Bug 1766799

Summary: SELinux prevents kexec from running during reboot
Product: Fedora
Reporter: Scott Shambarger <scott-fedora>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: medium
Version: 30
CC: dwalsh, lvrabec, mgrepl, plautrba, zpytela
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: selinux-policy-3.14.3-53.fc30
Last Closed: 2019-12-05 08:34:52 UTC
Type: Bug

Description Scott Shambarger 2019-10-29 22:35:49 UTC
Description of problem:
I've been unable to systemctl kexec for a while, and finally tracked down the problem to SELinux.

With SELinux enabled, kexec fails and falls back to regular reboot...

Setting up a serial console and capturing the AVC denials at shutdown, I found that kexec is not run ("Permission denied"); the denials are:

audit: type=1400 audit(1572386693.542:329): avc:  denied  { nosuid_transition } for  pid=2013 comm="shutdown" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kdump_t:s0 tclass=process2 permissive=1
sd 1:0:0:0: [sdb] Synchronizing SCSI cache
audit: type=1400 audit(1572386693.553:330): avc:  denied  { create } for  pid=2013 comm="kexec" scontext=system_u:system_r:kdump_t:s0 tcontext=system_u:system_r:kdump_t:s0 tclass=udp_socket permissive=1
audit: type=1400 audit(1572386693.553:331): avc:  denied  { create } for  pid=2013 comm="kexec" scontext=system_u:system_r:kdump_t:s0 tcontext=system_u:system_r:kdump_t:s0 tclass=netlink_route_socket permissive=1

# These required running with the perms above in policy...
audit: type=1400 audit(1572386892.384:322): avc:  denied  { bind } for  pid=1891 comm="kexec" scontext=system_u:system_r:kdump_t:s0 tcontext=system_u:system_r:kdump_t:s0 tclass=netlink_route_socket permissive=1
audit: type=1400 audit(1572386892.384:323): avc:  denied  { getattr } for  pid=1891 comm="kexec" scontext=system_u:system_r:kdump_t:s0 tcontext=system_u:system_r:kdump_t:s0 tclass=netlink_route_socket permissive=1
audit: type=1400 audit(1572386892.384:324): avc:  denied  { nlmsg_read } for  pid=1891 comm="kexec" scontext=system_u:system_r:kdump_t:s0 tcontext=system_u:system_r:kdump_t:s0 tclass=netlink_route_socket permissive=1

# And again, after the above were added....
audit: type=1400 audit(1572387315.204:321): avc:  denied  { ioctl } for  pid=1847 comm="kexec" path="socket:[31645]" dev="sockfs" ino=31645 ioctlcmd=0x8913 scontext=system_u:system_r:kdump_t:s0 tcontext=system_u:system_r:kdump_t:s0 tclass=udp_socket permissive=1


Version-Release number of selected component (if applicable):
selinux-policy-3.14.3-46.fc30.noarch

How reproducible:
Anytime systemctl kexec is run with SELinux in enforcing mode.

Steps to Reproduce:
1. SELinux enforcing
2. load kernel
3. run systemctl kexec

Actual results:
System reboots normally via EFI or BIOS

Expected results:
Kernel should boot directly

Additional info:

Adding the following policy results in no denials on reboot (related to kexec; there are other open issues like Bug #1656430):

policy_module(myinit,0.1.0)

require {
        type init_t, kdump_t;
};

# allow kexec to run
allow init_t kdump_t:process2 nosuid_transition;
allow kdump_t self:udp_socket { create ioctl };
allow kdump_t self:netlink_route_socket { create bind getattr nlmsg_read };

This appears to be an issue going back several releases....

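The policy module above was derived by hand from the AVC lines in the report. The following is an added example (not the reporter's code and not part of selinux-policy) that does the same derivation mechanically, in the spirit of audit2allow: it parses the denial records quoted in the description, merges permissions per (source type, target type, class), writes a target equal to the source as `self`, and emits the allow rules plus the `require` block. The sample input is the bug's own kernel-log lines, embedded inline.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC lines quoted in the bug description plus one
# ordinary kernel line, to show that non-AVC output is skipped.
SAMPLE_AVCS = """\
audit: type=1400 audit(1572386693.542:329): avc:  denied  { nosuid_transition } for  pid=2013 comm="shutdown" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kdump_t:s0 tclass=process2 permissive=1
sd 1:0:0:0: [sdb] Synchronizing SCSI cache
audit: type=1400 audit(1572386693.553:330): avc:  denied  { create } for  pid=2013 comm="kexec" scontext=system_u:system_r:kdump_t:s0 tcontext=system_u:system_r:kdump_t:s0 tclass=udp_socket permissive=1
audit: type=1400 audit(1572386693.553:331): avc:  denied  { create } for  pid=2013 comm="kexec" scontext=system_u:system_r:kdump_t:s0 tcontext=system_u:system_r:kdump_t:s0 tclass=netlink_route_socket permissive=1
audit: type=1400 audit(1572386892.384:322): avc:  denied  { bind } for  pid=1891 comm="kexec" scontext=system_u:system_r:kdump_t:s0 tcontext=system_u:system_r:kdump_t:s0 tclass=netlink_route_socket permissive=1
audit: type=1400 audit(1572386892.384:323): avc:  denied  { getattr } for  pid=1891 comm="kexec" scontext=system_u:system_r:kdump_t:s0 tcontext=system_u:system_r:kdump_t:s0 tclass=netlink_route_socket permissive=1
audit: type=1400 audit(1572386892.384:324): avc:  denied  { nlmsg_read } for  pid=1891 comm="kexec" scontext=system_u:system_r:kdump_t:s0 tcontext=system_u:system_r:kdump_t:s0 tclass=netlink_route_socket permissive=1
audit: type=1400 audit(1572387315.204:321): avc:  denied  { ioctl } for  pid=1847 comm="kexec" path="socket:[31645]" dev="sockfs" ino=31645 ioctlcmd=0x8913 scontext=system_u:system_r:kdump_t:s0 tcontext=system_u:system_r:kdump_t:s0 tclass=udp_socket permissive=1
"""

# One AVC record: denied permission set, source/target contexts, object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def selinux_type(context):
    """user:role:type:level -> type, the component an allow rule names."""
    return context.split(":")[2]

def parse_avc_denials(text):
    """Merge denials by (source type, target, class); target == source becomes 'self'."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # ordinary kernel output, not an AVC denial
        src, tgt = selinux_type(m["scontext"]), selinux_type(m["tcontext"])
        rules[(src, "self" if src == tgt else tgt, m["tclass"])].update(m["perms"].split())
    return rules

def format_allow_rules(rules):
    """Render merged denials as allow rules, one per (type, target, class)."""
    out = []
    for (src, tgt, tclass), perms in sorted(rules.items()):
        ps = sorted(perms)
        perm_str = ps[0] if len(ps) == 1 else "{ " + " ".join(ps) + " }"
        out.append(f"allow {src} {tgt}:{tclass} {perm_str};")
    return out

def render_policy_module(name, rules):
    """Wrap the rules in a policy_module with the require block they need."""
    types = sorted({t for (s, tg, _) in rules for t in (s, tg) if t != "self"})
    header = [f"policy_module({name},0.1.0)", "", "require {", f"        type {', '.join(types)};", "};", ""]
    return "\n".join(header + format_allow_rules(rules))
```

As with audit2allow output, the generated rules describe what was denied, not what should be permitted; check each against the least privilege the domain actually needs (here, kexec's socket use) before compiling and installing the module.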
Comment 1 Lukas Vrabec 2019-10-30 09:25:57 UTC
Fixed in Fedora 30+ 

commit 8ccc1cb000fb1b478245509dff2aa9f3a5acf673 (HEAD -> rawhide)
Author: Lukas Vrabec <lvrabec>
Date:   Wed Oct 30 10:24:12 2019 +0100

    Allow kdump_t domain to create netlink_route and udp sockets
    
    Resolves: rhbz#1766799

Comment 2 Fedora Update System 2019-12-04 07:50:37 UTC
FEDORA-2019-e9d8868185 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-e9d8868185

Comment 3 Fedora Update System 2019-12-05 02:00:58 UTC
selinux-policy-3.14.3-53.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-e9d8868185

Comment 4 Scott Shambarger 2019-12-05 08:34:52 UTC
Tested on F31, selinux-policy-3.14.4-40.fc31.noarch fixes kexec!

Thanks.

Comment 5 Fedora Update System 2019-12-06 19:20:55 UTC
FEDORA-2019-e9d8868185 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-e9d8868185

Comment 6 Fedora Update System 2019-12-07 02:18:01 UTC
container-selinux-2.123.0-2.fc30, selinux-policy-3.14.3-53.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-e9d8868185

Comment 7 Fedora Update System 2019-12-11 01:32:18 UTC
container-selinux-2.123.0-2.fc30, selinux-policy-3.14.3-53.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.