Bug 1044299

Summary: system-config-kdump: Handling services error
Product: Red Hat Enterprise Linux 7 Reporter: Qiao Zhao <qzhao>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED CURRENTRELEASE QA Contact: Milos Malik <mmalik>
Severity: urgent Docs Contact:
Priority: urgent    
Version: 7.0CC: bugproxy, chorn, dwalsh, hannsj_uhl, jkachuck, lnykryn, mmalik, mmilata, peter.pols, qcai, rvokal, systemd-maint-list
Target Milestone: rcKeywords: TestBlocker
Target Release: ---   
Hardware: Unspecified   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.12.1-134.el7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-06-13 10:08:52 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1056008    
Bug Blocks: 717946, 744225, 860099, 1035351, 1035360, 1049106, 1049170, 1050219, 1050845, 1055488, 1055830, 1057960, 1062567, 1062801, 1063932, 1066200, 1067873, 1069502, 1070517, 1070921, 1073810    
Attachments:
Description Flags
system-config-kdump error
none
sos report
none
screenshot none

Description Qiao Zhao 2013-12-18 03:56:02 UTC 
Created attachment 838105 [details]
system-config-kdump error

Description of problem:
system-config-kdump reminder "Handing services error" after click Apply button when change crashkernel size by Basic Settings.


Version-Release number of selected component (if applicable):
system-config-kdump-2.0.13-3.el7
kexec-tools-2.0.4-14.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1. Install system-config-kdump and start system-config-kdump
2. change "New kdump Memory" by manual
3. click Apply button

Actual results:
remind system-config-kdump: Handling services error

Expected results:
Apply normal

Additional info:
Comment 4 Martin Milata 2014-01-20 22:26:29 UTC 
I'm able to reproduce this bug in RHEL7 beta. The issue disappears with SELinux switched to permissive mode. I suspect that this is caused by bug#1022762 and bug#1035360, the same AVCs can be seen in audit.log.
Comment 5 Martin Milata 2014-01-21 11:27:13 UTC 
Switching to selinux-policy component.

policy version: selinux-policy-3.12.1-118.el7.noarch

AVC (similar to bug#1022762):
type=USER_AVC msg=audit(1390303008.005:712): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { enable } for auid=-1 uid=0 gid=0 scontext=system_u:system_r:kdumpgui_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=system  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
Comment 6 Miroslav Grepl 2014-01-21 12:15:56 UTC 
Yes, it needs to be fixed in the systemd.
Comment 7 Lukáš Nykrýn 2014-01-23 15:18:46 UTC 
This one is probably clone of https://bugzilla.redhat.com/show_bug.cgi?id=1056008
Comment 8 Martin Milata 2014-01-28 13:06:04 UTC 
*** Bug 1058697 has been marked as a duplicate of this bug. ***
Comment 9 Martin Milata 2014-02-17 18:17:33 UTC 
Even with the systemd fix (#1056008), the issue still persists.

With systemd-208-4.el7, I'm getting slightly different USER_AVC:

type=USER_AVC msg=audit(1392660188.972:385): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { enable } for auid=-1 uid=0 gid=0 path="system" scontext=system_u:system_r:kdumpgui_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

Doesn't the policy need to be changed too, as suggested in bug #1035360?
Comment 10 Miroslav Grepl 2014-02-18 10:29:29 UTC 
It does not make sense to do this check on the "system" class.
Comment 11 Milos Malik 2014-02-20 08:25:27 UTC 
Caught in enforcing mode:
----
type=PATH msg=audit(02/20/2014 09:22:11.940:14628) : item=0 name=/dev/sr0 inode=9941 dev=00:05 mode=block,660 ouid=root ogid=cdrom rdev=0b:00 obj=system_u:object_r:removable_device_t:s0 objtype=NORMAL 
type=CWD msg=audit(02/20/2014 09:22:11.940:14628) :  cwd=/ 
type=SYSCALL msg=audit(02/20/2014 09:22:11.940:14628) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=0x7896e0 a1=O_RDONLY|O_CLOEXEC a2=0x0 a3=0x0 items=1 ppid=1713 pid=1715 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=grubby exe=/usr/sbin/grubby subj=system_u:system_r:kdumpgui_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(02/20/2014 09:22:11.940:14628) : avc:  denied  { read } for  pid=1715 comm=grubby name=sr0 dev="devtmpfs" ino=9941 scontext=system_u:system_r:kdumpgui_t:s0-s0:c0.c1023 tcontext=system_u:object_r:removable_device_t:s0 tclass=blk_file 
----
type=USER_AVC msg=audit(02/20/2014 09:23:07.937:14632) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc:  denied  { enable } for auid=unset uid=root gid=root path=system scontext=system_u:system_r:kdumpgui_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=system  exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?' 
----
Comment 12 Milos Malik 2014-02-20 09:07:32 UTC 
Caught in permissive mode:
----
type=USER_AVC msg=audit(02/20/2014 10:06:07.061:14878) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc:  denied  { enable } for auid=unset uid=root gid=root path=system scontext=system_u:system_r:kdumpgui_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=system  exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?' 
----
type=USER_AVC msg=audit(02/20/2014 10:06:07.062:14879) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc:  denied  { reload } for auid=unset uid=root gid=root path=system scontext=system_u:system_r:kdumpgui_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=system  exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?' 
----
Comment 14 Miroslav Grepl 2014-02-26 16:03:30 UTC 
*** Bug 1070318 has been marked as a duplicate of this bug. ***
Comment 15 IBM Bug Proxy 2014-02-26 16:11:16 UTC 
Created attachment 868096 [details]
sos report

default comment by bridge
Comment 16 IBM Bug Proxy 2014-02-26 16:11:20 UTC 
Created attachment 868097 [details]
screenshot

default comment by bridge
Comment 18 Lukáš Nykrýn 2014-02-27 16:01:36 UTC 
Ia m not sure what is the proper fix in systemd. I think that maybe the mentioned patch from upstream http://cgit.freedesktop.org/systemd/systemd/commit/?id=4f7385f is wrong, because when the service is not running u = manager_get_unit(m, *i); will just return an error, so we will not get to the selinux_unit_access_check part.
Comment 19 Miroslav Grepl 2014-03-03 19:27:26 UTC 
The problem is it would allow s-c-kdump to enable/disable all services on the system. 

Either we miss a check on

/usr/lib/systemd/system/httpd.service

or we miss additional check on this unit file.
Comment 20 Lukáš Nykrýn 2014-03-04 11:49:15 UTC 
Can you please elaborate this? I am not sure that I follow.
Comment 21 Miroslav Grepl 2014-03-04 12:00:23 UTC 
My point is 

allow kdumpgui_t init_t:system { enable disalbe reload }

could be OK but then we need to have additional check on kdump unit file in this case?

Dan?
Comment 22 Martin Milata 2014-03-05 15:41:39 UTC 
*** Bug 1056008 has been marked as a duplicate of this bug. ***
Comment 23 Miroslav Grepl 2014-03-06 14:47:18 UTC 
Lukáš.
my understanding is we don't do a check for a unit file if there is disable/enable action. Not sure if it can be changed to do this check or we need to add an additional check after

allow kdumpgui_t init_t:system { enable disalbe reload }

is ok and then do a unit file check.

Does it make sense?
Comment 24 Lukáš Nykrýn 2014-03-06 15:35:16 UTC 
I am still not sure what is exactly happening here. It looks to me that kdumpgui is calling enable on some unit, but selinux forbids that.

So from systemd side of a view we should check if some binary is allowed to enable specific unit? Or is this just a question about policy if kdumpgui can enable and disable units?
Comment 25 Miroslav Grepl 2014-03-06 15:45:14 UTC 
(In reply to Lukáš Nykrýn from comment #24)
> I am still not sure what is exactly happening here. It looks to me that
> kdumpgui is calling enable on some unit, but selinux forbids that.

Yes.

s-c-kdump running as kdumpgui_t runs

systemctl enable/disable kdump

so you end with

allow kdumpgui_t init_t:system { enable disable reload }

But it allows s-c-kdump to disable/enable all services on a system.

> So from systemd side of a view we should check if some binary is allowed to
> enable specific unit? Or is this just a question about policy if kdumpgui
> can enable and disable units?

The same way how you check whether it can be started for example.
Comment 26 Martin Milata 2014-03-07 10:33:30 UTC 
*** Bug 1055488 has been marked as a duplicate of this bug. ***
Comment 28 IBM Bug Proxy 2014-03-11 15:33:58 UTC 
------- Comment From brueckner.com 2014-03-11 15:26 EDT-------
*** Bug 105558 has been marked as a duplicate of this bug. ***
Comment 30 Ludek Smid 2014-06-13 10:08:52 UTC 
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.