Bug 833242

Summary: 'ldconfig -r' permission denied in kdump.service
Product: Fedora
Reporter: Dave Young <ruyang>
Component: selinux-policy-targeted
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Ben Levenson <benl>
Severity: unspecified
Priority: unspecified
Version: 17
CC: dwalsh, harald
Type: Bug
Doc Type: Bug Fix
Last Closed: 2012-06-30 21:52:08 UTC
Bug Blocks: 799340

Description Dave Young 2012-06-19 02:07:05 UTC
I guess this is related to the SELinux policy; please help to take a look:

kdump.service first-time startup will fail with the info below:
Jun 12 23:28:39 localhost kdumpctl[548]: + ldconfig -r /var/tmp/initramfs.Lk6NT4
Jun 12 23:28:39 localhost kdumpctl[548]: ldconfig: Can't create temporary cache file /etc/ld.so.cache~: Permission denied


dracut ran a cmd like 'ldconfig -r /var/tmp/foo' in kdump.service.

I'm seeing the SELinux audit log below:

type=AVC msg=audit(1340070736.339:41): avc:  denied  { read } for  pid=4493 comm="ldconfig" name="lib64" dev="dm-1" ino=2684 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
type=AVC msg=audit(1340070736.339:42): avc:  denied  { write } for  pid=4493 comm="ldconfig" name="etc" dev="dm-1" ino=2681 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
type=SERVICE_START msg=audit(1340070736.748:43): pid=0 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="kdump" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'

Comment 1 Miroslav Grepl 2012-06-19 08:08:38 UTC
*** Bug 833243 has been marked as a duplicate of this bug. ***

Comment 2 Miroslav Grepl 2012-06-19 08:48:25 UTC
So if I understand correctly, there is the /var/tmp/initramfs* dir which is used as root directory created as initrc_tmp_t and this directory is used by ldconfig, depmod, right?

Comment 3 Dave Young 2012-06-19 09:15:13 UTC
(In reply to comment #2)
> So if I understand correctly, there is the /var/tmp/initramfs* dir which is
> used as root directory created as initrc_tmp_t and this directory is used by
> ldconfig, depmod, right?

Yes, dracut creates a temp dir under /var/tmp, installs files into it and runs ldconfig -r, then creates the cpio archive.

I have no knowledge about SELinux, so I'm not sure about initrc_tmp_t.

Comment 4 Miroslav Grepl 2012-06-19 10:55:55 UTC
Ok, I am now playing with

# chcon -t kdump_exec_t /usr/bin/kdumpctl

It requires new transitions from kdump to other domains (we have a way to do it) and I am able to get

allow ldconfig_t kdump_tmp_t:dir { read write add_name remove_name };
allow ldconfig_t kdump_tmp_t:file { rename write getattr setattr read create open };
allow ldconfig_t kdump_tmp_t:lnk_file read;
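The raw AVC records in the description and the allow rules in comment 4 are two views of the same denials. As an added example (not code from this bug or from the selinux-policy project), the Python below parses AVC records copied from this report, unions the denied permissions per (source type, target type, class) the way audit2allow does, and renders them as candidate allow rules so each can be reviewed on its merits (the question comment 6 raises about the ldconfig transition) rather than installed wholesale.

```python
import re
from collections import defaultdict

# Audit records copied from this bug report (description and comment 13); the
# SERVICE_START record is included to show that non-AVC records are skipped.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1340070736.339:41): avc:  denied  { read } for  pid=4493 comm="ldconfig" name="lib64" dev="dm-1" ino=2684 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
type=AVC msg=audit(1340070736.339:42): avc:  denied  { write } for  pid=4493 comm="ldconfig" name="etc" dev="dm-1" ino=2681 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
type=SERVICE_START msg=audit(1340070736.748:43): pid=0 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="kdump" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
type=AVC msg=audit(1340183519.652:308): avc:  denied  { unlink } for  pid=17448 comm="rm" name="null" dev="sda3" ino=404598 scontext=system_u:system_r:kdump_t:s0 tcontext=system_u:object_r:null_device_t:s0 tclass=chr_file
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def parse_avc(line):
    """Return (source_type, target_type, tclass, perms, comm) for an AVC denial, else None."""
    if not line.startswith("type=AVC"):
        return None
    m = AVC_RE.search(line)
    if m is None:
        return None
    # A security context is user:role:type:level; the type is the third field.
    stype = m.group("scontext").split(":")[2]
    ttype = m.group("tcontext").split(":")[2]
    return stype, ttype, m.group("tclass"), set(m.group("perms").split()), m.group("comm")

def collapse(audit_text):
    """Union the denied permissions per (source type, target type, class),
    the grouping audit2allow performs before it emits rules."""
    rules = defaultdict(set)
    for line in audit_text.splitlines():
        parsed = parse_avc(line)
        if parsed is not None:
            stype, ttype, tclass, perms, _comm = parsed
            rules[(stype, ttype, tclass)] |= perms
    return rules

def allow_rules(audit_text):
    """Render the collapsed denials as policy allow rules, one string per rule."""
    out = []
    for (stype, ttype, tclass), perms in sorted(collapse(audit_text).items()):
        names = sorted(perms)
        body = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
        out.append(f"allow {stype} {ttype}:{tclass} {body};")
    return out
```

On the sample records, allow_rules(SAMPLE_AUDIT) returns one rule for kdump_t on null_device_t:chr_file (unlink) and one for ldconfig_t on initrc_tmp_t:dir ({ read write }); the same tuples are what comment 4's rules cover once the directory is relabeled kdump_tmp_t.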

Comment 5 Miroslav Grepl 2012-06-19 12:27:14 UTC
Well, dracut wants to add a lot of accesses, but I think they are OK for the kdump_t policy.

But we could also start to think about a dracut policy for these cases.

Comment 6 Daniel Walsh 2012-06-19 14:16:16 UTC
I would get rid of the transition to ldconfig; this domain only exists to make sure the /etc/ld.so.cache file is labeled correctly.

Comment 7 Miroslav Grepl 2012-06-19 20:52:28 UTC
Well, this is about the /var/tmp/initramfs* directory, which is created by kdumpctl (labeled as bin_t) from the kdump.service unit file.

ExecStart=/usr/bin/kdumpctl start

All files/dirs are created there, and ldconfig_t/insmod_t need to manage /var/tmp/initramfs*.

So my idea is the kdump_exec_t label for kdumpctl => it will run as kdump_t, and I could make kdump_t an initrc domain and control which domains will be able to use /var/tmp/initramfs*, which could get the kdump_tmp_t label.

Comment 8 Miroslav Grepl 2012-06-20 07:38:50 UTC
Could you please test it with

http://koji.fedoraproject.org/koji/taskinfo?taskID=4179182

after installing, please execute

# chcon -t kdump_exec_t /usr/bin/kdumpctl

and try to re-test it. Thanks.

Comment 9 Dave Young 2012-06-20 08:11:05 UTC
(In reply to comment #8)
> Could you please test it with
> 
> http://koji.fedoraproject.org/koji/taskinfo?taskID=4179182
> 
> after installing, please execute
> 
> # chcon -t kdump_exec_t /usr/bin/kdumpctl
> 
> and try to re-test it. Thanks.


Hi, there's a new AVC denial; see the info below:

SELinux is preventing /usr/bin/bash from execute access on the file udevadm.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that bash should be allowed execute access on the udevadm file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep dracut /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:kdump_t:s0
Target Context                system_u:object_r:kdump_tmp_t:s0
Target Objects                udevadm [ file ]
Source                        dracut
Source Path                   /usr/bin/bash
Port                          <Unknown>
Host                          darkstar.nay.redhat.com
Source RPM Packages           bash-4.2.24-2.fc17.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.10.0-132.fc17.1.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     darkstar.nay.redhat.com
Platform                      Linux darkstar.nay.redhat.com 3.3.4-5.fc17.x86_64
                              #1 SMP Mon May 7 17:29:34 UTC 2012 x86_64 x86_64
Alert Count                   4
First Seen                    Wed 20 Jun 2012 04:02:38 PM CST
Last Seen                     Wed 20 Jun 2012 04:02:38 PM CST
Local ID                      52c97a48-d4c7-4584-af4f-429e3c5146ce

Raw Audit Messages
type=AVC msg=audit(1340179358.994:141): avc:  denied  { execute } for  pid=1844 comm="dracut" name="udevadm" dev="sda3" ino=404905 scontext=system_u:system_r:kdump_t:s0 tcontext=system_u:object_r:kdump_tmp_t:s0 tclass=file


type=SYSCALL msg=audit(1340179358.994:141): arch=x86_64 syscall=faccessat success=no exit=EACCES a0=ffffffffffffff9c a1=b0c430 a2=1 a3=2b items=0 ppid=1478 pid=1844 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=dracut exe=/usr/bin/bash subj=system_u:system_r:kdump_t:s0 key=(null)

Hash: dracut,kdump_t,kdump_tmp_t,file,execute

audit2allowunable to open /sys/fs/selinux/policy:  Permission denied


audit2allow -Runable to open /sys/fs/selinux/policy:  Permission denied

Comment 10 Miroslav Grepl 2012-06-20 08:15:27 UTC
Could you test it in permissive mode?

# setenforce 0

Comment 11 Dave Young 2012-06-20 08:54:16 UTC
(In reply to comment #10)
> Could you test it in permissive mode?
> 
> # setenforce 0

The service startup is OK in permissive mode.

Comment 12 Miroslav Grepl 2012-06-20 09:03:30 UTC
And what AVC msgs are you getting?

Comment 13 Dave Young 2012-06-20 09:16:39 UTC
See below; not sure if it's what you want:

SELinux is preventing /usr/bin/rm from unlink access on the chr_file null.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that rm should be allowed unlink access on the null chr_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep rm /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:kdump_t:s0
Target Context                system_u:object_r:null_device_t:s0
Target Objects                null [ chr_file ]
Source                        rm
Source Path                   /usr/bin/rm
Port                          <Unknown>
Host                          darkstar.nay.redhat.com
Source RPM Packages           coreutils-8.15-6.fc17.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.10.0-132.fc17.1.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     darkstar.nay.redhat.com
Platform                      Linux darkstar.nay.redhat.com 3.3.4-5.fc17.x86_64
                              #1 SMP Mon May 7 17:29:34 UTC 2012 x86_64 x86_64
Alert Count                   2
First Seen                    Wed 20 Jun 2012 04:50:15 PM CST
Last Seen                     Wed 20 Jun 2012 05:11:59 PM CST
Local ID                      c68ddcd7-31c9-4265-a81f-632d92ca597f

Raw Audit Messages
type=AVC msg=audit(1340183519.652:308): avc:  denied  { unlink } for  pid=17448 comm="rm" name="null" dev="sda3" ino=404598 scontext=system_u:system_r:kdump_t:s0 tcontext=system_u:object_r:null_device_t:s0 tclass=chr_file


type=SYSCALL msg=audit(1340183519.652:308): arch=x86_64 syscall=unlinkat success=yes exit=0 a0=5 a1=14989e8 a2=0 a3=114 items=0 ppid=13940 pid=17448 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=rm exe=/usr/bin/rm subj=system_u:system_r:kdump_t:s0 key=(null)

Hash: rm,kdump_t,null_device_t,chr_file,unlink

audit2allowunable to open /sys/fs/selinux/policy:  Permission denied


audit2allow -Runable to open /sys/fs/selinux/policy:  Permission denied

Comment 14 Miroslav Grepl 2012-06-21 10:39:55 UTC
Ok, I think I have a solution.

Could you test it with

http://koji.fedoraproject.org/koji/taskinfo?taskID=4183110

Comment 15 Dave Young 2012-06-25 05:57:35 UTC
(In reply to comment #14)
> Ok, I think I have a solution.
> 
> Could you test it with
> 
> http://koji.fedoraproject.org/koji/taskinfo?taskID=4183110

With this build, systemd service startup is OK for me. Great work, thanks!

Comment 16 Daniel Walsh 2012-06-26 10:39:00 UTC
Fixed in selinux-policy-3.10.0-132.fc17

Comment 17 Fedora Update System 2012-06-26 21:48:21 UTC
selinux-policy-3.10.0-134.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-134.fc17

Comment 18 Fedora Update System 2012-06-28 03:38:33 UTC
Package selinux-policy-3.10.0-134.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-134.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-10008/selinux-policy-3.10.0-134.fc17
then log in and leave karma (feedback).

Comment 19 Fedora Update System 2012-06-30 21:52:08 UTC
selinux-policy-3.10.0-134.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.