Bug 832965 - AVCs when running iscsiadm
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: iscsi-initiator-utils
7.0
All Linux
medium Severity medium
Assigned To: Chris Leech
Bruno Goncalves
Reported: 2012-06-18 05:40 EDT by Michal Trunecka
Modified: 2015-04-08 11:12 EDT
Doc Type: Bug Fix
Last Closed: 2015-04-08 11:12:55 EDT
Type: Bug
Description Michal Trunecka 2012-06-18 05:40:16 EDT
Description of problem:
The following AVCs showed up during the iscsi automated test:
/CoreOS/selinux-policy/Regression/bz506057-iscsiadm-login-logout-AVCs

----
time->Mon Jun 18 05:34:21 2012
type=PATH msg=audit(1340012061.254:2183): item=0 name="/var/lock/iscsi/lock" inode=571697 dev=00:11 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:var_lock_t:s0
type=CWD msg=audit(1340012061.254:2183):  cwd="/"
type=SYSCALL msg=audit(1340012061.254:2183): arch=c000003e syscall=2 success=no exit=-13 a0=44ba91 a1=42 a2=1b6 a3=44bb99 items=1 ppid=1 pid=20506 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iscsid" exe="/usr/sbin/iscsid" subj=system_u:system_r:iscsid_t:s0 key=(null)
type=AVC msg=audit(1340012061.254:2183): avc:  denied  { read write } for  pid=20506 comm="iscsid" name="lock" dev="tmpfs" ino=571697 scontext=system_u:system_r:iscsid_t:s0 tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=file
----
time->Mon Jun 18 05:34:21 2012
type=PATH msg=audit(1340012061.254:2184): item=1 name="/var/lock/iscsi/lock.write" inode=571696 dev=00:11 mode=040600 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:var_lock_t:s0
type=PATH msg=audit(1340012061.254:2184): item=0 name="/var/lock/iscsi/lock" inode=571697 dev=00:11 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:var_lock_t:s0
type=CWD msg=audit(1340012061.254:2184):  cwd="/"
type=SYSCALL msg=audit(1340012061.254:2184): arch=c000003e syscall=86 success=no exit=-13 a0=44ba91 a1=44baa6 a2=d a3=7fff72ee4b20 items=2 ppid=1 pid=20506 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iscsid" exe="/usr/sbin/iscsid" subj=system_u:system_r:iscsid_t:s0 key=(null)
type=AVC msg=audit(1340012061.254:2184): avc:  denied  { link } for  pid=20506 comm="iscsid" name="lock" dev="tmpfs" ino=571697 scontext=system_u:system_r:iscsid_t:s0 tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=file


Version-Release number of selected component (if applicable):
iscsi-initiator-utils-6.2.0.872-18.el7.x86_64
selinux-policy-3.10.0-128.el7.noarch



Steps to Reproduce:
service iscsid start
#### And the following command causes the AVCs:
iscsiadm --mode discovery --type sendtargets --portal 10.16.41.160
  
Actual results:
AVCs

Expected results:
No AVCs

Additional info:
Comment 1 Daniel Walsh 2012-06-18 16:14:26 EDT
Does restorecon -R -v -n /var/lock show any mislabeled files?
Comment 2 Michal Trunecka 2012-06-20 03:19:56 EDT
restorecon -R -v -n /var/lock
restorecon reset /run/lock/iscsi context unconfined_u:object_r:var_lock_t:s0->unconfined_u:object_r:iscsi_lock_t:s0
restorecon reset /run/lock/iscsi/lock context unconfined_u:object_r:var_lock_t:s0->unconfined_u:object_r:iscsi_lock_t:s0
Comment 3 Daniel Walsh 2012-06-20 14:26:47 EDT
Any idea how these directories got created with the wrong label?  Which process created them?  initscripts?
Comment 4 Miroslav Grepl 2012-07-17 02:20:23 EDT
It looks like it is created by an initscript. We had this issue on older RHEL and Fedora.
Comment 6 RHEL Product and Program Management 2014-03-22 03:07:31 EDT
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.
Comment 12 Bruno Goncalves 2015-04-08 11:12:55 EDT
Closing this BZ as it seems to work well on RHEL-7.1
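
The triage the comments above do by hand, joining each AVC denial to its PATH record and checking the object against the restorecon -n output, as an added Python example (not part of the bug report or of any Red Hat tool). The sample records are abridged from the report, event 9999 is constructed for contrast, and the /var/lock to /run/lock alias is an assumption inferred from the restorecon output in Comment 2.

```python
import re

# Abridged from the audit events and restorecon output quoted in this bug;
# event 9999 is a constructed contrast case, not taken from the report.
AUDIT = '''
type=PATH msg=audit(1340012061.254:2183): item=0 name="/var/lock/iscsi/lock" inode=571697 obj=unconfined_u:object_r:var_lock_t:s0
type=AVC msg=audit(1340012061.254:2183): avc:  denied  { read write } for  pid=20506 comm="iscsid" name="lock" dev="tmpfs" ino=571697 scontext=system_u:system_r:iscsid_t:s0 tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=file
type=PATH msg=audit(1340012061.254:2184): item=1 name="/var/lock/iscsi/lock.write" inode=571696 obj=unconfined_u:object_r:var_lock_t:s0
type=PATH msg=audit(1340012061.254:2184): item=0 name="/var/lock/iscsi/lock" inode=571697 obj=unconfined_u:object_r:var_lock_t:s0
type=AVC msg=audit(1340012061.254:2184): avc:  denied  { link } for  pid=20506 comm="iscsid" name="lock" dev="tmpfs" ino=571697 scontext=system_u:system_r:iscsid_t:s0 tcontext=unconfined_u:object_r:var_lock_t:s0 tclass=file
type=PATH msg=audit(1340012099.000:9999): item=0 name="/etc/example.conf" inode=42 obj=system_u:object_r:etc_t:s0
type=AVC msg=audit(1340012099.000:9999): avc:  denied  { write } for  pid=20506 comm="iscsid" name="example.conf" dev="dm-0" ino=42 scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
'''
RESTORECON = '''
restorecon reset /run/lock/iscsi context unconfined_u:object_r:var_lock_t:s0->unconfined_u:object_r:iscsi_lock_t:s0
restorecon reset /run/lock/iscsi/lock context unconfined_u:object_r:var_lock_t:s0->unconfined_u:object_r:iscsi_lock_t:s0
'''
# Assumption: /var/lock is a symlink to /run/lock, as the restorecon output implies.
ALIASES = {"/var/lock": "/run/lock"}

PATH_RE = re.compile(r'type=PATH msg=audit\(([\d.:]+)\): .*?name="([^"]+)" inode=(\d+)')
AVC_RE = re.compile(r'type=AVC msg=audit\(([\d.:]+)\): avc:\s+denied\s+\{ ([^}]+) \}'
                    r'.*?ino=(\d+).*?tcontext=[^:]+:[^:]+:([^:\s]+)')
RELABEL_RE = re.compile(r'^restorecon reset (\S+) context [^:]+:[^:]+:([^:]+):\S*'
                        r'->[^:]+:[^:]+:([^:]+):', re.M)

def canonical(path):
    """Rewrite a known symlinked prefix so audit and restorecon paths compare equal."""
    for alias, real in ALIASES.items():
        if path == alias or path.startswith(alias + "/"):
            return real + path[len(alias):]
    return path

def triage(audit_text, restorecon_text):
    """Return (event, perms, path, verdict) for every AVC denial."""
    relabels = {p: (old, new) for p, old, new in RELABEL_RE.findall(restorecon_text)}
    # PATH and AVC records of one syscall share the event id; join on (event, inode).
    paths = {(ev, ino): canonical(name) for ev, name, ino in PATH_RE.findall(audit_text)}
    results = []
    for ev, perms, ino, ttype in AVC_RE.findall(audit_text):
        path = paths.get((ev, ino), "?")
        old, new = relabels.get(path, (None, None))
        verdict = f"mislabeled, expected {new}" if old == ttype else "not flagged by restorecon"
        results.append((ev.split(":")[1], perms, path, verdict))
    return results

if __name__ == "__main__":
    for row in triage(AUDIT, RESTORECON):
        print(*row, sep=" | ")
```

A "mislabeled" verdict points at whatever created the file with the wrong context; "not flagged by restorecon" means the label matches the policy default and the denial needs a policy or application review instead.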
