Bug 1536991 - RHEL Atomic 7.4.3 breaks kdump due to SELinux denial for reading kernel image
Summary: RHEL Atomic 7.4.3 breaks kdump due to SELinux denial for reading kernel image
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: rhel-server-atomic
Version: 7.4
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Colin Walters
QA Contact: atomic-bugs@redhat.com
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-01-22 08:43 UTC by Martin Pitt
Modified: 2018-04-11 00:00 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-04-11 00:00:22 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2018:1067 0 None None None 2018-04-11 00:00:37 UTC

Description Martin Pitt 2018-01-22 08:43:58 UTC
Description of problem: kdump stops working after upgrading RHEL Atomic 7.4.2 to 7.4.3.

This got caught by Cockpit's integration tests (https://github.com/cockpit-project/cockpit/pull/8459).


Version-Release number of selected component (if applicable):

works:
  rhel-atomic-host-ostree:rhel-atomic-host/7/x86_64/standard
                   Version: 7.4.2 (2017-10-17 02:47:56)
                    Commit: 2eceacd73c4de494ff3f90448467934614cf9f72cb316693db2cad47bd79015e

fails:
  rhel-atomic-host-ostree:rhel-atomic-host/7/x86_64/standard
                   Version: 7.4.3-1 (2018-01-04 17:38:17)
                    Commit: 83350a7fb3a3ebd09c5996eec5ec8307f61bbb463b999bdfece223288927a60f


How reproducible: Always


Steps to Reproduce:
1. Enable kdump (otherwise kdump.service fails with "No memory reserved for crash kernel"):
   # sed -i 's/crashkernel=auto/crashkernel=256M/' /boot/grub2/grub.cfg
2. # reboot
3. # systemctl status -l kdump.service

Actual results:

● kdump.service - Crash recovery kernel arming
   Loaded: loaded (/usr/lib/systemd/system/kdump.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Mon 2018-01-22 08:17:30 UTC; 25min ago
  Process: 948 ExecStart=/usr/bin/kdumpctl start (code=exited, status=1/FAILURE)
 Main PID: 948 (code=exited, status=1/FAILURE)

Jan 22 08:17:29 m1 dracut[2282]: lrwxrwxrwx   1 root     root            6 Jan 22 08:17 var/run -> ../run
Jan 22 08:17:29 m1 dracut[2282]: ========================================================================
Jan 22 08:17:29 m1 dracut[2282]: *** Creating initramfs image file '/boot/ostree/rhel-atomic-host-00cf92f003e95f6267ab6e294f89a4802c610df4b5cb9c1aa1051233a9832c61/initramfs-3.10.0-693.11.6.el7.x86_64kdump.img' done ***
Jan 22 08:17:30 m1 kdumpctl[948]: Cannot open `/boot/ostree/rhel-atomic-host-00cf92f003e95f6267ab6e294f89a4802c610df4b5cb9c1aa1051233a9832c61/vmlinuz-3.10.0-693.11.6.el7.x86_64': Permission denied
Jan 22 08:17:30 m1 kdumpctl[948]: kexec: failed to load kdump kernel
Jan 22 08:17:30 m1 kdumpctl[948]: Starting kdump: [FAILED]



Expected results:

● kdump.service - Crash recovery kernel arming
   Loaded: loaded (/usr/lib/systemd/system/kdump.service; enabled; vendor preset: enabled)
   Active: active (exited) since Mon 2018-01-22 08:17:25 UTC; 22s ago
  Process: 914 ExecStart=/usr/bin/kdumpctl start (code=exited, status=0/SUCCESS)
 Main PID: 914 (code=exited, status=0/SUCCESS)

Jan 22 08:17:24 m1 dracut[2246]: -rw-r--r--   1 root     root          118 Jan  1  1970 usr/share/zoneinfo/Etc/UTC
Jan 22 08:17:24 m1 dracut[2246]: drwxr-xr-x   3 root     root            0 Jan 22 08:17 var
Jan 22 08:17:24 m1 dracut[2246]: lrwxrwxrwx   1 root     root           11 Jan 22 08:17 var/lock -> ../run/lock
Jan 22 08:17:24 m1 dracut[2246]: drwx------   2 root     root            0 Jan 22 08:17 var/roothome
Jan 22 08:17:24 m1 dracut[2246]: lrwxrwxrwx   1 root     root            6 Jan 22 08:17 var/run -> ../run
Jan 22 08:17:24 m1 dracut[2246]: ========================================================================
Jan 22 08:17:24 m1 dracut[2246]: *** Creating initramfs image file '/boot/ostree/rhel-atomic-host-5144fc202f72607b451b716922fb1f577edc788c1ee701fa22b3084f5e429f04/initramfs-3.10.0-693.5.2.el7.x86_64kdump.img' done ***
Jan 22 08:17:25 m1 kdumpctl[914]: kexec: loaded kdump kernel
Jan 22 08:17:25 m1 kdumpctl[914]: Starting kdump: [OK]


Additional info:

This seems to be a new SELinux denial. dmesg shows:

[   41.799447] type=1400 audit(1516609050.138:5): avc:  denied  { read } for  pid=13056 comm="kexec" name="vmlinuz-3.10.0-693.11.6.el7.x86_64" dev="vda1" ino=786497 scontext=system_u:system_r:kdump_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=file
[   41.803531] type=1400 audit(1516609050.143:6): avc:  denied  { read } for  pid=13056 comm="kexec" name="vmlinuz-3.10.0-693.11.6.el7.x86_64" dev="vda1" ino=786497 scontext=system_u:system_r:kdump_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=file
[   41.807244] type=1400 audit(1516609050.147:7): avc:  denied  { read } for  pid=13056 comm="kexec" name="vmlinuz-3.10.0-693.11.6.el7.x86_64" dev="vda1" ino=786497 scontext=system_u:system_r:kdump_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=file
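
A triage helper for the denial records quoted in the report above, as an added example that is not part of the original bug report or of any Red Hat tooling: it parses `avc: denied` lines, extracts the SELinux type from each context and collapses repeats, so the identical records reduce to one finding (kexec running as kdump_t denied read on a file labeled modules_object_t). The function names are hypothetical, and the last sample line is constructed to show that non-AVC kernel messages are skipped.

```python
import re
from collections import Counter

# Sample input: two of the dmesg records from the report, plus one constructed
# non-AVC line to show that unrelated kernel messages are ignored.
SAMPLE = """\
[   41.799447] type=1400 audit(1516609050.138:5): avc:  denied  { read } for  pid=13056 comm="kexec" name="vmlinuz-3.10.0-693.11.6.el7.x86_64" dev="vda1" ino=786497 scontext=system_u:system_r:kdump_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=file
[   41.803531] type=1400 audit(1516609050.143:6): avc:  denied  { read } for  pid=13056 comm="kexec" name="vmlinuz-3.10.0-693.11.6.el7.x86_64" dev="vda1" ino=786497 scontext=system_u:system_r:kdump_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=file
[   41.900000] EXT4-fs (vda1): constructed unrelated line
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def parse_avc(line):
    """Parse one AVC denial line into a dict, or return None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    fields["perms"] = tuple(m.group("perms").split())
    return fields


def summarize(log_text):
    """Count denials per (source type, target type, class, perms, comm, name)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (selinux_type(rec["scontext"]), selinux_type(rec["tcontext"]),
               rec["tclass"], rec["perms"], rec.get("comm"), rec.get("name"))
        counts[key] += 1
    return counts


if __name__ == "__main__":
    for (src, tgt, cls, perms, comm, name), n in summarize(SAMPLE).items():
        print(f"{n}x {comm} ({src}) denied {{ {' '.join(perms)} }} on {cls} {name} labeled {tgt}")
```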

Comment 3 Colin Walters 2018-01-22 14:42:00 UTC
This is probably related to https://github.com/projectatomic/rpm-ostree/pull/959

See also: https://github.com/projectatomic/rpm-ostree/issues/990

Comment 4 Colin Walters 2018-02-02 18:48:52 UTC
https://github.com/ostreedev/ostree/pull/1444

Comment 8 errata-xmlrpc 2018-04-11 00:00:22 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2018:1067

