Bug 618329
| Summary: | Need to allow /sbin/kexec access to /sys/kernel/debug/boot_params/* | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Neil Horman <nhorman> | ||||||
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> | ||||||
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Milos Malik <mmalik> | ||||||
| Severity: | urgent | Docs Contact: | |||||||
| Priority: | low | ||||||||
| Version: | 6.0 | CC: | amwang, borgan, mmalik, nhorman, syeghiay, tindoh | ||||||
| Target Milestone: | rc | ||||||||
| Target Release: | --- | ||||||||
| Hardware: | All | ||||||||
| OS: | Linux | ||||||||
| Whiteboard: | |||||||||
| Fixed In Version: | selinux-policy-3.7.19-35.el6 | Doc Type: | Bug Fix | ||||||
| Doc Text: | Story Points: | --- | |||||||
| Clone Of: | Environment: | ||||||||
| Last Closed: | 2010-11-10 21:35:34 UTC | Type: | --- | ||||||
| Regression: | --- | Mount Type: | --- | ||||||
| Documentation: | --- | CRM: | |||||||
| Verified Versions: | Category: | --- | |||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||
| Embargoed: | |||||||||
| Bug Depends On: | |||||||||
| Bug Blocks: | 593109, 621261 | ||||||||
| Attachments: |
|
||||||||
|
Description
Neil Horman
2010-07-26 17:02:09 UTC
This issue has been proposed when we are only considering blocker issues in the current Red Hat Enterprise Linux release. ** If you would still like this issue considered for the current release, ask your support representative to file as a blocker on your behalf. Otherwise ask that it be considered for the next Red Hat Enterprise Linux release. ** setting blocker flags on this, as it blocks an already approved blocker I need avc data from /var/log/audit/audit.log indoh-san, can you please provide the avc messages you got when you ran into this issue during your testing? Created attachment 434714 [details]
log file audit.log
indoh-san can you execute # semodule -DB To turn off the dontaudit messages # semanage permissive -a kdump_t To turn kdump_t into a permissive domain Then generate the error. Gather the AVC's # semanage permissive -d kdump_t # semodule -B Miroslav I think we will need kernel_read_debugfs(kdump_t) > # semodule -DB
> To turn off the dontaudit messages
> # semanage permissive -a kdump_t
[root@pq3-1 ~]# semanage permissive -a kdump_t
-bash: semanage: command not found
What package do I need to install to run semanage?
Created attachment 434841 [details]
log file2 audit.log
Ok, here is the result.
[root@pq3-2 ~]# service kdump restart
Stopping kdump: [ OK ]
UNABLE TO GATHER EFI DATA [警告]
Starting kdump: [ OK ]
[root@pq3-2 ~]# semodule -DB
[root@pq3-2 ~]# semanage permissive -a kdump_t
[root@pq3-2 ~]# service kdump restart
Stopping kdump: [ OK ]
GATHERING EFI DATA [警告]
Starting kdump: [ OK ]
[root@pq3-2 ~]# semanage permissive -d kdump_t
[root@pq3-2 ~]# semodule -B
Fixed in selinux-policy-3.7.19-35.el6.noarch. # rpm -q selinux-policy
selinux-policy-3.7.19-35.el6.noarch
I'm still seeing these AVCs on EFI enabled machine:
----
time->Wed Aug 11 05:18:46 2010
type=SYSCALL msg=audit(1281518326.459:58453): arch=40000003 syscall=5 success=yes exit=3 a0=8059134 a1=0 a2=bfeb9bec a3=9b2c5e0 items=0 ppid=7741 pid=7797 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=2229 comm="kexec" exe="/sbin/kexec" subj=unconfined_u:system_r:kdump_t:s0 key=(null)
type=AVC msg=audit(1281518326.459:58453): avc: denied { open } for pid=7797 comm="kexec" name="data" dev=debugfs ino=13 scontext=unconfined_u:system_r:kdump_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=file
type=AVC msg=audit(1281518326.459:58453): avc: denied { read } for pid=7797 comm="kexec" name="data" dev=debugfs ino=13 scontext=unconfined_u:system_r:kdump_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=file
----
You are right. I am fixing it. Thanks. After "semodule -DB" the number of AVCs increased to 3:
----
time->Wed Aug 11 05:35:45 2010
type=SYSCALL msg=audit(1281519345.511:58476): arch=40000003 syscall=5
success=yes exit=3 a0=8059134 a1=0 a2=bfaf32cc a3=8a175e0 items=0 ppid=8380
pid=8436 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=pts2 ses=2229 comm="kexec" exe="/sbin/kexec"
subj=unconfined_u:system_r:kdump_t:s0 key=(null)
type=AVC msg=audit(1281519345.511:58476): avc: denied { open } for pid=8436
comm="kexec" name="data" dev=debugfs ino=13
scontext=unconfined_u:system_r:kdump_t:s0
tcontext=system_u:object_r:debugfs_t:s0 tclass=file
type=AVC msg=audit(1281519345.511:58476): avc: denied { read } for pid=8436
comm="kexec" name="data" dev=debugfs ino=13
scontext=unconfined_u:system_r:kdump_t:s0
tcontext=system_u:object_r:debugfs_t:s0 tclass=file
type=AVC msg=audit(1281519345.511:58476): avc: denied { search } for
pid=8436 comm="kexec" name="/" dev=debugfs ino=1
scontext=unconfined_u:system_r:kdump_t:s0
tcontext=system_u:object_r:debugfs_t:s0 tclass=dir
----
Fixed in selinux-policy-3.7.19-38.el6.noarch Red Hat Enterprise Linux 6.0 is now available and should resolve the problem described in this bug report. This report is therefore being closed with a resolution of CURRENTRELEASE. You may reopen this bug report if the solution does not work for you. |