Hi,

I'm using scsi-target-utils to export 2 logical volumes:

/dev/BigVol2/lv_iscsi_disk1
/dev/BigVol2/lv_iscsi_disk2

as iscsi targets for iscsi testing. Recently (I think) this stopped working and as soon as a "client" tries to connect to the iscsi targets setroubleshoot and auditd go crazy and start a light weight DOS attack on my machine.

audit.log is full of:

type=AVC msg=audit(1268775672.718:1577922): avc: denied { read } for pid=1262 comm="tgtd" path="anon_inode:[signalfd]" dev=anon_inodefs ino=4023 scontext=system_u:system_r:tgtd_t:s0 tcontext=system_u:object_r:anon_inodefs_t:s0 tclass=file
type=SYSCALL msg=audit(1268775672.718:1577922): arch=c000003e syscall=0 success=no exit=-13 a0=9 a1=7fffe8e4d560 a2=800 a3=7d0 items=0 ppid=1 pid=1262 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="tgtd" exe="/usr/sbin/tgtd" subj=system_u:system_r:tgtd_t:s0 key=(null)

The [signalfd] strikes me as a bit weird here, /dev/BigVol2/lv_iscsi_disk1 is a symlink to /dev/dm-5:

lrwxrwxrwx. root root system_u:object_r:device_t:s0 /dev/BigVol2/lv_iscsi_disk1 -> ../dm-5

which itself is:

brw-rw----. root disk system_u:object_r:fixed_disk_device_t:s0 /dev/dm-5

p.s. It would be good to fix this for RHEL-6 too (assuming it is relevant there too).
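When audit.log floods like this, collapsing the AVC records into distinct (source type, target type, class, permissions) tuples shows whether one missing rule accounts for the whole flood. The following is an added example, not part of the original report or of any Fedora tooling; the sample log is constructed from the AVC record quoted above, with made-up timestamps and serials for the repeats, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample: the AVC record from the report repeated three times
# with invented timestamps/serials, plus a shortened SYSCALL record.
AVC = ('type=AVC msg=audit({ts}:{serial}): avc:  denied  {{ read }} for  pid=1262 '
       'comm="tgtd" path="anon_inode:[signalfd]" dev=anon_inodefs ino=4023 '
       'scontext=system_u:system_r:tgtd_t:s0 '
       'tcontext=system_u:object_r:anon_inodefs_t:s0 tclass=file')
SAMPLE = "\n".join(
    [AVC.format(ts=f"1268775672.{718 + i}", serial=1577922 + i) for i in range(3)]
    + ['type=SYSCALL msg=audit(1268775672.718:1577922): arch=c000003e syscall=0 '
       'success=no exit=-13 comm="tgtd" exe="/usr/sbin/tgtd"'])

AVC_RE = re.compile(r'type=AVC msg=audit\([\d.]+:\d+\): avc:\s+denied\s+'
                    r'\{ (?P<perms>[^}]*) \} for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict of the fields of one AVC denial, or None for other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec['perms'] = tuple(m.group('perms').split())
    return rec

def summarize(text):
    """Count denials per (source type, target type, class, permissions)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            # An SELinux context is user:role:type:level; the type is field 3.
            stype = rec['scontext'].split(':')[2]
            ttype = rec['tcontext'].split(':')[2]
            counts[(stype, ttype, rec['tclass'], rec['perms'])] += 1
    return counts

def candidate_rules(counts):
    """Render each tuple as the allow rule a policy reviewer would evaluate."""
    return [f"allow {s} {t}:{c} {{ {' '.join(p)} }};"
            for (s, t, c, p), _ in counts.most_common()]

if __name__ == "__main__":
    for rule, n in zip(candidate_rules(summarize(SAMPLE)), summarize(SAMPLE).values()):
        print(n, rule)
```

A single tuple with a high count, as here, points at one policy gap for one domain rather than a misbehaving process touching many object types.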
This is a kernel issue that should be fixed in the next kernel release. I can't find the bugzilla to dup this on. Eric, do you know it offhand?
Dan, if this is for F13 we might not pick up a kernel fix for a long time (2.6.34-rc2 is the first fixed kernel). I thought we agreed to just allow anon_inodefs in RHEL6 and F13 but not push it upstream or bother with it in F14.
Fixed in selinux-policy-3.7.15-4.fc13.noarch
selinux-policy-3.7.15-4.fc13 has been submitted as an update for Fedora 13. http://admin.fedoraproject.org/updates/selinux-policy-3.7.15-4.fc13
selinux-policy-3.7.15-4.fc13 has been pushed to the Fedora 13 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.7.15-4.fc13
selinux-policy-3.7.15-4.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.