Bug 1244057

Summary: SELinux is preventing /usr/sbin/kexec from 'read' accesses on the file /boot/vmlinuz-4.2.0-0.rc0.git1.1.local.fc23.x86_64.
Product: [Fedora] Fedora Reporter: William Brown <william>
Component: systemdAssignee: Jan Synacek <jsynacek>
Status: CLOSED EOL QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 22CC: bugzilla, dominick.grift, dwalsh, jfilak, johannbg, jsynacek, lnie, lnykryn, lvrabec, mgrepl, msekleta, nalimilan, plautrba, ruyang, smitas.ernestas, s, systemd-maint, zbyszek
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Unspecified   
Whiteboard: abrt_hash:5e0414bbb66c16dd4dd0a3f1b1982383c31df2dde7f00b0ae73068fbc6c260fe
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-07-19 15:23:28 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1247017    
Bug Blocks:    

Description William Brown 2015-07-17 01:42:07 UTC 
Description of problem:
I have enabled kdump on my system, and I am using a locally fedpkg built kernel.
SELinux is preventing /usr/sbin/kexec from 'read' accesses on the file /boot/vmlinuz-4.2.0-0.rc0.git1.1.local.fc23.x86_64.

*****  Plugin restorecon (99.5 confidence) suggests   ************************

If you want to fix the label. 
/boot/vmlinuz-4.2.0-0.rc0.git1.1.local.fc23.x86_64 default label should be boot_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /boot/vmlinuz-4.2.0-0.rc0.git1.1.local.fc23.x86_64

*****  Plugin catchall (1.49 confidence) suggests   **************************

If you believe that kexec should be allowed read access on the vmlinuz-4.2.0-0.rc0.git1.1.local.fc23.x86_64 file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep kexec /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:kdump_t:s0
Target Context                system_u:object_r:modules_object_t:s0
Target Objects                /boot/vmlinuz-4.2.0-0.rc0.git1.1.local.fc23.x86_64
                              [ file ]
Source                        kexec
Source Path                   /usr/sbin/kexec
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           kexec-tools-2.0.8-8.fc22.x86_64
Target RPM Packages           kernel-core-4.2.0-0.rc0.git1.1.local.fc23.x86_64
Policy RPM                    selinux-policy-3.13.1-128.4.fc22.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed)
                              4.2.0-0.rc0.git1.1.local.fc23.x86_64 #1 SMP Thu
                              Jul 9 08:40:29 ACST 2015 x86_64 x86_64
Alert Count                   14
First Seen                    2015-07-09 10:20:50 ACST
Last Seen                     2015-07-17 11:03:15 ACST
Local ID                      d907aa73-9912-4a7a-bd85-ccc60f19666a

Raw Audit Messages
type=AVC msg=audit(1437096795.895:276): avc:  denied  { read } for  pid=2572 comm="kexec" name="vmlinuz-4.2.0-0.rc0.git1.1.local.fc23.x86_64" dev="sda2" ino=157 scontext=system_u:system_r:kdump_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=file permissive=0


type=SYSCALL msg=audit(1437096795.895:276): arch=x86_64 syscall=open success=no exit=EACCES a0=7fff63eb5f55 a1=0 a2=7f17c8d63770 a3=691 items=0 ppid=1397 pid=2572 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=kexec exe=/usr/sbin/kexec subj=system_u:system_r:kdump_t:s0 key=(null)

Hash: kexec,kdump_t,modules_object_t,file,read

Version-Release number of selected component:
selinux-policy-3.13.1-128.4.fc22.noarch

Additional info:
reporter:       libreport-2.6.0
hashmarkername: setroubleshoot
kernel:         4.2.0-0.rc0.git1.1.local.fc23.x86_64
type:           libreport
Comment 1 Baoquan He 2015-11-06 07:49:16 UTC 
*** Bug 1278288 has been marked as a duplicate of this bug. ***
Comment 2 Lukas Vrabec 2015-11-20 15:04:12 UTC 
Until the fix from #1247017 is not applied you can follow this step:

*****  Plugin restorecon (99.5 confidence) suggests   ************************

If you want to fix the label. 
/boot/vmlinuz-4.2.0-0.rc0.git1.1.local.fc23.x86_64 default label should be boot_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /boot/vmlinuz-4.2.0-0.rc0.git1.1.local.fc23.x86_64

Could systemd guys merge this patch to f22 branch? 
http://pkgs.fedoraproject.org/cgit/systemd.git/commit/?id=d4f265678413c7656d78074af12ec7f083b50aac 

Thank you
Comment 3 Dave Young 2016-01-18 05:52:01 UTC 
*** Bug 1298214 has been marked as a duplicate of this bug. ***
Comment 4 Lennart Poettering 2016-02-10 14:34:59 UTC 
*** Bug 1247017 has been marked as a duplicate of this bug. ***
Comment 5 Lennart Poettering 2016-02-10 15:53:02 UTC 
*** Bug 1305284 has been marked as a duplicate of this bug. ***
Comment 6 Fedora Update System 2016-02-12 06:39:33 UTC 
systemd-222-15.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-ea18762698
Comment 7 Fedora Update System 2016-02-12 06:39:34 UTC 
systemd-219-28.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2016-04b6975be9
Comment 8 Fedora Update System 2016-02-15 04:53:13 UTC 
systemd-219-28.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-04b6975be9
Comment 9 Fedora Update System 2016-02-15 05:24:59 UTC 
systemd-222-15.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-ea18762698
Comment 10 Fedora End Of Life 2016-07-19 15:23:28 UTC 
Fedora 22 changed to end-of-life (EOL) status on 2016-07-19. Fedora 22 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.