Bug 1411331 - abrt-harvest-vmcore can't read the kernel crash
Summary: abrt-harvest-vmcore can't read the kernel crash
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: selinux-policy
Version: 8.3
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: rc
: ---
Assignee: Zdenek Pytela
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-01-09 13:53 UTC by Frank Büttner
Modified: 2022-01-05 13:43 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-06-02 20:09:42 UTC
Type: Bug
Target Upstream Version:


Attachments (Terms of Use)

Description Frank Büttner 2017-01-09 13:53:36 UTC
Description of problem:
When the kernel was crashed after the reboot abrt-harvest-vmcore can't  read the crash.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.13.1-102.el7_3.7.noarch

How reproducible:
Every time

Steps to Reproduce:
1. Let the kernel crash
2. wait for reboot


Actual results:
At the reboot abrt-harvest-vmcore can't read the crash dump directory.

Expected results:
abrt-harvest-vmcore can analyse the crash.


Additional info:
systemd:
abrt-harvest-vmcore[2383]: VMCore dir '/var/crash/127.0.0.1-2017-01-09-14:38:37' not accessible.

audit:
type=AVC msg=audit(1483969178.342:65): avc:  denied  { read } for  pid=2383 comm="abrt-harvest-vm" name="127.0.0.1-2017-01-09-14:38:37" dev="dm-5" ino=3201 scontext=system_u:system_r:abrt_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir
type=SYSCALL msg=audit(1483969178.342:65): arch=c000003e syscall=257 success=no exit=-13 a0=ffffffffffffff9c a1=1627890 a2=90800 a3=0 items=0 ppid=1 pid=2383 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="abrt-harvest-vm" exe="/usr/bin/python2.7" subj=system_u:system_r:abrt_t:s0-s0:c0.c1023 key=(null)

Comment 2 Lukas Vrabec 2017-01-10 23:34:05 UTC
Hi Frank,
Did you booted with SELinux disabled and then turned SELinux in enforcing mode again? 

Could you please run following command:
# restorecon -R / 

Then try to repeat the scenario? 

Thanks.

Comment 3 Frank Büttner 2017-01-12 08:13:26 UTC
Selinux was never disabled on this system.
before restorecon -R / :
ll -Z /var/ 
drwxr-xr-x. root      root          system_u:object_r:kdump_crash_t:s0 crash
after:
drwxr-xr-x. root      root          system_u:object_r:kdump_crash_t:s0 crash
trigger an kernel panic:
abrt-harvest-vmcore[2438]: VMCore dir '/var/crash/127.0.0.1-2017-01-12-09:03:13' not accessible.

But what I can see is:
ll -Z /var/crash/
drwxr-xr-x. root root system_u:object_r:kdump_crash_t:s0 .
drwxr-xr-x. root root system_u:object_r:var_t:s0       ..
drwxr-xr-x. root root system_u:object_r:unlabeled_t:s0 127.0.0.1-2017-01-12-09:03:13

that the crash directory itself has an different context.  


restorecon -R /var/crash/
systemctl restart abrt-vmcore
systemctl reboot
Now the crash are recognized:
systemd[1]: Starting Harvest vmcores for ABRT...
systemd[1]: Started Harvest vmcores for ABRT.
abrt-dump-oops[2410]: Found oopses: 1
abrt-dump-oops[2410]: Updating problem directory

Comment 5 Milos Malik 2017-08-17 11:17:45 UTC
Hi Martin, could you help us to reproduce the issue? We need to know the SELinux labels of directories inside /var/crash directory.

# setenforce 0
# ls -Z /var/crash

It seems that /var/crash/127.0.0.1-2017-01-12-09:03:13 was created with an invalid SELinux label.

Comment 6 Lukas Vrabec 2017-10-12 12:17:45 UTC
We're going to close this bug as WONTFIX because

 * of limited capacity of selinux-policy developers
 * the bug is related to EPEL component or 3rd party SW only
 * the bug appears in unsupported configuration 

We believe this bug can be fixed via a local policy module.
For more information please see: 

 * https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sect-security-enhanced_linux-troubleshooting-fixing_problems#sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow

If you disagree, please re-open the bug.

Comment 7 Lukas Vrabec 2017-10-12 12:20:53 UTC
We're going to close this bug as WONTFIX because

 * of limited capacity of selinux-policy developers
 * the bug is related to EPEL component or 3rd party SW only
 * the bug appears in unsupported configuration 

We believe this bug can be fixed via a local policy module.
For more information please see: 

 * https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sect-security-enhanced_linux-troubleshooting-fixing_problems#sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow

If you disagree, please re-open the bug.

Comment 8 Frank Büttner 2021-01-07 11:35:34 UTC
The same will happens on RHEL 8.3. :(

Comment 11 Zdenek Pytela 2021-01-07 13:15:20 UTC
Frank,

Could you provide more details on your setup? Namely about /var/crash: is it a separate filesystem? Are there some special conditions to trigger the denial in addition to the bz description?

mount
ls -laZ /var/crash
ausearch -i -m avc,user_avc -ts boot
restorecon -Rvn /var/crash
(will not change any label)

Comment 12 Frank Büttner 2021-01-07 15:42:02 UTC
I have tried both scenarios, /var/crash on the / and on an separate file system. But the result is the same.
But after some testing it looks like the bad guy it the kernel dumper itself, because when I create an test directory via mkdir /var/crash/foo, then /var/crash/foo will have the right context.
Only the when the subdirectory directory is created by an kernel crash, then it will have the wrong context. For testing I trigger kernel crash via:
echo 1 > /proc/sys/kernel/sysrq 
echo c > /proc/sysrq-trigger

Comment 13 Zdenek Pytela 2021-06-02 20:09:42 UTC
This issue was not selected to be included in Red Hat Enterprise Linux 8 because it is seen either as low or moderate impact to a small number of use cases.

That being said, this bug tracking system is not a mechanism for requesting support, and we are not able to guarantee the timeliness or suitability of a resolution. If this issue is critical or in any way time sensitive, please raise a ticket through the regular Red Hat support channels to ensure it receives the proper attention and prioritization to assure a timely resolution.


Note You need to log in before you can comment on or make changes to this bug.