Bug 548599 - Login to iSCSI target with bnx2i interface fails due to selinux denial
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.4
Hardware: x86_64
OS: Linux
Priority: low
Severity: medium
Target Milestone: rc
Assignee: Miroslav Grepl
QA Contact: BaseOS QE Security Team
Duplicates: 561002
Reported: 2009-12-17 21:46 UTC by Phillip Sorensen
Modified: 2012-10-15 14:39 UTC
Doc Type: Bug Fix
Last Closed: 2010-03-30 07:50:45 UTC

Links:
Red Hat Product Errata RHBA-2010:0182 (SHIPPED_LIVE): selinux-policy bug fix update, last updated 2010-03-29 12:19:53 UTC

Description Phillip Sorensen 2009-12-17 21:46:11 UTC
When trying to log in to an iSCSI target set up with the bnx2i interface type, the process hangs until it times out and then returns error 5.

After trying various things, I looked in the audit logs and found SELinux AVC messages. After using audit2allow to create a module, all works.

Reproducible: Always

Steps to Reproduce:
1. Set up an iSCSI target with the bnx2i interface type
2. Run iscsiadm -m node -l
3. Wait ... wait ... fail, error 5



Running audit2allow -m created the following module, which solves the problem:

---

module local 1.0;

require {
	type iscsid_t;
	type initrc_t;
	class unix_stream_socket connectto;
}

#============= iscsid_t ==============
allow iscsid_t initrc_t:unix_stream_socket connectto;

Comment 1 Mike Christie 2009-12-18 03:30:18 UTC
Thanks. Reassigning to selinux-policy so it can be brought in.

Thanks.

Comment 2 Daniel Walsh 2009-12-18 13:01:15 UTC
What process is running as initrc_t?

ps -eZ | grep initrc_t

Comment 3 Phillip Sorensen 2009-12-18 14:07:02 UTC
On the running system I get:

system_u:system_r:initrc_t       2569 ?        00:00:00 rhnsd


Does the /etc/rc.d/init.d/iscsi script's call to iscsiadm run as initrc_t?

Comment 4 Mike Christie 2009-12-18 14:45:39 UTC
/etc/rc.d/init.d/iscsi calls iscsiadm and can call /etc/init.d/iscsid.  /etc/init.d/iscsid calls iscsid and brcm_iscsiuio.

Comment 5 Phillip Sorensen 2009-12-18 15:01:29 UTC
I noticed in the log file that there was a message that brcm_iscsiuio had segfaulted. After rebooting I now get:

system_u:system_r:initrc_t       1883 ?        00:00:00 brcm_iscsiuio
system_u:system_r:initrc_t       2632 ?        00:00:00 rhnsd

Comment 6 Miroslav Grepl 2009-12-18 18:45:17 UTC
Could you try to change context using

# chcon -t iscsid_exec_t /sbin/brcm_iscsiuio

and create the following local policy:

# cat > local.te << __eof
policy_module(local, 1.0)

require{
        type iscsid_exec_t;
        type iscsid_t;
}

allow iscsid_t self:netlink_kobject_uevent_socket create_socket_perms;
can_exec(iscsid_t, iscsid_exec_t)

__eof

# make -f /usr/share/selinux/devel/Makefile
# semodule -i local.pp

Comment 7 Phillip Sorensen 2009-12-21 17:25:34 UTC
I tried your suggested changes. It does not work. It causes the initiator to return the error "4 - encountered connection failure".


A ps -eZ | grep brcm shows:

system_u:system_r:iscsid_t       1884 ?        00:00:00 brcm_iscsiuio


The audit log contains AVC messages:

type=AVC msg=audit(1261411943.073:6): avc:  denied  { read write } for  pid=2446 comm="brcm_iscsiuio" name="uio1" dev=tmpfs ino=6765 scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1261411943.337:7): avc:  denied  { read write } for  pid=2099 comm="brcm_iscsiuio" name="uio0" dev=tmpfs ino=6474 scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file


audit2allow says:

#============= iscsid_t ==============
allow iscsid_t device_t:chr_file { read write };

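The AVC records above are what audit2allow turns into allow rules. As an added example (not code from the bug report or from audit2allow), the following groups such denials into candidate rules and flags the ones aimed at a catch-all type such as device_t, which is the hint that the object needs its own label rather than a broad allow rule; the sample audit lines are constructed from comment 7.

```python
# Added example (not from the bug report or audit2allow): group AVC denials into rules.
import re
from collections import defaultdict

# Constructed audit.log excerpt: the two denials quoted in comment 7 plus a
# proc_net_t denial modelled on the rules in comment 10.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1261411943.073:6): avc:  denied  { read write } for  pid=2446 comm="brcm_iscsiuio" name="uio1" dev=tmpfs ino=6765 scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1261411943.337:7): avc:  denied  { read write } for  pid=2099 comm="brcm_iscsiuio" name="uio0" dev=tmpfs ino=6474 scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=AVC msg=audit(1261411943.500:8): avc:  denied  { search } for  pid=2099 comm="brcm_iscsiuio" name="net" dev=proc ino=4026 scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=dir
"""
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Catch-all object types: a denial against one of these usually means the object needs
# its own label (comment 13 gives /dev/uio* the type userio_dev_t); an allow rule on
# device_t would cover every device node that has no specific type.
GENERIC_TYPES = {"device_t", "default_t", "unlabeled_t", "file_t"}
def type_of(context):
    """user:role:type[:level] -> type"""
    return context.split(":")[2]

def parse_denials(text):
    """Return (source type, target type, class, frozenset(perms)) per AVC record."""
    found = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:  # other audit record types (SYSCALL, CWD, ...) carry no denial
            found.append((type_of(m.group("scontext")), type_of(m.group("tcontext")),
                          m.group("tclass"), frozenset(m.group("perms").split())))
    return found

def candidate_rules(text):
    """Merge denials per (source, target, class) into allow rules, as audit2allow does."""
    merged = defaultdict(set)
    for stype, ttype, tclass, perms in parse_denials(text):
        merged[(stype, ttype, tclass)].update(perms)
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        plist = " ".join(sorted(perms))
        perm_txt = plist if len(perms) == 1 else "{ " + plist + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {perm_txt};")
    return rules

def overly_broad(text):
    """Candidate rules aimed at a catch-all type; relabel the object instead of allowing."""
    return [r for r in candidate_rules(text) if any(f" {t}:" in r for t in GENERIC_TYPES)]
```
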
Comment 8 Mike Christie 2009-12-21 18:23:08 UTC
Phillip,

Could you try the selinux modifications and this updated kernel and iscsi tools:


http://people.redhat.com/dzickus/el5/182.el5/
http://people.redhat.com/mchristi/iscsi/rhel5.4.z/iscsi-initiator-utils/

Also, if that does not work, could you try starting the iscsi service and then running iscsiadm by hand:

iscsiadm -m node -T yourtarget -I your_bnx2i_iface -l

And if that iscsiadm call fails run the command one more time. I am investigating a bug where on the second try it will finally work. But I think the iscsi and kernel will fix your problem.

Comment 9 Phillip Sorensen 2009-12-21 20:10:10 UTC
With the new packages, I still get the same error "4 - encountered connection failure".  Same thing if running by hand.  I also still get the same AVC denied messages as before.

Comment 10 Phillip Sorensen 2009-12-21 21:24:35 UTC
After some iterations I have found selinux settings that seem to allow me to connect on boot without any AVC errors in the log.  It works with both the standard packages and the packages that Mike suggested in Comment #6.


1. Change the brcm_iscsiuio context using

chcon -t iscsid_exec_t /sbin/brcm_iscsiuio


2. Create the following local policy:

policy_module(local, 1.2)

require {
	type iscsid_exec_t;
	type iscsid_t;
	type device_t;
	type proc_net_t;
	class dir search;
	class file { read getattr };
	class chr_file { read write getattr };
}

allow iscsid_t self:netlink_kobject_uevent_socket create_socket_perms;
allow iscsid_t device_t:chr_file { read write getattr };
allow iscsid_t proc_net_t:dir search;
allow iscsid_t proc_net_t:file { read getattr };

can_exec(iscsid_t, iscsid_exec_t)

---


The only issue left is that the brcm_iscsiuio daemon dies right after boot with the following message:

kernel: brcm_iscsiuio[2119]: segfault at 00002aaaaaadb000 rip 000000383b27bf0b rsp 0000000043a06ec8 error 4

I don't know if this is related to the selinux permission issue or a different bug?

Comment 11 Miroslav Grepl 2009-12-22 08:00:14 UTC
(In reply to comment #10)

> kernel: brcm_iscsiuio[2119]: segfault at 00002aaaaaadb000 rip 000000383b27bf0b
> rsp 0000000043a06ec8 error 4
> 
> I don't know if this is related to the selinux permission issue or a different
> bug?  

Does it also happen in targeted mode?

Comment 12 Phillip Sorensen 2009-12-22 16:21:46 UTC
I checked and the brcm_iscsiuio segfault appears with SELinux enabled or disabled. I have filed Bug #549771 for this problem.

Comment 13 Miroslav Grepl 2010-01-07 10:02:38 UTC
Phillip,
thank you for your testing. Could you also try to test the following policy?

1. local.te

policy_module(local, 1.3)

type userio_dev_t;
dev_node(userio_dev_t)

require {
 type iscsid_exec_t;
 type iscsid_t;
 type device_t;
 type proc_net_t;
}

allow iscsid_t self:netlink_kobject_uevent_socket create_socket_perms;
allow iscsid_t proc_net_t:dir search;
allow iscsid_t proc_net_t:file { read getattr };
allow iscsid_t device_t:dir search;
allow iscsid_t userio_dev_t:file rw_file_perms;
can_exec(iscsid_t, iscsid_exec_t)

---

2. local.fc

/sbin/brcm_iscsiuio --  gen_context(system_u:object_r:iscsid_exec_t,s0)
/dev/uio0       -c      gen_context(system_u:object_r:userio_dev_t,s0)

---

3. Compile and load the local module, then run restorecon:

# restorecon -R -v /dev/uio0
# restorecon -R -v /sbin/brcm_iscsiuio


Thanks

Comment 14 Phillip Sorensen 2010-01-07 20:47:44 UTC
If I use the local.fc as you have it, I only get a reliable connection on the first bnx2i interface and the error 4 on the second. I noticed that there are two uio devices, /dev/uio0 and /dev/uio1. If I change local.fc to:

/sbin/brcm_iscsiuio --  gen_context(system_u:object_r:iscsid_exec_t,s0)
/dev/uio.*      -c      gen_context(system_u:object_r:userio_dev_t,s0)

And compile, it seems to work for both interfaces.

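Comment 14 comes down to how file_contexts specs are matched: each path regex has to match the whole path, so the comment 13 spec labels /dev/uio0 but leaves /dev/uio1 at the base policy's device_t, while /dev/uio.* covers both. The following is an added example (not from the bug report or from libselinux) that models that matching over the two .fc variants above; it assumes the last matching spec wins, whereas libselinux also prefers the spec with the longer literal prefix.

```python
# Added example (not from the bug report or libselinux): apply .fc specs to paths.
import re

# The two file_contexts variants from comments 13 and 14, pasted verbatim.
FC_UIO0_ONLY = """\
/sbin/brcm_iscsiuio --  gen_context(system_u:object_r:iscsid_exec_t,s0)
/dev/uio0       -c      gen_context(system_u:object_r:userio_dev_t,s0)
"""
FC_UIO_ANY = """\
/sbin/brcm_iscsiuio --  gen_context(system_u:object_r:iscsid_exec_t,s0)
/dev/uio.*      -c      gen_context(system_u:object_r:userio_dev_t,s0)
"""

# path-regex, file-type column (-- regular file, -c char device, ...), gen_context(context,level)
SPEC_RE = re.compile(r"^(\S+)\s+-([-a-z])\s+gen_context\(([^,]+),\S+\)$")

def parse_fc(text):
    """Return [(anchored regex, file-type letter, context)] in file order."""
    specs = []
    for line in text.splitlines():
        m = SPEC_RE.match(line.strip())
        if m:
            path_re, ftype, ctx = m.groups()
            # libselinux compiles each path regex anchored at both ends
            specs.append((re.compile("^(?:" + path_re + ")$"), ftype, ctx))
    return specs

def label_for(specs, path, ftype):
    """Context a path of the given type ('-' regular file, 'c' char device, ...) gets,
    or None when no spec in this module matches and the base policy's label stays.
    Assumption: among several matches the last one wins (libselinux additionally
    prefers the spec with the longer literal prefix)."""
    chosen = None
    for regex, spec_ftype, ctx in specs:
        if spec_ftype == ftype and regex.match(path):
            chosen = ctx
    return chosen
```
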
Comment 15 Miroslav Grepl 2010-01-08 12:22:29 UTC
(In reply to comment #14)
> If I use the local.fc as you have it, I only get a reliable connection on the
> first bnx2i interface and the error 4 on the second. I noticed that there are
> two uio devices, /dev/uio0 and /dev/uio1. If I change local.fc to:
>
> /sbin/brcm_iscsiuio --  gen_context(system_u:object_r:iscsid_exec_t,s0)
> /dev/uio.*      -c      gen_context(system_u:object_r:userio_dev_t,s0)
>
> And compile, it seems to work for both interfaces.

Great. Thank you.

Comment 16 Miroslav Grepl 2010-01-28 16:12:30 UTC
Fixed in selinux-policy-2.4.6-271.el5

Comment 21 Daniel Walsh 2010-02-02 14:07:30 UTC
Miroslav, add:

type iscsid_log_t;
logging_log_file(iscsid_log_t)


manage_files_pattern(iscsid_t, iscsid_log_t, iscsid_log_t)
logging_log_filetrans(iscsid_t, iscsid_log_t, file)

# label the daemon's log file with the log type declared above
/var/log/brcm-iscsi\.log -- 	gen_context(system_u:object_r:iscsid_log_t,s0)

Comment 22 Daniel Walsh 2010-02-02 14:41:24 UTC
*** Bug 561002 has been marked as a duplicate of this bug. ***

Comment 23 Miroslav Grepl 2010-02-03 16:07:16 UTC
Fixed in selinux-policy-2.4.6-272.el5

Comment 26 errata-xmlrpc 2010-03-30 07:50:45 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2010-0182.html
