SELinux is preventing /sbin/iscsid from using the 'sys_ptrace' capabilities.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that iscsid should have the sys_ptrace capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep /sbin/iscsid /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:system_r:iscsid_t:s0
Target Context                unconfined_u:system_r:iscsid_t:s0
Target Objects                Unknown [ capability ]
Source                        iscsid
Source Path                   /sbin/iscsid
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           iscsi-initiator-utils-6.2.0.872-8.fc14
Target RPM Packages
Policy RPM                    selinux-policy-3.9.7-18.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 2.6.35.9-64.fc14.x86_64 #1 SMP Fri Dec 3 12:19:41 UTC 2010 x86_64 x86_64
Alert Count                   7
First Seen                    Wed 22 Dec 2010 06:39:35 PM CST
Last Seen                     Wed 22 Dec 2010 08:52:47 PM CST
Local ID                      0f396d09-7006-4389-a7d2-e5fea22864ac

Raw Audit Messages
type=AVC msg=audit(1293072767.178:26462): avc: denied { sys_ptrace } for pid=10528 comm="iscsid" capability=19 scontext=unconfined_u:system_r:iscsid_t:s0 tcontext=unconfined_u:system_r:iscsid_t:s0 tclass=capability

iscsid,iscsid_t,iscsid_t,capability,sys_ptrace

type=SYSCALL msg=audit(1293072767.178:26462): arch=x86_64 syscall=read success=yes exit=156 a0=b a1=7fffd57d9c10 a2=400 a3=1999999999999999 items=0 ppid=1 pid=10528 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=44 comm=iscsid exe=/sbin/iscsid subj=unconfined_u:system_r:iscsid_t:s0 key=(null)

iscsid,iscsid_t,iscsid_t,capability,sys_ptrace

#============= iscsid_t ==============
allow iscsid_t self:capability sys_ptrace;
Miroslav, back port rawhide iscsi policy to F13/F14.

Shane, the alert above explains how to allow this for now.
*** Bug 665204 has been marked as a duplicate of this bug. ***
Fixed in selinux-policy-3.9.7-20.fc14
selinux-policy-3.9.7-20.fc14 has been submitted as an update for Fedora 14. https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-20.fc14
selinux-policy-3.9.7-20.fc14 has been pushed to the Fedora 14 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-20.fc14
selinux-policy-3.9.7-20.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.
I'm still seeing a setsched denial for iscsid (same as bug 665204) when using

# rpm -q selinux-policy
selinux-policy-3.9.7-25.fc14.noarch

# grep AVC /var/log/audit/audit.log | grep iscsid
type=AVC msg=audit(1296394249.096:4): avc: denied { setsched } for pid=818 comm="iscsid" scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process
You are right. Thanks.
Fixed in selinux-policy-3.9.7-27.fc14
selinux-policy-3.9.7-28.fc14 has been submitted as an update for Fedora 14. https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-28.fc14
selinux-policy-3.9.7-28.fc14 has been pushed to the Fedora 14 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-28.fc14
selinux-policy-3.9.7-28.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.