Description of problem:
=============
[root@storageqe-01 ~]# sealert -l d0a4e6c1-0078-40a7-b82d-ae011f3fda6a

Summary:

SELinux is preventing iscsid (iscsid_t) "connectto" to 004953435349445F5549505F41425354524143545F4E414D455350414345000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (initrc_t).

Detailed Description:

SELinux denied access requested by iscsid. It is not expected that this access is required by iscsid and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                system_u:system_r:iscsid_t
Target Context                system_u:system_r:initrc_t
Target Objects                004953435349445F5549505F41425354524143545F4E414D455350414345000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 [ unix_stream_socket ]
Source                        iscsid
Source Path                   <Unknown>
Port                          <Unknown>
Host                          storageqe-01.rhts.eng.bos.redhat.com
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-320.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     storageqe-01.rhts.eng.bos.redhat.com
Platform                      Linux storageqe-01.rhts.eng.bos.redhat.com 2.6.18-300.el5 #1 SMP Thu Dec 1 13:48:30 EST 2011 x86_64 x86_64
Alert Count                   7
First Seen                    Thu Dec 8 06:50:44 2011
Last Seen                     Thu Dec 8 06:51:47 2011
Local ID                      d0a4e6c1-0078-40a7-b82d-ae011f3fda6a
Line Numbers

Raw Audit Messages

host=storageqe-01.rhts.eng.bos.redhat.com type=AVC msg=audit(1323345107.979:64): avc: denied { connectto } for pid=9364 comm="iscsid" path=004953435349445F5549505F41425354524143545F4E414D455350414345000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
=================

Version-Release number of selected component (if applicable):
iscsi-initiator-utils-6.2.0.872-12.el5

How reproducible:
100%

Steps to Reproduce:
on storageqe-01.rhts.eng.bos.redhat.com
==========
echo "InitiatorName=iqn.1994-05.com.redhat:boot-bnx2i-storageqe-01" > /etc/iscsi/initiatorname.iscsi
BNX2I_IFACE1="bnx2i.00:10:18:88:e7:ff"
BNX2I_IFACE2="bnx2i.00:10:18:88:e7:fd"
iscsiadm -m iface -I ${BNX2I_IFACE1} --op=update --name=iface.ipaddress --value=0.0.0.0
iscsiadm -m iface -I ${BNX2I_IFACE2} --op=update --name=iface.ipaddress --value=0.0.0.0
iscsiadm -m discovery -t st -p na3170b.lab.bos.redhat.com -I ${BNX2I_IFACE1} -I ${BNX2I_IFACE2}
iscsiadm -m node -l
==========

Actual results:
SELinux stops the iscsi login.

Expected results:
No SELinux error and the iscsi login succeeds.

Additional info:
Tried on iscsi_tcp, no issue found. So it's kind of an iscsiuio issue.
Requesting block as it blocks bnx2i testing.
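The raw AVC line above is the most useful part of the report, but two things in it are easy to misread: the target object is printed as a long hex string because auditd hex-encodes any field containing non-printable bytes, and the target context is initrc_t rather than a daemon domain. The following parser is an added example (not part of the bug report or of the sealert/audit tooling); it decodes the hex path into the abstract-namespace Unix socket name iscsid connects to and pulls out the source and target types. The sample record is constructed from the AVC line in the report with the zero padding of the 108-byte sun_path shortened.

```python
"""Parse a raw SELinux AVC record and decode its hex-encoded socket path.

Added example, not from the bug report or from sealert/audit tooling.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the denial quoted in the report, sun_path padding shortened.
SAMPLE_AVC = (
    'type=AVC msg=audit(1323345107.979:64): avc: denied { connectto } '
    'for pid=9364 comm="iscsid" '
    'path=004953435349445F5549505F41425354524143545F4E414D455350414345'
    '0000000000000000 '
    'scontext=system_u:system_r:iscsid_t:s0 '
    'tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket'
)

_HEADER = re.compile(r'audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\)')
_VERDICT = re.compile(r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}')
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def context_type(ctx: str) -> str:
    """Type field of a 'user:role:type[:level]' security context."""
    parts = ctx.split(':')
    if len(parts) < 3:
        raise ValueError('malformed context: %r' % ctx)
    return parts[2]


@dataclass
class AvcRecord:
    timestamp: float
    serial: int
    verdict: str
    perms: List[str]
    fields: Dict[str, str]      # raw key=value tokens as logged
    path: Optional[str]         # decoded socket name, if a path was logged
    abstract_socket: bool       # True when the path began with a NUL byte

    @property
    def source_type(self) -> str:
        return context_type(self.fields['scontext'])

    @property
    def target_type(self) -> str:
        return context_type(self.fields['tcontext'])


def decode_audit_value(raw: str):
    """auditd prints a field in double quotes when it is printable and as a
    hex string when it holds non-printable bytes, such as the leading NUL of
    an abstract-namespace Unix socket name.  Returns (text, is_abstract)."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1], False
    try:
        data = bytes.fromhex(raw)
    except ValueError:
        return raw, False           # neither quoted nor hex; keep verbatim
    abstract = data.startswith(b'\0')
    body = data[1:] if abstract else data
    return body.rstrip(b'\0').decode('utf-8', 'replace'), abstract


def parse_avc(line: str) -> AvcRecord:
    """Split one AVC record into header, verdict, permissions and fields."""
    hdr = _HEADER.search(line)
    verdict = _VERDICT.search(line)
    if hdr is None or verdict is None:
        raise ValueError('not an AVC record: %r' % line)
    fields = dict(_KV.findall(line))
    path, abstract = None, False
    if 'path' in fields:
        path, abstract = decode_audit_value(fields['path'])
    return AvcRecord(
        timestamp=float(hdr.group('ts')),
        serial=int(hdr.group('serial')),
        verdict=verdict.group('verdict'),
        perms=verdict.group('perms').split(),
        fields=fields,
        path=path,
        abstract_socket=abstract,
    )


def summarize(rec: AvcRecord) -> str:
    """One-line reading of the denial: which domain asked for what on what."""
    target = rec.path if rec.path is not None else rec.fields.get('tclass', '?')
    kind = 'abstract socket ' if rec.abstract_socket else ''
    return '%s -> %s: %s %s on %s%s' % (
        rec.source_type, rec.target_type, rec.verdict,
        ','.join(rec.perms), kind, target)


if __name__ == '__main__':
    print(summarize(parse_avc(SAMPLE_AVC)))
    # iscsid_t -> initrc_t: denied connectto on abstract socket ISCSID_UIP_ABSTRACT_NAMESPACE
```

The decoded name shows that iscsid is connecting to the socket the bnx2i user-space helper listens on, and the tcontext shows that the process holding that socket is still running as initrc_t: it was started from the init script but never transitioned into the iscsid_t domain, which is exactly what a missing exec label on the renamed binary would cause.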
Eddie,

For RHEL6.2 did you guys have the selinux people do a fix? I did not. I was thinking we should have hit something similar. This looks ok though, and we need to get the selinux policy updated.
Hey Mike,

No, I did not either. Is it because the old policy is now obsolete (brcm_iscsiuio vs iscsiuio)?

Eddie
Hi Selinux developers,

It looks like we need to update the policy for a change in the iscsi tools. I was wondering though, for rhel 5.8 I used the iscsi tools that I put into rhel 6.2. For rhel 6.2 I did not submit any changes for the policy. Did you guys do that for us? I did not see any bzs.
Storage-QE didn't perform any selinux test on bnx2i in 6.2 as we got that card after the RHEL 6.2 test plan was drafted out.

Bruno, can you help us to confirm whether we have the same problem on RHEL 6.2 GA?
So the binary was renamed and we need to add /sbin/iscsiuio -- gen_context(system_u:object_r:iscsid_exec_t,s0)
On RHEL 6.2 it worked properly; selinux didn't report any error. I've tested on kernel 2.6.32-220.el6.
Gris, if you execute

# chcon -t iscsid_exec_t /sbin/iscsiuio

does it work?
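The chcon test above and the file-context entry proposed two comments earlier are the two halves of the same fix: the initrc_t to iscsid_t domain transition keys on the exec type of the binary, so a renamed /sbin/iscsiuio without the iscsid_exec_t label keeps running as initrc_t. The script below is an added example, not code from the bug report or the selinux-policy package; it reads a binary's label through the security.selinux xattr (os.getxattr, Linux only; on a host without SELinux labels it reports "unknown") and, for a mismatch, prints the immediate chcon fix alongside the persistent semanage fcontext plus restorecon form. The path and expected type come from the thread.

```python
"""Audit the SELinux file context of a daemon binary and print the fix.

Added example; not part of the bug report or the selinux-policy package.
"""
import os
from typing import Dict, List, Optional, Tuple

# Path and expected exec type taken from the thread.
EXPECTED_EXEC_TYPES = {
    '/sbin/iscsiuio': 'iscsid_exec_t',
}


def context_type(ctx: str) -> str:
    """Type field of a 'user:role:type[:level]' security context."""
    parts = ctx.split(':')
    if len(parts) < 3:
        raise ValueError('malformed context: %r' % ctx)
    return parts[2]


def file_context(path: str) -> Optional[str]:
    """Read the security.selinux xattr of a file.

    Returns None when the file is missing, the xattr is absent, or the
    platform has no os.getxattr (non-Linux), so callers can report
    'unknown' instead of guessing."""
    try:
        raw = os.getxattr(path, 'security.selinux')   # Linux only
    except (OSError, AttributeError):
        return None
    return raw.rstrip(b'\0').decode()


def remediation(path: str, expected: str,
                actual: Optional[str]) -> Tuple[str, List[str]]:
    """Classify a binary's label and return the commands that fix a mismatch.

    chcon relabels immediately but is undone by the next relabel or
    restorecon; 'semanage fcontext -a' records the rule in the local
    policy store so restorecon (and a full relabel) keeps applying it."""
    if actual is None:
        return 'unknown', []
    if context_type(actual) == expected:
        return 'ok', []
    return 'mismatch', [
        'chcon -t %s %s' % (expected, path),
        "semanage fcontext -a -t %s '%s'" % (expected, path),
        'restorecon -v %s' % path,
    ]


def audit(expected: Dict[str, str] = EXPECTED_EXEC_TYPES
          ) -> Dict[str, Tuple[str, List[str]]]:
    """Check every listed binary; result is keyed by path."""
    return {path: remediation(path, etype, file_context(path))
            for path, etype in expected.items()}


if __name__ == '__main__':
    for path, (status, cmds) in audit().items():
        print('%s: %s' % (path, status))
        for cmd in cmds:
            print('    ' + cmd)
```

Run as root on the affected host, a mislabeled iscsiuio shows up as "mismatch" with the three commands; after the policy update that ships the new file-context entry, a plain restorecon on the path is enough and the audit reports "ok".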
Miroslav, Yes it does work.
Fixed in selinux-policy-2.4.6-321.el5
Yes, I confirmed that with selinux-policy-2.4.6-321.el5 it is working correctly.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2012-0158.html