target-devel.vger.kernel.org archive mirror
* [PATCH 0/1] Fix SELinux denials against target driver
@ 2024-02-15 10:35 Maurizio Lombardi
From: Maurizio Lombardi @ 2024-02-15 10:35 UTC (permalink / raw)
  To: michael.christie
  Cc: d.bogdanov, target-devel, martin.petersen, linux-scsi, james.bottomley


Steps to reproduce:

1) install ibacm, rdma-core and targetcli
2) service ibacm start   (ignore the errors)
3) Look at dmesg; you will see an error message like
   "db_root: cannot open: /etc/target"

4) Execute $ sudo ausearch -m AVC,USER_AVC -ts recent

   type=AVC msg=audit(1707990698.893:610): avc:  denied  { read } for  pid=26447
   comm="systemd-modules" name="target" dev="dm-0" ino=973050 scontext=system_u:system_r:systemd_modules_load_t:s0
   tcontext=system_u:object_r:targetd_etc_rw_t:s0 tclass=dir permissive=0

Fix inspired by commit 581dd69830341d299b0c097fc366097ab497d679

Maurizio Lombardi (1):
  target: fix selinux error when systemd-modules loads the target module

 drivers/target/target_core_configfs.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

-- 
2.39.3
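Added example, not part of this thread or of the target driver: a small parser for AVC records in the two forms quoted above (ausearch and dmesg), with a check that flags the exact pattern this series fixes, the module loader's domain (systemd_modules_load_t) being denied on the target db directory (targetd_etc_rw_t). The sample lines are constructed from the records quoted in the thread.

```python
import re

# Constructed sample input: the two AVC records quoted in this thread,
# in their ausearch and dmesg forms, re-wrapped onto one line each.
SAMPLE_AVC_LINES = [
    'type=AVC msg=audit(1707990698.893:610): avc:  denied  { read } for  pid=26447 '
    'comm="systemd-modules" name="target" dev="dm-0" ino=973050 '
    'scontext=system_u:system_r:systemd_modules_load_t:s0 '
    'tcontext=system_u:object_r:targetd_etc_rw_t:s0 tclass=dir permissive=0',
    'kernel: audit: type=1400 audit(1676301082.205:4): avc: denied  { read } '
    'for  pid=1020 comm="systemd-modules" name="target" dev="dm-3" '
    'ino=4657583 scontext=system_u:system_r:systemd_modules_load_t:s0 '
    'tcontext=system_u:object_r:targetd_etc_rw_t:s0 tclass=dir permissive=0',
]

# "avc: denied { perm ... } for key=value ..." is common to both record forms
AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}'
                    r'\s+for\s+(?P<fields>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC record into a dict; return None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    for key, val in KV_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    # a context is user:role:type:level, so the SELinux type is the third field
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            rec[ctx + "_type"] = rec[ctx].split(":")[2]
    return rec


def is_module_loader_dbroot_denial(rec):
    """True when the module loader's domain, not the kernel, was denied on the db dir."""
    return (rec is not None
            and rec["result"] == "denied"
            and rec.get("comm") == "systemd-modules"
            and rec.get("scontext_type") == "systemd_modules_load_t"
            and rec.get("tcontext_type") == "targetd_etc_rw_t"
            and rec.get("tclass") == "dir")


def find_dbroot_denials(lines):
    """Return the pids of records matching the pattern this patch fixes."""
    return [int(r["pid"]) for r in map(parse_avc, lines)
            if is_module_loader_dbroot_denial(r)]
```

Feeding `ausearch -m AVC,USER_AVC -ts recent` output through `find_dbroot_denials()` gives a quick way to confirm that a db_root open failure is this credential problem rather than a missing or mislabelled /etc/target.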



* [PATCH 1/1] target: fix selinux error when systemd-modules loads the target module
  2024-02-15 10:35 [PATCH 0/1] Fix SELinux denials against target driver Maurizio Lombardi
@ 2024-02-15 10:35 ` Maurizio Lombardi
From: Maurizio Lombardi @ 2024-02-15 10:35 UTC (permalink / raw)
  To: michael.christie
  Cc: d.bogdanov, target-devel, martin.petersen, linux-scsi, james.bottomley

If the systemd-modules service loads the target module, the credentials
of that userspace process will be used to validate the access to the
target db directory.
SELinux will prevent it, reporting an error like the following:

kernel: audit: type=1400 audit(1676301082.205:4): avc: denied  { read }
for  pid=1020 comm="systemd-modules" name="target" dev="dm-3"
ino=4657583 scontext=system_u:system_r:systemd_modules_load_t:s0
tcontext=system_u:object_r:targetd_etc_rw_t:s0 tclass=dir permissive=0

Fix the error by using the kernel credentials to access the db directory.

Signed-off-by: Maurizio Lombardi <mlombard@redhat.com>
---
 drivers/target/target_core_configfs.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/drivers/target/target_core_configfs.c b/drivers/target/target_core_configfs.c
index a5f58988130a..26c6f1cac677 100644
--- a/drivers/target/target_core_configfs.c
+++ b/drivers/target/target_core_configfs.c
@@ -3656,6 +3656,8 @@ static int __init target_core_init_configfs(void)
 {
 	struct configfs_subsystem *subsys = &target_core_fabrics;
 	struct t10_alua_lu_gp *lu_gp;
+	struct cred *kern_cred;
+	const struct cred *old_cred;
 	int ret;
 
 	pr_debug("TARGET_CORE[0]: Loading Generic Kernel Storage"
@@ -3732,7 +3734,16 @@ static int __init target_core_init_configfs(void)
 	if (ret < 0)
 		goto out;
 
+	/* We use the kernel credentials to access the target directory */
+	kern_cred = prepare_kernel_cred(&init_task);
+	if (!kern_cred) {
+		ret = -ENOMEM;
+		goto out;
+	}
+	old_cred = override_creds(kern_cred);
 	target_init_dbroot();
+	revert_creds(old_cred);
+	put_cred(kern_cred);
 
 	return 0;
 
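Review bot: the new `-ENOMEM` path at `if (!kern_cred)` jumps to `out`, the same label the `ret < 0` check just above it uses, so confirm that label releases everything set up before this point; the follow-up in this thread reports a leak on the error path and announces a v2. The reference handling around the call itself is consistent: `prepare_kernel_cred(&init_task)` hands back a new cred with one reference, `override_creds()` takes its own reference and returns the caller's creds, `revert_creds(old_cred)` drops the override's reference, and `put_cred(kern_cred)` releases the one from the allocation, so `target_init_dbroot()` runs with kernel credentials for exactly that one call. One documentation point: the comment `/* We use the kernel credentials to access the target directory */` would help future readers more if it said why, i.e. that the override is there so the LSM check on the db root is made against the kernel's context rather than the module loader's domain (`systemd_modules_load_t`), which is what the quoted AVC denial shows.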
-- 
2.39.3



* Re: [PATCH 1/1] target: fix selinux error when systemd-modules loads the target module
  2024-02-15 10:35 ` [PATCH 1/1] target: fix selinux error when systemd-modules loads the target module Maurizio Lombardi
@ 2024-02-15 14:26   ` Maurizio Lombardi
From: Maurizio Lombardi @ 2024-02-15 14:26 UTC (permalink / raw)
  To: michael.christie
  Cc: d.bogdanov, target-devel, martin.petersen, linux-scsi, james.bottomley

On Thu, 15 Feb 2024 at 11:43, Maurizio Lombardi
<mlombard@redhat.com> wrote:
> +       /* We use the kernel credentials to access the target directory */
> +       kern_cred = prepare_kernel_cred(&init_task);
> +       if (!kern_cred) {
> +               ret = -ENOMEM;
> +               goto out;
> +       }
> +       old_cred = override_creds(kern_cred);
>         target_init_dbroot();
> +       revert_creds(old_cred);
> +       put_cred(kern_cred);
>
>
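Review bot: in the quoted region the credential override covers `target_init_dbroot()` alone and `revert_creds()` follows immediately, so the kernel credentials are not held across any later initialisation; if v2 reworks the error path, keep the override scoped this tightly. Also note that `target_init_dbroot()` is called without examining a result, so a db root open that still fails for a reason unrelated to SELinux (the `db_root: cannot open: /etc/target` message from the cover letter) lets initialisation continue as before; that matches the pre-patch behaviour but is worth stating in the commit message.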

I've noticed there is a leak in the error path; I am sending a v2.

Maurizio


