761485 – [SeLinux] selinux stop iscsi login in via bnx2i

Bug 761485 - [SeLinux] selinux stop iscsi login in via bnx2i

Summary: [SeLinux] selinux stop iscsi login in via bnx2i

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 5
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	5.7
Hardware:	All
OS:	Linux
Priority:	unspecified
Severity:	urgent
Target Milestone:	rc
Target Release:	---
Assignee:	Miroslav Grepl
QA Contact:	Milos Malik
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2011-12-08 12:16 UTC by Gris Ge
Modified:	2012-10-15 14:11 UTC (History)
CC List:	7 users (show)
Fixed In Version:	selinux-policy-2.4.6-321.el5
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2012-02-21 05:48:47 UTC
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2012:0158	0	normal	SHIPPED_LIVE	selinux-policy bug fix and enhancement update	2012-02-20 14:53:50 UTC

Description Gris Ge 2011-12-08 12:16:44 UTC

Description of problem:
=============
[root@storageqe-01 ~]# sealert -l d0a4e6c1-0078-40a7-b82d-ae011f3fda6a

Summary:

SELinux is preventing iscsid (iscsid_t) "connectto" to
004953435349445F5549505F41425354524143545F4E414D455350414345000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(initrc_t).

Detailed Description:

SELinux denied access requested by iscsid. It is not expected that this access
is required by iscsid and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:iscsid_t
Target Context                system_u:system_r:initrc_t
Target Objects                004953435349445F5549505F41425354524143545F4E414D45
                              53504143450000000000000000000000000000000000000000
                              00000000000000000000000000000000000000000000000000
                              00000000000000000000000000000000000000000000000000
                              0000000000000000 [ unix_stream_socket ]
Source                        iscsid
Source Path                   <Unknown>
Port                          <Unknown>
Host                          storageqe-01.rhts.eng.bos.redhat.com
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-320.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     storageqe-01.rhts.eng.bos.redhat.com
Platform                      Linux storageqe-01.rhts.eng.bos.redhat.com
                              2.6.18-300.el5 #1 SMP Thu Dec 1 13:48:30 EST 2011
                              x86_64 x86_64
Alert Count                   7
First Seen                    Thu Dec  8 06:50:44 2011
Last Seen                     Thu Dec  8 06:51:47 2011
Local ID                      d0a4e6c1-0078-40a7-b82d-ae011f3fda6a
Line Numbers

Raw Audit Messages

host=storageqe-01.rhts.eng.bos.redhat.com type=AVC msg=audit(1323345107.979:64): avc:  denied  { connectto } for  pid=9364 comm="iscsid" path=004953435349445F5549505F41425354524143545F4E414D455350414345000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
=================

Version-Release number of selected component (if applicable):
iscsi-initiator-utils-6.2.0.872-12.el5

How reproducible:
100%

Steps to Reproduce:
on storageqe-01.rhts.eng.bos.redhat.com
==========
echo "InitiatorName=iqn.1994-05.com.redhat:boot-bnx2i-storageqe-01" > /etc/iscsi/initiatorname.iscsi
BNX2I_IFACE1="bnx2i.00:10:18:88:e7:ff"
BNX2I_IFACE2="bnx2i.00:10:18:88:e7:fd"
iscsiadm -m iface -I ${BNX2I_IFACE1} --op=update --name=iface.ipaddress   --value=0.0.0.0
iscsiadm -m iface -I ${BNX2I_IFACE2} --op=update --name=iface.ipaddress   --value=0.0.0.0
iscsiadm -m discovery -t st  -p na3170b.lab.bos.redhat.com -I ${BNX2I_IFACE1} -I ${BNX2I_IFACE2}
iscsiadm -m node -l
==========
  
Actual results:
selinux stop iscsi login.

Expected results:
no selinux error and iscsi login

Additional info:
Tried on iscsi_tcp, no issue found. So it's kind of iscsiuio issue. Requesting block as it block bnx2i testing.

Comment 1 Mike Christie 2011-12-12 23:20:13 UTC

Eddie,

For RHEL6.2 did you guys have the selinux people do a fix? I did not. I was thinking we should have hit something similar.

This looks ok though, and we need to get the selinux policy updated.

Comment 2 Eddie Wai 2011-12-13 00:07:41 UTC

Hey Mike,

No, I did not either.  Is it because the old policy is now obsolete (brcm_iscsiuio vs iscsiuio)?  

Eddie

Comment 3 Mike Christie 2011-12-13 22:03:06 UTC

Hi Selinux developers,

It looks like we need to update the policy for a change in the iscsi tools. I was wondering though, for rhel 5.8 I used the iscsi tools that I put into rhel 6.2. For rhel 6.2 I did not submit any changes for the policy. Did you guys do that for us? I did not see any bzs.

Comment 4 Gris Ge 2011-12-14 03:00:44 UTC

Storage-QE didn't perform any selinux test on bnx2i in 6.2 as we got that card after RHEL 6.2 test plan draft out.

Bruno,

Can you help us to confirm whether we have same problem on RHEL 6.2 GA?

Comment 5 Miroslav Grepl 2011-12-14 09:47:30 UTC

So the binary was renamed and we need to add 

/sbin/iscsiuio --  gen_context(system_u:object_r:iscsid_exec_t,s0)

Comment 6 Bruno Goncalves 2011-12-14 14:36:39 UTC

On RHEL 6.2 it worked properly, selinux didn't report any error.

I've tested on Kernel 2.6.32-220.el6.

Comment 7 Miroslav Grepl 2011-12-15 08:04:05 UTC

Gris,
if you execute

# chcon -t iscsid_exec_t /sbin/iscsiuio

does it work?

Comment 8 Bruno Goncalves 2011-12-15 09:33:42 UTC

Miroslav,

Yes it does work.

Comment 9 Miroslav Grepl 2011-12-15 13:15:01 UTC

Fixed in selinux-policy-2.4.6-321.el5

Comment 10 Bruno Goncalves 2011-12-16 08:46:56 UTC

Yes, I confirmed that with selinux-policy-2.4.6-321.el5 it is working correctly.

Comment 14 errata-xmlrpc 2012-02-21 05:48:47 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0158.html

Note You need to log in before you can comment on or make changes to this bug.