Understanding SELinux with iSCSI
SELinux modes:
-
enforcing- SELinux policy is enforced (recommended for production) -
permissive- SELinux logs violations but doesn't block (testing) -
disabled- SELinux is disabled (not recommended)
Check SELinux status:
getenforce
sestatus
SELinux Policies for iSCSI
Allow iSCSI connections:
# iSCSI should work out-of-the-box with default policies
# Check for denials
sudo ausearch -m avc -ts recent | grep iscsi
# If denials found, generate policy
sudo ausearch -m avc -ts recent | audit2allow -M iscsi_policy
# Review the policy
cat iscsi_policy.te
# Install policy
sudo semodule -i iscsi_policy.pp
Port Labeling
Label iSCSI port (if needed):
# Check current port labels
sudo semanage port -l | grep iscsi
# Add custom port if using non-standard port
sudo semanage port -a -t iscsi_port_t -p tcp 3260
Issue: iSCSI connections blocked
# Check for denials
sudo ausearch -m avc -ts recent
# Temporary: Set to permissive for testing
sudo setenforce 0
# Test iSCSI connection
sudo iscsiadm -m discovery -t sendtargets -p <portal_ip>:3260
# Check for new denials
sudo ausearch -m avc -ts recent
# Generate and install policy
sudo ausearch -m avc -ts recent | audit2allow -M iscsi_fix
sudo semodule -i iscsi_fix.pp
# Re-enable enforcing
sudo setenforce 1
Common SELinux Issues
Issue: Multipath device access denied
# Allow multipath to access devices
sudo setsebool -P virt_use_rawio 1
# Or create custom policy
sudo ausearch -m avc -ts recent | grep multipath | audit2allow -M multipath_iscsi
sudo semodule -i multipath_iscsi.pp
-
Never disable SELinux in production
- Use permissive mode for troubleshooting only
- Always create proper policies
-
Monitor audit logs regularly
sudo ausearch -m avc -ts today -
Use booleans when available
bash # List iSCSI-related booleans sudo getsebool -a | grep iscsi -
Document custom policies
- Keep .te files in version control
- Document why each policy was needed