Bug 1536991

Summary: RHEL Atomic 7.4.3 breaks kdump due to SELinux denial for reading kernel image
Product: Red Hat Enterprise Linux 7
Reporter: Martin Pitt <mpitt>
Component: rhel-server-atomic
Assignee: Colin Walters <walters>
Status: CLOSED ERRATA
QA Contact: atomic-bugs <atomic-bugs>
Severity: high
Priority: unspecified
Version: 7.4
CC: bbaude, ddarrah, dwalsh, fkluknav, jlebon, miabbott
Target Milestone: rc
Keywords: Extras
Target Release: ---
Hardware: x86_64
OS: Linux
Last Closed: 2018-04-11 00:00:22 UTC
Type: Bug

Description Martin Pitt 2018-01-22 08:43:58 UTC
Description of problem: kdump stops working after upgrading RHEL Atomic 7.4.2 to 7.4.3.

This got caught by Cockpit's integration tests (https://github.com/cockpit-project/cockpit/pull/8459).


Version-Release number of selected component (if applicable):

works:
  rhel-atomic-host-ostree:rhel-atomic-host/7/x86_64/standard
                   Version: 7.4.2 (2017-10-17 02:47:56)
                    Commit: 2eceacd73c4de494ff3f90448467934614cf9f72cb316693db2cad47bd79015e

fails:
  rhel-atomic-host-ostree:rhel-atomic-host/7/x86_64/standard
                   Version: 7.4.3-1 (2018-01-04 17:38:17)
                    Commit: 83350a7fb3a3ebd09c5996eec5ec8307f61bbb463b999bdfece223288927a60f


How reproducible: Always


Steps to Reproduce:
1. Enable kdump (otherwise kdump.service fails with "No memory reserved for crash kernel"):
   # sed -i 's/crashkernel=auto/crashkernel=256M/' /boot/grub2/grub.cfg
2. # reboot
3. # systemctl status -l kdump.service

Actual results:

● kdump.service - Crash recovery kernel arming
   Loaded: loaded (/usr/lib/systemd/system/kdump.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Mon 2018-01-22 08:17:30 UTC; 25min ago
  Process: 948 ExecStart=/usr/bin/kdumpctl start (code=exited, status=1/FAILURE)
 Main PID: 948 (code=exited, status=1/FAILURE)

Jan 22 08:17:29 m1 dracut[2282]: lrwxrwxrwx   1 root     root            6 Jan 22 08:17 var/run -> ../run
Jan 22 08:17:29 m1 dracut[2282]: ========================================================================
Jan 22 08:17:29 m1 dracut[2282]: *** Creating initramfs image file '/boot/ostree/rhel-atomic-host-00cf92f003e95f6267ab6e294f89a4802c610df4b5cb9c1aa1051233a9832c61/initramfs-3.10.0-693.11.6.el7.x86_64kdump.img' done ***
Jan 22 08:17:30 m1 kdumpctl[948]: Cannot open `/boot/ostree/rhel-atomic-host-00cf92f003e95f6267ab6e294f89a4802c610df4b5cb9c1aa1051233a9832c61/vmlinuz-3.10.0-693.11.6.el7.x86_64': Permission denied
Jan 22 08:17:30 m1 kdumpctl[948]: kexec: failed to load kdump kernel
Jan 22 08:17:30 m1 kdumpctl[948]: Starting kdump: [FAILED]



Expected results:

● kdump.service - Crash recovery kernel arming
   Loaded: loaded (/usr/lib/systemd/system/kdump.service; enabled; vendor preset: enabled)
   Active: active (exited) since Mon 2018-01-22 08:17:25 UTC; 22s ago
  Process: 914 ExecStart=/usr/bin/kdumpctl start (code=exited, status=0/SUCCESS)
 Main PID: 914 (code=exited, status=0/SUCCESS)

Jan 22 08:17:24 m1 dracut[2246]: -rw-r--r--   1 root     root          118 Jan  1  1970 usr/share/zoneinfo/Etc/UTC
Jan 22 08:17:24 m1 dracut[2246]: drwxr-xr-x   3 root     root            0 Jan 22 08:17 var
Jan 22 08:17:24 m1 dracut[2246]: lrwxrwxrwx   1 root     root           11 Jan 22 08:17 var/lock -> ../run/lock
Jan 22 08:17:24 m1 dracut[2246]: drwx------   2 root     root            0 Jan 22 08:17 var/roothome
Jan 22 08:17:24 m1 dracut[2246]: lrwxrwxrwx   1 root     root            6 Jan 22 08:17 var/run -> ../run
Jan 22 08:17:24 m1 dracut[2246]: ========================================================================
Jan 22 08:17:24 m1 dracut[2246]: *** Creating initramfs image file '/boot/ostree/rhel-atomic-host-5144fc202f72607b451b716922fb1f577edc788c1ee701fa22b3084f5e429f04/initramfs-3.10.0-693.5.2.el7.x86_64kdump.img' done ***
Jan 22 08:17:25 m1 kdumpctl[914]: kexec: loaded kdump kernel
Jan 22 08:17:25 m1 kdumpctl[914]: Starting kdump: [OK]


Additional info:

This seems to be a new SELinux denial. dmesg shows:

[   41.799447] type=1400 audit(1516609050.138:5): avc:  denied  { read } for  pid=13056 comm="kexec" name="vmlinuz-3.10.0-693.11.6.el7.x86_64" dev="vda1" ino=786497 scontext=system_u:system_r:kdump_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=file
[   41.803531] type=1400 audit(1516609050.143:6): avc:  denied  { read } for  pid=13056 comm="kexec" name="vmlinuz-3.10.0-693.11.6.el7.x86_64" dev="vda1" ino=786497 scontext=system_u:system_r:kdump_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=file
[   41.807244] type=1400 audit(1516609050.147:7): avc:  denied  { read } for  pid=13056 comm="kexec" name="vmlinuz-3.10.0-693.11.6.el7.x86_64" dev="vda1" ino=786497 scontext=system_u:system_r:kdump_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=file

Comment 3 Colin Walters 2018-01-22 14:42:00 UTC
This is probably related to https://github.com/projectatomic/rpm-ostree/pull/959

See also: https://github.com/projectatomic/rpm-ostree/issues/990

Comment 4 Colin Walters 2018-02-02 18:48:52 UTC
https://github.com/ostreedev/ostree/pull/1444

Comment 8 errata-xmlrpc 2018-04-11 00:00:22 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2018:1067