Bug 904042 - iscsid generates AVC messages when running CHAP test
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
7.0
All Linux
medium Severity medium
: rc
: ---
Assigned To: Miroslav Grepl
Bruno Goncalves
Keywords: Regression
Depends On:
Blocks:
Reported: 2013-01-25 05:27 EST by Bruno Goncalves
Modified: 2015-02-18 09:52 EST (History)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-06-13 07:28:15 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments
iscsid policy for selinux (413 bytes, text/plain)
2013-01-25 09:05 EST, Bruno Goncalves
Description Bruno Goncalves 2013-01-25 05:27:50 EST
Description of problem:
It seems SELinux is denying iscsid access to /dev/urandom.
The problem occurs when logging in to the iSCSI portal with CHAP settings.

type=SYSCALL msg=audit(1359109359.611:297): arch=c000003e syscall=2 success=no exit=-13 a0=4492b4 a1=0 a2=330 a3=5f74756f items=0 ppid=1 pid=6332 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="iscsid" exe="/usr/sbin/iscsid" subj=system_u:system_r:iscsid_t:s0 key=(null)
type=AVC msg=audit(1359109359.611:297): avc:  denied  { read } for  pid=6332 comm="iscsid" name="urandom" dev="devtmpfs" ino=1033 scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file


Version-Release number of selected component (if applicable):
rpm -q iscsi-initiator-utils
iscsi-initiator-utils-6.2.0.872-19.el7.x86_64

rpm -q selinux-policy
selinux-policy-3.11.1-69.el7.noarch

How reproducible:
100%

Steps to Reproduce:
1. Discovery to the iSCSI portal using two-way CHAP settings

2. Check for AVC errors; no error is reported
/usr/bin/env LC_ALL=en_US.UTF-8 /sbin/ausearch -m AVC -m USER_AVC -m SELINUX_ERR
<no matches>


3. Log in to the portal
iscsiadm -m node -l



4. Check for AVC errors
/usr/bin/env LC_ALL=en_US.UTF-8 /sbin/ausearch -m AVC -m USER_AVC -m SELINUX_ERR
----
time->Fri Jan 25 05:22:39 2013
type=SYSCALL msg=audit(1359109359.611:297): arch=c000003e syscall=2 success=no exit=-13 a0=4492b4 a1=0 a2=330 a3=5f74756f items=0 ppid=1 pid=6332 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="iscsid" exe="/usr/sbin/iscsid" subj=system_u:system_r:iscsid_t:s0 key=(null)
type=AVC msg=audit(1359109359.611:297): avc:  denied  { read } for  pid=6332 comm="iscsid" name="urandom" dev="devtmpfs" ino=1033 scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file


Expected results:
No AVC message should occur
Comment 1 Bruno Goncalves 2013-01-25 05:29:17 EST
Setting as regression as there are no AVC messages when running on RHEL-6.
Comment 3 Bruno Goncalves 2013-01-25 09:05:03 EST
Created attachment 687479 [details]
iscsid policy for selinux

Using the attached policy seems to fix the problem.
Comment 5 Miroslav Grepl 2013-02-22 06:51:07 EST
It has been added to rawhide.
Comment 6 Bruno Goncalves 2013-03-04 09:27:41 EST
It is still reproducible with selinux-policy-3.11.1-75.el7.

time->Mon Mar  4 04:32:45 2013
type=SYSCALL msg=audit(1362389565.749:321): arch=c000003e syscall=2 success=no exit=-13 a0=44afd4 a1=0 a2=370 a3=5f74756f items=0 ppid=1 pid=11597 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="iscsid" exe="/usr/sbin/iscsid" subj=unconfined_u:system_r:iscsid_t:s0 key=(null)
type=AVC msg=audit(1362389565.749:321): avc:  denied  { read } for  pid=11597 comm="iscsid" name="urandom" dev="devtmpfs" ino=5573 scontext=unconfined_u:system_r:iscsid_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
Comment 7 Miroslav Grepl 2013-03-05 03:05:56 EST
Yes, the fix is included in selinux-policy-3.12.1-14.el7.
Comment 8 Bruno Goncalves 2013-03-19 06:11:29 EDT
With selinux-policy-3.12.1-18.el7 a new AVC message appears; the previous one seems to have been fixed.


time->Mon Mar 18 12:20:01 2013
type=SYSCALL msg=audit(1363623601.404:329): arch=c000003e syscall=257 success=no exit=-13 a0=ffffffffffffff9c a1=404923 a2=90800 a3=0 items=0 ppid=4114 pid=4116 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=2 tty=(none) comm="tmpwatch" exe="/usr/sbin/tmpwatch" subj=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1363623601.404:329): avc:  denied  { read } for  pid=4116 comm="tmpwatch" name="tmp" dev="dm-1" ino=134735169 scontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 tcontext=system_u:object_r:print_spool_t:s0 tclass=dir
Fail: AVC messages found.
Comment 9 Miroslav Grepl 2013-03-20 14:07:14 EDT
What does 

# ls -dZ /tmp /var/tmp
Comment 10 Bruno Goncalves 2013-03-21 07:43:27 EDT
ls -dZ /tmp /var/tmp
drwxrwxrwt. root root system_u:object_r:tmp_t:s0       /tmp
drwxrwxrwt. root root system_u:object_r:tmp_t:s0       /var/tmp
Comment 11 Milos Malik 2013-03-27 09:44:58 EDT
Happens on my machine each day:
----
time->Wed Mar 27 03:36:01 2013
type=PATH msg=audit(1364351761.298:29061): item=0 name="." inode=1576201 dev=08:04 mode=041770 ouid=0 ogid=7 rdev=00:00 obj=system_u:object_r:print_spool_t:s0
type=CWD msg=audit(1364351761.298:29061):  cwd="/var/spool/cups/tmp"
type=SYSCALL msg=audit(1364351761.298:29061): arch=c000003e syscall=257 success=no exit=-13 a0=ffffffffffffff9c a1=404923 a2=90800 a3=0 items=1 ppid=9386 pid=9388 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=3493 tty=(none) comm="tmpwatch" exe="/usr/sbin/tmpwatch" subj=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1364351761.298:29061): avc:  denied  { read } for  pid=9388 comm="tmpwatch" name="tmp" dev="sda4" ino=1576201 scontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 tcontext=system_u:object_r:print_spool_t:s0 tclass=dir
----
Comment 12 Miroslav Grepl 2013-03-27 10:14:25 EDT
Does it need only "read"?
Comment 13 Bruno Goncalves 2013-03-27 10:34:11 EDT
During my tests that is the only message that appears.
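The AVC records in this bug (iscsid_t denied read on urandom_device_t in the description and comment 6, tmpreaper_t denied read on print_spool_t in comments 8 and 11) and the question in comment 12 of which permissions a fix actually needs are the kind of triage that audit2allow automates. The following added example, which is not part of the bug report or of the attached policy, does that triage by hand: it parses type=AVC records, groups the denied permissions by (source type, target type, object class) so that records differing only in SELinux user or MLS range collapse into one access vector, and renders the allow rules and a loadable-module .te skeleton. The audit lines are constructed from the records quoted on this page (the SYSCALL record is abridged), and the module name local_avc_fix is an assumption.

```python
import re

# Constructed sample: the AVC records quoted in this bug (iscsid reading
# /dev/urandom, reported twice with different SELinux users, and tmpwatch
# reading /var/spool/cups/tmp) plus an abridged SYSCALL record to be ignored.
SAMPLE_AUDIT_LOG = """\
time->Fri Jan 25 05:22:39 2013
type=SYSCALL msg=audit(1359109359.611:297): arch=c000003e syscall=2 success=no exit=-13 comm="iscsid" exe="/usr/sbin/iscsid" subj=system_u:system_r:iscsid_t:s0 key=(null)
type=AVC msg=audit(1359109359.611:297): avc:  denied  { read } for  pid=6332 comm="iscsid" name="urandom" dev="devtmpfs" ino=1033 scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=AVC msg=audit(1362389565.749:321): avc:  denied  { read } for  pid=11597 comm="iscsid" name="urandom" dev="devtmpfs" ino=5573 scontext=unconfined_u:system_r:iscsid_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
type=AVC msg=audit(1364351761.298:29061): avc:  denied  { read } for  pid=9388 comm="tmpwatch" name="tmp" dev="sda4" ino=1576201 scontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 tcontext=system_u:object_r:print_spool_t:s0 tclass=dir
"""

# "avc:  denied  { read write } for  pid=... comm=... scontext=... tclass=..."
AVC_RE = re.compile(r"avc:\s+(?P<verdict>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Return the type field of a user:role:type[:range] security context."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one type=AVC record; return None for any other record type."""
    line = line.strip()
    if not line.startswith("type=AVC"):
        return None
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
    return {
        "verdict": m.group("verdict"),
        "perms": frozenset(m.group("perms").split()),
        "source_type": context_type(fields["scontext"]),
        "target_type": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        "comm": fields.get("comm"),
        "name": fields.get("name"),
    }


def summarize_denials(lines):
    """Group denied permissions by (source type, target type, object class).

    Keying on types rather than full contexts is what merges the system_u and
    unconfined_u iscsid records into a single access vector."""
    summary = {}
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        key = (rec["source_type"], rec["target_type"], rec["tclass"])
        summary.setdefault(key, set()).update(rec["perms"])
    return summary


def _perm_list(perms):
    """Render a permission set the way policy source writes it."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def allow_rules(summary):
    """One allow rule per access vector, in the form audit2allow prints."""
    return sorted(f"allow {s} {t}:{c} {_perm_list(p)};" for (s, t, c), p in summary.items())


def module_te(name, summary):
    """Render loadable-module .te source: header, require block, allow rules."""
    types = sorted({x for (s, t, _c) in summary for x in (s, t)})
    classes = {}
    for (_s, _t, c), p in summary.items():
        classes.setdefault(c, set()).update(p)
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {x};" for x in types]
    out += [f"\tclass {c} {_perm_list(classes[c])};" for c in sorted(classes)]
    out += ["}", ""] + allow_rules(summary)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Module name is an assumption for this example.
    print(module_te("local_avc_fix", summarize_denials(SAMPLE_AUDIT_LOG.splitlines())))
```

On the page's records this yields exactly two rules, `allow iscsid_t urandom_device_t:chr_file read;` and `allow tmpreaper_t print_spool_t:dir read;`, which answers comment 12: only read is requested. A raw allow of this shape is what a local module would carry; in the reference policy the same access is normally granted through an interface (dev_read_urand() for the urandom case) so that the rule follows the target type if it is ever relabelled.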
Comment 14 Milos Malik 2013-04-18 02:53:29 EDT
The AVC mentioned in comment#11 appeared again. Here is the log file:
 * http://beaker-archive.app.eng.bos.redhat.com/beaker-logs/2013/04/4056/405626/853396/12002605/TESTOUT.log
Comment 15 Miroslav Grepl 2013-04-18 07:58:22 EDT
Added.
Comment 17 Ludek Smid 2014-06-13 07:28:15 EDT
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.