1044299 – system-config-kdump: Handling services error

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1044299 - system-config-kdump: Handling services error

Summary: system-config-kdump: Handling services error

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	7.0
Hardware:	Unspecified
OS:	Linux
Priority:	urgent
Severity:	urgent
Target Milestone:	rc
Target Release:	---
Assignee:	Miroslav Grepl
QA Contact:	Milos Malik
Docs Contact:
URL:
Whiteboard:
Duplicates (3):	1055488 1058697 1070318 (view as bug list)
Depends On:	1056008
Blocks:	717946 744225 860099 1035351 1035360 1049106 1049170 1050219 1050845 1055488 1055830 1057960 1062567 1062801 1063932 1066200 1067873 1069502 1070517 1070921 1073810
TreeView+	depends on / blocked

Reported:	2013-12-18 03:56 UTC by Qiao Zhao
Modified:	2014-07-22 13:23 UTC (History)
CC List:	12 users (show)
Fixed In Version:	selinux-policy-3.12.1-134.el7
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2014-06-13 10:08:52 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
system-config-kdump error (395.67 KB, image/png) 2013-12-18 03:56 UTC, Qiao Zhao	no flags	Details
sos report (5.16 MB, application/x-xz) 2014-02-26 16:11 UTC, IBM Bug Proxy	no flags	Details
screenshot (62.64 KB, image/png) 2014-02-26 16:11 UTC, IBM Bug Proxy	no flags	Details
View All

Description Qiao Zhao 2013-12-18 03:56:02 UTC

Created attachment 838105 [details]
system-config-kdump error

Description of problem:
system-config-kdump reminder "Handing services error" after click Apply button when change crashkernel size by Basic Settings.


Version-Release number of selected component (if applicable):
system-config-kdump-2.0.13-3.el7
kexec-tools-2.0.4-14.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1. Install system-config-kdump and start system-config-kdump
2. change "New kdump Memory" by manual
3. click Apply button

Actual results:
remind system-config-kdump: Handling services error

Expected results:
Apply normal

Additional info:

Comment 4 Martin Milata 2014-01-20 22:26:29 UTC

I'm able to reproduce this bug in RHEL7 beta. The issue disappears with SELinux switched to permissive mode. I suspect that this is caused by bug#1022762 and bug#1035360, the same AVCs can be seen in audit.log.

Comment 5 Martin Milata 2014-01-21 11:27:13 UTC

Switching to selinux-policy component.

policy version: selinux-policy-3.12.1-118.el7.noarch

AVC (similar to bug#1022762):
type=USER_AVC msg=audit(1390303008.005:712): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { enable } for auid=-1 uid=0 gid=0 scontext=system_u:system_r:kdumpgui_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=system  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

Comment 6 Miroslav Grepl 2014-01-21 12:15:56 UTC

Yes, it needs to be fixed in the systemd.

Comment 7 Lukáš Nykrýn 2014-01-23 15:18:46 UTC

This one is probably clone of https://bugzilla.redhat.com/show_bug.cgi?id=1056008

Comment 8 Martin Milata 2014-01-28 13:06:04 UTC

*** Bug 1058697 has been marked as a duplicate of this bug. ***

Comment 9 Martin Milata 2014-02-17 18:17:33 UTC

Even with the systemd fix (#1056008), the issue still persists.

With systemd-208-4.el7, I'm getting slightly different USER_AVC:

type=USER_AVC msg=audit(1392660188.972:385): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { enable } for auid=-1 uid=0 gid=0 path="system" scontext=system_u:system_r:kdumpgui_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

Doesn't the policy need to be changed too, as suggested in bug #1035360?

Comment 10 Miroslav Grepl 2014-02-18 10:29:29 UTC

It does not make sense to do this check on the "system" class.

Comment 11 Milos Malik 2014-02-20 08:25:27 UTC

Caught in enforcing mode:
----
type=PATH msg=audit(02/20/2014 09:22:11.940:14628) : item=0 name=/dev/sr0 inode=9941 dev=00:05 mode=block,660 ouid=root ogid=cdrom rdev=0b:00 obj=system_u:object_r:removable_device_t:s0 objtype=NORMAL 
type=CWD msg=audit(02/20/2014 09:22:11.940:14628) :  cwd=/ 
type=SYSCALL msg=audit(02/20/2014 09:22:11.940:14628) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=0x7896e0 a1=O_RDONLY|O_CLOEXEC a2=0x0 a3=0x0 items=1 ppid=1713 pid=1715 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=grubby exe=/usr/sbin/grubby subj=system_u:system_r:kdumpgui_t:s0-s0:c0.c1023 key=(null) 
type=AVC msg=audit(02/20/2014 09:22:11.940:14628) : avc:  denied  { read } for  pid=1715 comm=grubby name=sr0 dev="devtmpfs" ino=9941 scontext=system_u:system_r:kdumpgui_t:s0-s0:c0.c1023 tcontext=system_u:object_r:removable_device_t:s0 tclass=blk_file 
----
type=USER_AVC msg=audit(02/20/2014 09:23:07.937:14632) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc:  denied  { enable } for auid=unset uid=root gid=root path=system scontext=system_u:system_r:kdumpgui_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=system  exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?' 
----

Comment 12 Milos Malik 2014-02-20 09:07:32 UTC

Caught in permissive mode:
----
type=USER_AVC msg=audit(02/20/2014 10:06:07.061:14878) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc:  denied  { enable } for auid=unset uid=root gid=root path=system scontext=system_u:system_r:kdumpgui_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=system  exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?' 
----
type=USER_AVC msg=audit(02/20/2014 10:06:07.062:14879) : pid=1 uid=root auid=unset ses=unset subj=system_u:system_r:init_t:s0 msg='avc:  denied  { reload } for auid=unset uid=root gid=root path=system scontext=system_u:system_r:kdumpgui_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=system  exe=/usr/lib/systemd/systemd sauid=root hostname=? addr=? terminal=?' 
----

Comment 14 Miroslav Grepl 2014-02-26 16:03:30 UTC

*** Bug 1070318 has been marked as a duplicate of this bug. ***

Comment 15 IBM Bug Proxy 2014-02-26 16:11:16 UTC

Created attachment 868096 [details]
sos report

default comment by bridge

Comment 16 IBM Bug Proxy 2014-02-26 16:11:20 UTC

Created attachment 868097 [details]
screenshot

default comment by bridge

Comment 18 Lukáš Nykrýn 2014-02-27 16:01:36 UTC

Ia m not sure what is the proper fix in systemd. I think that maybe the mentioned patch from upstream http://cgit.freedesktop.org/systemd/systemd/commit/?id=4f7385f is wrong, because when the service is not running u = manager_get_unit(m, *i); will just return an error, so we will not get to the selinux_unit_access_check part.

Comment 19 Miroslav Grepl 2014-03-03 19:27:26 UTC

The problem is it would allow s-c-kdump to enable/disable all services on the system. 

Either we miss a check on

/usr/lib/systemd/system/httpd.service

or we miss additional check on this unit file.

Comment 20 Lukáš Nykrýn 2014-03-04 11:49:15 UTC

Can you please elaborate this? I am not sure that I follow.

Comment 21 Miroslav Grepl 2014-03-04 12:00:23 UTC

My point is 

allow kdumpgui_t init_t:system { enable disalbe reload }

could be OK but then we need to have additional check on kdump unit file in this case?

Dan?

Comment 22 Martin Milata 2014-03-05 15:41:39 UTC

*** Bug 1056008 has been marked as a duplicate of this bug. ***

Comment 23 Miroslav Grepl 2014-03-06 14:47:18 UTC

Lukáš.
my understanding is we don't do a check for a unit file if there is disable/enable action. Not sure if it can be changed to do this check or we need to add an additional check after

allow kdumpgui_t init_t:system { enable disalbe reload }

is ok and then do a unit file check.

Does it make sense?

Comment 24 Lukáš Nykrýn 2014-03-06 15:35:16 UTC

I am still not sure what is exactly happening here. It looks to me that kdumpgui is calling enable on some unit, but selinux forbids that.

So from systemd side of a view we should check if some binary is allowed to enable specific unit? Or is this just a question about policy if kdumpgui can enable and disable units?

Comment 25 Miroslav Grepl 2014-03-06 15:45:14 UTC

(In reply to Lukáš Nykrýn from comment #24)
> I am still not sure what is exactly happening here. It looks to me that
> kdumpgui is calling enable on some unit, but selinux forbids that.

Yes.

s-c-kdump running as kdumpgui_t runs

systemctl enable/disable kdump

so you end with

allow kdumpgui_t init_t:system { enable disable reload }

But it allows s-c-kdump to disable/enable all services on a system.

> So from systemd side of a view we should check if some binary is allowed to
> enable specific unit? Or is this just a question about policy if kdumpgui
> can enable and disable units?

The same way how you check whether it can be started for example.

Comment 26 Martin Milata 2014-03-07 10:33:30 UTC

*** Bug 1055488 has been marked as a duplicate of this bug. ***

Comment 28 IBM Bug Proxy 2014-03-11 15:33:58 UTC

------- Comment From brueckner.com 2014-03-11 15:26 EDT-------
*** Bug 105558 has been marked as a duplicate of this bug. ***

Comment 30 Ludek Smid 2014-06-13 10:08:52 UTC

This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.

Note You need to log in before you can comment on or make changes to this bug.