Description of problem:
SELinux is preventing kexec from using the 'sys_admin' capabilities.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that kexec should have the sys_admin capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'kexec' --raw | audit2allow -M my-kexec
# semodule -X 300 -i my-kexec.pp

Additional Information:
Source Context                system_u:system_r:kdump_t:s0
Target Context                system_u:system_r:kdump_t:s0
Target Objects                Unknown [ capability ]
Source                        kexec
Source Path                   kexec
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-191.5.fc24.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.6.3-300.fc24.x86_64 #1 SMP Fri Jun 24 20:52:41 UTC 2016 x86_64 x86_64
Alert Count                   747
First Seen                    2016-07-19 14:21:11 CEST
Last Seen                     2016-07-19 17:49:29 CEST
Local ID                      8e77b924-91b8-4d19-93ea-870e94f40059

Raw Audit Messages
type=AVC msg=audit(1468943369.762:503): avc: denied { sys_admin } for pid=3161 comm="kexec" capability=21 scontext=system_u:system_r:kdump_t:s0 tcontext=system_u:system_r:kdump_t:s0 tclass=capability permissive=0

Hash: kexec,kdump_t,kdump_t,capability,sys_admin

Version-Release number of selected component:
selinux-policy-3.13.1-191.5.fc24.noarch

Additional info:
reporter:       libreport-2.7.1
hashmarkername: setroubleshoot
kernel:         4.6.3-300.fc24.x86_64
reproducible:   Not sure how to reproduce the problem
type:           libreport
Description of problem:
Normal system startup, though it's a system I have upgraded since Fedora 18, so there may be some leftovers.

Version-Release number of selected component:
selinux-policy-3.13.1-158.15.fc23.noarch

Additional info:
reporter:       libreport-2.7.1
hashmarkername: setroubleshoot
kernel:         4.6.4-301.fc24.x86_64
reproducible:   Not sure how to reproduce the problem
type:           libreport

Description of problem:
systemctl start kdump.service

Version-Release number of selected component:
selinux-policy-3.13.1-191.5.fc24.noarch

Additional info:
reporter:       libreport-2.7.2
hashmarkername: setroubleshoot
kernel:         4.6.4-301.fc24.x86_64
type:           libreport
Also on F23. Seems like a regression, though I don't know what changed to cause it; kexec-tools hasn't been updated since upgrading to F23. Maybe a kernel update?

selinux-policy-targeted-3.13.1-158.21.fc23.noarch
kexec-tools-2.0.10-10.fc23.x86_64
kernel-4.6.4-201.fc23.x86_64 (MAYBE GOOD?)
kernel-4.6.6-200.fc23.x86_64

kernel-4.5.7-202.fc23.x86_64 GOOD
kernel-4.6.4-201.fc23.x86_64 BAD

Checked old "journal -b" and confirmed by booting into kernel-4.5.7-202.fc23.x86_64. So it's likely some kernel change that is causing kexec to hit an SELinux denial. Any ideas?
Hi,

One possible commit is in 4.6.0: /proc/iomem can only be read by a process with CAP_SYS_ADMIN, so non-root users cannot see it. Linus said no need to worry about fine-grained capabilities; that means kexec runs as root, so it should be OK.

Upstream commit:

commit 51d7b120418e99d6b3bf8df9eb3cc31e8171dee4
Author: Linus Torvalds <torvalds>
Date:   Thu Apr 14 12:05:37 2016 -0700

    /proc/iomem: only expose physical resource addresses to privileged users

    In commit c4004b02f8e5b ("x86: remove the kernel code/data/bss resources
    from /proc/iomem") I was hoping to remove the physical kernel address
    data from /proc/iomem entirely, but that had to be reverted because some
    system programs actually use it.

    This limits all the detailed resource information to properly
    credentialed users instead.

    Signed-off-by: Linus Torvalds <torvalds>

Thanks
Dave
Looks like we should just add a dontaudit rule. Or does kdump actually need to read this?

Daniel, do you mean kexec run as root still lacks the SYS_ADMIN capability? If so, adding a rule should be necessary, because kexec-tools depends on reading /proc/iomem in its source code.

OK, if it depends on that then it needs sys_admin, so we need to add the rule.
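The raw AVC record quoted in the first report, and the allow-versus-dontaudit choice discussed above, as an added example that is not part of this bug thread: a small parser that pulls the source/target types, object class and permission out of an AVC line and builds the TE rule that `ausearch | audit2allow` would produce for it (CAP_SYS_ADMIN is capability number 21 in Linux, which is why the record carries both `capability=21` and `sys_admin`).

```python
import re

# AVC record as quoted in the setroubleshoot report above (comment 1).
AVC_LINE = ('type=AVC msg=audit(1468943369.762:503): avc: denied { sys_admin } '
            'for pid=3161 comm="kexec" capability=21 '
            'scontext=system_u:system_r:kdump_t:s0 '
            'tcontext=system_u:system_r:kdump_t:s0 tclass=capability permissive=0')

# "avc: denied { perm ... } for key=value ..." ; everything after "for" is key=value pairs.
_AVC_RE = re.compile(r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}'
                     r'\s+for\s+(?P<fields>.*)$')
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict describing one AVC record, or None if the line is not an AVC record."""
    m = _AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in _KV_RE.findall(m.group('fields'))}
    rec = {'verdict': m.group('verdict'),
           'perms': m.group('perms').split(),
           # permissive=0 means the denial was actually enforced, not just logged.
           'enforcing': fields.get('permissive') == '0'}
    for key in ('comm', 'pid', 'capability', 'tclass', 'scontext', 'tcontext'):
        rec[key] = fields.get(key)
    return rec


def type_of(context):
    """Type field of a user:role:type:level SELinux context, e.g. kdump_t."""
    return context.split(':')[2]


def te_rule(rec, kind='allow'):
    """TE rule for the record: kind is 'allow' (audit2allow's output) or 'dontaudit'
    (the alternative raised in the thread, which silences the AVC without granting it)."""
    perms = rec['perms']
    perm_text = perms[0] if len(perms) == 1 else '{ %s }' % ' '.join(perms)
    return '%s %s %s:%s %s;' % (kind, type_of(rec['scontext']),
                                type_of(rec['tcontext']), rec['tclass'], perm_text)


if __name__ == '__main__':
    rec = parse_avc(AVC_LINE)
    print(rec)
    print(te_rule(rec))
    print(te_rule(rec, 'dontaudit'))
```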
*** Bug 1372796 has been marked as a duplicate of this bug. ***
selinux-policy-3.13.1-191.16.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-fe39b806b6
selinux-policy-3.13.1-191.16.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-fe39b806b6
selinux-policy-3.13.1-191.16.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.