Bug 1357949
| Summary: | SELinux is preventing kexec from using the 'sys_admin' capabilities. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Juan Orti <jorti> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 24 | CC: | bugzilla, dominick.grift, dwalsh, hkario, kdump-team-bugs, lvrabec, mgrepl, oliver.henshaw, plautrba, ruyang |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Unspecified | ||
| Whiteboard: | abrt_hash:f0287f4f154edfc849418636e509482c5d36807ef6355de0c990d58dbbde39ff;VARIANT_ID=workstation; | ||
| Fixed In Version: | selinux-policy-3.13.1-191.16.fc24 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2016-09-22 00:23:28 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Description of problem: normal system startup, though it's a system I have upgraded since Fedora 18, so there may be some leftovers Version-Release number of selected component: selinux-policy-3.13.1-158.15.fc23.noarch Additional info: reporter: libreport-2.7.1 hashmarkername: setroubleshoot kernel: 4.6.4-301.fc24.x86_64 reproducible: Not sure how to reproduce the problem type: libreport Description of problem: systemctl start kdump.service Version-Release number of selected component: selinux-policy-3.13.1-191.5.fc24.noarch Additional info: reporter: libreport-2.7.2 hashmarkername: setroubleshoot kernel: 4.6.4-301.fc24.x86_64 type: libreport Also on F23. Seems like a regression though I don't know what changed to cause it, kexec-tools hasn't been updated since upgrading to F23. Maybe a kernel update? selinux-policy-targeted-3.13.1-158.21.fc23.noarch kexec-tools-2.0.10-10.fc23.x86_64 kernel-4.6.4-201.fc23.x86_64 (MAYBE GOOD?) kernel-4.6.6-200.fc23.x86_64 kernel-4.5.7-202.fc23.x86_64 GOOD kernel-4.6.4-201.fc23.x86_64 BAD Checked old "journal -b" and confirmed by booting into kernel-4.5.7-202.fc23.x86_64. So it's likely some kernel change that is causing kexec to hit an SElinux denial. Any ideas? Hi,
One possible commit is in 4.6.0 /proc/iomem can only be read by process with CAP_SYS_ADMIN, so for non-root users they can not see it.
Linus said no need worry about fine grained capabilities, that means kexec run as root so it should be ok.
Upstream commit:
commit 51d7b120418e99d6b3bf8df9eb3cc31e8171dee4
Author: Linus Torvalds <torvalds>
Date: Thu Apr 14 12:05:37 2016 -0700
/proc/iomem: only expose physical resource addresses to privileged users
In commit c4004b02f8e5b ("x86: remove the kernel code/data/bss resources
from /proc/iomem") I was hoping to remove the phyiscal kernel address
data from /proc/iomem entirely, but that had to be reverted because some
system programs actually use it.
This limits all the detailed resource information to properly
credentialed users instead.
Signed-off-by: Linus Torvalds <torvalds>
Thanks
Dave
Looks like we should just add a dontaudit rules. Or does kdump actually need to read this? Daniel, do you means kexec run with root still lacks SYS_ADMIN capabilities? If so add a rule should be necessary because kexec-tools depend on reading /proc/iomem in its source code. Ok if it depends on that then it needs sys_admin so we need to add the rule. *** Bug 1372796 has been marked as a duplicate of this bug. *** selinux-policy-3.13.1-191.16.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-fe39b806b6 selinux-policy-3.13.1-191.16.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-fe39b806b6 selinux-policy-3.13.1-191.16.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report. |
Description of problem: SELinux is preventing kexec from using the 'sys_admin' capabilities. ***** Plugin catchall (100. confidence) suggests ************************** If cree que kexec debería tener la capacidad sys_admin de forma predeterminada. Then debería reportar esto como un error. Puede generar un módulo de política local para permitir este acceso. Do allow this access for now by executing: # ausearch -c 'kexec' --raw | audit2allow -M my-kexec # semodule -X 300 -i my-kexec.pp Additional Information: Source Context system_u:system_r:kdump_t:s0 Target Context system_u:system_r:kdump_t:s0 Target Objects Unknown [ capability ] Source kexec Source Path kexec Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-191.5.fc24.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 4.6.3-300.fc24.x86_64 #1 SMP Fri Jun 24 20:52:41 UTC 2016 x86_64 x86_64 Alert Count 747 First Seen 2016-07-19 14:21:11 CEST Last Seen 2016-07-19 17:49:29 CEST Local ID 8e77b924-91b8-4d19-93ea-870e94f40059 Raw Audit Messages type=AVC msg=audit(1468943369.762:503): avc: denied { sys_admin } for pid=3161 comm="kexec" capability=21 scontext=system_u:system_r:kdump_t:s0 tcontext=system_u:system_r:kdump_t:s0 tclass=capability permissive=0 Hash: kexec,kdump_t,kdump_t,capability,sys_admin Version-Release number of selected component: selinux-policy-3.13.1-191.5.fc24.noarch Additional info: reporter: libreport-2.7.1 hashmarkername: setroubleshoot kernel: 4.6.3-300.fc24.x86_64 reproducible: Not sure how to reproduce the problem type: libreport