Discussion:
iscsi.service: Unit cannot be reloaded because it is inactive.
Jason Long
2021-04-04 10:52:30 UTC
Hello,
I'm using Fedora Server as an iSCSI Shared Storage. When I rebooted my server, the "iscsi.service" couldn't load:

[***@node3 ~]# systemctl status iscsi.service 
● iscsi.service - Login and scanning of iSCSI devices
     Loaded: loaded (/usr/lib/systemd/system/iscsi.service; enabled; vendor preset: enabled)
     Active: inactive (dead)
  Condition: start condition failed at Sat 2021-04-03 18:49:08 +0430; 2s ago
             └─ ConditionDirectoryNotEmpty=/var/lib/iscsi/nodes was not met
       Docs: man:iscsiadm(8)
             man:iscsid(8)




Apr 03 18:39:17 node3.localhost.localdomain systemd[1]: Condition check resulted in Login and scanning of iSCSI devices being skipped.
Apr 03 18:39:17 node3.localhost.localdomain systemd[1]: iscsi.service: Unit cannot be reloaded because it is inactive.
Apr 03 18:39:17 node3.localhost.localdomain systemd[1]: iscsi.service: Unit cannot be reloaded because it is inactive.
Apr 03 18:49:08 node3.localhost.localdomain systemd[1]: Condition check resulted in Login and scanning of iSCSI devices being skipped.


SELinux is enabled on my Fedora Server:

# sestatus 
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33

[***@node3 ~]# ps -eZ | grep iscsid_t
[***@node3 ~]# 

And when I looked at the log, I saw the errors below:

# dmesg -H -l err
[Apr 4 15:05] [drm:vmw_host_log [vmwgfx]] *ERROR* Failed to send host log message.
[  +0.000009] [drm:vmw_host_log [vmwgfx]] *ERROR* Failed to send host log message.
[  +9.037994] dev[000000004a7f146c]: Unable to change SE Device alua_support: alua_support has fixed value
[  +0.000014] dev[000000004a7f146c]: Unable to change SE Device alua_support: alua_support has fixed value
[  +0.000798] dev[000000004a7f146c]: Unable to change SE Device pgr_support: pgr_support has fixed value
[  +0.000004] dev[000000004a7f146c]: Unable to change SE Device pgr_support: pgr_support has fixed value

How can I configure SELinux for an iSCSI Shared Storage?

Thank you.
_______________________________________________
selinux mailing list -- ***@lists.fedoraproject.org
To unsubscribe send an email to selinux-***@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/***@lists.fedoraproject.org
Do not reply to spam on the list, report it: ht
Zdenek Pytela
2021-04-06 10:07:04 UTC
Hi,

Do you have any indication it was SELinux blocking some access? Can you
look for AVCs in the audit log? Which Fedora version is it?

# ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today
--
Zdenek Pytela
Security SELinux team
Jason Long
2021-04-07 15:34:03 UTC
Thank you.
I'm using Fedora Server 33 and the output of your command is:

# ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today
----
type=AVC msg=audit(04/07/2021 20:00:30.231:144) : avc:  denied  { name_bind } for  pid=693 comm=unbound-anchor src=61000 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket permissive=0 
Zdenek Pytela
2021-04-07 16:16:11 UTC
Post by Jason Long
Thank you.
# ausearch -i -m avc,user_avc,selinux_err,user_selinux_err -ts today
----
type=AVC msg=audit(04/07/2021 20:00:30.231:144) : avc: denied { name_bind } for pid=693 comm=unbound-anchor src=61000 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket permissive=0
This should be fixed soon:
https://bugzilla.redhat.com/show_bug.cgi?id=1935101
--
Zdenek Pytela
Security SELinux team
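One way to triage the `ausearch` output discussed above, as an added example that is not part of the thread: it parses interpreted AVC records, including the line-wrapped form in which the record appears in the quoted mail, and separates denials raised by the iSCSI stack from unrelated ones. The watch list (`iscsid_t`, `iscsid`, `iscsiadm`) reuses names that appear in the thread and is an assumption about what counts as iSCSI-related; the second sample record is constructed.

```python
import re

# The single AVC record from the thread, wrapped as it appears in the quoted mail.
THREAD_OUTPUT = """\
----
type=AVC msg=audit(04/07/2021 20:00:30.231:144) : avc: denied {
name_bind } for pid=693 comm=unbound-anchor src=61000
scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:port_t:s0
tclass=udp_socket permissive=0
"""

# Constructed record (NOT from the thread): what an iSCSI-related denial
# would look like to the triage step below.
CONSTRUCTED_OUTPUT = THREAD_OUTPUT + """\
----
type=AVC msg=audit(04/07/2021 20:01:02.100:150) : avc:  denied  { read } for  pid=1201 comm=iscsid name=nodes scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=0
"""

# Assumption: these names identify the iSCSI stack. iscsid_t is the domain
# grepped for in the thread; iscsid/iscsiadm are the tools named in the unit's Docs.
WATCH_DOMAINS = {"iscsid_t"}
WATCH_COMMS = {"iscsid", "iscsiadm"}

RECORD_RE = re.compile(
    r"type=(?P<type>\w+) msg=audit\((?P<stamp>[^)]*)\)\s*:\s*(?P<body>.*?)"
    r"(?=type=\w+ msg=audit\(|\Z)"
)
DENIAL_RE = re.compile(r"avc:\s*denied\s*\{(?P<perms>[^}]*)\}\s*for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_denials(text):
    """Return one dict per AVC/USER_AVC denial found in `ausearch -i` output."""
    # Collapse all whitespace first so records re-wrapped by a mail client
    # are parsed the same way as the original one-line form.
    flat = " ".join(text.split())
    denials = []
    for rec in RECORD_RE.finditer(flat):
        if rec.group("type") not in ("AVC", "USER_AVC"):
            continue
        m = DENIAL_RE.search(rec.group("body"))
        if not m:
            continue  # not a denial (for example a "granted" record)
        fields = dict(FIELD_RE.findall(m.group("rest")))
        parts = fields.get("scontext", "").split(":")
        denials.append({
            "stamp": rec.group("stamp"),
            "perms": m.group("perms").split(),
            "comm": fields.get("comm", "").strip("\"'"),
            # SELinux context is user:role:type:level; the type is the domain.
            "domain": parts[2] if len(parts) > 2 else "",
            "target": fields.get("tcontext", ""),
            "tclass": fields.get("tclass", ""),
            "permissive": fields.get("permissive", "").strip("\"'") == "1",
        })
    return denials


def triage(denials, domains=WATCH_DOMAINS, comms=WATCH_COMMS):
    """Split denials into (related, unrelated) to the watched service."""
    related, unrelated = [], []
    for d in denials:
        hit = d["domain"] in domains or d["comm"] in comms
        (related if hit else unrelated).append(d)
    return related, unrelated


if __name__ == "__main__":
    for label, text in (("thread", THREAD_OUTPUT), ("constructed", CONSTRUCTED_OUTPUT)):
        related, unrelated = triage(parse_denials(text))
        print(f"{label}: {len(related)} iSCSI-related, {len(unrelated)} unrelated")
        for d in related + unrelated:
            print(f"  {d['domain']:<10} comm={d['comm']:<15} "
                  f"{{{' '.join(d['perms'])}}} on {d['tclass']}")
```
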
Jason Long
2021-04-07 17:10:35 UTC
Thanks.
The problem was that I forgot to open port 3260/tcp on my node1 and node2. I opened that port on my nodes and the result is:

Full List of Resources:
    * Resource Group: apache:
    * httpd_fs    (ocf::heartbeat:Filesystem):     Started
    * httpd_vip    (ocf::heartbeat:IPaddr2):        Started
    * httpd_ser    (ocf::heartbeat:apache):        Started
Jason Long
2021-04-07 17:38:23 UTC
Sorry, problem not solved.
When I restarted my servers, that problem appeared again. Thus, is it a bug?
Zdenek Pytela
2021-04-08 07:50:06 UTC
Post by Jason Long
Sorry, problem not solved.
When I restarted my servers, that problem appeared again. Thus, is it a bug?
Which problem reappeared? Are there any AVC/USER_AVC denials?
--
Zdenek Pytela
Security SELinux team
Jason Long
2021-04-08 12:52:11 UTC
Thank you.
The problem was that I must turn on the iSCSI Shared Storage before the other nodes.