Bug 1965985

Summary: SELinux is preventing kexec from read access on the file /var/lib/kdump/initramfs-*kdump.img
Product: Red Hat Enterprise Linux 8 Reporter: ltao
Component: selinux-policyAssignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: high Docs Contact:
Priority: high    
Version: 8.5CC: dornelas, hshiina, jniu, lvrabec, mmalik, plautrba, ruyang, ssekidde, travier
Target Milestone: betaKeywords: AutoVerified, Triaged, ZStream
Target Release: 8.5   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: selinux-policy-3.14.3-71.el8 Doc Type: Enhancement
Doc Text:
Feature: In the new version of the kexec-tools package, kdump checks if the initramfs image can be created in /boot. If the check fails, the /var/lib/kdump directory is used instead to create the initramfs image. Reason: On some operating systems, the /boot directory can be read-only, preventing the initramfs image file from being created in /boot. Result: SELinux supports kdump creating initramfs images in /var/lib/kdump.
 Story Points: ---
Clone Of:
: 1976260 (view as bug list) Environment:
Last Closed: 2021-11-09 19:43:05 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1918499, 1976260, 1991443, 2011878    

Description ltao 2021-05-31 10:11:40 UTC 
This bug is cloned from bz1951323. On Fedora-Rawhide-20210529.n.0, kdump is working well with selinux-policy[1], may need to back-port it to rhel8.5.

[1] https://github.com/fedora-selinux/selinux-policy/pull/732

Original description of problem:
SELinux is preventing kdump from loading its generated initrd if `kdump` places its generated initrd in `/var/lib/kdump`, as may soon be the case for when `kdump` cannot place its generated initrd in the usual `/boot` on systems where `/boot` is mounted read-only, such as Fedora/RHEL CoreOS.
The default SELinux policies for `kdump`/`kexec` may need to be modified to address this.

The following is the `sealert` output from a build of Fedora CoreOS (which has `/boot` read-only) after `kdump` attempts to load the `kdump`-generated initrd placed at `/var/lib/kdump`:
```
SELinux is preventing kexec from read access on the file initramfs-5.10.19-200.fc33.x86_64kdump.img.

*****  Plugin catchall_labels (83.8 confidence) suggests   *******************

If you want to allow kexec to have read access on the initramfs-5.10.19-200.fc33.x86_64kdump.img file
Then you need to change the label on initramfs-5.10.19-200.fc33.x86_64kdump.img
Do
# semanage fcontext -a -t FILE_TYPE 'initramfs-5.10.19-200.fc33.x86_64kdump.img'
where FILE_TYPE is one of the following: NetworkManager_tmp_t, abrt_helper_exec_t, abrt_tmp_t, abrt_upload_watch_tmp_t, abrt_var_cache_t, abrt_var_run_t, admin_crontab_tmp_t, afs_cache_t, al.
Then execute:
restorecon -v 'initramfs-5.10.19-200.fc33.x86_64kdump.img'


*****  Plugin catchall (17.1 confidence) suggests   **************************

If you believe that kexec should be allowed read access on the initramfs-5.10.19-200.fc33.x86_64kdump.img file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'kexec' --raw | audit2allow -M my-kexec
# semodule -X 300 -i my-kexec.pp


Additional Information:
Source Context                system_u:system_r:kdump_t:s0
Target Context                system_u:object_r:var_lib_t:s0
Target Objects                initramfs-5.10.19-200.fc33.x86_64kdump.img [ file
                              ]
Source                        kexec
Source Path                   kexec
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-3.14.6-36.fc33.noarch
Local Policy RPM              <Unknown>
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     cosa-devsh
Platform                      Linux cosa-devsh 5.10.19-200.fc33.x86_64 #1 SMP
                              Fri Feb 26 16:21:30 UTC 2021 x86_64 x86_64
Alert Count                   2
First Seen                    2021-04-19 21:27:43 UTC
Last Seen                     2021-04-19 21:33:04 UTC
Local ID                      5ec95c86-81bf-4add-be38-5b46ac9fe88c

Raw Audit Messages
type=AVC msg=audit(1618867984.25:148): avc:  denied  { read } for  pid=1188 comm="kexec" name="initramfs-5.10.19-200.fc33.x86_64kdump.img" dev="vda4" ino=23069869 scontext=system_u:system_r:0


Hash: kexec,kdump_t,var_lib_t,file,read
```
Comment 1 Zdenek Pytela 2021-06-02 14:38:10 UTC 
Needs backporting:
commit af7e4b6492b315ee0912aef7f9f2d89a4f681ab6
Author: Zdenek Pytela <zpytela>
Date:   Mon May 10 18:36:26 2021 +0200

    Label /var/lib/kdump with kdump_var_lib_t
    
    The kexec-tools usually create initramfs-KERNELVERSIONkdump.img in /boot.
    On some operating systems, the /boot directory can be read-only,
    preventing the image file from being created. In newer kexec-tools
    package versions, the image files are created in /var/lib/kdump
    in case /boot is read-only.
    
    The kdump_manage_lib_files() interface was created and rpm_script_t
    allowed to manage /var/lib/kdump files. This is needed when the
    /lib/kernel/install.d/60-kdump.install kernel install hook is triggered
    to delete unused images.
    
    Resolves: rhbz#1951323
Comment 2 ltao 2021-06-08 05:49:24 UTC 
(In reply to Zdenek Pytela from comment #1)
> Needs backporting:
> commit af7e4b6492b315ee0912aef7f9f2d89a4f681ab6
> Author: Zdenek Pytela <zpytela>
> Date:   Mon May 10 18:36:26 2021 +0200
> 
>     Label /var/lib/kdump with kdump_var_lib_t
>     
>     The kexec-tools usually create initramfs-KERNELVERSIONkdump.img in /boot.
>     On some operating systems, the /boot directory can be read-only,
>     preventing the image file from being created. In newer kexec-tools
>     package versions, the image files are created in /var/lib/kdump
>     in case /boot is read-only.
>     
>     The kdump_manage_lib_files() interface was created and rpm_script_t
>     allowed to manage /var/lib/kdump files. This is needed when the
>     /lib/kernel/install.d/60-kdump.install kernel install hook is triggered
>     to delete unused images.
>     
>     Resolves: rhbz#1951323

Hello Zdenek,

Since the bug blocks bz1918499, which may be delayed for DTM, could you please backport the patch and resolve this bug?
Thank you very much!

Thanks,
Tao Liu
Comment 4 Zdenek Pytela 2021-06-11 09:12:47 UTC 
> Since the bug blocks bz1918499, which may be delayed for DTM, could you
> please backport the patch and resolve this bug?
Should be in the next build.
Comment 5 Kelvin Fan 2021-06-14 14:08:50 UTC 
*** Bug 1961728 has been marked as a duplicate of this bug. ***
Comment 8 Zdenek Pytela 2021-06-16 09:40:16 UTC 
I am afraid one more commit is needed:
https://github.com/fedora-selinux/selinux-policy/pull/782
Comment 23 errata-xmlrpc 2021-11-09 19:43:05 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:4420