User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.15) Gecko/2009102704 Fedora/3.0.15-1.fc10 Firefox/3.0.15

When trying to run the login to an iSCSI target set up with the bnx2i interface type, the process hangs until it times out and then returns error 5. After trying various things, I looked in the audit logs and found SELinux AVC messages. After using audit2allow to create a module, all works.

Reproducible: Always

Steps to Reproduce:
1. Set up an iSCSI target with the bnx2i interface type
2. Run iscsiadm -m node -l
3. Wait ... wait ... fail error 5

Running audit2allow -m created the following module, which solves the problem:
---
module local 1.0;

require {
	type iscsid_t;
	type initrc_t;
	class unix_stream_socket connectto;
}

#============= iscsid_t ==============
allow iscsid_t initrc_t:unix_stream_socket connectto;
Thanks. Reassigning to selinux-policy so it can be brought in.
What process is running as initrc_t?

ps -eZ | grep initrc_t
On the running system I get:

system_u:system_r:initrc_t      2569 ?        00:00:00 rhnsd

Does the /etc/rc.d/init.d/iscsi script call to iscsiadm run as initrc_t?
/etc/rc.d/init.d/iscsi calls iscsiadm and can call /etc/init.d/iscsid. /etc/init.d/iscsid calls iscsid and brcm_iscsiuio.
I noticed in the log file that there was a message that brcm_iscsiuio had segfaulted. After rebooting I now get:

system_u:system_r:initrc_t      1883 ?        00:00:00 brcm_iscsiuio
system_u:system_r:initrc_t      2632 ?        00:00:00 rhnsd
Could you try to change the context using

# chcon -t iscsid_exec_t /sbin/brcm_iscsiuio

and create the following local policy:

# cat > local.te << __eof
policy_module(local, 1.0)

require {
	type iscsid_exec_t;
	type iscsid_t;
}

allow iscsid_t self:netlink_kobject_uevent_socket create_socket_perms;
can_exec(iscsid_t, iscsid_exec_t)
__eof

# make -f /usr/share/selinux/devel/Makefile
# semodule -i local.pp
I tried your suggested changes. It does not work. It causes the initiator to return the error "4 - encountered connection failure".

A ps -eZ | grep brcm shows:

system_u:system_r:iscsid_t      1884 ?        00:00:00 brcm_iscsiuio

The audit log contains AVC messages:

type=AVC msg=audit(1261411943.073:6): avc: denied { read write } for pid=2446 comm="brcm_iscsiuio" name="uio1" dev=tmpfs ino=6765 scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1261411943.337:7): avc: denied { read write } for pid=2099 comm="brcm_iscsiuio" name="uio0" dev=tmpfs ino=6474 scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file

audit2allow says:

#============= iscsid_t ==============
allow iscsid_t device_t:chr_file { read write };
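The two audit2allow runs in this thread (comment 1 and the comment above) each turn a handful of AVC lines into one allow rule. The script below is an added example, not something posted in this bug, that does the same merge in plain awk so the reader can see exactly which fields audit2allow keys on: the type component of scontext and tcontext plus tclass, with the permission sets unioned per (source, target, class). The sample AVC lines are constructed to mirror the ones in this thread; the third line is an assumed connectto denial in the shape comment 1's rule implies, not a line the reporter posted.

```shell
#!/bin/sh
# Constructed sample input modelled on the AVC messages in this thread
# (not copied from any real audit log). The connectto line is assumed.
SAMPLE_AVC='type=AVC msg=audit(1261411943.073:6): avc: denied { read write } for pid=2446 comm="brcm_iscsiuio" name="uio1" dev=tmpfs ino=6765 scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1261411943.337:7): avc: denied { read write } for pid=2099 comm="brcm_iscsiuio" name="uio0" dev=tmpfs ino=6474 scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1261411900.000:5): avc: denied { connectto } for pid=2001 comm="iscsiadm" path="/var/run/iscsid" scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket'

# avc_to_allow: read AVC denial lines on stdin and print one allow rule per
# (source type, target type, object class), merging the permissions of every
# denial that shares that triple. Output is sorted so it is stable.
avc_to_allow() {
  awk '
  /avc: *denied/ {
    # permissions sit between the braces: "{ read write }"
    s = index($0, "{"); e = index($0, "}")
    perms = substr($0, s + 1, e - s - 1)
    src = ""; tgt = ""; cls = ""
    for (i = 1; i <= NF; i++) {
      n = split($i, kv, "=")
      if (n < 2) continue
      # a context is user:role:type:level; audit2allow keys on the type
      if (kv[1] == "scontext")      { split(kv[2], c, ":"); src = c[3] }
      else if (kv[1] == "tcontext") { split(kv[2], c, ":"); tgt = c[3] }
      else if (kv[1] == "tclass")   { cls = kv[2] }
    }
    if (src == "" || tgt == "" || cls == "") next
    key = src " " tgt ":" cls
    np = split(perms, p, " ")
    for (j = 1; j <= np; j++) {
      if (!((key, p[j]) in seen)) {        # union, keeping first-seen order
        seen[key, p[j]] = 1
        plist[key] = (plist[key] == "" ? "" : plist[key] " ") p[j]
      }
    }
  }
  END {
    for (k in plist) printf "allow %s { %s };\n", k, plist[k]
  }' | sort
}

# Example run on the constructed input.
printf '%s\n' "$SAMPLE_AVC" | avc_to_allow
```

Note what the merge does not do: it reproduces the generic rule audit2allow printed above, `allow iscsid_t device_t:chr_file { read write }`, which grants iscsid_t read/write on every character device still carrying the default device_t label. That is why the later comments in this thread replace it with a dedicated userio_dev_t type and a file-context entry for the uio nodes instead of loading the audit2allow output as-is.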
Phillip,

Could you try the selinux modifications and this updated kernel and iscsi tools:

http://people.redhat.com/dzickus/el5/182.el5/
http://people.redhat.com/mchristi/iscsi/rhel5.4.z/iscsi-initiator-utils/

Also, if that does not work, could you try starting the iscsi service and then run iscsiadm by hand:

iscsiadm -m node -T yourtarget -I your_bnx2i_iface -l

And if that iscsiadm call fails, run the command one more time. I am investigating a bug where on the second try it will finally work. But I think the iscsi and kernel will fix your problem.
With the new packages, I still get the same error "4 - encountered connection failure". Same thing if running by hand. I also still get the same AVC denied messages as before.
After some iterations I have found selinux settings that seem to allow me to connect on boot without any AVC errors in the log. It works with both the standard packages and the packages that Mike suggested in Comment #6.

1. Change the brcm_iscsiuio context using

chcon -t iscsid_exec_t /sbin/brcm_iscsiuio

2. Create the following local policy:

policy_module(local, 1.2)

require {
	type iscsid_exec_t;
	type iscsid_t;
	type device_t;
	type proc_net_t;
	class dir search;
	class file { read getattr };
	class chr_file { read write getattr };
}

allow iscsid_t self:netlink_kobject_uevent_socket create_socket_perms;
allow iscsid_t device_t:chr_file { read write getattr };
allow iscsid_t proc_net_t:dir search;
allow iscsid_t proc_net_t:file { read getattr };
can_exec(iscsid_t, iscsid_exec_t)
---

The only issue left is that the brcm_iscsiuio daemon dies right after boot with the following message:

kernel: brcm_iscsiuio[2119]: segfault at 00002aaaaaadb000 rip 000000383b27bf0b rsp 0000000043a06ec8 error 4

I don't know if this is related to the selinux permission issue or a different bug?
(In reply to comment #10)
> kernel: brcm_iscsiuio[2119]: segfault at 00002aaaaaadb000 rip 000000383b27bf0b
> rsp 0000000043a06ec8 error 4
>
> I don't know if this is related to the selinux permission issue or a different
> bug?

Does it happen also in targeted mode?
I checked and the brcm_iscsiuio segfault appears with selinux enabled or disabled. I have filed Bug #549771 for this problem.
Phillip, thank you for your testing. Could you also try to test the following policy.

1. local.te

policy_module(local, 1.3)

type userio_dev_t;
dev_node(userio_dev_t)

require {
	type iscsid_exec_t;
	type iscsid_t;
	type device_t;
	type proc_net_t;
}

allow iscsid_t self:netlink_kobject_uevent_socket create_socket_perms;
allow iscsid_t proc_net_t:dir search;
allow iscsid_t proc_net_t:file { read getattr };
allow iscsid_t device_t:dir search;
allow iscsid_t userio_dev_t:file rw_file_perms;
can_exec(iscsid_t, iscsid_exec_t)
---

2. local.fc

/sbin/brcm_iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0)
/dev/uio0 -c gen_context(system_u:object_r:userio_dev_t,s0)
---

3. Compile and load the local module and then execute restorecon:

# restorecon -R -v /dev/uio0
# restorecon -R -v /sbin/brcm_iscsiuio

Thanks
If I use the local.fc as you have it, I only get a reliable connection on the first bnx2i interface and the error 4 on the second. I noticed that there are two uio devices, /dev/uio0 and /dev/uio1. If I change local.fc to:

/sbin/brcm_iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0)
/dev/uio.* -c gen_context(system_u:object_r:userio_dev_t,s0)

and compile, it seems to work for both interfaces.
(In reply to comment #14)
> If I use the local.fc as you have it, I only get reliable connection on the
> first bnx2i interface and the error 4, on the second. I noticed that there a
> two uio devices /dev/uio0 and /dev/uio1. If I change local.fc to:
>
> /sbin/brcm_iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0)
> /dev/uio.* -c gen_context(system_u:object_r:userio_dev_t,s0)
>
> And compile, it seems to work for both interfaces.

Great. Thank you.
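The working policy is spread over three comments: the local.te from comment 13, the /dev/uio.* file context from comment 14, and the build and restorecon steps from comments 6 and 13. The script below is an added example, not something posted in this bug, that writes the consolidated module to a directory and only builds, loads and relabels when selinux-policy-devel and semodule are actually present, so it can be inspected on a machine without them. One rule is added here beyond what the thread posted and is marked as such in the file: the denials in comment 7 are on class chr_file, and the thread's `userio_dev_t:file rw_file_perms` rule covers only class file, so an explicit `chr_file rw_chr_file_perms` rule (a standard refpolicy permission set) is included. The output directory and the helper names are assumptions.

```shell
#!/bin/sh
# Consolidated local policy from this bug report, with the build/load steps
# guarded so the script is safe to run on a box without the policy toolchain.

# write_local_policy DIR: write local.te and local.fc into DIR.
write_local_policy() {
  dir=$1
  mkdir -p "$dir" || return 1
  cat > "$dir/local.te" <<'__eof'
policy_module(local, 1.3)

# Dedicated type for the uio nodes brcm_iscsiuio talks to, instead of
# letting iscsid_t read/write every device_t-labelled node.
type userio_dev_t;
dev_node(userio_dev_t)

require {
	type iscsid_exec_t;
	type iscsid_t;
	type device_t;
	type proc_net_t;
}

allow iscsid_t self:netlink_kobject_uevent_socket create_socket_perms;
allow iscsid_t proc_net_t:dir search;
allow iscsid_t proc_net_t:file { read getattr };
allow iscsid_t device_t:dir search;
allow iscsid_t userio_dev_t:file rw_file_perms;
# Added in this example (not in the thread): /dev/uioN is a character
# device, and the AVCs in comment 7 were on class chr_file, not file.
allow iscsid_t userio_dev_t:chr_file rw_chr_file_perms;
can_exec(iscsid_t, iscsid_exec_t)
__eof
  cat > "$dir/local.fc" <<'__eof'
/sbin/brcm_iscsiuio    --    gen_context(system_u:object_r:iscsid_exec_t,s0)
/dev/uio.*             -c    gen_context(system_u:object_r:userio_dev_t,s0)
__eof
}

# build_and_load DIR: compile local.pp with the refpolicy devel Makefile,
# install it, and relabel the paths the .fc covers. Returns 2 when the
# toolchain is missing so callers can tell "skipped" from "failed".
build_and_load() {
  dir=$1
  if [ ! -f /usr/share/selinux/devel/Makefile ] || ! command -v semodule >/dev/null 2>&1; then
    echo "selinux-policy-devel or semodule not available; policy only written to $dir" >&2
    return 2
  fi
  ( cd "$dir" && make -f /usr/share/selinux/devel/Makefile local.pp ) || return 1
  semodule -i "$dir/local.pp" || return 1
  restorecon -R -v /sbin/brcm_iscsiuio || return 1
  # relabel every uio node present (the .fc regex covers uio0, uio1, ...)
  for node in /dev/uio*; do
    [ -e "$node" ] && restorecon -v "$node"
  done
  return 0
}

# Usage: sh this_script.sh /root/local-policy   (assumed output directory)
if [ "$#" -gt 0 ]; then
  write_local_policy "$1" && build_and_load "$1"
fi
```

After loading, confirm the labels took effect with `ls -Z /dev/uio* /sbin/brcm_iscsiuio` and watch /var/log/audit/audit.log for any remaining iscsid_t denials while logging in to each bnx2i interface; comment 14 shows that a single-device .fc entry passes the first interface and fails the second, which only shows up when both are exercised.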
Fixed in selinux-policy-2.4.6-271.el5
Miroslav, add:

type iscsid_log_t;
logging_log_file(iscsid_log_t)

manage_files_pattern(iscsid_t, iscsid_log_t, iscsid_log_t)
logging_log_filetrans(iscsid_t, iscsid_log_t, file)

/var/log/brcm-iscsi\.log -- gen_context(system_u:object_r:iscsi_lock_t,s0)
*** Bug 561002 has been marked as a duplicate of this bug. ***
Fixed in selinux-policy-2.4.6-272.el5
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2010-0182.html