Bug 1356456 - kexec-tools: kdump service start fails due to AVC deny
Summary: kexec-tools: kdump service start fails due to AVC deny
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 24
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Duplicates: 1311534
Depends On:
Blocks: 1357762
 
Reported: 2016-07-14 07:42 UTC by xiaoli feng
Modified: 2017-02-02 20:50 UTC

Fixed In Version: selinux-policy-3.13.1-191.24.fc24
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 1357762
Environment:
Last Closed: 2017-02-02 20:50:38 UTC
Type: Bug
Embargoed:



Description xiaoli feng 2016-07-14 07:42:35 UTC
Description of problem:
According to the kdumpctl help text, "kdumpctl start" starts the kdump service. But actually it doesn't start the kdump service.


Version-Release number of selected component (if applicable):

4.6.3-300.fc24.ppc64

How reproducible:

100%
Steps to Reproduce:
1.systemctl stop kdump
2.kdumpctl start or restart
3.check if kdump service start

Actual results:
The kdump service doesn't start after "kdumpctl start".

Expected results:

The kdump service starts after "kdumpctl start".
Additional info:

Comment 1 Dave Young 2016-07-22 08:34:11 UTC
[root@localhost ~]# cat /proc/iomem|grep Crash
  25000000-34ffffff : Crash kernel

[root@localhost ~]# systemctl enable kdump
Created symlink from /etc/systemd/system/multi-user.target.wants/kdump.service to /usr/lib/systemd/system/kdump.service.
[root@localhost ~]# systemctl stop kdump
[root@localhost ~]# systemctl start kdump
[root@localhost ~]# kdumpctl status
Kdump is operational

I can not reproduce in a fresh installed Fedora vm...

Comment 2 xiaoli feng 2016-08-02 01:18:45 UTC
Sorry, I missed the message. The cmd "kdumpctl status" shows it works, but the cmd "systemctl status kdump" shows it failed to start. I think the cmd "kdumpctl start kdump" doesn't update the systemd status.

Comment 3 Dave Young 2016-08-03 09:34:46 UTC
I guess it is caused by an access denial like the one below:

Aug  3 17:20:39 localhost audit: AVC avc:  denied  { sys_admin } for  pid=2120 comm="kexec" capability=21  scontext=system_u:system_r:kdump_t:s0 tcontext=system_u:system_r:kdump_t:s0 tclass=capability permissive=0
Aug  3 17:20:39 localhost audit: AVC avc:  denied  { sys_admin } for  pid=2120 comm="kexec" capability=21  scontext=system_u:system_r:kdump_t:s0 tcontext=system_u:system_r:kdump_t:s0 tclass=capability permissive=0
Aug  3 17:20:39 localhost audit: AVC avc:  denied  { sys_admin } for  pid=2120 comm="kexec" capability=21  scontext=system_u:system_r:kdump_t:s0 tcontext=system_u:system_r:kdump_t:s0 tclass=capability permissive=0

We need help from the SELinux team.

Comment 4 Dave Young 2016-08-09 05:52:06 UTC
Hi,

I think I misunderstood the bug report; it should not be a bug, because kdumpctl is for internal use and one should use systemctl to start/stop the kdump service.

But I did see a Rawhide bug in comment #3: "systemctl start kdump" failed, as I said there. So let's use this bug for the issue in comment #3.

Thanks
Dave

Comment 5 Fedora Update System 2016-08-11 11:55:46 UTC
selinux-policy-3.13.1-191.10.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-2c8a3e08c6

Comment 6 Lukas Vrabec 2016-08-11 11:57:26 UTC
Moving back to NEW state. I added wrong BZ ID to bodhi.

Comment 7 Joseph D. Wagner 2016-10-01 03:03:11 UTC
SELinux is preventing restorecon from write access on the fifo_file /var/tmp/dracut.94mpiI/systemd-cat.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that restorecon should be allowed write access on the systemd-cat fifo_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'restorecon' --raw | audit2allow -M my-restorecon
# semodule -X 300 -i my-restorecon.pp

Additional Information:
Source Context                system_u:system_r:setfiles_t:s0
Target Context                system_u:object_r:kdumpctl_tmp_t:s0
Target Objects                /var/tmp/dracut.94mpiI/systemd-cat [ fifo_file ]
Source                        restorecon
Source Path                   restorecon
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-191.16.fc24.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 4.7.4-200.fc24.x86_64
                              #1 SMP Thu Sep 15 18:42:09 UTC 2016 x86_64 x86_64
Alert Count                   1
First Seen                    2016-09-30 19:58:52 PDT
Last Seen                     2016-09-30 19:58:52 PDT
Local ID                      72bac7b2-3fe9-47de-9382-118844efb7a9

Raw Audit Messages
type=AVC msg=audit(1475290732.714:224): avc:  denied  { write } for  pid=21528 comm="restorecon" path="/var/tmp/dracut.94mpiI/systemd-cat" dev="dm-1" ino=6818526 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:kdumpctl_tmp_t:s0 tclass=fifo_file permissive=0


Hash: restorecon,setfiles_t,kdumpctl_tmp_t,fifo_file,write

Comment 8 Joseph D. Wagner 2016-10-01 03:04:31 UTC
In case it wasn't clear, the denial I just posted was received while starting the kdump service.
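
The denials in comment 3 and comment 7 are the same kind of record, once as syslog output hard-wrapped at 80 columns and once as a raw audit message. The following is an added example, not code from this page, from kexec-tools or from the selinux-policy package: it re-joins wrapped records, parses the AVC fields, decodes the capability number (21 is CAP_SYS_ADMIN in <linux/capability.h>) and aggregates the denials into the allow rules that audit2allow would propose, so they can be reviewed before anyone runs the semodule command setroubleshoot suggests. The sample log is constructed from the two denials quoted above, including the orphaned ":" fragment from comment 3, and the function names, the syslog-prefix assumption and the rule formatting are this example's own.

```python
"""Triage SELinux AVC denials like the ones quoted in this thread: re-join
hard-wrapped records, parse them, decode capability numbers and derive the
allow rules audit2allow would propose, for review rather than blind use."""
import re
from collections import defaultdict

# Capability numbers from <linux/capability.h>; "capability=21" in the kexec
# denials above is CAP_SYS_ADMIN.
CAPABILITY_NAMES = {
    0: "chown", 1: "dac_override", 2: "dac_read_search", 3: "fowner",
    4: "fsetid", 5: "kill", 6: "setgid", 7: "setuid", 8: "setpcap",
    9: "linux_immutable", 10: "net_bind_service", 11: "net_broadcast",
    12: "net_admin", 13: "net_raw", 14: "ipc_lock", 15: "ipc_owner",
    16: "sys_module", 17: "sys_rawio", 18: "sys_chroot", 19: "sys_ptrace",
    20: "sys_pacct", 21: "sys_admin", 22: "sys_boot", 23: "sys_nice",
    24: "sys_resource", 25: "sys_time", 26: "sys_tty_config", 27: "mknod",
}

# Assumption: a record starts with a syslog timestamp ("Aug  3 17:20:39 host")
# or a raw "type=AVC msg=audit(...)" prefix; any other line is a continuation
# that a terminal wrapped at 80 columns, possibly mid-token ("c" / "omm=").
RECORD_START = re.compile(r"^(?:[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d\s|type=\w+\s)")
AVC_RE = re.compile(r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}"
                    r"\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample: the kexec and restorecon denials quoted in the thread,
# wrapped the way they were pasted, plus a ":" elision with an orphaned tail.
SAMPLE_LOG = """\
Aug  3 17:20:39 localhost audit: AVC avc:  denied  { sys_admin } for  pid=2120 c
omm="kexec" capability=21  scontext=system_u:system_r:kdump_t:s0 tcontext=system
_u:system_r:kdump_t:s0 tclass=capability permissive=0
:
omm="kexec" capability=21  scontext=system_u:system_r:kdump_t:s0 tcontext=system
_u:system_r:kdump_t:s0 tclass=capability permissive=0
Aug  3 17:20:39 localhost audit: AVC avc:  denied  { sys_admin } for  pid=2120 c
omm="kexec" capability=21  scontext=system_u:system_r:kdump_t:s0 tcontext=system
_u:system_r:kdump_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1475290732.714:224): avc:  denied  { write } for  pid=21528 comm="restorecon" path="/var/tmp/dracut.94mpiI/systemd-cat" dev="dm-1" ino=6818526 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:kdumpctl_tmp_t:s0 tclass=fifo_file permissive=0
"""


def unwrap(text):
    """Re-join hard-wrapped records. A lone ":" marks an elided stretch and
    starts a new (unparseable, hence ignored) record, so the orphaned tail is
    not glued onto the previous denial."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if RECORD_START.match(line) or line.strip() == ":" or not records:
            records.append(line)
        else:
            records[-1] += line      # wrapped mid-token, so no separator
    return records


def parse_avc_records(text):
    """One dict per AVC record: verdict, sorted perms and the key=value fields."""
    parsed = []
    for record in unwrap(text):
        m = AVC_RE.search(record)
        if not m:
            continue
        rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
        rec["verdict"] = m.group("verdict")
        rec["perms"] = sorted(m.group("perms").split())
        if "capability" in rec:
            rec["capability_name"] = CAPABILITY_NAMES.get(int(rec["capability"]), "unknown")
            # The permission and the capability number must agree; a mismatch
            # means the record was mangled in transit, not a policy oddity.
            rec["capability_consistent"] = rec["capability_name"] in rec["perms"]
        parsed.append(rec)
    return parsed


def context_type(ctx):
    """system_u:system_r:kdump_t:s0 -> kdump_t (the type is the third field)."""
    return ctx.split(":")[2]


def allow_rules(text):
    """Aggregate denials into audit2allow-style rules, one per (source, target,
    class). Treat the output as a review list: kdump_t getting sys_admin on
    self is the kind of rule the policy maintainers, not a local module, should own."""
    wanted = defaultdict(set)
    for rec in parse_avc_records(text):
        if rec["verdict"] != "denied":
            continue
        src, tgt = context_type(rec["scontext"]), context_type(rec["tcontext"])
        wanted[(src, "self" if src == tgt else tgt, rec["tclass"])].update(rec["perms"])
    rules = []
    for (src, tgt, cls), perms in sorted(wanted.items()):
        perm_text = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_text = "{ %s }" % perm_text
        rules.append("allow %s %s:%s %s;" % (src, tgt, cls, perm_text))
    return rules


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_LOG):
        print(rule)
```

Run against a real box with `ausearch -m AVC --raw` output on stdin instead of SAMPLE_LOG; the aggregation deliberately keys on the types, not the full contexts, which is what audit2allow does and what makes two denials with different pids collapse into one rule.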

Comment 9 Paul DeStefano 2017-01-02 02:39:45 UTC
I think I just ran into this on F25.  Any update?  I'm really hoping kdump will help me.

Comment 10 Lukas Vrabec 2017-01-08 20:29:13 UTC
*** Bug 1311534 has been marked as a duplicate of this bug. ***

Comment 11 Fedora Update System 2017-01-09 14:02:53 UTC
selinux-policy-3.13.1-191.24.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2017-7585703fbe

Comment 12 Fedora Update System 2017-01-10 03:23:29 UTC
selinux-policy-3.13.1-191.24.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-7585703fbe

Comment 13 Fedora Update System 2017-02-02 20:50:38 UTC
selinux-policy-3.13.1-191.24.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

