Description of problem:
If tgtd is configured with iser driver, tgtd is not able to start nor stop properly. Disabling selinux seems to solve the problem.

Version-Release number of selected component (if applicable):
rpm -q scsi-target-utils
scsi-target-utils-1.0.24-2.el6.x86_64
rpm -q selinux-policy
selinux-policy-3.7.19-195.el6.noarch

How reproducible:
100%

Steps to Reproduce:
1. ps -ef | grep tgtd
root 1057 2 0 04:24 ? 00:00:00 [scsi_tgtd/0]
root 1058 2 0 04:24 ? 00:00:00 [scsi_tgtd/1]
root 1059 2 0 04:24 ? 00:00:00 [scsi_tgtd/2]
root 1060 2 0 04:24 ? 00:00:00 [scsi_tgtd/3]
root 23710 1 0 05:16 ? 00:00:00 tgtd
root 23711 23710 0 05:16 ? 00:00:00 tgtd
root 23733 9467 0 05:17 pts/0 00:00:00 /bin/grep --color=tty tgtd

2. service tgtd stop
Stopping SCSI target daemon: [ OK ]

3. ps -ef | grep tgtd
root 1057 2 0 04:24 ? 00:00:00 [scsi_tgtd/0]
root 1058 2 0 04:24 ? 00:00:00 [scsi_tgtd/1]
root 1059 2 0 04:24 ? 00:00:00 [scsi_tgtd/2]
root 1060 2 0 04:24 ? 00:00:00 [scsi_tgtd/3]
root 10725 1 0 05:07 ? 00:00:00 tgtd
root 10726 10725 0 05:07 ? 00:00:00 tgtd
root 23751 9467 0 05:18 pts/0 00:00:00 /bin/grep --color=tty tgtd

4. service tgtd restart
Stopping SCSI target daemon: not running[FAILED]
Starting SCSI target daemon: [ OK ]
tgtadm: can't find the driver
Command:
tgtadm -C 0 --lld iser --op new --mode target --tid 1 -T iqn.2009-10.com.redhat:storage-1
exited with code: 22.

5. ps -ef | grep tgtd
root 1057 2 0 04:24 ? 00:00:00 [scsi_tgtd/0]
root 1058 2 0 04:24 ? 00:00:00 [scsi_tgtd/1]
root 1059 2 0 04:24 ? 00:00:00 [scsi_tgtd/2]
root 1060 2 0 04:24 ? 00:00:00 [scsi_tgtd/3]
root 10725 1 0 05:07 ? 00:00:00 tgtd
root 10726 10725 0 05:07 ? 00:00:00 tgtd
root 23768 1 0 05:19 ? 00:00:00 tgtd
root 23769 23768 0 05:19 ? 00:00:00 tgtd
root 23779 9467 0 05:19 pts/0 00:00:00 /bin/grep --color=tty tgtd

6. killall -9 tgtd

7. ps -ef | grep tgtd
root 1057 2 0 04:24 ? 00:00:00 [scsi_tgtd/0]
root 1058 2 0 04:24 ? 00:00:00 [scsi_tgtd/1]
root 1059 2 0 04:24 ? 00:00:00 [scsi_tgtd/2]
root 1060 2 0 04:24 ? 00:00:00 [scsi_tgtd/3]
root 23785 9467 0 05:20 pts/0 00:00:00 /bin/grep --color=tty tgtd

8. service tgtd start
Starting SCSI target daemon: [ OK ]
tgtadm: can't find the driver
Command:
tgtadm -C 0 --lld iser --op new --mode target --tid 1 -T iqn.2009-10.com.redhat:storage-1
exited with code: 22.

9. ps -ef | grep tgtd
root 1057 2 0 04:24 ? 00:00:00 [scsi_tgtd/0]
root 1058 2 0 04:24 ? 00:00:00 [scsi_tgtd/1]
root 1059 2 0 04:24 ? 00:00:00 [scsi_tgtd/2]
root 1060 2 0 04:24 ? 00:00:00 [scsi_tgtd/3]
root 23868 1 0 05:22 ? 00:00:00 tgtd
root 23869 23868 0 05:22 ? 00:00:00 tgtd
root 23879 9467 0 05:22 pts/0 00:00:00 /bin/grep --color=tty tgtd

Additional info:
cat /etc/tgt/targets.conf
default-driver iser
<target iqn.2009-10.com.redhat:storage-1>
    write-cache off
    allow-in-use yes
    <backing-store /var/lib/tgtd/loop-disk-1-1>
        scsi_sn 1
        scsi_id 1
        lun 1
    </backing-store>
</target>
Created attachment 696053
selinux policy

The attached policy seems to fix the problem.
Could you attach AVC msgs to this local policy?
Created attachment 696401
updated policy

It seems the previous policy added extra rules. This is an updated one.

type=AVC msg=audit(1360656927.397:253): avc: denied { read write } for pid=2460 comm="tgtd" name="uverbs0" dev=devtmpfs ino=11355 scontext=unconfined_u:system_r:tgtd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1360656927.397:253): arch=c000003e syscall=2 success=no exit=-13 a0=10202e0 a1=2 a2=0 a3=18 items=0 ppid=2459 pid=2460 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=2 comm="tgtd" exe="/usr/sbin/tgtd" subj=unconfined_u:system_r:tgtd_t:s0 key=(null)
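The AVC and SYSCALL records quoted in the comment above, joined on their audit event serial and reduced to the fields needed for triage. This is an added example, not part of the original bug report; the function names and the list of catch-all types are assumptions of the example.

```python
import re

# Audit records as quoted in the comment above (both belong to event 253).
AUDIT_LOG = '''\
type=AVC msg=audit(1360656927.397:253): avc: denied { read write } for pid=2460 comm="tgtd" name="uverbs0" dev=devtmpfs ino=11355 scontext=unconfined_u:system_r:tgtd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1360656927.397:253): arch=c000003e syscall=2 success=no exit=-13 a0=10202e0 a1=2 a2=0 a3=18 items=0 ppid=2459 pid=2460 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=2 comm="tgtd" exe="/usr/sbin/tgtd" subj=unconfined_u:system_r:tgtd_t:s0 key=(null)
'''

HEADER = re.compile(r'type=(\w+) msg=audit\(\d+\.\d+:(\d+)\): (.*)')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
GENERIC_TYPES = {"device_t", "file_t", "unlabeled_t", "default_t"}  # assumed catch-all types

def parse_events(text):
    """Group audit records by event serial so AVC and SYSCALL can be joined."""
    events = {}
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue
        rtype, serial, body = m.groups()
        rec = {k: v.strip('"') for k, v in FIELD.findall(body)}
        if rtype == "AVC":
            perms = re.search(r'\{([^}]*)\}', body)
            rec["perms"] = perms.group(1).split() if perms else []
            rec["denied"] = "denied" in body.split("{")[0]
        events.setdefault(serial, {})[rtype] = rec
    return events

def triage(text):
    """One summary dict per denied AVC, enriched from the matching SYSCALL record."""
    out = []
    for recs in parse_events(text).values():
        avc, sc = recs.get("AVC"), recs.get("SYSCALL", {})
        if not avc or not avc["denied"]:
            continue
        ttype = avc["tcontext"].split(":")[2]
        out.append({
            "exe": sc.get("exe", avc.get("comm")),
            "source_type": avc["scontext"].split(":")[2],
            "target_type": ttype,
            "tclass": avc["tclass"],
            "perms": avc["perms"],
            "object": avc.get("name"),
            "errno": -int(sc["exit"]) if sc.get("success") == "no" else None,
            # A catch-all target type suggests the object lacks a specific file context.
            "generic_target": ttype in GENERIC_TYPES,
        })
    return out
```

For the quoted records, `triage(AUDIT_LOG)` reports `tgtd_t` denied `read write` on the `chr_file` named `uverbs0`, whose type is the generic `device_t`, with the `open` call failing with errno 13 (EACCES).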
What kind of device is uverbs0?
fixed_disk_device_t?
It is an InfiniBand device.

ls -lZ /dev/infiniband/uverbs0
crw-rw-rw-. root root system_u:object_r:device_t:s0 /dev/infiniband/uverbs0

http://www.kernel.org/doc/Documentation/infiniband/user_verbs.txt
Ok so we should label it fixed_disk_device_t.
semanage fcontext -a -t fixed_disk_device_t -f-b "/dev/infiniband/.*"
semanage fcontext -a -t fixed_disk_device_t -f-c "/dev/infiniband/.*"

Should apply the fixes we have added, and then run

restorecon -R -v /dev/infiniband
Executing the commands above solved the problem. Although how can it be done automatically? Should scsi-target-utils or selinux-policy handle it?
udev will take care of labeling if we have the labeling in the policy.
I backported tgtd fixes from Fedora.
Verified fix on

rpm -q selinux-policy
selinux-policy-3.7.19-211.el6.noarch
rpm -q scsi-target-utils
scsi-target-utils-1.0.24-2.el6.x86_64

getenforce
Enforcing

cat /etc/tgt/targets.conf
default-driver iser
<target iqn.2009-10.com.redhat:storage-1>
    write-cache off
    allow-in-use yes
    <backing-store /var/lib/tgtd/loop-disk-1-1>
        scsi_sn 1
        scsi_id 1
        lun 1
    </backing-store>
</target>

service tgtd restart
Stopping SCSI target daemon: not running[FAILED]
Starting SCSI target daemon: [ OK ]
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-1598.html