On Wed, Apr 7, 2021 at 5:39 PM Jason Long <hack3rcon@yahoo.com> wrote:
> Thank you.
> I'm using Fedora Server 33 and the output of your command is:
>
> # ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today
> ----
> type=AVC msg=audit(04/07/2021 20:00:30.231:144) : avc:  denied  { name_bind } for  pid=693 comm=unbound-anchor src=61000 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket permissive=0

This should be fixed soon:
https://bugzilla.redhat.com/show_bug.cgi?id=1935101

On Tuesday, April 6, 2021, 02:37:59 PM GMT+4:30, Zdenek Pytela <zpytela@redhat.com> wrote:

On Sun, Apr 4, 2021 at 12:56 PM Jason Long <hack3rcon@yahoo.com> wrote:
> Hello,
> I'm using Fedora Server as an iSCSI Shared Storage. When I rebooted my server, the "iscsi.service" couldn't load:
>
> [root@node3 ~]# systemctl status iscsi.service 
> ● iscsi.service - Login and scanning of iSCSI devices
>      Loaded: loaded (/usr/lib/systemd/system/iscsi.service; enabled; vendor preset: enabled)
>      Active: inactive (dead)
>   Condition: start condition failed at Sat 2021-04-03 18:49:08 +0430; 2s ago
>              └─ ConditionDirectoryNotEmpty=/var/lib/iscsi/nodes was not met
>        Docs: man:iscsiadm(8)
>              man:iscsid(8)
>
>
>
>
> Apr 03 18:39:17 node3.localhost.localdomain systemd[1]: Condition check resulted in Login and scanning of iSCSI devices being skipped.
> Apr 03 18:39:17 node3.localhost.localdomain systemd[1]: iscsi.service: Unit cannot be reloaded because it is inactive.
> Apr 03 18:39:17 node3.localhost.localdomain systemd[1]: iscsi.service: Unit cannot be reloaded because it is inactive.
> Apr 03 18:49:08 node3.localhost.localdomain systemd[1]: Condition check resulted in Login and scanning of iSCSI devices being skipped.
>
>
> SELinux is enabled on my Fedora Server:
>
> # sestatus 
> SELinux status:                 enabled
> SELinuxfs mount:                /sys/fs/selinux
> SELinux root directory:         /etc/selinux
> Loaded policy name:             targeted
> Current mode:                   enforcing
> Mode from config file:          enforcing
> Policy MLS status:              enabled
> Policy deny_unknown status:     allowed
> Memory protection checking:     actual (secure)
> Max kernel policy version:      33
>
> [root@node3 ~]# ps -eZ | grep iscsid_t
> [root@node3 ~]# 
>
> And when I looked at the log, I saw the errors below:
>
> # dmesg -H -l err
> [Apr 4 15:05] [drm:vmw_host_log [vmwgfx]] *ERROR* Failed to send host log message.
> [  +0.000009] [drm:vmw_host_log [vmwgfx]] *ERROR* Failed to send host log message.
> [  +9.037994] dev[000000004a7f146c]: Unable to change SE Device alua_support: alua_support has fixed value
> [  +0.000014] dev[000000004a7f146c]: Unable to change SE Device alua_support: alua_support has fixed value
> [  +0.000798] dev[000000004a7f146c]: Unable to change SE Device pgr_support: pgr_support has fixed value
> [  +0.000004] dev[000000004a7f146c]: Unable to change SE Device pgr_support: pgr_support has fixed value
>
> How can I configure SELinux for an iSCSI Shared Storage?
Hi,

Do you have any indication it was SELinux blocking some access? Can you look for AVCs in the audit log? Which Fedora version is it?

  # ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today


>  
> Thank you.
>
> _______________________________________________
> selinux mailing list -- selinux@lists.fedoraproject.org
> To unsubscribe send an email to selinux-leave@lists.fedoraproject.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/selinux@lists.fedoraproject.org
> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
>


--

Zdenek Pytela
Security SELinux team
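
As an added example (not part of the original thread): a small Python parser for interpreted AVC records like the one quoted above. It groups enforced denials by source domain so you can check whether any of them involves a given domain such as `iscsid_t`. The function names are hypothetical, and the sample line is the record from this thread.

```python
import re
from collections import defaultdict

# Sample record copied from the ausearch output quoted in this thread.
SAMPLE = (
    "type=AVC msg=audit(04/07/2021 20:00:30.231:144) : avc:  denied  { name_bind } "
    "for  pid=693 comm=unbound-anchor src=61000 "
    "scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:port_t:s0 "
    "tclass=udp_socket permissive=0 \n"
)

AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)")

def parse_avc(line):
    """Return a dict of the fields in one interpreted AVC record, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group(1), "perms": m.group(2).split()}
    for token in m.group(3).split():
        key, sep, value = token.partition("=")
        if sep:  # skip fragments that are not key=value pairs
            rec[key] = value.strip('"')
    # The SELinux type is the third colon-separated field of a context.
    for side in ("scontext", "tcontext"):
        parts = rec.get(side, "").split(":")
        rec[side[0] + "type"] = parts[2] if len(parts) > 2 else None
    return rec

def denials_by_domain(text):
    """Map source domain -> set of (comm, perm, tclass, target type)."""
    out = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        # A missing permissive field is treated as enforced (assumption).
        if rec and rec["result"] == "denied" and rec.get("permissive", "0") == "0":
            for perm in rec["perms"]:
                out[rec["stype"]].add(
                    (rec.get("comm"), perm, rec.get("tclass"), rec["ttype"]))
    return dict(out)

def involves_domain(text, domain):
    """True if any enforced denial has `domain` as source or target type."""
    return any(domain == src or any(hit[3] == domain for hit in hits)
               for src, hits in denials_by_domain(text).items())

if __name__ == "__main__":
    for dom, hits in denials_by_domain(SAMPLE).items():
        print(dom, sorted(hits))
    print("iscsid_t involved:", involves_domain(SAMPLE, "iscsid_t"))
```
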