Bug 574229 - scsi-target-utils and selinux-policy-targeted don't play nice together
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 13
Hardware: All
OS: Linux
Priority: low
Severity: medium
Assignee: Eric Paris
QA Contact: Ben Levenson
Reported: 2010-03-16 21:49 UTC by Hans de Goede
Modified: 2010-03-25 22:30 UTC (History)

Fixed In Version: selinux-policy-3.7.15-4.fc13
Doc Type: Bug Fix
Last Closed: 2010-03-25 22:30:03 UTC



Description Hans de Goede 2010-03-16 21:49:04 UTC
Hi,

I'm using scsi-target-utils to export 2 logical volumes:
/dev/BigVol2/lv_iscsi_disk1
/dev/BigVol2/lv_iscsi_disk2

As iSCSI targets for iSCSI testing. Recently (I think) this stopped working, and as soon as a "client" tries to connect to the iSCSI targets, setroubleshoot and auditd go crazy and start a lightweight DoS attack on my machine.

audit.log is full of:
type=AVC msg=audit(1268775672.718:1577922): avc:  denied  { read } for  pid=1262 comm="tgtd" path="anon_inode:[signalfd]" dev=anon_inodefs ino=4023 scontext=system_u:system_r:tgtd_t:s0 tcontext=system_u:object_r:anon_inodefs_t:s0 tclass=file
type=SYSCALL msg=audit(1268775672.718:1577922): arch=c000003e syscall=0 success=no exit=-13 a0=9 a1=7fffe8e4d560 a2=800 a3=7d0 items=0 ppid=1 pid=1262 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="tgtd" exe="/usr/sbin/tgtd" subj=system_u:system_r:tgtd_t:s0 key=(null)

The [signalfd] strikes me as a bit weird here, /dev/BigVol2/lv_iscsi_disk1
is a symlink to /dev/dm-5:
lrwxrwxrwx. root root system_u:object_r:device_t:s0    /dev/BigVol2/lv_iscsi_disk1 -> ../dm-5

which itself is:
brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-5


p.s.

It would be good to fix this for RHEL-6 too (assuming it is relevant there too).
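For a reader who hits a denial like the one above, the practical question is how to turn the AVC record into the exact type-enforcement rule that would have to be granted, so it can be compared against what a policy update later allows (or packaged as a temporary local module with checkmodule/semodule_package). The following is an added example, not code from the bug report or from the selinux-policy package: it parses AVC records of the form shown above, extracts the source type, target type, object class and permission set, merges duplicates, and renders a .te module. The first two log lines are copied from the report; the third is a constructed variant with two permissions to exercise the merge path. The module name `tgtd_anon` is an arbitrary choice.

```python
import re

# Two lines copied from the audit.log excerpt in the bug report, plus one
# constructed AVC line (read + write) to show how permission sets merge.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1268775672.718:1577922): avc:  denied  { read } for  pid=1262 comm="tgtd" path="anon_inode:[signalfd]" dev=anon_inodefs ino=4023 scontext=system_u:system_r:tgtd_t:s0 tcontext=system_u:object_r:anon_inodefs_t:s0 tclass=file
type=SYSCALL msg=audit(1268775672.718:1577922): arch=c000003e syscall=0 success=no exit=-13 a0=9 a1=7fffe8e4d560 a2=800 a3=7d0 items=0 ppid=1 pid=1262 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="tgtd" exe="/usr/sbin/tgtd" subj=system_u:system_r:tgtd_t:s0 key=(null)
type=AVC msg=audit(1268775680.001:1577930): avc:  denied  { read write } for  pid=1262 comm="tgtd" path="anon_inode:[signalfd]" dev=anon_inodefs ino=4023 scontext=system_u:system_r:tgtd_t:s0 tcontext=system_u:object_r:anon_inodefs_t:s0 tclass=file
"""

# Only type=AVC records matter; SYSCALL records carry no context/class fields.
AVC_RE = re.compile(
    r'^type=AVC .*?avc:\s+(?P<decision>denied|granted)\s+\{ (?P<perms>[^}]+) \}'
    r'.*?\bscontext=(?P<scontext>\S+)'
    r'.*?\btcontext=(?P<tcontext>\S+)'
    r'.*?\btclass=(?P<tclass>\S+)'
)


def parse_avc(log_text):
    """Return one dict per denied AVC record: source type, target type, class, perms."""
    records = []
    for line in log_text.splitlines():
        m = AVC_RE.match(line)
        if not m or m.group('decision') != 'denied':
            continue
        # A context is user:role:type[:range]; a TE allow rule needs only the type.
        stype = m.group('scontext').split(':')[2]
        ttype = m.group('tcontext').split(':')[2]
        records.append({
            'stype': stype,
            'ttype': ttype,
            'tclass': m.group('tclass'),
            'perms': set(m.group('perms').split()),
        })
    return records


def te_rules(records):
    """Collapse records into one allow rule per (source, target, class), permissions merged."""
    merged = {}
    for r in records:
        key = (r['stype'], r['ttype'], r['tclass'])
        merged.setdefault(key, set()).update(r['perms'])
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        plist = ' '.join(sorted(perms))
        if len(perms) > 1:
            plist = '{ %s }' % plist
        rules.append('allow %s %s:%s %s;' % (stype, ttype, tclass, plist))
    return rules


def te_module(name, records):
    """Render complete .te source (module header, require block, allow rules)."""
    types = set()
    classes = {}
    for r in records:
        types.add(r['stype'])
        types.add(r['ttype'])
        classes.setdefault(r['tclass'], set()).update(r['perms'])
    lines = ['module %s 1.0;' % name, '', 'require {']
    for t in sorted(types):
        lines.append('\ttype %s;' % t)
    for c in sorted(classes):
        lines.append('\tclass %s { %s };' % (c, ' '.join(sorted(classes[c]))))
    lines += ['}', ''] + te_rules(records)
    return '\n'.join(lines) + '\n'


if __name__ == '__main__':
    # Hypothetical module name; the output is what you would feed to checkmodule -M -m.
    print(te_module('tgtd_anon', parse_avc(SAMPLE_AUDIT_LOG)))
```

The generated rule (`allow tgtd_t anon_inodefs_t:file ...;`) is the access the report shows being denied; whether granting it is the right long-term answer is exactly what the comments below discuss, since the labelling of the signalfd inode is a kernel-side matter. Rendering the rule from the log is still useful for checking, after updating selinux-policy, that the denial no longer appears in audit.log.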

Comment 1 Daniel Walsh 2010-03-17 12:29:28 UTC
This is a kernel issue that should be fixed in the next kernel release. I can't find the bugzilla to dup this on. Eric, do you know it offhand?

Comment 2 Eric Paris 2010-03-17 13:37:19 UTC
Dan, if this is for F13 we might not pick up a kernel fix for a long time (2.6.34-rc2 is the first fixed kernel). I thought we agreed to just allow anon_inodefs in RHEL6 and F13 but not push it upstream or bother with it in F14.

Comment 3 Daniel Walsh 2010-03-23 13:36:38 UTC
Fixed in selinux-policy-3.7.15-4.fc13.noarch

Comment 4 Fedora Update System 2010-03-23 13:43:50 UTC
selinux-policy-3.7.15-4.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/selinux-policy-3.7.15-4.fc13

Comment 5 Fedora Update System 2010-03-24 00:47:44 UTC
selinux-policy-3.7.15-4.fc13 has been pushed to the Fedora 13 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update selinux-policy'
You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.7.15-4.fc13

Comment 6 Fedora Update System 2010-03-25 22:29:26 UTC
selinux-policy-3.7.15-4.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.
