Bug 1965989

Summary: [RHEL9] SELinux is preventing kexec from read access on the file /var/lib/kdump/initramfs-*kdump.img
Product: Red Hat Enterprise Linux 9
Reporter: ltao
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED CURRENTRELEASE
QA Contact: Milos Malik <mmalik>
Severity: medium
Docs Contact:
Priority: medium
Version: 9.0
CC: lvrabec, mmalik, plautrba, ssekidde
Target Milestone: beta
Keywords: Triaged
Target Release: 9.0 Beta
Flags: pm-rhel: mirror+
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: selinux-policy-34.1.9-1.el9
Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-12-07 21:35:16 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1965952

Description ltao 2021-05-31 10:20:07 UTC
This bug is cloned from bz1951323. On Fedora-Rawhide-20210529.n.0, kdump is working well with selinux-policy [1]; it may need to be back-ported to rhel9.

[1] https://github.com/fedora-selinux/selinux-policy/pull/732

Original description of problem:
SELinux is preventing kdump from loading its generated initrd if `kdump` places its generated initrd in `/var/lib/kdump`, as may soon be the case when `kdump` cannot place its generated initrd in the usual `/boot` on systems where `/boot` is mounted read-only, such as Fedora/RHEL CoreOS.
The default SELinux policies for `kdump`/`kexec` may need to be modified to address this.

The following is the `sealert` output from a build of Fedora CoreOS (which has `/boot` read-only) after `kdump` attempts to load the `kdump`-generated initrd placed at `/var/lib/kdump`:
```
SELinux is preventing kexec from read access on the file initramfs-5.10.19-200.fc33.x86_64kdump.img.

*****  Plugin catchall_labels (83.8 confidence) suggests   *******************

If you want to allow kexec to have read access on the initramfs-5.10.19-200.fc33.x86_64kdump.img file
Then you need to change the label on initramfs-5.10.19-200.fc33.x86_64kdump.img
Do
# semanage fcontext -a -t FILE_TYPE 'initramfs-5.10.19-200.fc33.x86_64kdump.img'
where FILE_TYPE is one of the following: NetworkManager_tmp_t, abrt_helper_exec_t, abrt_tmp_t, abrt_upload_watch_tmp_t, abrt_var_cache_t, abrt_var_run_t, admin_crontab_tmp_t, afs_cache_t, al.
Then execute:
restorecon -v 'initramfs-5.10.19-200.fc33.x86_64kdump.img'


*****  Plugin catchall (17.1 confidence) suggests   **************************

If you believe that kexec should be allowed read access on the initramfs-5.10.19-200.fc33.x86_64kdump.img file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'kexec' --raw | audit2allow -M my-kexec
# semodule -X 300 -i my-kexec.pp


Additional Information:
Source Context                system_u:system_r:kdump_t:s0
Target Context                system_u:object_r:var_lib_t:s0
Target Objects                initramfs-5.10.19-200.fc33.x86_64kdump.img [ file
                              ]
Source                        kexec
Source Path                   kexec
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-3.14.6-36.fc33.noarch
Local Policy RPM              <Unknown>
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     cosa-devsh
Platform                      Linux cosa-devsh 5.10.19-200.fc33.x86_64 #1 SMP
                              Fri Feb 26 16:21:30 UTC 2021 x86_64 x86_64
Alert Count                   2
First Seen                    2021-04-19 21:27:43 UTC
Last Seen                     2021-04-19 21:33:04 UTC
Local ID                      5ec95c86-81bf-4add-be38-5b46ac9fe88c

Raw Audit Messages
type=AVC msg=audit(1618867984.25:148): avc:  denied  { read } for  pid=1188 comm="kexec" name="initramfs-5.10.19-200.fc33.x86_64kdump.img" dev="vda4" ino=23069869 scontext=system_u:system_r:0


Hash: kexec,kdump_t,var_lib_t,file,read
```

Comment 1 Zdenek Pytela 2021-06-02 14:37:57 UTC
Needs backporting:
commit af7e4b6492b315ee0912aef7f9f2d89a4f681ab6
Author: Zdenek Pytela <zpytela>
Date:   Mon May 10 18:36:26 2021 +0200

    Label /var/lib/kdump with kdump_var_lib_t
    
    The kexec-tools usually create initramfs-KERNELVERSIONkdump.img in /boot.
    On some operating systems, the /boot directory can be read-only,
    preventing the image file from being created. In newer kexec-tools
    package versions, the image files are created in /var/lib/kdump
    in case /boot is read-only.
    
    The kdump_manage_lib_files() interface was created and rpm_script_t
    allowed to manage /var/lib/kdump files. This is needed when the
    /lib/kernel/install.d/60-kdump.install kernel install hook is triggered
    to delete unused images.
    
    Resolves: rhbz#1951323
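
A triage check for this denial pattern in raw audit records, added here as an example (it is not code from the bug report or from selinux-policy). It flags a kexec read denial on an initramfs-*kdump.img file that is still labelled var_lib_t, which is exactly the case the commit above fixes by labelling /var/lib/kdump as kdump_var_lib_t. The sample AVC line is constructed to match the report's record; the page's raw line is truncated after scontext, so the tcontext and tclass fields are taken from the sealert "Target Context" section.

```python
import re

# Constructed sample in the shape of the AVC record from the bug report.
# tcontext/tclass are assumed from the sealert Target Context (var_lib_t, file).
SAMPLE_AVC = (
    'type=AVC msg=audit(1618867984.25:148): avc:  denied  { read } for  pid=1188 '
    'comm="kexec" name="initramfs-5.10.19-200.fc33.x86_64kdump.img" dev="vda4" '
    'ino=23069869 scontext=system_u:system_r:kdump_t:s0 '
    'tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0'
)

_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value or key="quoted value"
_PERMS_RE = re.compile(r'\{\s*([^}]*?)\s*\}')     # the { read write ... } permission set


def parse_avc(line):
    """Parse one AVC denial record into a dict of its fields plus a 'perms' set.
    Returns None for lines that are not AVC denials (e.g. SYSCALL records)."""
    if 'avc:' not in line or 'denied' not in line:
        return None
    rec = {k: v.strip('"') for k, v in _FIELD_RE.findall(line)}
    m = _PERMS_RE.search(line)
    rec['perms'] = set(m.group(1).split()) if m else set()
    return rec


def context_type(ctx):
    """Extract the type component from a user:role:type:level security context."""
    parts = ctx.split(':')
    return parts[2] if len(parts) >= 3 else ''


def is_kdump_var_lib_denial(rec):
    """True when kexec running as kdump_t is denied read on a kdump initramfs
    image that carries the generic var_lib_t label instead of kdump_var_lib_t."""
    if not rec:
        return False
    name = rec.get('name', '')
    return (rec.get('comm') == 'kexec'
            and context_type(rec.get('scontext', '')) == 'kdump_t'
            and context_type(rec.get('tcontext', '')) == 'var_lib_t'
            and rec.get('tclass') == 'file'
            and 'read' in rec['perms']
            and name.startswith('initramfs-') and name.endswith('kdump.img'))


def triage(lines):
    """Return (image name, expected label) for every matching denial in the log.
    The expected label is the one the fixed policy applies to /var/lib/kdump."""
    return [(parse_avc(l)['name'], 'kdump_var_lib_t')
            for l in lines if is_kdump_var_lib_denial(parse_avc(l))]
```

A match means the policy or the file labels are stale: relabelling /var/lib/kdump with the fixed selinux-policy is the remedy, not a local allow module for kdump_t on var_lib_t.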

Comment 3 Zdenek Pytela 2021-06-16 09:40:23 UTC
This one needs to be backported, too:
https://github.com/fedora-selinux/selinux-policy/pull/782