
Bug 904042

Summary: iscsid generates AVC messages when running CHAP test
Product: Red Hat Enterprise Linux 7
Reporter: Bruno Goncalves <bgoncalv>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED CURRENTRELEASE
QA Contact: Bruno Goncalves <bgoncalv>
Severity: medium
Docs Contact:
Priority: medium
Version: 7.0
CC: agrover, cleech, mgrepl, mmalik
Target Milestone: rc
Keywords: Regression
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-06-13 11:28:15 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Attachments:
iscsid policy for selinux (flags: none)

Description Bruno Goncalves 2013-01-25 10:27:50 UTC
Description of problem:
It seems SELinux is denying iscsid access to /dev/urandom.
The problem occurs when logging in to the iSCSI portal with CHAP settings.

type=SYSCALL msg=audit(1359109359.611:297): arch=c000003e syscall=2 success=no exit=-13 a0=4492b4 a1=0 a2=330 a3=5f74756f items=0 ppid=1 pid=6332 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="iscsid" exe="/usr/sbin/iscsid" subj=system_u:system_r:iscsid_t:s0 key=(null)
type=AVC msg=audit(1359109359.611:297): avc:  denied  { read } for  pid=6332 comm="iscsid" name="urandom" dev="devtmpfs" ino=1033 scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file


Version-Release number of selected component (if applicable):
rpm -q iscsi-initiator-utils
iscsi-initiator-utils-6.2.0.872-19.el7.x86_64

rpm -q selinux-policy
selinux-policy-3.11.1-69.el7.noarch

How reproducible:
100%

Steps to Reproduce:
1. Discovery to the iSCSI portal using 2-way CHAP settings

2. Check for AVC errors; no error is reported
/usr/bin/env LC_ALL=en_US.UTF-8 /sbin/ausearch -m AVC -m USER_AVC -m SELINUX_ERR
<no matches>

3. Log in to the portal
iscsiadm -m node -l

4. Check for AVC errors
/usr/bin/env LC_ALL=en_US.UTF-8 /sbin/ausearch -m AVC -m USER_AVC -m SELINUX_ERR
----
time->Fri Jan 25 05:22:39 2013
type=SYSCALL msg=audit(1359109359.611:297): arch=c000003e syscall=2 success=no exit=-13 a0=4492b4 a1=0 a2=330 a3=5f74756f items=0 ppid=1 pid=6332 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="iscsid" exe="/usr/sbin/iscsid" subj=system_u:system_r:iscsid_t:s0 key=(null)
type=AVC msg=audit(1359109359.611:297): avc:  denied  { read } for  pid=6332 comm="iscsid" name="urandom" dev="devtmpfs" ino=1033 scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file

Expected results:
No AVC message should occur

Comment 1 Bruno Goncalves 2013-01-25 10:29:17 UTC
Setting as regression as there are no AVC messages when running on RHEL-6.

Comment 3 Bruno Goncalves 2013-01-25 14:05:03 UTC
Created attachment 687479 [details]
iscsid policy for selinux

Using the attached policy seems to fix the problem.

Comment 5 Miroslav Grepl 2013-02-22 11:51:07 UTC
It has been added to rawhide.

Comment 6 Bruno Goncalves 2013-03-04 14:27:41 UTC
It is still reproducible with selinux-policy-3.11.1-75.el7.

time->Mon Mar  4 04:32:45 2013
type=SYSCALL msg=audit(1362389565.749:321): arch=c000003e syscall=2 success=no exit=-13 a0=44afd4 a1=0 a2=370 a3=5f74756f items=0 ppid=1 pid=11597 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="iscsid" exe="/usr/sbin/iscsid" subj=unconfined_u:system_r:iscsid_t:s0 key=(null)
type=AVC msg=audit(1362389565.749:321): avc:  denied  { read } for  pid=11597 comm="iscsid" name="urandom" dev="devtmpfs" ino=5573 scontext=unconfined_u:system_r:iscsid_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file

Comment 7 Miroslav Grepl 2013-03-05 08:05:56 UTC
Yes, the fix is included in selinux-policy-3.12.1-14.el7.

Comment 8 Bruno Goncalves 2013-03-19 10:11:29 UTC
With selinux-policy-3.12.1-18.el7 there is a new AVC message; the previous one seems to have been fixed.

time->Mon Mar 18 12:20:01 2013
type=SYSCALL msg=audit(1363623601.404:329): arch=c000003e syscall=257 success=no exit=-13 a0=ffffffffffffff9c a1=404923 a2=90800 a3=0 items=0 ppid=4114 pid=4116 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=2 tty=(none) comm="tmpwatch" exe="/usr/sbin/tmpwatch" subj=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1363623601.404:329): avc:  denied  { read } for  pid=4116 comm="tmpwatch" name="tmp" dev="dm-1" ino=134735169 scontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 tcontext=system_u:object_r:print_spool_t:s0 tclass=dir
Fail: AVC messages found.
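An added example, not part of this bug report or of the selinux-policy package: it reduces ausearch output like the records above to (source type, target type, class, permission) signatures and diffs two runs, which is what tracking a denial across policy builds comes down to. The sample lines are the AVC records quoted in the description and in comment 8.

```python
import re

# Fixed prefix of an AVC record as printed by ausearch/auditd.
AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+avc:\s+"
    r"(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs after "for": quoted (comm="iscsid") or bare (pid=6332).
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Sample input quoted from this report (description and comment 8); time-> lines are skipped.
BEFORE_FIX = """time->Fri Jan 25 05:22:39 2013
type=AVC msg=audit(1359109359.611:297): avc:  denied  { read } for  pid=6332 comm="iscsid" name="urandom" dev="devtmpfs" ino=1033 scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
""".splitlines()
AFTER_FIX = """time->Mon Mar 18 12:20:01 2013
type=AVC msg=audit(1363623601.404:329): avc:  denied  { read } for  pid=4116 comm="tmpwatch" name="tmp" dev="dm-1" ino=134735169 scontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 tcontext=system_u:object_r:print_spool_t:s0 tclass=dir
""".splitlines()

def parse_avc(line):
    """Parse one type=AVC line into a dict; raise ValueError for any other record."""
    m = AVC_RE.match(line.strip())
    if m is None:
        raise ValueError("not an AVC record: %r" % line[:40])
    rec = {"timestamp": float(m["ts"]), "serial": int(m["serial"]),
           "verdict": m["verdict"], "perms": m["perms"].split()}
    for key, value in FIELD_RE.findall(m["fields"]):
        rec[key] = value.strip('"')
    # Contexts are user:role:type[:range]; the MLS range may hold more colons, so index, don't unpack.
    for ctx in ("scontext", "tcontext"):
        rec[ctx + "_type"] = rec[ctx].split(":")[2]
    return rec

def signatures(lines):
    """(source type, target type, tclass, perm) for each denial; pids, inodes and
    timestamps are dropped so two ausearch runs can be compared."""
    sigs = set()
    for line in lines:
        if not line.lstrip().startswith("type=AVC"):
            continue  # time-> headers, SYSCALL/PATH records, '----' separators
        rec = parse_avc(line)
        if rec["verdict"] == "denied":
            for perm in rec["perms"]:  # "{ read write }" yields two signatures
                sigs.add((rec["scontext_type"], rec["tcontext_type"], rec["tclass"], perm))
    return sigs

def diff_denials(baseline, current):
    """Return (new, resolved) denial signatures between two runs, e.g. across a selinux-policy update."""
    old, new = signatures(baseline), signatures(current)
    return sorted(new - old), sorted(old - new)
```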

Comment 9 Miroslav Grepl 2013-03-20 18:07:14 UTC
What does 

# ls -dZ /tmp /var/tmp

Comment 10 Bruno Goncalves 2013-03-21 11:43:27 UTC
ls -dZ /tmp /var/tmp
drwxrwxrwt. root root system_u:object_r:tmp_t:s0       /tmp
drwxrwxrwt. root root system_u:object_r:tmp_t:s0       /var/tmp

Comment 11 Milos Malik 2013-03-27 13:44:58 UTC
Happens on my machine each day:
----
time->Wed Mar 27 03:36:01 2013
type=PATH msg=audit(1364351761.298:29061): item=0 name="." inode=1576201 dev=08:04 mode=041770 ouid=0 ogid=7 rdev=00:00 obj=system_u:object_r:print_spool_t:s0
type=CWD msg=audit(1364351761.298:29061):  cwd="/var/spool/cups/tmp"
type=SYSCALL msg=audit(1364351761.298:29061): arch=c000003e syscall=257 success=no exit=-13 a0=ffffffffffffff9c a1=404923 a2=90800 a3=0 items=1 ppid=9386 pid=9388 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=3493 tty=(none) comm="tmpwatch" exe="/usr/sbin/tmpwatch" subj=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1364351761.298:29061): avc:  denied  { read } for  pid=9388 comm="tmpwatch" name="tmp" dev="sda4" ino=1576201 scontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 tcontext=system_u:object_r:print_spool_t:s0 tclass=dir
----

Comment 12 Miroslav Grepl 2013-03-27 14:14:25 UTC
Does it need only "read"?

Comment 13 Bruno Goncalves 2013-03-27 14:34:11 UTC
During my tests that is the only message that appears.

Comment 14 Milos Malik 2013-04-18 06:53:29 UTC
The AVC mentioned in comment #11 appeared again. Here is the log file:
 * http://beaker-archive.app.eng.bos.redhat.com/beaker-logs/2013/04/4056/405626/853396/12002605/TESTOUT.log

Comment 15 Miroslav Grepl 2013-04-18 11:58:22 UTC
Added.

Comment 17 Ludek Smid 2014-06-13 11:28:15 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.