Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

scsi: target: Fix SELinux error when systemd-modules loads the target module

If the systemd-modules service loads the target module, the credentials of
that userspace process will be used to validate the access to the target db
directory. SELinux will prevent it, reporting an error like the following:

kernel: audit: type=1400 audit(1676301082.205:4): avc: denied { read }
for pid=1020 comm="systemd-modules" name="target" dev="dm-3"
ino=4657583 scontext=system_u:system_r:systemd_modules_load_t:s0
tcontext=system_u:object_r:targetd_etc_rw_t:s0 tclass=dir permissive=0

Fix the error by using the kernel credentials to access the db directory.

Signed-off-by: Maurizio Lombardi <mlombard@redhat.com>
Link: https://lore.kernel.org/r/20240215143944.847184-2-mlombard@redhat.com
Reviewed-by: Mike Christie <michael.christie@oracle.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>

Authored by Maurizio Lombardi and committed by Martin K. Petersen
Commit 97a54ef5 (parent d4e655c4)

drivers/target/target_core_configfs.c
··· 3672 3672 { 3673 3673 struct configfs_subsystem *subsys = &target_core_fabrics; 3674 3674 struct t10_alua_lu_gp *lu_gp; 3675 + struct cred *kern_cred; 3676 + const struct cred *old_cred; 3675 3677 int ret; 3676 3678 3677 3679 pr_debug("TARGET_CORE[0]: Loading Generic Kernel Storage" ··· 3750 3748 if (ret < 0) 3751 3749 goto out; 3752 3750 3751 + /* We use the kernel credentials to access the target directory */ 3752 + kern_cred = prepare_kernel_cred(&init_task); 3753 + if (!kern_cred) { 3754 + ret = -ENOMEM; 3755 + goto out; 3756 + } 3757 + old_cred = override_creds(kern_cred); 3753 3758 target_init_dbroot(); 3759 + revert_creds(old_cred); 3760 + put_cred(kern_cred); 3754 3761 3755 3762 return 0; 3756 3763 3757 3764 out: 3765 + target_xcopy_release_pt(); 3758 3766 configfs_unregister_subsystem(subsys); 3759 3767 core_dev_release_virtual_lun0(); 3760 3768 rd_module_exit();
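Review bot: The change to the `out:` label, adding `target_xcopy_release_pt();` before `configfs_unregister_subsystem(subsys);`, is not mentioned in the commit message, which only describes the credential switch; since the new `if (!kern_cred) { ret = -ENOMEM; goto out; }` path is the first to rely on it, please either document in the message that the error path now also releases the xcopy resources, or split that fix into its own patch. The credential handling itself is consistent: `old_cred` is declared `const struct cred *`, which matches what `override_creds()` returns, `revert_creds(old_cred)` restores the caller's credentials immediately after `target_init_dbroot()`, and `put_cred(kern_cred)` drops the reference taken by `prepare_kernel_cred(&init_task)`.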