Description of problem: I've configured and enabled the kdump service to load a crash kernel, but the service fails to start on boot due to SELinux denials. time->Thu Feb 18 08:54:21 2016 type=PROCTITLE msg=audit(1455782061.550:508): proctitle=2F7362696E2F6B65786563002D70002D2D636F6D6D616E642D6C696E653D424F4F545F494D4147453D2F766D6C696E757A2D342E332E352D3330302E666332332E7838365F363420726F6F743D2F6465762F6D61707065722F76675F6C7563696665722D726F6F7420726F2072642E6C766D2E6C763D76675F6C756369666572 type=SYSCALL msg=audit(1455782061.550:508): arch=c000003e syscall=2 success=no exit=-13 a0=7ffd67b29f64 a1=0 a2=7ffd67b28c80 a3=697 items=0 ppid=1594 pid=2816 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kexec" exe="/usr/sbin/kexec" subj=system_u:system_r:kdump_t:s0 key=(null) type=AVC msg=audit(1455782061.550:508): avc: denied { read } for pid=2816 comm="kexec" name="vmlinuz-4.3.5-300.fc23.x86_64" dev="md127" ino=29 scontext=system_u:system_r:kdump_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=file permissive=0 Version-Release number of selected component (if applicable): selinux-policy-targeted-3.13.1-158.6.fc23.noarch kexec-tools-2.0.10-4.fc23.x86_64 How reproducible: Always Steps to Reproduce: 1. Enable the kdump service and add crashkernel=128M to the kernel command line 2. reboot 3. watch kdump.service status 4. run 'ausearch -m avc' Actual results: SELinux denials logged, kdump failed to arm the crash kernel Expected results: No SELinux denials and crash kernel loaded Additional info:
https://github.com/fedora-selinux/selinux-policy/issues/49
https://github.com/fedora-selinux/selinux-policy/commit/4a46ba026def002f8caec30af8dae2c3b177ce98
selinux-policy-3.13.1-158.9.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-ffbae3a870
selinux-policy-3.13.1-158.9.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-ffbae3a870
selinux-policy-3.13.1-158.9.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.