Bug 837570 - tgtd fails to start with selinux on enforce mode
Status: NEW
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: scsi-target-utils
Version: 6.3
Hardware / OS: Unspecified / Unspecified
Priority: medium    Severity: medium
Target Milestone: rc
Target Release: ---
Assigned To: Andy Grover
QA Contact: Bruno Goncalves
Reported: 2012-07-04 05:30 EDT by Bruno Goncalves
Modified: 2017-07-01 01:49 EDT
Type: Bug
Attachments: None

Description Bruno Goncalves 2012-07-04 05:30:47 EDT
Description of problem:
tgtd is not able to start when there is a LUN configured and SELinux is in enforcing mode.

Version-Release number of selected component (if applicable):
rpm -q scsi-target-utils
scsi-target-utils-1.0.24-2.el6.x86_64

rpm -q selinux-policy
selinux-policy-3.7.19-154.el6.noarch


How reproducible:
100%

Steps to Reproduce:
1. Set SELinux to enforcing: echo 1 > /selinux/enforce
2. service tgtd restart
Stopping SCSI target daemon:                               [  OK  ]
Starting SCSI target daemon:                               [  OK  ]
tgtadm: invalid request
Command:
	tgtadm -C 0 --lld iscsi --op new --mode logicalunit --tid 1 --lun 1 -b /var/lib/tgtd/loop-disk-1-1

  
Actual results:
backed_file_open(92) Could not open /var/lib/tgtd/loop-disk-1-1

ausearch -m avc -ts recent | grep tgtd
type=SYSCALL msg=audit(1341392755.939:41): arch=c000003e syscall=2 success=no exit=-13 a0=2492880 a1=2 a2=7fff56d00eb0 a3=1c items=0 ppid=1 pid=9980 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=10 comm="tgtd" exe="/usr/sbin/tgtd" subj=unconfined_u:system_r:tgtd_t:s0 key=(null)
type=AVC msg=audit(1341392755.939:41): avc:  denied  { read write } for  pid=9980 comm="tgtd" name="loop-disk-1-1" dev=dm-0 ino=174084 scontext=unconfined_u:system_r:tgtd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1341392755.939:42): arch=c000003e syscall=2 success=no exit=-13 a0=2492880 a1=0 a2=7fff56d00eb0 a3=2c312d312d6b7369 items=0 ppid=1 pid=9980 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=10 comm="tgtd" exe="/usr/sbin/tgtd" subj=unconfined_u:system_r:tgtd_t:s0 key=(null)
type=AVC msg=audit(1341392755.939:42): avc:  denied  { read } for  pid=9980 comm="tgtd" name="loop-disk-1-1" dev=dm-0 ino=174084 scontext=unconfined_u:system_r:tgtd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file


Expected results:
tgtd should start without any problem.

Additional info:
There is one workaround, which is to add /var/lib/tgtd to the tgtd spec file, running:
restorecon -R -v /var/lib/tgtd

If tgtd created this directory automatically the workaround might not be necessary; the manual also needs to be updated to tell the user to create the LUNs under this directory.
Comment 1 RHEL Product and Program Management 2012-07-10 03:01:50 EDT
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.
Comment 2 RHEL Product and Program Management 2012-07-10 21:54:34 EDT
This request was erroneously removed from consideration in Red Hat Enterprise Linux 6.4, which is currently under development.  This request will be evaluated for inclusion in Red Hat Enterprise Linux 6.4.
Comment 3 RHEL Product and Program Management 2012-09-07 01:23:29 EDT
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated
in the current release, Red Hat is unable to address this
request at this time.

Red Hat invites you to ask your support representative to
propose this request, if appropriate, in the next release of
Red Hat Enterprise Linux.
Comment 4 Miroslav Grepl 2012-12-20 03:12:58 EST
# matchpathcon /var/lib/tgtd
/var/lib/tgtd	system_u:object_r:tgtd_var_lib_t:s0

tells me the /var/lib/tgtd is mislabeled.

# restorecon -R -v  /var/lib/tgtd

Did you re-create it?


What does

# rpm -qf /var/lib/tgtd
Comment 5 Bruno Goncalves 2012-12-21 03:36:36 EST
What would be the expected return of
# matchpathcon /var/lib/tgtd ?

I don't know if restorecon has been executed before, but I need to run it once before starting tgtd.


rpm -qf /var/lib/tgtd
file /var/lib/tgtd is not owned by any package
Comment 6 Miroslav Grepl 2012-12-21 05:43:59 EST
Ok, this is a problem. How is this directory created?
Comment 7 Bruno Goncalves 2012-12-21 06:56:00 EST
This directory is created manually as it seems tgtd does not have any place to store the LUN images.
Comment 8 Miroslav Grepl 2013-01-02 02:18:32 EST
(In reply to comment #7)
> This directory is created manually as it seems tgtd does not have any place
> to store the LUN images.

Then the restorecon is needed.

Also this directory should be created by rpm then it gets the correct labeling.
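The two diagnostic steps in this report, reading the AVC records in the description to see which domain was denied on which file type, and comparing a directory's on-disk label with the policy default as in comment 4, can be scripted. The following is an added example and is not code from the bug report, from scsi-target-utils or from selinux-policy. The sample records are the two AVC lines quoted in the description; the function names (avc_summary, ctx_type, label_matches, looks_mislabeled, check_path) are this example's own; and the list of generic base types in looks_mislabeled is an assumption about what usually indicates a missed restorecon, not a fact taken from the policy. It runs on POSIX sh with awk; the live check in check_path calls matchpathcon, stat -c %C and restorecon only when those tools exist on the host.

```shell
#!/bin/sh
# Added example, not part of the bug report or of scsi-target-utils.
# Parses AVC denials and checks a path's label against the policy default.

# Constructed sample input: the two AVC records quoted in the bug description.
SAMPLE_AVC='type=AVC msg=audit(1341392755.939:41): avc:  denied  { read write } for  pid=9980 comm="tgtd" name="loop-disk-1-1" dev=dm-0 ino=174084 scontext=unconfined_u:system_r:tgtd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1341392755.939:42): avc:  denied  { read } for  pid=9980 comm="tgtd" name="loop-disk-1-1" dev=dm-0 ino=174084 scontext=unconfined_u:system_r:tgtd_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file'

# avc_summary: read audit records on stdin (e.g. from "ausearch -m avc") and
# print one line per denial:  comm tclass perms name source_type target_type
# The type is the third colon-separated component of an SELinux context.
avc_summary() {
    awk '
    function field(line, key,    v) {
        v = line
        if (!sub(".*" key "=", "", v)) return ""
        sub(/ .*/, "", v); gsub(/"/, "", v)
        return v
    }
    /^type=AVC / && /denied/ {
        perms = $0
        sub(/.*denied  *[{] */, "", perms); sub(/ *[}].*/, "", perms)
        gsub(/ /, ",", perms)
        split(field($0, "scontext"), s, ":")
        split(field($0, "tcontext"), t, ":")
        print field($0, "comm"), field($0, "tclass"), perms, field($0, "name"), s[3], t[3]
    }'
}

# ctx_type CONTEXT: print the type of a context such as system_u:object_r:tgtd_var_lib_t:s0.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# label_matches EXPECTED ACTUAL: succeed when both contexts carry the same type.
# Only the type is compared: a file created by a logged-in admin carries
# unconfined_u where the policy default says system_u, and that is harmless.
label_matches() {
    [ "$(ctx_type "$1")" = "$(ctx_type "$2")" ]
}

# looks_mislabeled SRC_TYPE TGT_TYPE: succeed when a confined domain was denied
# on a file that still carries a generic parent-directory type. Assumption:
# these base types are what a hand-made directory inherits when it never got
# the more specific context the policy defines for that path.
looks_mislabeled() {
    [ "$1" != unconfined_t ] || return 1
    case "$2" in
        var_lib_t|var_t|etc_t|usr_t|default_t) return 0 ;;
        *) return 1 ;;
    esac
}

# check_path PATH: compare the on-disk label with the policy default for PATH
# and relabel if the type differs. Needs matchpathcon (libselinux) and GNU stat.
check_path() {
    path=$1
    command -v matchpathcon >/dev/null 2>&1 || { echo "matchpathcon not available"; return 2; }
    expected=$(matchpathcon -n "$path") || return 2   # -n: print the context only
    actual=$(stat -c %C "$path") || return 2          # %C: the file's SELinux context
    if label_matches "$expected" "$actual"; then
        echo "$path: label ok ($actual)"
        return 0
    fi
    echo "$path: policy expects $(ctx_type "$expected"), found $(ctx_type "$actual"); relabeling"
    restorecon -R -v "$path"
}

# Triage the sample: every denial here is tgtd_t against var_lib_t, the
# signature of a backing-store directory that never received tgtd_var_lib_t.
printf '%s\n' "$SAMPLE_AVC" | avc_summary | while read -r comm tclass perms name src tgt; do
    if looks_mislabeled "$src" "$tgt"; then
        echo "$comm denied $perms on $name: $tgt looks like a missed restorecon"
    fi
done
```

Run as root on a host where /var/lib/tgtd was created by hand, `check_path /var/lib/tgtd` reports the var_lib_t label and relabels it; on an install where the directory is shipped by the RPM (and so created with the policy's tgtd_var_lib_t context, which is the fix comment 8 asks for) it reports the label as ok. Only the type is compared because of what the report's own AVC shows: the file carries unconfined_u since an administrator created it, while matchpathcon prints system_u, and that difference does not affect the access decision.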
Comment 9 RHEL Product and Program Management 2013-10-14 00:53:30 EDT
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.
