Bug 209854 - selinux policy tweaks for iscsi
Summary: selinux policy tweaks for iscsi
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks: FC6Blocker
 
Reported: 2006-10-06 22:28 UTC by Jeremy Katz
Modified: 2007-11-30 22:11 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2006-10-12 16:02:29 UTC
Type: ---
Embargoed:


Attachments
Test fix for iscsi AVC issues (deleted), 2006-10-10 20:32 UTC, James Antill
Better fix for iscsi selinux policy (deleted), 2006-10-10 20:48 UTC, James Antill
iscsi fix with correct .fc types . (deleted), 2006-10-10 22:19 UTC, James Antill

Description Jeremy Katz 2006-10-06 22:28:06 UTC
Policy for iscsi needs to allow a few more things --
allow iscsid_t self:netlink_route_socket create;
allow iscsid_t port_t:tcp_socket name_connect;
allow iscsid_t var_lock_t:dir search;
allow iscsid_t self:netlink_socket read;

I expect that writing to netlink sockets is probably also needed, but haven't
hit that yet :-)

Comment 1 Mike Christie 2006-10-06 22:43:54 UTC
Can you send me a link to some good selinux docs?

I think I have been stuck on some selinux iscsi policy bug. Do I need to write
something about what files iscsid or /etc/init.d/iscsi accesses? If I run
without selinux it works but with selinux I get weird errors where the app cannot
read files or access dirs.

Comment 2 Daniel Walsh 2006-10-07 10:37:48 UTC
boot the machine with enforcing=0 and then collect the avc messages that are
generated in /var/log/messages or /var/log/audit/audit.log

Attach them here and I will update the policy.  You can look at
http://fedoraproject.org/wiki/SELinux
for lots of info on SELinux

Jeremy which port is iscsid trying to connect to?

Comment 3 Jeremy Katz 2006-10-09 14:46:06 UTC
(Adding jantill to the cc list since dwalsh is in New Orleans this week, IIRC)

The default port to connect to is 3260 -- conceivably, there could be others but
I think that falls into the category of "you need to tweak policy yourself" 

More full and annotated set of things being needed when it's not 6 pm on Friday...

allow iscsid_t self:capability dac_override;
  Hrmm, not sure what this is actually for

allow iscsid_t self:netlink_route_socket { bind create getattr nlmsg_read read write };
allow iscsid_t self:netlink_socket { read write };
  Tool<->kernel communication; definitely needed

allow iscsid_t self:unix_stream_socket connectto;
  Tool<->userspace daemon connection

allow iscsid_t port_t:tcp_socket name_connect;
  Connecting to remote iscsi target on port 3260

allow iscsid_t var_lib_t:dir search;
allow iscsid_t var_lib_t:file { getattr read };
  Uses /var/lib/iscsi for lots of state storage

allow iscsid_t var_lock_t:dir { add_name remove_name search write };
allow iscsid_t var_lock_t:file { create link unlink };
  Lockfile in /var/lock/iscsi.  

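Comment 2 describes the collection step (boot permissive, gather the AVC records from audit.log) and comment 3 shows the hand-written allow rules that result. The script below is an added example, not code from this bug, from Fedora or from the SELinux tools: it does for a handful of constructed AVC records what audit2allow does for real ones, grouping the denied permissions per (source type, target type, object class) and emitting one allow rule per triple in the same syntax used in the comments above. The log records, PIDs and inode numbers are made up to mirror the denials reported here.

```python
"""Turn SELinux AVC denial records into candidate allow rules.

Added example for this bug thread; it is not code from the thread, from
Fedora or from the SELinux tools. It mimics what `audit2allow` does for
the simple case: group the permissions denied for each
(source type, target type, object class) triple and print one allow
rule per triple, so a policy writer can review them one by one.
"""
import re
from collections import defaultdict

# Constructed sample records in the format the kernel writes to
# /var/log/audit/audit.log when running with enforcing=0 (permissive).
# PIDs, inodes and timestamps are made up; the denials mirror the ones
# reported in this bug. The SYSCALL record shows that non-AVC lines are skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1160172000.001:10): avc:  denied  { create } for  pid=2001 comm="iscsid" scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:system_r:iscsid_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1160172000.002:11): avc:  denied  { read write } for  pid=2001 comm="iscsid" scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:system_r:iscsid_t:s0 tclass=netlink_socket
type=AVC msg=audit(1160172000.003:12): avc:  denied  { name_connect } for  pid=2001 comm="iscsid" dest=3260 scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1160172000.004:13): avc:  denied  { search } for  pid=2001 comm="iscsid" name="lock" dev=sda2 ino=1234 scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
type=AVC msg=audit(1160172000.005:14): avc:  denied  { write } for  pid=2001 comm="iscsid" name="lock" dev=sda2 ino=1234 scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir
type=SYSCALL msg=audit(1160172000.005:14): arch=c000003e syscall=2 success=yes exit=3 comm="iscsid"
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def type_of(context):
    """Extract the type field (third component) from user:role:type[:level]."""
    return context.split(":")[2]


def parse_denials(log_text):
    """Yield (source_type, target_type, tclass, perms) for each AVC denial line."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL records, policy-load notices, etc.
        yield (type_of(m.group("scontext")), type_of(m.group("tcontext")),
               m.group("tclass"), set(m.group("perms").split()))


def denials_to_rules(log_text):
    """Collapse denials into one allow rule per (source, target, class)."""
    merged = defaultdict(set)
    for src, tgt, tclass, perms in parse_denials(log_text):
        # Same rule-writing convention as the thread: a target equal to the
        # source type is written as `self`.
        target = "self" if tgt == src else tgt
        merged[(src, target, tclass)] |= perms
    rules = []
    for (src, target, tclass), perms in sorted(merged.items()):
        perm_str = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_str = "{ " + perm_str + " }"
        rules.append(f"allow {src} {target}:{tclass} {perm_str};")
    return rules


if __name__ == "__main__":
    for rule in denials_to_rules(SAMPLE_AUDIT_LOG):
        print(rule)
```

Each generated rule still deserves the kind of annotation comment 3 gives: port_t is the label of ports no policy has claimed, so `allow iscsid_t port_t:tcp_socket name_connect;` lets the daemon connect to any unclaimed port, not just 3260; a dedicated port type for the iSCSI port would be tighter, at the cost of the manual tweaking comment 3 mentions for non-default ports.
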
Comment 4 James Antill 2006-10-10 20:32:59 UTC
Created attachment 138191 [details]
Test fix for iscsi AVC issues

 I think this should do it. I'll upload srpms soon.

Comment 5 James Antill 2006-10-10 20:48:45 UTC
Created attachment 138193 [details]
Better fix for iscsi selinux policy

 Better fix (actually compiles now :).
 RPMS are at:

http://people.redhat.com/jantill/sel-policy

Comment 6 Jeremy Katz 2006-10-10 21:49:37 UTC
1:selinux-policy-targeted########################################### [100%]
audit(1160516835.092:34): policy loaded auid=4294967295
libsepol.context_from_record: type iscsi_var_lock_t is not defined
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert system_u:object_r:iscsi_var_lock_t:s0 to sid
/etc/selinux/targeted/contexts/files/file_contexts:  line 714 has invalid context system_u:object_r:iscsi_var_lock_t:s0
libsemanage.semanage_install_active: setfiles returned error code 1.
audit(1160516839.316:35): policy loaded auid=4294967295
semodule:  Failed!


Comment 7 James Antill 2006-10-10 22:19:19 UTC
Created attachment 138200 [details]
iscsi fix with correct .fc types .

 Damn. I forgot to change that to iscsi_lock_t for the .fc file.

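The failure in comment 6 (`type iscsi_var_lock_t is not defined`) only surfaces at semodule install time, after the module has already compiled, because the .fc file named a type the .te never declared. The checker below is an added example, not code from this bug, Fedora or the SELinux toolchain: it cross-references the types used in gen_context() entries of a .fc fragment against the `type` declarations of the matching .te fragment so the mismatch is caught before building. The .te and .fc fragments are constructed for illustration and are not the attachments from this bug.

```python
"""Check that every type a .fc file assigns is declared in the module's .te.

Added example for this bug thread, not code from Fedora or the SELinux
toolchain. It reproduces offline the check that `semodule` only performs
at install time (comment 6: `type iscsi_var_lock_t is not defined`), so a
mismatch between the .fc and .te is caught before the policy is built.
The policy fragments below are constructed for illustration; they are not
the attachments from this bug.
"""
import re

# Constructed .te fragment: declares the module's types.
SAMPLE_TE = """\
policy_module(iscsi, 1.0.0)

type iscsid_t;
type iscsid_exec_t;
init_daemon_domain(iscsid_t, iscsid_exec_t)

type iscsi_var_lib_t;
files_type(iscsi_var_lib_t)

type iscsi_lock_t;
files_lock_file(iscsi_lock_t)
"""

# Constructed .fc fragment with the kind of slip seen in comment 6: the lock
# directory still refers to a type name that the .te never declares.
SAMPLE_FC = """\
/sbin/iscsid            --  gen_context(system_u:object_r:iscsid_exec_t,s0)
/var/lib/iscsi(/.*)?        gen_context(system_u:object_r:iscsi_var_lib_t,s0)
/var/lock/iscsi(/.*)?       gen_context(system_u:object_r:iscsi_var_lock_t,s0)
"""

# `type foo_t;` or `type foo_t, some_attribute;` at the start of a line.
TYPE_DECL_RE = re.compile(r"^\s*type\s+([A-Za-z0-9_]+)\s*[;,]", re.MULTILINE)
# Third component of the context inside gen_context(...) is the type.
FC_CONTEXT_RE = re.compile(r"gen_context\(\s*[^:]+:[^:]+:([A-Za-z0-9_]+)")


def declared_types(te_text):
    """Types introduced with `type foo_t;` (or `type foo_t, attr;`) in the .te."""
    return set(TYPE_DECL_RE.findall(te_text))


def fc_types(fc_text):
    """Map each type used in gen_context() entries to the .fc line numbers using it."""
    uses = {}
    for lineno, line in enumerate(fc_text.splitlines(), 1):
        m = FC_CONTEXT_RE.search(line)
        if m:
            uses.setdefault(m.group(1), []).append(lineno)
    return uses


def undefined_fc_types(te_text, fc_text, base_types=frozenset()):
    """Return {type: [fc line numbers]} for types the .fc uses but nothing declares.

    `base_types` lets the caller pass types from the base policy (for example
    var_lock_t) that a module may legitimately reference without declaring.
    """
    known = declared_types(te_text) | set(base_types)
    return {t: lines for t, lines in fc_types(fc_text).items() if t not in known}


if __name__ == "__main__":
    problems = undefined_fc_types(SAMPLE_TE, SAMPLE_FC)
    for t, lines in problems.items():
        print(f"{t}: used on .fc line(s) {lines} but not declared in the .te")
```

Run against real module sources, pass the types declared by the base policy (or by other modules the .fc may reference) through `base_types`; otherwise every reference to a base type such as var_lock_t is reported as undefined.
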
Comment 8 Jeremy Katz 2006-10-11 15:51:09 UTC
Still missing these two... let's get them in and build into dist-fc6-HEAD

allow iscsid_t self:capability dac_override;
allow iscsid_t port_t:tcp_socket name_connect;

Comment 9 Jeremy Katz 2006-10-12 16:02:29 UTC
Built and tested.  looks good, thanks!
