Bug 1055734 - Allow NetworkManager to talk to /usr/sbin/iscsiadm
Summary: Allow NetworkManager to talk to /usr/sbin/iscsiadm
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
: ---
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks: 1026777
Reported: 2014-01-20 20:23 UTC by Dan Williams
Modified: 2014-12-08 09:51 UTC (History)

Fixed In Version: selinux-policy-3.12.1-121.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-06-13 13:13:19 UTC



Description Dan Williams 2014-01-20 20:23:35 UTC
NetworkManager calls /usr/sbin/iscsiadm to read existing interface configuration for network interfaces that are configured with iBFT.  It looks like NM is not able to do that under some circumstances:

21:20:07,644 NOTICE kernel:[   58.310200] type=1400 audit(1385328007.643:14): avc:  denied  { execute } for  pid=1576 comm="NetworkManager" name="iscsiadm" dev="dm-0" ino=90294 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:iscsid_exec_t:s0 tclass=file
21:20:07,644 NOTICE kernel:[   58.310235] type=1400 audit(1385328007.643:15): avc:  denied  { read open } for  pid=1576 comm="NetworkManager" path="/usr/sbin/iscsiadm" dev="dm-0" ino=90294 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:iscsid_exec_t:s0 tclass=file
21:20:07,644 NOTICE kernel:[   58.310421] type=1400 audit(1385328007.643:16): avc:  denied  { execute_no_trans } for  pid=1576 comm="NetworkManager" path="/usr/sbin/iscsiadm" dev="dm-0" ino=90294 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:iscsid_exec_t:s0 tclass=file
21:20:07,723 NOTICE kernel:[   58.389502] type=1400 audit(1385328007.722:17): avc:  denied  { getattr } for  pid=1576 comm="iscsiadm" path="/etc/modprobe.d" dev="dm-0" ino=73756 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
21:20:07,723 NOTICE kernel:[   58.389539] type=1400 audit(1385328007.722:18): avc:  denied  { read } for  pid=1576 comm="iscsiadm" name="modprobe.d" dev="dm-0" ino=73756 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
21:20:07,723 NOTICE kernel:[   58.389562] type=1400 audit(1385328007.722:19): avc:  denied  { open } for  pid=1576 comm="iscsiadm" path="/etc/modprobe.d" dev="dm-0" ino=73756 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir
21:20:07,723 NOTICE kernel:[   58.389679] type=1400 audit(1385328007.722:20): avc:  denied  { getattr } for  pid=1576 comm="iscsiadm" path="/etc/modprobe.d/libmlx4.conf" dev="dm-0" ino=73757 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=file
21:20:07,724 NOTICE kernel:[   58.390027] type=1400 audit(1385328007.723:21): avc:  denied  { read } for  pid=1576 comm="iscsiadm" name="libmlx4.conf" dev="dm-0" ino=73757 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=file
21:20:07,724 NOTICE kernel:[   58.390048] type=1400 audit(1385328007.723:22): avc:  denied  { open } for  pid=1576 comm="iscsiadm" path="/etc/modprobe.d/libmlx4.conf" dev="dm-0" ino=73757 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=file
21:20:07,724 NOTICE kernel:[   58.390295] type=1400 audit(1385328007.723:23): avc:  denied  { search } for  pid=1576 comm="iscsiadm" name="modules" dev="dm-0" ino=66197 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=dir

(Fedora probably needs the same changes too...)

Thanks!
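The AVC records above carry enough structure to be triaged mechanically. The following added example (not part of this bug, of NetworkManager, or of selinux-policy; all function names are my own) parses the quoted audit lines, groups denied permissions by source domain, target type and object class the way audit2allow would, and also flags the pattern that makes a plain allow rule the wrong fix here: the `execute_no_trans` denial on `iscsid_exec_t` followed by denials from `comm="iscsiadm"` still running as `NetworkManager_t` shows the helper never left the caller's domain, which is why the fix adds a domain transition to `iscsid_t` instead of widening `NetworkManager_t`.

```python
import re
from collections import defaultdict

# Constructed sample input: the AVC records quoted in the bug description,
# including their syslog prefix so the parser is shown tolerating it.
SAMPLE_AVC = [
    '21:20:07,644 NOTICE kernel:[   58.310200] type=1400 audit(1385328007.643:14): avc:  denied  { execute } for  pid=1576 comm="NetworkManager" name="iscsiadm" dev="dm-0" ino=90294 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:iscsid_exec_t:s0 tclass=file',
    '21:20:07,644 NOTICE kernel:[   58.310235] type=1400 audit(1385328007.643:15): avc:  denied  { read open } for  pid=1576 comm="NetworkManager" path="/usr/sbin/iscsiadm" dev="dm-0" ino=90294 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:iscsid_exec_t:s0 tclass=file',
    '21:20:07,644 NOTICE kernel:[   58.310421] type=1400 audit(1385328007.643:16): avc:  denied  { execute_no_trans } for  pid=1576 comm="NetworkManager" path="/usr/sbin/iscsiadm" dev="dm-0" ino=90294 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:iscsid_exec_t:s0 tclass=file',
    '21:20:07,723 NOTICE kernel:[   58.389502] type=1400 audit(1385328007.722:17): avc:  denied  { getattr } for  pid=1576 comm="iscsiadm" path="/etc/modprobe.d" dev="dm-0" ino=73756 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir',
    '21:20:07,723 NOTICE kernel:[   58.389539] type=1400 audit(1385328007.722:18): avc:  denied  { read } for  pid=1576 comm="iscsiadm" name="modprobe.d" dev="dm-0" ino=73756 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir',
    '21:20:07,723 NOTICE kernel:[   58.389562] type=1400 audit(1385328007.722:19): avc:  denied  { open } for  pid=1576 comm="iscsiadm" path="/etc/modprobe.d" dev="dm-0" ino=73756 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=dir',
    '21:20:07,723 NOTICE kernel:[   58.389679] type=1400 audit(1385328007.722:20): avc:  denied  { getattr } for  pid=1576 comm="iscsiadm" path="/etc/modprobe.d/libmlx4.conf" dev="dm-0" ino=73757 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=file',
    '21:20:07,724 NOTICE kernel:[   58.390027] type=1400 audit(1385328007.723:21): avc:  denied  { read } for  pid=1576 comm="iscsiadm" name="libmlx4.conf" dev="dm-0" ino=73757 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=file',
    '21:20:07,724 NOTICE kernel:[   58.390048] type=1400 audit(1385328007.723:22): avc:  denied  { open } for  pid=1576 comm="iscsiadm" path="/etc/modprobe.d/libmlx4.conf" dev="dm-0" ino=73757 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=file',
    '21:20:07,724 NOTICE kernel:[   58.390295] type=1400 audit(1385328007.723:23): avc:  denied  { search } for  pid=1576 comm="iscsiadm" name="modules" dev="dm-0" ino=66197 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=dir',
]

# "avc:  denied  { read open } for  key=value key="quoted value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the denied permissions plus the key=value fields, or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec['perms'] = m.group('perms').split()
    return rec


def type_of(context):
    """Third field of an SELinux context (user:role:type:level) is the type."""
    return context.split(':')[2]


def summarize(lines):
    """Group denied permissions by (source domain, target type, object class)."""
    grouped = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (type_of(rec['scontext']), type_of(rec['tcontext']), rec['tclass'])
        grouped[key].update(rec['perms'])
    return {k: frozenset(v) for k, v in grouped.items()}


def as_allow_rules(summary):
    """Render the grouping as audit2allow-style allow rules: the naive remedy."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(summary.items())]


def programs_without_transition(lines):
    """Map each executable type denied execute_no_trans to the target types that
    the launched program then touched while still in the caller's domain.
    A non-empty result says the caller needs a domain transition for that
    executable rather than direct access to everything the program reads."""
    launched = {}  # exec type -> (caller domain, basename of the binary)
    for line in lines:
        rec = parse_avc(line)
        if rec and 'execute_no_trans' in rec['perms']:
            binary = rec.get('path', rec.get('name', '')).rsplit('/', 1)[-1]
            launched[type_of(rec['tcontext'])] = (type_of(rec['scontext']), binary)
    touched = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        for exec_t, (domain, binary) in launched.items():
            if (rec.get('comm') == binary and type_of(rec['scontext']) == domain
                    and type_of(rec['tcontext']) != exec_t):
                touched[exec_t].add(type_of(rec['tcontext']))
    return {k: frozenset(v) for k, v in touched.items()}


if __name__ == '__main__':
    for rule in as_allow_rules(summarize(SAMPLE_AVC)):
        print(rule)
    print(programs_without_transition(SAMPLE_AVC))
```

Run on the quoted records, the first function yields four allow rules, three of which would grant `NetworkManager_t` read access to module configuration it has no business touching; the second reports that `iscsid_exec_t` was run without a transition and went on to hit `modules_conf_t` and `modules_object_t`, which is the case for the `domtrans` rule that Comment 2 adds.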

Comment 2 Miroslav Grepl 2014-01-27 11:34:36 UTC
commit 670768578b3b1d2a71acac1511ff4566f7028b2a
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Mon Jan 27 12:33:58 2014 +0100

    Allow NM domtrans to iscsid_t if iscsiadm is executed

Comment 4 Ludek Smid 2014-06-13 13:13:19 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.

