Bug 1035360 - [PATCH] contrib: Make system-config-kdump work
Summary: [PATCH] contrib: Make system-config-kdump work
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On: 1022762 1044299 1056008
Blocks: 1035351
Reported: 2013-11-27 15:50 UTC by Lubomir Rintel
Modified: 2014-11-19 14:38 UTC (History)

Fixed In Version:
Clone Of: 1022762
Environment:
Last Closed: 2014-11-19 14:38:04 UTC
Type: Bug
Embargoed:


Attachments (Terms of Use)
[PATCH] kdumpgui: Allow accessing and creating the libblkid cache (653 bytes, patch)
2013-11-27 15:50 UTC, Lubomir Rintel
[PATCH] systemd: Allow systemctl users to reload systemd state (870 bytes, text/plain)
2013-11-27 15:52 UTC, Lubomir Rintel

Description Lubomir Rintel 2013-11-27 15:50:46 UTC
Created attachment 829785 [details]
[PATCH] kdumpgui: Allow accessing and creating the libblkid cache

+++ This bug was initially created as a clone of Bug #1022762 +++

Apart from the systemd shortcoming that's being addressed in the above bug, I believe there still are two changes needed to the policy.

Please have a look at the attached patch files; they contain explanations in their headers.

The denials:

type=AVC msg=audit(1385565744.551:108): avc:  denied  { write } for  pid=2565 comm="grubby" name="/" dev="tmpfs" ino=1185 scontext=system_u:system_r:kdumpgui_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=dir

type=USER_AVC msg=audit(1385565751.354:111): pid=1 uid=0 auid=4294967295 ses=4294967295  subj=system_u:system_r:init_t:s0 msg='avc:  denied  { reload } for auid=-1 uid=0 gid=0 scontext=system_u:system_r:kdumpgui_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=system  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

Systemd log for "systemctl enable kdump.service" and "systemctl disable kdump.service" (from an unconfined shell session):

Nov 27 15:51:37 odvarok systemd[1]: Got D-Bus request: org.freedesktop.systemd1.Manager.DisableUnitFiles() on /org/freedesktop/systemd1
Nov 27 15:51:37 odvarok systemd[1]: SELinux access check scon=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcon=system_u:object_r:kdump_unit_file_t:s0 tclass=service perm=disable path=/usr/lib/systemd/system/kdump.service cmdline=systemctl disable kdump.service: 0 
Nov 27 15:51:37 odvarok systemd[1]: Got D-Bus request: org.freedesktop.systemd1.Manager.Reload() on /org/freedesktop/systemd1
Nov 27 15:51:37 odvarok systemd[1]: SELinux access check scon=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcon=system_u:system_r:init_t:s0 tclass=system perm=reload path=(null) cmdline=systemctl disable kdump.service: 0


Nov 27 15:52:09 odvarok systemd[1]: Got D-Bus request: org.freedesktop.systemd1.Manager.EnableUnitFiles() on /org/freedesktop/systemd1
Nov 27 15:52:09 odvarok systemd[1]: SELinux access check scon=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcon=system_u:object_r:kdump_unit_file_t:s0 tclass=service perm=enable path=/usr/lib/systemd/system/kdump.service cmdline=systemctl enable kdump.service: 0
Nov 27 15:52:09 odvarok systemd[1]: Got D-Bus request: org.freedesktop.systemd1.Manager.Reload() on /org/freedesktop/systemd1
Nov 27 15:52:09 odvarok systemd[1]: SELinux access check scon=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcon=system_u:system_r:init_t:s0 tclass=system perm=reload path=(null) cmdline=systemctl enable kdump.service: 0
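
As an added illustration (not part of this bug report or the attached patches), the following Python turns the two denials quoted above into the candidate allow rules a policy author would review, in the spirit of audit2allow; it handles both the kernel AVC record (grubby writing under /run) and the USER_AVC record that systemd emits as a userspace object manager for the `system:reload` check. The sample lines are copies of the denials from this report.

```python
import re

# Constructed sample: the two denial records quoted in this bug report.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1385565744.551:108): avc:  denied  { write } for  pid=2565 comm="grubby" name="/" dev="tmpfs" ino=1185 scontext=system_u:system_r:kdumpgui_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
type=USER_AVC msg=audit(1385565751.354:111): pid=1 uid=0 auid=4294967295 ses=4294967295  subj=system_u:system_r:init_t:s0 msg='avc:  denied  { reload } for auid=-1 uid=0 gid=0 scontext=system_u:system_r:kdumpgui_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=system  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
"""

# Matches the avc: denied { perms } ... scontext= tcontext= tclass= core that
# both AVC and USER_AVC records share (USER_AVC wraps it inside msg='...').
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\w+)"
)


def parse_avc(line):
    """Return the denial's domain/type/class/perms, or None for a non-AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": m.group("perms").split(),
        # Context is user:role:type[:range]; the policy rule needs only the type.
        "sdomain": m.group("scontext").split(":")[2],
        "ttype": m.group("tcontext").split(":")[2],
        "tclass": m.group("tclass"),
        # USER_AVC means a userspace object manager (here systemd, pid=1)
        # asked the kernel for the decision, not the kernel's own LSM hook.
        "user_avc": line.startswith("type=USER_AVC"),
    }


def format_rule(d):
    """Render one denial as a TE allow rule; braces only for multiple perms."""
    perms = d["perms"][0] if len(d["perms"]) == 1 else "{ " + " ".join(d["perms"]) + " }"
    return f"allow {d['sdomain']} {d['ttype']}:{d['tclass']} {perms};"


def candidate_rules(audit_text):
    """Candidate rules for review. A raw allow on var_run_t is broader than the
    attached patch, which scopes the access to the libblkid cache; treat the
    output as a starting point for choosing the right policy interface."""
    return [format_rule(d) for d in map(parse_avc, audit_text.splitlines()) if d]


if __name__ == "__main__":
    for rule in candidate_rules(SAMPLE_AUDIT):
        print(rule)
```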

Comment 1 Lubomir Rintel 2013-11-27 15:52:24 UTC
Created attachment 829786 [details]
[PATCH] systemd: Allow systemctl users to reload systemd state

Comment 2 Lubomir Rintel 2013-12-28 10:21:26 UTC
Ping?

The enable/disable access vectors have been fixed in upstream systemd Git now.
What about the additional two patches needed to make s-c-k work that are attached here; do those make sense?

Comment 3 Miroslav Grepl 2014-02-18 10:30:33 UTC
(In reply to Lubomir Rintel from comment #2)
> Ping?
> 
> The enable/disable access vectors have been fixed in upstream systemd Git
> now.

To which upstream?

> What about the additional two patches needed to make s-c-k work that are
> attached here; do those make sense?

Comment 4 Lubomir Rintel 2014-02-18 11:30:20 UTC
(In reply to Miroslav Grepl from comment #3)
> (In reply to Lubomir Rintel from comment #2)
> > Ping?
> > 
> > The enable/disable access vectors have been fixed in upstream systemd Git
> > now.
> 
> To which upstream?

systemd. See the bug this one was cloned from.

