* [PATCH 0/1] Fix SELinux denials against target driver
From: Maurizio Lombardi @ 2024-02-15 10:35 UTC (permalink / raw)
To: michael.christie
Cc: d.bogdanov, target-devel, martin.petersen, linux-scsi, james.bottomley
Steps to reproduce:
1) Install ibacm, rdma-core and targetcli
2) service ibacm start (ignore the errors)
3) Look at dmesg; you will see an error message like
"db_root: cannot open: /etc/target"
4) Execute $ sudo ausearch -m AVC,USER_AVC -ts recent
type=AVC msg=audit(1707990698.893:610): avc: denied { read } for pid=26447
comm="systemd-modules" name="target" dev="dm-0" ino=973050 scontext=system_u:system_r:systemd_modules_load_t:s0
tcontext=system_u:object_r:targetd_etc_rw_t:s0 tclass=dir permissive=0
Fix inspired by commit 581dd69830341d299b0c097fc366097ab497d679
Maurizio Lombardi (1):
target: fix selinux error when systemd-modules loads the target module
drivers/target/target_core_configfs.c | 11 +++++++++++
1 file changed, 11 insertions(+)
--
2.39.3
* [PATCH 1/1] target: fix selinux error when systemd-modules loads the target module
From: Maurizio Lombardi @ 2024-02-15 10:35 UTC (permalink / raw)
To: michael.christie
Cc: d.bogdanov, target-devel, martin.petersen, linux-scsi, james.bottomley
If the systemd-modules service loads the target module, the credentials
of that userspace process will be used to validate the access to the
target db directory.
SELinux will prevent it, reporting an error like the following:
kernel: audit: type=1400 audit(1676301082.205:4): avc: denied { read }
for pid=1020 comm="systemd-modules" name="target" dev="dm-3"
ino=4657583 scontext=system_u:system_r:systemd_modules_load_t:s0
tcontext=system_u:object_r:targetd_etc_rw_t:s0 tclass=dir permissive=0
Fix the error by using the kernel credentials to access the db directory.
Signed-off-by: Maurizio Lombardi <mlombard@redhat.com>
---
drivers/target/target_core_configfs.c | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/drivers/target/target_core_configfs.c b/drivers/target/target_core_configfs.c
index a5f58988130a..26c6f1cac677 100644
--- a/drivers/target/target_core_configfs.c
+++ b/drivers/target/target_core_configfs.c
@@ -3656,6 +3656,8 @@ static int __init target_core_init_configfs(void)
{
struct configfs_subsystem *subsys = &target_core_fabrics;
struct t10_alua_lu_gp *lu_gp;
+ struct cred *kern_cred;
+ const struct cred *old_cred;
int ret;
pr_debug("TARGET_CORE[0]: Loading Generic Kernel Storage"
@@ -3732,7 +3734,16 @@ static int __init target_core_init_configfs(void)
if (ret < 0)
goto out;
+ /* We use the kernel credentials to access the target directory */
+ kern_cred = prepare_kernel_cred(&init_task);
+ if (!kern_cred) {
+ ret = -ENOMEM;
+ goto out;
+ }
+ old_cred = override_creds(kern_cred);
target_init_dbroot();
+ revert_creds(old_cred);
+ put_cred(kern_cred);
return 0;
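Review bot: The new `goto out` taken when prepare_kernel_cred() fails is an error exit that comes after the earlier `if (ret < 0) goto out;` in this hunk, so whatever succeeded between that check and this one must also be undone at the `out:` label, which the hunk does not show; the author's own follow-up in this thread reports a leak on the error path, so v2 should verify exactly what `out:` releases and either add the missing release there or release it before jumping. The comment "We use the kernel credentials to access the target directory" would also be more useful if it said why: otherwise the lookup in target_init_dbroot() is charged to the process that loaded the module (systemd_modules_load_t in the commit message), and the scope of override_creds()/revert_creds() should stay as tight as it is here, wrapping only that call.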
--
2.39.3
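An added example, not part of this thread or of the target driver, for triaging AVC records of the shape shown in the reproduction steps and in the commit message above. It is a POSIX shell script that parses raw audit records, pulls out the denied permission, the object class and the source and target SELinux types, and flags denials whose source domain is a module-loader domain (systemd_modules_load_t here), which is the signature of module init code running with the loader's credentials rather than a missing policy rule. The two sample records are constructed for the example (the first mimics the denial quoted in the thread); the LOADER_DOMAINS list and the verdict labels are assumptions to adapt to your policy, and the ausearch invocation in the comments is the one from the steps above with --raw added.

```shell
#!/bin/sh
# Added example: triage raw SELinux AVC records (constructed input, not from the thread).
# Live usage (assumed): sudo ausearch -m AVC,USER_AVC -ts recent --raw > avc.txt
#                       sh avc_triage.sh avc.txt
# With no file argument, avc_report triages the constructed sample below.

# Constructed sample records; values are invented, the first mirrors the denial
# reported in the thread (module loader denied read on the target db directory).
SAMPLE_AVC='type=AVC msg=audit(1707990698.893:610): avc:  denied  { read } for  pid=26447 comm="systemd-modules" name="target" dev="dm-0" ino=973050 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:object_r:targetd_etc_rw_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1707990700.101:611): avc:  denied  { write } for  pid=26500 comm="targetcli" name="saveconfig.json" dev="dm-0" ino=973051 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:targetd_etc_rw_t:s0 tclass=file permissive=0'

# Source domains that load kernel modules (assumption: extend for your policy).
# A denial with one of these as scontext against a type owned by the module being
# loaded usually means module init code ran with the loader's credentials, the
# kernel-side problem fixed in this thread, so an allow rule is the wrong fix.
LOADER_DOMAINS="systemd_modules_load_t insmod_t"

# avc_field RECORD KEY: value of KEY=VALUE with surrounding quotes stripped,
# empty if KEY is absent. Values containing spaces (rare in comm=) are not handled.
avc_field() {
    printf '%s\n' "$1" | awk -v key="$2" '{
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n && substr($i, 1, n - 1) == key) {
                v = substr($i, n + 1); gsub(/"/, "", v); print v; exit
            }
        }
    }'
}

# avc_perm RECORD: the permission set between the braces, e.g. "read" or "read open".
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\([^}]*[^} ]\) *}.*/\1/p'
}

# avc_type CONTEXT: the type component of a user:role:type:level context.
avc_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_triage RECORD: one line "comm source_type perm tclass target_type verdict",
# where verdict is "kernel-side" for loader-domain sources and "policy" otherwise.
avc_triage() {
    rec=$1
    comm=$(avc_field "$rec" comm)
    stype=$(avc_type "$(avc_field "$rec" scontext)")
    ttype=$(avc_type "$(avc_field "$rec" tcontext)")
    perm=$(avc_perm "$rec")
    cls=$(avc_field "$rec" tclass)
    verdict=policy
    for d in $LOADER_DOMAINS; do
        if [ "$stype" = "$d" ]; then verdict=kernel-side; fi
    done
    printf '%s %s %s %s %s %s\n' "$comm" "$stype" "$perm" "$cls" "$ttype" "$verdict"
}

# avc_report [FILE...]: triage every AVC record in the given files, or the
# constructed sample when no file is given. Non-AVC audit lines are skipped.
avc_report() {
    if [ "$#" -gt 0 ]; then cat "$@"; else printf '%s\n' "$SAMPLE_AVC"; fi |
    while IFS= read -r line; do
        case $line in
            *"avc: "*) avc_triage "$line" ;;
        esac
    done
}

# When run as a script with file arguments, triage those files.
if [ "$#" -gt 0 ]; then avc_report "$@"; fi
```

Running avc_report on the sample prints one line per record; the first is flagged kernel-side (systemd_modules_load_t reading a targetd_etc_rw_t directory, the case this patch addresses), the second is an ordinary policy denial for a userspace tool.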
* Re: [PATCH 1/1] target: fix selinux error when systemd-modules loads the target module
From: Maurizio Lombardi @ 2024-02-15 14:26 UTC (permalink / raw)
To: michael.christie
Cc: d.bogdanov, target-devel, martin.petersen, linux-scsi, james.bottomley
On Thu, 15 Feb 2024 at 11:43, Maurizio Lombardi
<mlombard@redhat.com> wrote:
> + /* We use the kernel credentials to access the target directory */
> + kern_cred = prepare_kernel_cred(&init_task);
> + if (!kern_cred) {
> + ret = -ENOMEM;
> + goto out;
> + }
> + old_cred = override_creds(kern_cred);
> target_init_dbroot();
> + revert_creds(old_cred);
> + put_cred(kern_cred);
I've noticed there is a leak in the error path; I am sending a v2.
Maurizio