: 545593 550358
Depends On:
Blocks:
Reported: 2009-12-08 22:07 UTC by Dave Allan
Modified: 2016-04-26 17:00 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-12-22 20:42:10 UTC
Type: ---



Description Dave Allan 2009-12-08 22:07:10 UTC
Summary:

SELinux is preventing /sbin/iscsid "associate" access.

Detailed Description:

SELinux denied access requested by iscsid. It is not expected that this access
is required by iscsid and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                unconfined_u:system_r:iscsid_t:s0
Target Context                unconfined_u:system_r:initrc_t:s0
Target Objects                None [ sem ]
Source                        iscsid
Source Path                   /sbin/iscsid
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           iscsi-initiator-utils-6.2.0.870-10.fc12.1
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-55.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux elanor 2.6.31.6-162.fc12.x86_64 #1 SMP Fri
                              Dec 4 00:06:26 EST 2009 x86_64 x86_64
Alert Count                   6
First Seen                    Tue 08 Dec 2009 04:58:48 PM EST
Last Seen                     Tue 08 Dec 2009 05:06:04 PM EST
Local ID                      6ac7b13f-eab3-4d82-9293-a5974f91e6bb
Line Numbers                  

Raw Audit Messages            

node=elanor type=AVC msg=audit(1260309964.981:24225): avc:  denied  { associate } for  pid=16124 comm="iscsid" key=167 scontext=unconfined_u:system_r:iscsid_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=sem

node=elanor type=SYSCALL msg=audit(1260309964.981:24225): arch=c000003e syscall=64 success=no exit=-13 a0=a7 a1=1 a2=380 a3=0 items=0 ppid=16123 pid=16124 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts6 ses=1 comm="iscsid" exe="/sbin/iscsid" subj=unconfined_u:system_r:iscsid_t:s0 key=(null)



Hash String generated from  selinux-policy-3.6.32-55.fc12,catchall,iscsid,iscsid_t,initrc_t,sem,associate
audit2allow suggests:

#============= iscsid_t ==============
allow iscsid_t initrc_t:sem associate;

Comment 1 Daniel Walsh 2009-12-09 14:11:16 UTC
What process is running as initrc_t

ps -eZ | grep initrc_t

We need to have policy for all init programs that we ship, this is the label of an init program without policy.
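The raw AVC records above, read the way comment 1 reads them: a denial whose target type is initrc_t points at a daemon running under the generic init-script label rather than at a missing rule for the source. The following is an added example, not code from this bug or from setroubleshoot; it parses AVC records into source type, target type, class and permissions, prints the rule audit2allow would suggest, and flags initrc_t targets for relabelling instead. The httpd denial in the sample is constructed for contrast and is not from this report.

```python
import re

# Constructed sample input: the AVC record quoted in this bug plus one
# unrelated, made-up httpd denial for contrast (not taken from the page).
SAMPLE_AUDIT = """
node=elanor type=AVC msg=audit(1260309964.981:24225): avc:  denied  { associate } for  pid=16124 comm="iscsid" key=167 scontext=unconfined_u:system_r:iscsid_t:s0 tcontext=unconfined_u:system_r:initrc_t:s0 tclass=sem
node=elanor type=SYSCALL msg=audit(1260309964.981:24225): arch=c000003e syscall=64 success=no exit=-13 comm="iscsid" exe="/sbin/iscsid"
type=AVC msg=audit(1260310000.000:24230): avc:  denied  { read write } for  pid=4242 comm="httpd" name="data.db" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def context_type(ctx):
    """user:role:type:level -> the type component (third field)."""
    return ctx.split(':')[2]

def parse_avc(line):
    """Return a dict for one AVC denial record; None for SYSCALL and other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return {
        'perms': m.group('perms').split(),
        'comm': fields.get('comm'),
        'stype': context_type(fields['scontext']),
        'ttype': context_type(fields['tcontext']),
        'tclass': fields['tclass'],
    }

def allow_rule(d):
    """The rule audit2allow prints for this denial (braces only for several perms)."""
    perms = d['perms'][0] if len(d['perms']) == 1 else '{ ' + ' '.join(d['perms']) + ' }'
    return f"allow {d['stype']} {d['ttype']}:{d['tclass']} {perms};"

# Target types that mean "a process without policy of its own"; such a denial is
# fixed by labelling the target daemon, not by adding the suggested allow rule.
UNCONFINED_INIT_TYPES = {'initrc_t'}

def triage(d):
    if d['ttype'] in UNCONFINED_INIT_TYPES:
        return f"target {d['ttype']}: find the unlabelled daemon (ps -eZ | grep {d['ttype']}) and give it policy"
    return f"ordinary denial: review {allow_rule(d)} before allowing"

def triage_log(text):
    return [(d['comm'], d['tclass'], triage(d)) for d in map(parse_avc, text.splitlines()) if d]

if __name__ == '__main__':
    for comm, tclass, verdict in triage_log(SAMPLE_AUDIT):
        print(f"{comm:8} {tclass:5} {verdict}")
```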

Comment 2 Daniel Walsh 2009-12-09 14:11:58 UTC
*** Bug 545593 has been marked as a duplicate of this bug. ***

Comment 3 Dave Allan 2009-12-09 16:20:18 UTC
[root@elanor ~]# ps -eZ | grep initrc_t
system_u:system_r:initrc_t:s0    1580 ?        00:00:00 ksmtuned
unconfined_u:system_r:initrc_t:s0 2836 ?       00:00:00 tgtd
unconfined_u:system_r:initrc_t:s0 2838 ?       00:00:00 tgtd
system_u:system_r:initrc_t:s0    2851 ?        00:00:00 sleep
[root@elanor ~]# 

This output is interesting, however, as the problem I was having appeared to reference iscsid, and iscsid is not listed here, although tgtd is.  (tgtd is the target side of an iscsi connection, iscsid is the initiator side.)

Comment 4 Daniel Walsh 2009-12-09 16:51:28 UTC
Ok I will add a policy for tgtd.

What are ksmtuned and sleep?

Comment 5 Dave Allan 2009-12-09 17:31:26 UTC
It's virt related:

http://fedoraproject.org/wiki/Features/KSM

ksmtuned spawns sleep:

[root@elanor ~]# ps -eZ | grep initrc_t
system_u:system_r:initrc_t:s0    1580 ?        00:00:00 ksmtuned
unconfined_u:system_r:initrc_t:s0 2836 ?       00:00:00 tgtd
unconfined_u:system_r:initrc_t:s0 2838 ?       00:00:00 tgtd
system_u:system_r:initrc_t:s0    4035 ?        00:00:00 sleep
[root@elanor ~]# ps -ejH | grep -A1 ksmtuned
 1580  1575   994 ?        00:00:00   ksmtuned
 4035  1575   994 ?        00:00:00     sleep
[root@elanor ~]#

Comment 6 Daniel Walsh 2009-12-09 17:38:56 UTC
Ok I added policy for tgtd and ksmtuned 

Fixed in selinux-policy-3.6.32-57.fc12.noarch

Comment 7 Fedora Update System 2009-12-16 13:52:52 UTC
selinux-policy-3.6.32-59.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-59.fc12

Comment 8 Fedora Update System 2009-12-18 04:41:09 UTC
selinux-policy-3.6.32-59.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2009-13384

Comment 9 Fedora Update System 2009-12-23 21:30:46 UTC
selinux-policy-3.6.32-59.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Carl G. 2010-01-17 02:04:01 UTC
*** Bug 550358 has been marked as a duplicate of this bug. ***
