Hide Forgot
Description of problem: tgtd service does not start when it is configured with pass-through with bs-type SG. Version-Release number of selected component (if applicable): selinux-policy-3.7.19-195.el6.noarch rpm -q scsi-target-utils scsi-target-utils-1.0.24-3.el6_4.x86_64 How reproducible: 100% Steps to Reproduce: 1.create a scsi device using scsi_debug modprobe scsi_debug 2.Check for its sgX device lsscsi -g [73:0:0:0] disk Linux scsi_debug 0004 /dev/sda /dev/sg0 3.Configure tgtd to use the device cat /etc/tgt/targets.conf default-driver iscsi <target iqn.2009-10.com.redhat:storage-1> write-cache off allow-in-use yes <backing-store /dev/sg0> bs-type sg device-type pt </backing-store> </target> 4. start tgtd service tgtd restart Stopping SCSI target daemon: [ OK ] Starting SCSI target daemon: [ OK ] tgtadm: invalid request Command: tgtadm -C 0 --lld iscsi --op new --mode logicalunit --tid 1 --lun 1 -b /dev/sg0 --device-type pt --bstype sg exited with code: 22. Expected results: Service should start properly Additional info: The following selinux policy seems to fix it cat mypol.te module mypol 1.0; require { type tgtd_t; type scsi_generic_device_t; class capability { sys_rawio sys_admin }; class chr_file { read write getattr open ioctl }; } #============= tgtd_t ============== #!!!! The source type 'tgtd_t' can write to a 'chr_file' of the following types: # initrc_devpts_t, null_device_t, zero_device_t, devtty_t, fixed_disk_device_t, devpts_t, ptynode, ttynode, tty_device_t allow tgtd_t scsi_generic_device_t:chr_file { read write getattr open ioctl }; allow tgtd_t self:capability { sys_rawio sys_admin };
I added fixes to Fedora. Will back port them.
The only AVC caught in enforcing mode: ---- time->Fri Jul 12 05:14:29 2013 type=PATH msg=audit(1373620469.595:88): item=0 name="/dev/sg0" inode=10900 dev=00:05 mode=020660 ouid=0 ogid=6 rdev=15:00 obj=system_u:object_r:scsi_generic_device_t:s0 type=CWD msg=audit(1373620469.595:88): cwd="/" type=SYSCALL msg=audit(1373620469.595:88): arch=40000003 syscall=195 success=no exit=-13 a0=839dd88 a1=bfd792ec a2=c10ff4 a3=3 items=1 ppid=1 pid=2885 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=5 comm="tgtd" exe="/usr/sbin/tgtd" subj=unconfined_u:system_r:tgtd_t:s0 key=(null) type=AVC msg=audit(1373620469.595:88): avc: denied { getattr } for pid=2885 comm="tgtd" path="/dev/sg0" dev=devtmpfs ino=10900 scontext=unconfined_u:system_r:tgtd_t:s0 tcontext=system_u:object_r:scsi_generic_device_t:s0 tclass=chr_file ----
AVCs caught in permissive mode: ---- time->Fri Jul 12 05:15:04 2013 type=PATH msg=audit(1373620504.687:91): item=0 name="/dev/sg0" inode=10900 dev=00:05 mode=020660 ouid=0 ogid=6 rdev=15:00 obj=system_u:object_r:scsi_generic_device_t:s0 type=CWD msg=audit(1373620504.687:91): cwd="/" type=SYSCALL msg=audit(1373620504.687:91): arch=40000003 syscall=5 success=yes exit=11 a0=8b0bd88 a1=2 a2=bfb47b48 a3=15 items=1 ppid=1 pid=2915 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=5 comm="tgtd" exe="/usr/sbin/tgtd" subj=unconfined_u:system_r:tgtd_t:s0 key=(null) type=AVC msg=audit(1373620504.687:91): avc: denied { sys_rawio } for pid=2915 comm="tgtd" capability=17 scontext=unconfined_u:system_r:tgtd_t:s0 tcontext=unconfined_u:system_r:tgtd_t:s0 tclass=capability type=AVC msg=audit(1373620504.687:91): avc: denied { open } for pid=2915 comm="tgtd" name="sg0" dev=devtmpfs ino=10900 scontext=unconfined_u:system_r:tgtd_t:s0 tcontext=system_u:object_r:scsi_generic_device_t:s0 tclass=chr_file type=AVC msg=audit(1373620504.687:91): avc: denied { read write } for pid=2915 comm="tgtd" name="sg0" dev=devtmpfs ino=10900 scontext=unconfined_u:system_r:tgtd_t:s0 tcontext=system_u:object_r:scsi_generic_device_t:s0 tclass=chr_file ---- time->Fri Jul 12 05:15:04 2013 type=PATH msg=audit(1373620504.687:90): item=0 name="/dev/sg0" inode=10900 dev=00:05 mode=020660 ouid=0 ogid=6 rdev=15:00 obj=system_u:object_r:scsi_generic_device_t:s0 type=CWD msg=audit(1373620504.687:90): cwd="/" type=SYSCALL msg=audit(1373620504.687:90): arch=40000003 syscall=195 success=yes exit=0 a0=8b0bd88 a1=bfb47aac a2=b24ff4 a3=3 items=1 ppid=1 pid=2915 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=5 comm="tgtd" exe="/usr/sbin/tgtd" subj=unconfined_u:system_r:tgtd_t:s0 key=(null) type=AVC msg=audit(1373620504.687:90): avc: denied { getattr } for pid=2915 comm="tgtd" path="/dev/sg0" dev=devtmpfs ino=10900 scontext=unconfined_u:system_r:tgtd_t:s0 tcontext=system_u:object_r:scsi_generic_device_t:s0 tclass=chr_file ---- time->Fri Jul 12 05:15:04 2013 type=SYSCALL msg=audit(1373620504.688:92): arch=40000003 syscall=54 success=yes exit=0 a0=b a1=2282 a2=bfb47c0c a3=b items=0 ppid=1 pid=2915 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=5 comm="tgtd" exe="/usr/sbin/tgtd" subj=unconfined_u:system_r:tgtd_t:s0 key=(null) type=AVC msg=audit(1373620504.688:92): avc: denied { ioctl } for pid=2915 comm="tgtd" path="/dev/sg0" dev=devtmpfs ino=10900 scontext=unconfined_u:system_r:tgtd_t:s0 tcontext=system_u:object_r:scsi_generic_device_t:s0 tclass=chr_file ----
Back ported from Fedora.
Reproduced failure with: rpm -q selinux-policy selinux-policy-3.7.19-195.el6.noarch Verified fix with: rpm -q selinux-policy selinux-policy-3.7.19-211.el6.noarch
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-1598.html