983601 – selinux: tgtd fails to start using pass-through with bs-type SG

Bug 983601 - selinux: tgtd fails to start using pass-through with bs-type SG

Summary: selinux: tgtd fails to start using pass-through with bs-type SG

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	6.5
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Miroslav Grepl
QA Contact:	Bruno Goncalves
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2013-07-11 14:25 UTC by Bruno Goncalves
Modified:	2013-11-21 10:45 UTC (History)
CC List:	3 users (show)
Fixed In Version:	selinux-policy-3.7.19-210.el6
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2013-11-21 10:45:29 UTC
Target Upstream Version:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2013:1598	0	normal	SHIPPED_LIVE	selinux-policy bug fix and enhancement update	2013-11-20 21:39:24 UTC

Description Bruno Goncalves 2013-07-11 14:25:27 UTC

Description of problem:
tgtd service does not start when it is configured with pass-through with bs-type SG.


Version-Release number of selected component (if applicable):

selinux-policy-3.7.19-195.el6.noarch

rpm -q scsi-target-utils
scsi-target-utils-1.0.24-3.el6_4.x86_64


How reproducible:
100%

Steps to Reproduce:
1.create a scsi device using scsi_debug
modprobe scsi_debug

2.Check for its sgX device
 lsscsi -g
[73:0:0:0]   disk    Linux    scsi_debug       0004  /dev/sda   /dev/sg0

3.Configure tgtd to use the device
cat /etc/tgt/targets.conf

default-driver iscsi
<target iqn.2009-10.com.redhat:storage-1>
    write-cache off
    allow-in-use yes
    <backing-store /dev/sg0>
        bs-type sg
        device-type pt
    </backing-store>
</target>

4. start tgtd

service tgtd restart
Stopping SCSI target daemon:                               [  OK  ]
Starting SCSI target daemon:                               [  OK  ]
tgtadm: invalid request
Command:
	tgtadm -C 0 --lld iscsi --op new --mode logicalunit --tid 1 --lun 1 -b /dev/sg0 --device-type pt --bstype sg 
exited with code: 22.



Expected results:
Service should start properly

Additional info:
The following selinux policy seems to fix it

cat mypol.te

module mypol 1.0;

require {
	type tgtd_t;
	type scsi_generic_device_t;
	class capability { sys_rawio sys_admin };
	class chr_file { read write getattr open ioctl };
}

#============= tgtd_t ==============
#!!!! The source type 'tgtd_t' can write to a 'chr_file' of the following types:
# initrc_devpts_t, null_device_t, zero_device_t, devtty_t, fixed_disk_device_t, devpts_t, ptynode, ttynode, tty_device_t

allow tgtd_t scsi_generic_device_t:chr_file { read write getattr open ioctl };
allow tgtd_t self:capability { sys_rawio sys_admin };

Comment 1 Miroslav Grepl 2013-07-11 14:43:16 UTC

I added fixes to Fedora. Will back port them.

Comment 2 Milos Malik 2013-07-12 09:16:02 UTC

The only AVC caught in enforcing mode:
----
time->Fri Jul 12 05:14:29 2013
type=PATH msg=audit(1373620469.595:88): item=0 name="/dev/sg0" inode=10900 dev=00:05 mode=020660 ouid=0 ogid=6 rdev=15:00 obj=system_u:object_r:scsi_generic_device_t:s0
type=CWD msg=audit(1373620469.595:88):  cwd="/"
type=SYSCALL msg=audit(1373620469.595:88): arch=40000003 syscall=195 success=no exit=-13 a0=839dd88 a1=bfd792ec a2=c10ff4 a3=3 items=1 ppid=1 pid=2885 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=5 comm="tgtd" exe="/usr/sbin/tgtd" subj=unconfined_u:system_r:tgtd_t:s0 key=(null)
type=AVC msg=audit(1373620469.595:88): avc:  denied  { getattr } for  pid=2885 comm="tgtd" path="/dev/sg0" dev=devtmpfs ino=10900 scontext=unconfined_u:system_r:tgtd_t:s0 tcontext=system_u:object_r:scsi_generic_device_t:s0 tclass=chr_file
----

Comment 3 Milos Malik 2013-07-12 09:19:21 UTC

AVCs caught in permissive mode:
----
time->Fri Jul 12 05:15:04 2013
type=PATH msg=audit(1373620504.687:91): item=0 name="/dev/sg0" inode=10900 dev=00:05 mode=020660 ouid=0 ogid=6 rdev=15:00 obj=system_u:object_r:scsi_generic_device_t:s0
type=CWD msg=audit(1373620504.687:91):  cwd="/"
type=SYSCALL msg=audit(1373620504.687:91): arch=40000003 syscall=5 success=yes exit=11 a0=8b0bd88 a1=2 a2=bfb47b48 a3=15 items=1 ppid=1 pid=2915 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=5 comm="tgtd" exe="/usr/sbin/tgtd" subj=unconfined_u:system_r:tgtd_t:s0 key=(null)
type=AVC msg=audit(1373620504.687:91): avc:  denied  { sys_rawio } for  pid=2915 comm="tgtd" capability=17  scontext=unconfined_u:system_r:tgtd_t:s0 tcontext=unconfined_u:system_r:tgtd_t:s0 tclass=capability
type=AVC msg=audit(1373620504.687:91): avc:  denied  { open } for  pid=2915 comm="tgtd" name="sg0" dev=devtmpfs ino=10900 scontext=unconfined_u:system_r:tgtd_t:s0 tcontext=system_u:object_r:scsi_generic_device_t:s0 tclass=chr_file
type=AVC msg=audit(1373620504.687:91): avc:  denied  { read write } for  pid=2915 comm="tgtd" name="sg0" dev=devtmpfs ino=10900 scontext=unconfined_u:system_r:tgtd_t:s0 tcontext=system_u:object_r:scsi_generic_device_t:s0 tclass=chr_file
----
time->Fri Jul 12 05:15:04 2013
type=PATH msg=audit(1373620504.687:90): item=0 name="/dev/sg0" inode=10900 dev=00:05 mode=020660 ouid=0 ogid=6 rdev=15:00 obj=system_u:object_r:scsi_generic_device_t:s0
type=CWD msg=audit(1373620504.687:90):  cwd="/"
type=SYSCALL msg=audit(1373620504.687:90): arch=40000003 syscall=195 success=yes exit=0 a0=8b0bd88 a1=bfb47aac a2=b24ff4 a3=3 items=1 ppid=1 pid=2915 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=5 comm="tgtd" exe="/usr/sbin/tgtd" subj=unconfined_u:system_r:tgtd_t:s0 key=(null)
type=AVC msg=audit(1373620504.687:90): avc:  denied  { getattr } for  pid=2915 comm="tgtd" path="/dev/sg0" dev=devtmpfs ino=10900 scontext=unconfined_u:system_r:tgtd_t:s0 tcontext=system_u:object_r:scsi_generic_device_t:s0 tclass=chr_file
----
time->Fri Jul 12 05:15:04 2013
type=SYSCALL msg=audit(1373620504.688:92): arch=40000003 syscall=54 success=yes exit=0 a0=b a1=2282 a2=bfb47c0c a3=b items=0 ppid=1 pid=2915 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=5 comm="tgtd" exe="/usr/sbin/tgtd" subj=unconfined_u:system_r:tgtd_t:s0 key=(null)
type=AVC msg=audit(1373620504.688:92): avc:  denied  { ioctl } for  pid=2915 comm="tgtd" path="/dev/sg0" dev=devtmpfs ino=10900 scontext=unconfined_u:system_r:tgtd_t:s0 tcontext=system_u:object_r:scsi_generic_device_t:s0 tclass=chr_file
----

Comment 4 Miroslav Grepl 2013-08-06 06:27:41 UTC

Back ported from Fedora.

Comment 6 Bruno Goncalves 2013-08-20 16:01:32 UTC

Reproduced failure with:
rpm -q selinux-policy
selinux-policy-3.7.19-195.el6.noarch


Verified fix with:
rpm -q selinux-policy
selinux-policy-3.7.19-211.el6.noarch

Comment 7 errata-xmlrpc 2013-11-21 10:45:29 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1598.html

Note You need to log in before you can comment on or make changes to this bug.