Bug 904042
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | iscsid generates AVC messages when running CHAP test | | |
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Bruno Goncalves <bgoncalv> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Bruno Goncalves <bgoncalv> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 7.0 | CC: | agrover, cleech, mgrepl, mmalik |
| Target Milestone: | rc | Keywords: | Regression |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2014-06-13 11:28:15 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Attachments: | | | |
Description of problem:

It seems SELinux is denying iscsid access to /dev/urandom. The problem occurs when logging in to an iSCSI portal with CHAP settings.

```
type=SYSCALL msg=audit(1359109359.611:297): arch=c000003e syscall=2 success=no exit=-13 a0=4492b4 a1=0 a2=330 a3=5f74756f items=0 ppid=1 pid=6332 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="iscsid" exe="/usr/sbin/iscsid" subj=system_u:system_r:iscsid_t:s0 key=(null)
type=AVC msg=audit(1359109359.611:297): avc: denied { read } for pid=6332 comm="iscsid" name="urandom" dev="devtmpfs" ino=1033 scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
```

Version-Release number of selected component (if applicable):

```
rpm -q iscsi-initiator-utils
iscsi-initiator-utils-6.2.0.872-19.el7.x86_64
rpm -q selinux-policy
selinux-policy-3.11.1-69.el7.noarch
```

How reproducible:
100%

Steps to Reproduce:

1. Discovery to the iSCSI portal using two-way CHAP settings.
2. Check for AVC errors; no error is reported:

```
/usr/bin/env LC_ALL=en_US.UTF-8 /sbin/ausearch -m AVC -m USER_AVC -m SELINUX_ERR
<no matches>
```

3. Login to the portal:

```
iscsiadm -m node -l
```

4. Check for AVC errors:

```
/usr/bin/env LC_ALL=en_US.UTF-8 /sbin/ausearch -m AVC -m USER_AVC -m SELINUX_ERR
----
time->Fri Jan 25 05:22:39 2013
type=SYSCALL msg=audit(1359109359.611:297): arch=c000003e syscall=2 success=no exit=-13 a0=4492b4 a1=0 a2=330 a3=5f74756f items=0 ppid=1 pid=6332 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="iscsid" exe="/usr/sbin/iscsid" subj=system_u:system_r:iscsid_t:s0 key=(null)
type=AVC msg=audit(1359109359.611:297): avc: denied { read } for pid=6332 comm="iscsid" name="urandom" dev="devtmpfs" ino=1033 scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
```

Expected results:
No AVC message should occur.

Setting as regression as there are no AVC messages when running on RHEL-6.

Created attachment 687479 [details]
iscsid policy for selinux

Using the attached policy seems to fix the problem.

It has been added to rawhide.

It is still reproducible with selinux-policy-3.11.1-75.el7.

```
time->Mon Mar 4 04:32:45 2013
type=SYSCALL msg=audit(1362389565.749:321): arch=c000003e syscall=2 success=no exit=-13 a0=44afd4 a1=0 a2=370 a3=5f74756f items=0 ppid=1 pid=11597 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4294967295 tty=(none) comm="iscsid" exe="/usr/sbin/iscsid" subj=unconfined_u:system_r:iscsid_t:s0 key=(null)
type=AVC msg=audit(1362389565.749:321): avc: denied { read } for pid=11597 comm="iscsid" name="urandom" dev="devtmpfs" ino=5573 scontext=unconfined_u:system_r:iscsid_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
```

Yes, the fix is included in selinux-policy-3.12.1-14.el7.

selinux-policy-3.12.1-18.el7 got a new AVC message; the previous one seems to have been fixed.

```
time->Mon Mar 18 12:20:01 2013
type=SYSCALL msg=audit(1363623601.404:329): arch=c000003e syscall=257 success=no exit=-13 a0=ffffffffffffff9c a1=404923 a2=90800 a3=0 items=0 ppid=4114 pid=4116 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=2 tty=(none) comm="tmpwatch" exe="/usr/sbin/tmpwatch" subj=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1363623601.404:329): avc: denied { read } for pid=4116 comm="tmpwatch" name="tmp" dev="dm-1" ino=134735169 scontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 tcontext=system_u:object_r:print_spool_t:s0 tclass=dir
Fail: AVC messages found.
```

What does

```
# ls -dZ /tmp /var/tmp
```

```
ls -dZ /tmp /var/tmp
drwxrwxrwt. root root system_u:object_r:tmp_t:s0 /tmp
drwxrwxrwt. root root system_u:object_r:tmp_t:s0 /var/tmp
```

Happens on my machine each day:

```
----
time->Wed Mar 27 03:36:01 2013
type=PATH msg=audit(1364351761.298:29061): item=0 name="." inode=1576201 dev=08:04 mode=041770 ouid=0 ogid=7 rdev=00:00 obj=system_u:object_r:print_spool_t:s0
type=CWD msg=audit(1364351761.298:29061): cwd="/var/spool/cups/tmp"
type=SYSCALL msg=audit(1364351761.298:29061): arch=c000003e syscall=257 success=no exit=-13 a0=ffffffffffffff9c a1=404923 a2=90800 a3=0 items=1 ppid=9386 pid=9388 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=3493 tty=(none) comm="tmpwatch" exe="/usr/sbin/tmpwatch" subj=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1364351761.298:29061): avc: denied { read } for pid=9388 comm="tmpwatch" name="tmp" dev="sda4" ino=1576201 scontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 tcontext=system_u:object_r:print_spool_t:s0 tclass=dir
----
```

Does it need only "read"?

During my tests that is the only message that appears.

The AVC mentioned in comment#11 appeared again. Here is the log file:

* http://beaker-archive.app.eng.bos.redhat.com/beaker-logs/2013/04/4056/405626/853396/12002605/TESTOUT.log

Added.

This request was resolved in Red Hat Enterprise Linux 7.0. Contact your manager or support representative in case you have further questions about the request.
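The test harness in this report fails as soon as `ausearch -m AVC -m USER_AVC -m SELINUX_ERR` returns anything, and the follow-up question "Does it need only read?" is exactly what a policy maintainer has to answer from the raw records. The script below is an added example (not code from the bug, from selinux-policy or from iscsi-initiator-utils): it parses AVC records in the format shown above, groups denials by (source type, target type, object class) with the union of permissions requested, emits the audit2allow-style `allow` line each group would need, and returns the same PASS/FAIL verdict the test applies. The sample input is assembled from the audit lines quoted in this report; the function names and the "PASS"/"FAIL" strings are this example's own choices.

```python
"""Summarise SELinux AVC denials from `ausearch -m AVC` output.

Added example for bug 904042; not part of selinux-policy or
iscsi-initiator-utils. Function names and the PASS/FAIL verdict strings
are this example's own conventions.
"""
import re
from collections import defaultdict

# Constructed sample: the audit records quoted in the report, in the
# layout ausearch prints them (separators and time-> lines included).
SAMPLE_AUDIT = """\
----
time->Mon Mar 4 04:32:45 2013
type=AVC msg=audit(1362389565.749:321): avc: denied { read } for pid=11597 comm="iscsid" name="urandom" dev="devtmpfs" ino=5573 scontext=unconfined_u:system_r:iscsid_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file
----
time->Mon Mar 18 12:20:01 2013
type=SYSCALL msg=audit(1363623601.404:329): arch=c000003e syscall=257 success=no exit=-13 a0=ffffffffffffff9c a1=404923 a2=90800 a3=0 items=0 ppid=4114 pid=4116 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=2 tty=(none) comm="tmpwatch" exe="/usr/sbin/tmpwatch" subj=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1363623601.404:329): avc: denied { read } for pid=4116 comm="tmpwatch" name="tmp" dev="dm-1" ino=134735169 scontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 tcontext=system_u:object_r:print_spool_t:s0 tclass=dir
----
time->Wed Mar 27 03:36:01 2013
type=AVC msg=audit(1364351761.298:29061): avc: denied { read } for pid=9388 comm="tmpwatch" name="tmp" dev="sda4" ino=1576201 scontext=system_u:system_r:tmpreaper_t:s0-s0:c0.c1023 tcontext=system_u:object_r:print_spool_t:s0 tclass=dir
"""

# One AVC record: header, result, permission set, then key=value fields.
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+"
    r"(?P<fields>.*)$"
)
# key=value pairs; values are either double-quoted or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC record, or None for any other line."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": frozenset(m.group("perms").split()),
    }
    for key, raw in FIELD_RE.findall(m.group("fields")):
        rec[key] = raw.strip('"')
    return rec


def context_type(ctx):
    """Extract the type from user:role:type[:range] (MLS range is optional)."""
    return ctx.split(":")[2]


def summarise(lines):
    """Group denials by (source type, target type, class) with merged perms."""
    summary = defaultdict(lambda: {"perms": set(), "count": 0, "comms": set()})
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        key = (context_type(rec["scontext"]),
               context_type(rec["tcontext"]),
               rec["tclass"])
        entry = summary[key]
        entry["perms"] |= rec["perms"]
        entry["count"] += 1
        entry["comms"].add(rec.get("comm", "?"))
    return dict(summary)


def allow_rules(summary):
    """Render each group as the raw allow rule audit2allow would propose."""
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(entry['perms']))} }};"
        for (src, tgt, cls), entry in sorted(summary.items())
    ]


def verdict(lines):
    """Mirror the test in the report: any denial at all is a failure."""
    return "FAIL" if summarise(lines) else "PASS"


if __name__ == "__main__":
    import sys
    # Pipe ausearch output into the script, or run it without input to
    # summarise the records quoted in the report.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_AUDIT
    lines = text.splitlines()
    for (src, tgt, cls), entry in sorted(summarise(lines).items()):
        print(f"{src} -> {tgt}:{cls} perms={sorted(entry['perms'])} "
              f"count={entry['count']} comm={sorted(entry['comms'])}")
    for rule in allow_rules(summarise(lines)):
        print(rule)
    print(verdict(lines))
```

Run as `ausearch -m AVC -m USER_AVC -m SELINUX_ERR | python3 avc_summary.py` on a test host; for the records in this report it prints one group for `iscsid_t` on `urandom_device_t:chr_file` and one for `tmpreaper_t` on `print_spool_t:dir`, each needing only `read`, which answers the "Does it need only read?" question directly. The raw `allow` lines are for diagnosis; a distribution policy fix such as the attachment here expresses the same access through the policy's interface macros rather than a bare rule, and a denial on a mislabelled target (the `print_spool_t` directory under `/var/spool/cups/tmp` being swept by tmpwatch) may call for a labelling or exclusion fix rather than a new allow rule.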