Bug 909857 - tgtd: it is not able to start or stop if it is configured to use iser with selinux
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.4
Hardware: All
OS: Linux
medium
medium
Target Milestone: rc
Assignee: Miroslav Grepl
QA Contact: BaseOS QE Security Team
Reported: 2013-02-11 10:28 UTC by Bruno Goncalves
Modified: 2013-11-21 10:15 UTC (History)

Fixed In Version: selinux-policy-3.7.19-210.el6
Doc Type: Bug Fix
Last Closed: 2013-11-21 10:15:43 UTC


Attachments
selinux policy (459 bytes, application/octet-stream), 2013-02-11 12:28 UTC, Bruno Goncalves
updated policy (392 bytes, text/plain), 2013-02-12 08:26 UTC, Bruno Goncalves


Links
System: Red Hat Product Errata
ID: RHBA-2013:1598
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: selinux-policy bug fix and enhancement update
Last Updated: 2013-11-20 21:39:24 UTC

Description Bruno Goncalves 2013-02-11 10:28:15 UTC
Description of problem:

If tgtd is configured with the iser driver, tgtd is not able to start or stop properly.
Disabling selinux seems to solve the problem.


Version-Release number of selected component (if applicable):
rpm -q scsi-target-utils
scsi-target-utils-1.0.24-2.el6.x86_64

rpm -q selinux-policy
selinux-policy-3.7.19-195.el6.noarch

How reproducible:
100%

Steps to Reproduce:
1. ps -ef | grep tgtd
root      1057     2  0 04:24 ?        00:00:00 [scsi_tgtd/0]
root      1058     2  0 04:24 ?        00:00:00 [scsi_tgtd/1]
root      1059     2  0 04:24 ?        00:00:00 [scsi_tgtd/2]
root      1060     2  0 04:24 ?        00:00:00 [scsi_tgtd/3]
root     23710     1  0 05:16 ?        00:00:00 tgtd
root     23711 23710  0 05:16 ?        00:00:00 tgtd
root     23733  9467  0 05:17 pts/0    00:00:00 /bin/grep --color=tty tgtd

2. service tgtd stop
Stopping SCSI target daemon: [  OK  ]


3. ps -ef | grep tgtd
root      1057     2  0 04:24 ?        00:00:00 [scsi_tgtd/0]
root      1058     2  0 04:24 ?        00:00:00 [scsi_tgtd/1]
root      1059     2  0 04:24 ?        00:00:00 [scsi_tgtd/2]
root      1060     2  0 04:24 ?        00:00:00 [scsi_tgtd/3]
root     10725     1  0 05:07 ?        00:00:00 tgtd
root     10726 10725  0 05:07 ?        00:00:00 tgtd
root     23751  9467  0 05:18 pts/0    00:00:00 /bin/grep --color=tty tgtd


4. service tgtd restart
Stopping SCSI target daemon: not running[FAILED]
Starting SCSI target daemon: [  OK  ]
tgtadm: can't find the driver
Command:
	tgtadm -C 0 --lld iser --op new --mode target --tid 1 -T iqn.2009-10.com.redhat:storage-1
exited with code: 22.


5. ps -ef | grep tgtd
root      1057     2  0 04:24 ?        00:00:00 [scsi_tgtd/0]
root      1058     2  0 04:24 ?        00:00:00 [scsi_tgtd/1]
root      1059     2  0 04:24 ?        00:00:00 [scsi_tgtd/2]
root      1060     2  0 04:24 ?        00:00:00 [scsi_tgtd/3]
root     10725     1  0 05:07 ?        00:00:00 tgtd
root     10726 10725  0 05:07 ?        00:00:00 tgtd
root     23768     1  0 05:19 ?        00:00:00 tgtd
root     23769 23768  0 05:19 ?        00:00:00 tgtd
root     23779  9467  0 05:19 pts/0    00:00:00 /bin/grep --color=tty tgtd

6. killall -9 tgtd

7. ps -ef | grep tgtd
root      1057     2  0 04:24 ?        00:00:00 [scsi_tgtd/0]
root      1058     2  0 04:24 ?        00:00:00 [scsi_tgtd/1]
root      1059     2  0 04:24 ?        00:00:00 [scsi_tgtd/2]
root      1060     2  0 04:24 ?        00:00:00 [scsi_tgtd/3]
root     23785  9467  0 05:20 pts/0    00:00:00 /bin/grep --color=tty tgtd

8. service tgtd start
Starting SCSI target daemon: [  OK  ]
tgtadm: can't find the driver
Command:
	tgtadm -C 0 --lld iser --op new --mode target --tid 1 -T iqn.2009-10.com.redhat:storage-1
exited with code: 22.

9. ps -ef | grep tgtd
root      1057     2  0 04:24 ?        00:00:00 [scsi_tgtd/0]
root      1058     2  0 04:24 ?        00:00:00 [scsi_tgtd/1]
root      1059     2  0 04:24 ?        00:00:00 [scsi_tgtd/2]
root      1060     2  0 04:24 ?        00:00:00 [scsi_tgtd/3]
root     23868     1  0 05:22 ?        00:00:00 tgtd
root     23869 23868  0 05:22 ?        00:00:00 tgtd
root     23879  9467  0 05:22 pts/0    00:00:00 /bin/grep --color=tty tgtd



Additional info:
cat /etc/tgt/targets.conf
default-driver iser
<target iqn.2009-10.com.redhat:storage-1>
    write-cache off
    allow-in-use yes
    <backing-store /var/lib/tgtd/loop-disk-1-1>
        scsi_sn 1
        scsi_id 1
        lun 1
    </backing-store>
</target>

Comment 1 Bruno Goncalves 2013-02-11 12:28:10 UTC
Created attachment 696053 [details]
selinux policy

The attached policy seems to fix the problem.

Comment 2 Miroslav Grepl 2013-02-11 16:03:49 UTC
Could you attach AVC msgs to this local policy?

Comment 3 Bruno Goncalves 2013-02-12 08:26:36 UTC
Created attachment 696401 [details]
updated policy

It seems the previous policy added extra rules. This is an updated one.

type=AVC msg=audit(1360656927.397:253): avc:  denied  { read write } for  pid=2460 comm="tgtd" name="uverbs0" dev=devtmpfs ino=11355 scontext=unconfined_u:system_r:tgtd_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1360656927.397:253): arch=c000003e syscall=2 success=no exit=-13 a0=10202e0 a1=2 a2=0 a3=18 items=0 ppid=2459 pid=2460 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=2 comm="tgtd" exe="/usr/sbin/tgtd" subj=unconfined_u:system_r:tgtd_t:s0 key=(null)

Comment 4 Daniel Walsh 2013-02-12 18:02:03 UTC
What kind of device is uverbs0?

Comment 5 Daniel Walsh 2013-02-12 18:03:24 UTC
fixed_disk_device_t?

Comment 6 Bruno Goncalves 2013-02-13 08:44:04 UTC
It is an InfiniBand device.

ls -lZ /dev/infiniband/uverbs0 
crw-rw-rw-. root root system_u:object_r:device_t:s0    /dev/infiniband/uverbs0

http://www.kernel.org/doc/Documentation/infiniband/user_verbs.txt

Comment 7 Daniel Walsh 2013-02-15 15:34:02 UTC
Ok so we should label it fixed_disk_device_t.

Comment 8 Daniel Walsh 2013-02-15 16:05:51 UTC
semanage fcontext -a -t fixed_disk_device_t -f-b "/dev/infiniband/.*"
semanage fcontext -a -t fixed_disk_device_t -f-c "/dev/infiniband/.*"

Should apply the fixes we have added, and then run

restorecon -R -v /dev/infiniband

Comment 9 Bruno Goncalves 2013-02-18 08:07:54 UTC
Executing the commands above solved the problem.
However, how can it be done automatically? Should scsi-target-utils or selinux-policy handle it?

Comment 10 Miroslav Grepl 2013-02-18 09:49:33 UTC
udev will take care of the labeling if we have the labeling in the policy.
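
The triage this thread walks through in comments 3 to 8, as an added example that is not part of the original report or of selinux-policy: parse the AVC denial and flag the case where the target is a device node still carrying a generic label, which calls for a file-context rule and restorecon rather than a local allow module. The second sample record, the GENERIC_TYPES set and the function names are assumptions made for illustration.

```python
import re

# Record 1 is the AVC line quoted in comment 3 of this report.
# Record 2 is constructed purely for contrast: its target already has a specific type.
SAMPLES = [
    'type=AVC msg=audit(1360656927.397:253): avc:  denied  { read write } for  '
    'pid=2460 comm="tgtd" name="uverbs0" dev=devtmpfs ino=11355 '
    'scontext=unconfined_u:system_r:tgtd_t:s0 '
    'tcontext=system_u:object_r:device_t:s0 tclass=chr_file',
    'type=AVC msg=audit(1360656999.100:300): avc:  denied  { ioctl } for  '
    'pid=2460 comm="tgtd" name="sdb" dev=devtmpfs ino=12000 '
    'scontext=unconfined_u:system_r:tgtd_t:s0 '
    'tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file',
]

# Assumption: catch-all labels a device node carries when no file-context rule matches.
GENERIC_TYPES = {"device_t", "unlabeled_t"}
DEVICE_CLASSES = {"chr_file", "blk_file"}

PERMS_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of one AVC denial, or None if the line is not one."""
    m = PERMS_RE.search(line)
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    if not m or not {"scontext", "tcontext", "tclass"} <= rec.keys():
        return None
    rec["perms"] = m.group(1).split()
    # A context is user:role:type:level; the level itself may contain ':'.
    rec["stype"] = rec["scontext"].split(":", 3)[2]
    rec["ttype"] = rec["tcontext"].split(":", 3)[2]
    return rec


def triage(rec):
    """'relabel' when the denied target is a generically labelled device node."""
    if rec["tclass"] in DEVICE_CLASSES and rec["ttype"] in GENERIC_TYPES:
        return "relabel"
    return "review-policy"


if __name__ == "__main__":
    for line in SAMPLES:
        r = parse_avc(line)
        print(r["comm"], r["name"], r["ttype"], r["perms"], "->", triage(r))
```

A "relabel" verdict only says the node lacks a specific label; which type to assign is still a human decision, as the exchange in comments 4 to 7 shows.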

Comment 15 Miroslav Grepl 2013-08-06 12:00:52 UTC
I backported tgtd fixes from Fedora.

Comment 17 Bruno Goncalves 2013-08-14 12:43:57 UTC
Verified fix on:

rpm -q selinux-policy
selinux-policy-3.7.19-211.el6.noarch

rpm -q scsi-target-utils
scsi-target-utils-1.0.24-2.el6.x86_64

getenforce 
Enforcing


cat /etc/tgt/targets.conf
default-driver iser
<target iqn.2009-10.com.redhat:storage-1>
    write-cache off
    allow-in-use yes
    <backing-store /var/lib/tgtd/loop-disk-1-1>
        scsi_sn 1
        scsi_id 1
        lun 1
    </backing-store>
</target>


service tgtd restart
Stopping SCSI target daemon: not running[FAILED]
Starting SCSI target daemon: [  OK  ]

Comment 18 errata-xmlrpc 2013-11-21 10:15:43 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1598.html

