Bug 1308511

Summary: SELinux is preventing kexec from read access on the file /boot/vmlinuz-4.3.5-300.fc23.x86_64
Product: Fedora
Component: selinux-policy
Version: 23
Status: CLOSED CURRENTRELEASE
Severity: high
Priority: high
Hardware: Unspecified
OS: Unspecified
Reporter: Juan Orti <jorti>
Assignee: Miroslav Grepl <mgrepl>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: autarch, cpanceac, dominick.grift, dwalsh, jorti, lvrabec, mgrepl, plautrba
Type: Bug
Doc Type: Bug Fix
Last Closed: 2016-08-18 12:35:05 UTC

Description Juan Orti 2016-02-15 12:40:40 UTC
I've noticed that kdump fails to arm its ramdisk on each kernel update. This is because the new kernel is installed with a wrong context. Running a restorecon in /boot fixes the issue.

[root@xenon ~]# sealert -l 0596ba9e-7d39-4b45-b5e3-9b0d5286ec9b
SELinux is preventing kexec from read access on the file /boot/vmlinuz-4.3.5-300.fc23.x86_64.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that kexec should be allowed read access on the vmlinuz-4.3.5-300.fc23.x86_64 file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep kexec /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:kdump_t:s0
Target Context                system_u:object_r:modules_object_t:s0
Target Objects                /boot/vmlinuz-4.3.5-300.fc23.x86_64 [ file ]
Source                        kexec
Source Path                   kexec
Port                          <Unknown>
Host                          xenon
Source RPM Packages           
Target RPM Packages           kernel-core-4.3.5-300.fc23.x86_64
Policy RPM                    selinux-policy-3.13.1-158.4.fc23.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     xenon
Platform                      Linux xenon 4.3.5-300.fc23.x86_64 #1 SMP Mon Feb 1
                              03:18:41 UTC 2016 x86_64 x86_64
Alert Count                   38
First Seen                    2016-02-01 19:23:17 CET
Last Seen                     2016-02-15 09:16:06 CET
Local ID                      0596ba9e-7d39-4b45-b5e3-9b0d5286ec9b

Raw Audit Messages
type=AVC msg=audit(1455524166.730:535): avc:  denied  { read } for  pid=2721 comm="kexec" name="vmlinuz-4.3.5-300.fc23.x86_64" dev="sda8" ino=21 scontext=system_u:system_r:kdump_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=file permissive=0


Hash: kexec,kdump_t,modules_object_t,file,read


[root@xenon ~]# journalctl -b -u kdump.service
-- Logs begin at Thu 2015-10-01 09:19:17 CEST, end at Mon 2016-02-15 13:27:22 CET. --
Feb 15 09:16:04 xenon systemd[1]: Starting Crash recovery kernel arming...
Feb 15 09:16:06 xenon systemd[1]: kdump.service: Main process exited, code=exited, status=1/FAILURE
Feb 15 09:16:06 xenon systemd[1]: Failed to start Crash recovery kernel arming.
Feb 15 09:16:06 xenon systemd[1]: kdump.service: Unit entered failed state.
Feb 15 09:16:06 xenon systemd[1]: kdump.service: Failed with result 'exit-code'.
Feb 15 09:16:06 xenon kdumpctl[1533]: Cannot open `/boot/vmlinuz-4.3.5-300.fc23.x86_64': Permission denied
Feb 15 09:16:06 xenon kdumpctl[1533]: kexec: failed to load kdump kernel
Feb 15 09:16:06 xenon kdumpctl[1533]: Starting kdump: [FAILED]


[root@xenon ~]# restorecon -Frv /boot
restorecon reset /boot/.vmlinuz.hmac-4.3.5-300.fc23.x86_64 context system_u:object_r:modules_object_t:s0->system_u:object_r:boot_t:s0
restorecon reset /boot/config-4.3.5-300.fc23.x86_64 context system_u:object_r:modules_object_t:s0->system_u:object_r:boot_t:s0
restorecon reset /boot/initramfs-4.3.5-300.fc23.x86_64.img context unconfined_u:object_r:boot_t:s0->system_u:object_r:boot_t:s0
restorecon reset /boot/vmlinuz-4.3.5-300.fc23.x86_64 context system_u:object_r:modules_object_t:s0->system_u:object_r:boot_t:s0
restorecon reset /boot/.vmlinuz.hmac-4.3.3-301.fc23.x86_64 context system_u:object_r:modules_object_t:s0->system_u:object_r:boot_t:s0
restorecon reset /boot/System.map-4.3.5-300.fc23.x86_64 context system_u:object_r:modules_object_t:s0->system_u:object_r:system_map_t:s0
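The denial above can be read two ways: the policy is missing a rule (which is what the sealert catchall proposes to paper over with audit2allow), or the file simply carries the wrong label, which the restorecon output confirms is the case here (modules_object_t where the file contexts say boot_t). The Python below is an added example, not part of this report or of selinux-policy: it parses raw AVC lines and sorts each denial into "relabel" (the target's type disagrees with what /boot files should carry, so restorecon is the fix) or "policy" (the label is already right, so the denial is a real policy gap or a bug to report). The expected types come from the restorecon lines in this report; the filename patterns and the second sample line are constructed for the example and are not from the page.

```python
import re

# Constructed sample lines. The first is modelled on the raw AVC message in
# this report; the second is a made-up denial against a correctly labelled
# file, included to show the case that relabeling would not fix.
SAMPLE_AVC = [
    'type=AVC msg=audit(1455524166.730:535): avc:  denied  { read } for  '
    'pid=2721 comm="kexec" name="vmlinuz-4.3.5-300.fc23.x86_64" dev="sda8" '
    'ino=21 scontext=system_u:system_r:kdump_t:s0 '
    'tcontext=system_u:object_r:modules_object_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1455524200.000:540): avc:  denied  { write } for  '
    'pid=2800 comm="kexec" name="initramfs-4.3.5-300.fc23.x86_64kdump.img" '
    'dev="sda8" ino=30 scontext=system_u:system_r:kdump_t:s0 '
    'tcontext=system_u:object_r:boot_t:s0 tclass=file permissive=0',
]

AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Expected SELinux types for kernel files in /boot, taken from the restorecon
# output in the report (System.map -> system_map_t, the other files the kernel
# package drops in /boot -> boot_t). The filename patterns are an assumption
# made for this example; on a real host, matchpathcon(1) or
# `restorecon -nv /boot` is the authoritative answer.
EXPECTED_BOOT_TYPES = [
    (re.compile(r'^System\.map-'), 'system_map_t'),
    (re.compile(r'^(vmlinuz-|\.vmlinuz|config-|initramfs-)'), 'boot_t'),
]


def parse_avc(line):
    """Split one raw AVC line into a dict; return None for non-AVC input."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {'result': m.group('result'), 'perms': m.group('perms').split()}
    for key, val in KV_RE.findall(m.group('rest')):
        rec[key] = val.strip('"')
    # A context is user:role:type:level; the type is the third field.
    for ctx in ('scontext', 'tcontext'):
        if ctx in rec:
            rec[ctx + '_type'] = rec[ctx].split(':')[2]
    return rec


def expected_boot_type(name):
    """Expected type for a /boot file name, or None if there is no rule."""
    for pattern, selinux_type in EXPECTED_BOOT_TYPES:
        if pattern.search(name):
            return selinux_type
    return None


def classify(rec):
    """'relabel' when the target's type differs from the expected one (fix
    with restorecon); 'policy' when the label is already right and the denial
    needs a policy change or a bug report instead."""
    expected = expected_boot_type(rec.get('name', ''))
    if expected is not None and rec.get('tcontext_type') != expected:
        return 'relabel'
    return 'policy'


def triage(lines):
    """Return (comm, name, actual_type, verdict) for every denial in lines."""
    findings = []
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec['result'] != 'denied':
            continue
        findings.append((rec.get('comm'), rec.get('name'),
                         rec.get('tcontext_type'), classify(rec)))
    return findings


if __name__ == '__main__':
    for comm, name, actual, verdict in triage(SAMPLE_AVC):
        print(f'{comm}: {name} labelled {actual}: {verdict}')
```

Feed it the output of `grep AVC /var/log/audit/audit.log`. A "relabel" verdict means `restorecon -Frv /boot` is the fix; building a module with audit2allow at that point would permanently let kdump_t read modules_object_t and hide the mislabel instead of correcting it. `matchpathcon <path>` prints the policy's own expected context for any path if you want to confirm a verdict without the pattern table.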

Comment 1 Lukas Vrabec 2016-08-18 11:33:27 UTC
Can you still reproduce this issue?

Comment 2 Lukas Vrabec 2016-08-18 11:35:27 UTC
*** Bug 1306010 has been marked as a duplicate of this bug. ***

Comment 3 Juan Orti 2016-08-18 12:28:35 UTC
This issue is fixed; the new kernels are installed with the boot_t label, although I'm still unable to use kdump because of bug 1357949.

[root@xenon ~]# ls -laZ /boot/
total 310437
dr-xr-xr-x.  6 root root system_u:object_r:boot_t:s0           1024 Aug 17 12:31 .
dr-xr-xr-x. 19 root root system_u:object_r:root_t:s0           4096 Aug 17 16:15 ..
-rw-r--r--.  1 root root system_u:object_r:boot_t:s0         175031 Jun 24 23:05 config-4.6.3-300.fc24.x86_64
-rw-r--r--.  1 root root system_u:object_r:boot_t:s0         175136 Jul 12 14:06 config-4.6.4-301.fc24.x86_64
-rw-r--r--.  1 root root system_u:object_r:boot_t:s0         175125 Aug 10 23:24 config-4.6.6-300.fc24.x86_64
drwx------.  5 root root system_u:object_r:dosfs_t:s0         16384 Jan  1  1970 efi
drwxr-xr-x.  2 root root system_u:object_r:boot_t:s0           3072 Jun 14 15:21 extlinux
drwxr-xr-x.  3 root root system_u:object_r:boot_t:s0           1024 Jul 28 11:28 grub2
-rw-------.  1 root root system_u:object_r:boot_t:s0       52620296 Jun 14 19:26 initramfs-0-rescue-6f4deefdde164f4aaedc1e6268b12281.img
-rw-------.  1 root root system_u:object_r:boot_t:s0       23078948 Jun 30 17:32 initramfs-4.5.7-300.fc24.x86_64kdump.img
-rw-------.  1 root root system_u:object_r:boot_t:s0       52871745 Jul 12 11:03 initramfs-4.6.3-300.fc24.x86_64.img
-rw-------.  1 root root system_u:object_r:boot_t:s0       23106441 Jul 11 15:38 initramfs-4.6.3-300.fc24.x86_64kdump.img
-rw-------.  1 root root system_u:object_r:boot_t:s0       52871809 Jul 20 16:22 initramfs-4.6.4-301.fc24.x86_64.img
-rw-------.  1 root root system_u:object_r:boot_t:s0       23107966 Jul 20 17:42 initramfs-4.6.4-301.fc24.x86_64kdump.img
-rw-------.  1 root root unconfined_u:object_r:boot_t:s0   52888525 Aug 17 12:31 initramfs-4.6.6-300.fc24.x86_64.img
-rw-r--r--.  1 root root system_u:object_r:boot_t:s0         561684 May  4 05:52 initrd-plymouth.img
drwx------.  2 root root system_u:object_r:lost_found_t:s0    12288 Jun 14 19:20 lost+found
-rw-------.  1 root root system_u:object_r:system_map_t:s0  3333457 Jun 24 23:05 System.map-4.6.3-300.fc24.x86_64
-rw-------.  1 root root system_u:object_r:system_map_t:s0  3336903 Jul 12 14:06 System.map-4.6.4-301.fc24.x86_64
-rw-------.  1 root root system_u:object_r:system_map_t:s0  3337575 Aug 10 23:24 System.map-4.6.6-300.fc24.x86_64
-rwxr-xr-x.  1 root root system_u:object_r:boot_t:s0        6277560 Jun 14 19:26 vmlinuz-0-rescue-6f4deefdde164f4aaedc1e6268b12281
-rwxr-xr-x.  1 root root system_u:object_r:boot_t:s0        6623528 Jun 24 23:05 vmlinuz-4.6.3-300.fc24.x86_64
-rw-r--r--.  1 root root system_u:object_r:boot_t:s0            166 Jun 24 23:01 .vmlinuz-4.6.3-300.fc24.x86_64.hmac
-rwxr-xr-x.  1 root root system_u:object_r:boot_t:s0        6634248 Jul 12 14:06 vmlinuz-4.6.4-301.fc24.x86_64
-rw-r--r--.  1 root root system_u:object_r:boot_t:s0            166 Jul 12 14:00 .vmlinuz-4.6.4-301.fc24.x86_64.hmac
-rwxr-xr-x.  1 root root system_u:object_r:boot_t:s0        6635432 Aug 10 23:25 vmlinuz-4.6.6-300.fc24.x86_64
-rw-r--r--.  1 root root system_u:object_r:boot_t:s0            166 Aug 10 23:20 .vmlinuz-4.6.6-300.fc24.x86_64.hmac

Comment 4 Lukas Vrabec 2016-08-18 12:31:21 UTC
*** Bug 1313432 has been marked as a duplicate of this bug. ***

Comment 5 Lukas Vrabec 2016-08-18 12:35:05 UTC
According to Comment#3, closing this issue.