Bug 1308511 - SELinux is preventing kexec from read access on the file /boot/vmlinuz-4.3.5-300.fc23.x86_64
Summary: SELinux is preventing kexec from read access on the file /boot/vmlinuz-4.3.5-...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 23
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Duplicates: 1306010 1313432
Depends On:
Blocks:
Reported: 2016-02-15 12:40 UTC by Juan Orti
Modified: 2016-08-18 12:35 UTC
CC: 8 users

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2016-08-18 12:35:05 UTC
Type: Bug
Embargoed:



Description Juan Orti 2016-02-15 12:40:40 UTC
I've noticed that kdump fails to arm its ramdisk on each kernel update. This is because the new kernel is installed with the wrong context. Running restorecon on /boot fixes the issue.

[root@xenon ~]# sealert -l 0596ba9e-7d39-4b45-b5e3-9b0d5286ec9b
SELinux is preventing kexec from read access on the file /boot/vmlinuz-4.3.5-300.fc23.x86_64.

*****  Plugin catchall (100. confidence) suggests   **************************

If cree que de manera predeterminada, kexec debería permitir acceso read sobre  vmlinuz-4.3.5-300.fc23.x86_64 file.     
Then debería reportar esto como un error.
Puede generar un módulo de política local para permitir este acceso.
Do
permita el acceso momentáneamente executando:
# grep kexec /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:kdump_t:s0
Target Context                system_u:object_r:modules_object_t:s0
Target Objects                /boot/vmlinuz-4.3.5-300.fc23.x86_64 [ file ]
Source                        kexec
Source Path                   kexec
Port                          <Unknown>
Host                          xenon
Source RPM Packages           
Target RPM Packages           kernel-core-4.3.5-300.fc23.x86_64
Policy RPM                    selinux-policy-3.13.1-158.4.fc23.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     xenon
Platform                      Linux xenon 4.3.5-300.fc23.x86_64 #1 SMP Mon Feb 1
                              03:18:41 UTC 2016 x86_64 x86_64
Alert Count                   38
First Seen                    2016-02-01 19:23:17 CET
Last Seen                     2016-02-15 09:16:06 CET
Local ID                      0596ba9e-7d39-4b45-b5e3-9b0d5286ec9b

Raw Audit Messages
type=AVC msg=audit(1455524166.730:535): avc:  denied  { read } for  pid=2721 comm="kexec" name="vmlinuz-4.3.5-300.fc23.x86_64" dev="sda8" ino=21 scontext=system_u:system_r:kdump_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=file permissive=0


Hash: kexec,kdump_t,modules_object_t,file,read


[root@xenon ~]# journalctl -b -u kdump.service
-- Logs begin at jue 2015-10-01 09:19:17 CEST, end at lun 2016-02-15 13:27:22 CET. --
feb 15 09:16:04 xenon systemd[1]: Starting Crash recovery kernel arming...
feb 15 09:16:06 xenon systemd[1]: kdump.service: Main process exited, code=exited, status=1/FAILURE
feb 15 09:16:06 xenon systemd[1]: Failed to start Crash recovery kernel arming.
feb 15 09:16:06 xenon systemd[1]: kdump.service: Unit entered failed state.
feb 15 09:16:06 xenon systemd[1]: kdump.service: Failed with result 'exit-code'.
feb 15 09:16:06 xenon kdumpctl[1533]: Cannot open `/boot/vmlinuz-4.3.5-300.fc23.x86_64': Permission denied
feb 15 09:16:06 xenon kdumpctl[1533]: kexec: failed to load kdump kernel
feb 15 09:16:06 xenon kdumpctl[1533]: Starting kdump: [FAILED]


[root@xenon ~]# restorecon -Frv /boot
restorecon reset /boot/.vmlinuz.hmac-4.3.5-300.fc23.x86_64 context system_u:object_r:modules_object_t:s0->system_u:object_r:boot_t:s0
restorecon reset /boot/config-4.3.5-300.fc23.x86_64 context system_u:object_r:modules_object_t:s0->system_u:object_r:boot_t:s0
restorecon reset /boot/initramfs-4.3.5-300.fc23.x86_64.img context unconfined_u:object_r:boot_t:s0->system_u:object_r:boot_t:s0
restorecon reset /boot/vmlinuz-4.3.5-300.fc23.x86_64 context system_u:object_r:modules_object_t:s0->system_u:object_r:boot_t:s0
restorecon reset /boot/.vmlinuz.hmac-4.3.3-301.fc23.x86_64 context system_u:object_r:modules_object_t:s0->system_u:object_r:boot_t:s0
restorecon reset /boot/System.map-4.3.5-300.fc23.x86_64 context system_u:object_r:modules_object_t:s0->system_u:object_r:system_map_t:s0
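
The catchall plugin above reaches for audit2allow, but the restorecon output shows the real cause: the file carried modules_object_t where the file-context policy assigns boot_t, so the right fix is a relabel, not a new allow rule. The following script is an added example (not part of this bug report or of selinux-policy) that parses raw AVC records like the one in the report, compares the target's type with the type the policy expects, and reports "relabel" when they differ and "policy-gap" when they already agree. The expectation table is constructed from the restorecon lines in this bug rather than queried from libselinux, the second audit line is made up for contrast, and the directory the file lives in is supplied by the caller because the AVC record only carries the basename plus dev/ino.

```python
"""Triage SELinux AVC denials: mislabelled target or genuine policy gap?"""
import re
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Optional

# Constructed sample audit log. The first line is the raw AVC from this bug;
# the second is a made-up denial whose target already carries the type the
# file-context policy assigns, so relabelling cannot fix it; the third is a
# non-AVC record that the parser must skip.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1455524166.730:535): avc:  denied  { read } for  pid=2721 comm="kexec" name="vmlinuz-4.3.5-300.fc23.x86_64" dev="sda8" ino=21 scontext=system_u:system_r:kdump_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=file permissive=0
type=AVC msg=audit(1455524170.000:536): avc:  denied  { read } for  pid=2721 comm="kexec" name="System.map-4.3.5-300.fc23.x86_64" dev="sda8" ino=22 scontext=system_u:system_r:kdump_t:s0 tcontext=system_u:object_r:system_map_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1455524166.730:535): arch=c000003e syscall=2 success=no exit=-13
"""

# Constructed expectation table (path glob -> type), taken from the labels
# restorecon applied in this bug. A real tool would ask libselinux
# (selabel_lookup / matchpathcon) instead of hard-coding them. First match wins.
EXPECTED_TYPES = [
    ("/boot/System.map-*", "system_map_t"),
    ("/boot/*", "boot_t"),
]

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+pid=(?P<pid>\d+)'
    r' comm="(?P<comm>[^"]*)"(?: name="(?P<name>[^"]*)")?.*?'
    r' scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)


@dataclass
class Denial:
    perms: list
    comm: str
    name: Optional[str]
    source_type: str
    target_type: str
    tclass: str


def selinux_type(context: str) -> str:
    """user:role:type:level -> type (the level may itself contain colons)."""
    return context.split(":")[2]


def parse_avc(line: str) -> Optional[Denial]:
    """Return a Denial for an AVC 'denied' record, None for anything else."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return Denial(
        perms=m["perms"].split(),
        comm=m["comm"],
        name=m["name"],
        source_type=selinux_type(m["scontext"]),
        target_type=selinux_type(m["tcontext"]),
        tclass=m["tclass"],
    )


def expected_type(path: str) -> Optional[str]:
    """Type the (constructed) file-context table assigns to path, if any."""
    for pattern, ftype in EXPECTED_TYPES:
        if fnmatch(path, pattern):
            return ftype
    return None


def triage(denial: Denial, directory: str) -> dict:
    """Classify one denial as a labelling problem or a missing policy rule."""
    path = f"{directory.rstrip('/')}/{denial.name}" if denial.name else None
    want = expected_type(path) if path else None
    summary = (f"{denial.source_type} denied {{ {' '.join(denial.perms)} }} on "
               f"{denial.tclass} {path or '<unknown>'} labelled {denial.target_type}")
    if want is not None and want != denial.target_type:
        return {
            "path": path, "verdict": "relabel", "summary": summary,
            "detail": f"policy assigns {want}, file carries {denial.target_type}",
            "fix": f"restorecon -Fv {path}",
        }
    return {
        "path": path, "verdict": "policy-gap", "summary": summary,
        "detail": "label matches file-context policy; the allow rule itself is missing",
        "fix": "report against selinux-policy (a local audit2allow module only papers over it)",
    }


def triage_log(audit_text: str, directory: str) -> list:
    """Triage every AVC denial in an audit.log excerpt."""
    results = []
    for line in audit_text.splitlines():
        denial = parse_avc(line)
        if denial is not None:
            results.append(triage(denial, directory))
    return results


if __name__ == "__main__":
    for r in triage_log(SAMPLE_AUDIT, "/boot"):
        print(f"[{r['verdict']}] {r['summary']}\n    {r['detail']}\n    fix: {r['fix']}")
```

On a live system the same check is `restorecon -nv /boot/vmlinuz-<version>`: the dry run prints the context change it would make without applying it, and a non-empty answer means the denial is a labelling problem that no local policy module should be written for.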

Comment 1 Lukas Vrabec 2016-08-18 11:33:27 UTC
Can you still reproduce this issue?

Comment 2 Lukas Vrabec 2016-08-18 11:35:27 UTC
*** Bug 1306010 has been marked as a duplicate of this bug. ***

Comment 3 Juan Orti 2016-08-18 12:28:35 UTC
This issue is fixed; the new kernels are installed with the boot_t label, although I'm still unable to use kdump because of bug 1357949.

[root@xenon ~]# ls -laZ /boot/
total 310437
dr-xr-xr-x.  6 root root system_u:object_r:boot_t:s0           1024 ago 17 12:31 .
dr-xr-xr-x. 19 root root system_u:object_r:root_t:s0           4096 ago 17 16:15 ..
-rw-r--r--.  1 root root system_u:object_r:boot_t:s0         175031 jun 24 23:05 config-4.6.3-300.fc24.x86_64
-rw-r--r--.  1 root root system_u:object_r:boot_t:s0         175136 jul 12 14:06 config-4.6.4-301.fc24.x86_64
-rw-r--r--.  1 root root system_u:object_r:boot_t:s0         175125 ago 10 23:24 config-4.6.6-300.fc24.x86_64
drwx------.  5 root root system_u:object_r:dosfs_t:s0         16384 ene  1  1970 efi
drwxr-xr-x.  2 root root system_u:object_r:boot_t:s0           3072 jun 14 15:21 extlinux
drwxr-xr-x.  3 root root system_u:object_r:boot_t:s0           1024 jul 28 11:28 grub2
-rw-------.  1 root root system_u:object_r:boot_t:s0       52620296 jun 14 19:26 initramfs-0-rescue-6f4deefdde164f4aaedc1e6268b12281.img
-rw-------.  1 root root system_u:object_r:boot_t:s0       23078948 jun 30 17:32 initramfs-4.5.7-300.fc24.x86_64kdump.img
-rw-------.  1 root root system_u:object_r:boot_t:s0       52871745 jul 12 11:03 initramfs-4.6.3-300.fc24.x86_64.img
-rw-------.  1 root root system_u:object_r:boot_t:s0       23106441 jul 11 15:38 initramfs-4.6.3-300.fc24.x86_64kdump.img
-rw-------.  1 root root system_u:object_r:boot_t:s0       52871809 jul 20 16:22 initramfs-4.6.4-301.fc24.x86_64.img
-rw-------.  1 root root system_u:object_r:boot_t:s0       23107966 jul 20 17:42 initramfs-4.6.4-301.fc24.x86_64kdump.img
-rw-------.  1 root root unconfined_u:object_r:boot_t:s0   52888525 ago 17 12:31 initramfs-4.6.6-300.fc24.x86_64.img
-rw-r--r--.  1 root root system_u:object_r:boot_t:s0         561684 may  4 05:52 initrd-plymouth.img
drwx------.  2 root root system_u:object_r:lost_found_t:s0    12288 jun 14 19:20 lost+found
-rw-------.  1 root root system_u:object_r:system_map_t:s0  3333457 jun 24 23:05 System.map-4.6.3-300.fc24.x86_64
-rw-------.  1 root root system_u:object_r:system_map_t:s0  3336903 jul 12 14:06 System.map-4.6.4-301.fc24.x86_64
-rw-------.  1 root root system_u:object_r:system_map_t:s0  3337575 ago 10 23:24 System.map-4.6.6-300.fc24.x86_64
-rwxr-xr-x.  1 root root system_u:object_r:boot_t:s0        6277560 jun 14 19:26 vmlinuz-0-rescue-6f4deefdde164f4aaedc1e6268b12281
-rwxr-xr-x.  1 root root system_u:object_r:boot_t:s0        6623528 jun 24 23:05 vmlinuz-4.6.3-300.fc24.x86_64
-rw-r--r--.  1 root root system_u:object_r:boot_t:s0            166 jun 24 23:01 .vmlinuz-4.6.3-300.fc24.x86_64.hmac
-rwxr-xr-x.  1 root root system_u:object_r:boot_t:s0        6634248 jul 12 14:06 vmlinuz-4.6.4-301.fc24.x86_64
-rw-r--r--.  1 root root system_u:object_r:boot_t:s0            166 jul 12 14:00 .vmlinuz-4.6.4-301.fc24.x86_64.hmac
-rwxr-xr-x.  1 root root system_u:object_r:boot_t:s0        6635432 ago 10 23:25 vmlinuz-4.6.6-300.fc24.x86_64
-rw-r--r--.  1 root root system_u:object_r:boot_t:s0            166 ago 10 23:20 .vmlinuz-4.6.6-300.fc24.x86_64.hmac

Comment 4 Lukas Vrabec 2016-08-18 12:31:21 UTC
*** Bug 1313432 has been marked as a duplicate of this bug. ***

Comment 5 Lukas Vrabec 2016-08-18 12:35:05 UTC
According to Comment#3, closing this issue.

