RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1411331 - abrt-harvest-vmcore can't read the kernel crash
Summary: abrt-harvest-vmcore can't read the kernel crash
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: selinux-policy
Version: 8.3
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: rc
: ---
Assignee: Zdenek Pytela
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-01-09 13:53 UTC by Frank Büttner
Modified: 2022-01-05 13:43 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-06-02 20:09:42 UTC
Type: Bug
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)

Description Frank Büttner 2017-01-09 13:53:36 UTC 
Description of problem:
When the kernel was crashed after the reboot abrt-harvest-vmcore can't  read the crash.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.13.1-102.el7_3.7.noarch

How reproducible:
Every time

Steps to Reproduce:
1. Let the kernel crash
2. wait for reboot


Actual results:
At the reboot abrt-harvest-vmcore can't read the crash dump directory.

Expected results:
abrt-harvest-vmcore can analyse the crash.


Additional info:
systemd:
abrt-harvest-vmcore[2383]: VMCore dir '/var/crash/127.0.0.1-2017-01-09-14:38:37' not accessible.

audit:
type=AVC msg=audit(1483969178.342:65): avc:  denied  { read } for  pid=2383 comm="abrt-harvest-vm" name="127.0.0.1-2017-01-09-14:38:37" dev="dm-5" ino=3201 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
type=SYSCALL msg=audit(1483969178.342:65): arch=c000003e syscall=257 success=no exit=-13 a0=ffffffffffffff9c a1=1627890 a2=90800 a3=0 items=0 ppid=1 pid=2383 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="abrt-harvest-vm" exe="/usr/bin/python2.7" subj=system_u:system_r:abrt_t:s0-s0:c0.c1023 key=(null)
Comment 2 Lukas Vrabec 2017-01-10 23:34:05 UTC 
Hi Frank,
Did you booted with SELinux disabled and then turned SELinux in enforcing mode again? 

Could you please run following command:
# restorecon -R / 

Then try to repeat the scenario? 

Thanks.
Comment 3 Frank Büttner 2017-01-12 08:13:26 UTC 
Selinux was never disabled on this system.
before restorecon -R / :
ll -Z /var/ 
drwxr-xr-x. root      root          system_u:object_r:kdump_crash_t:s0 crash
after:
drwxr-xr-x. root      root          system_u:object_r:kdump_crash_t:s0 crash
trigger an kernel panic:
abrt-harvest-vmcore[2438]: VMCore dir '/var/crash/127.0.0.1-2017-01-12-09:03:13' not accessible.

But what I can see is:
ll -Z /var/crash/
drwxr-xr-x. root root system_u:object_r:kdump_crash_t:s0 .
drwxr-xr-x. root root system_u:object_r:var_t:s0       ..
drwxr-xr-x. root root system_u:object_r:unlabeled_t:s0 127.0.0.1-2017-01-12-09:03:13

that the crash directory itself has an different context.  


restorecon -R /var/crash/
systemctl restart abrt-vmcore
systemctl reboot
Now the crash are recognized:
systemd[1]: Starting Harvest vmcores for ABRT...
systemd[1]: Started Harvest vmcores for ABRT.
abrt-dump-oops[2410]: Found oopses: 1
abrt-dump-oops[2410]: Updating problem directory
Comment 5 Milos Malik 2017-08-17 11:17:45 UTC 
Hi Martin, could you help us to reproduce the issue? We need to know the SELinux labels of directories inside /var/crash directory.

# setenforce 0
# ls -Z /var/crash

It seems that /var/crash/127.0.0.1-2017-01-12-09:03:13 was created with an invalid SELinux label.
Comment 6 Lukas Vrabec 2017-10-12 12:17:45 UTC 
We're going to close this bug as WONTFIX because

 * of limited capacity of selinux-policy developers
 * the bug is related to EPEL component or 3rd party SW only
 * the bug appears in unsupported configuration 

We believe this bug can be fixed via a local policy module.
For more information please see: 

 * https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sect-security-enhanced_linux-troubleshooting-fixing_problems#sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow

If you disagree, please re-open the bug.
Comment 7 Lukas Vrabec 2017-10-12 12:20:53 UTC 
We're going to close this bug as WONTFIX because

 * of limited capacity of selinux-policy developers
 * the bug is related to EPEL component or 3rd party SW only
 * the bug appears in unsupported configuration 

We believe this bug can be fixed via a local policy module.
For more information please see: 

 * https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sect-security-enhanced_linux-troubleshooting-fixing_problems#sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow

If you disagree, please re-open the bug.
Comment 8 Frank Büttner 2021-01-07 11:35:34 UTC 
The same will happens on RHEL 8.3. :(
Comment 11 Zdenek Pytela 2021-01-07 13:15:20 UTC 
Frank,

Could you provide more details on your setup? Namely about /var/crash: is it a separate filesystem? Are there some special conditions to trigger the denial in addition to the bz description?

mount
ls -laZ /var/crash
ausearch -i -m avc,user_avc -ts boot
restorecon -Rvn /var/crash
(will not change any label)
Comment 12 Frank Büttner 2021-01-07 15:42:02 UTC 
I have tried both scenarios, /var/crash on the / and on an separate file system. But the result is the same.
But after some testing it looks like the bad guy it the kernel dumper itself, because when I create an test directory via mkdir /var/crash/foo, then /var/crash/foo will have the right context.
Only the when the subdirectory directory is created by an kernel crash, then it will have the wrong context. For testing I trigger kernel crash via:
echo 1 > /proc/sys/kernel/sysrq 
echo c > /proc/sysrq-trigger
Comment 13 Zdenek Pytela 2021-06-02 20:09:42 UTC 
This issue was not selected to be included in Red Hat Enterprise Linux 8 because it is seen either as low or moderate impact to a small number of use cases.

That being said, this bug tracking system is not a mechanism for requesting support, and we are not able to guarantee the timeliness or suitability of a resolution. If this issue is critical or in any way time sensitive, please raise a ticket through the regular Red Hat support channels to ensure it receives the proper attention and prioritization to assure a timely resolution.
Note You need to log in before you can comment on or make changes to this bug.