Bug 1766799 - SELinux prevents kexec from running during reboot
Summary: SELinux prevents kexec from running during reboot
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 30
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2019-10-29 22:35 UTC by Scott Shambarger
Modified: 2019-12-11 01:32 UTC (History)
5 users (show)

Fixed In Version: selinux-policy-3.14.3-53.fc30
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-12-05 08:34:52 UTC
Type: Bug



Description Scott Shambarger 2019-10-29 22:35:49 UTC
Description of problem:
I've been unable to systemctl kexec for a while, and finally tracked down the problem to SELinux.

With SELinux enabled, kexec fails and falls back to regular reboot...

Setting up a serial console and capturing the AVC denials at shutdown, I found that kexec is not run ("Permission denied"); the denials are:

audit: type=1400 audit(1572386693.542:329): avc:  denied  { nosuid_transition } for  pid=2013 comm="shutdown" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kdump_t:s0 tclass=process2 permissive=1
sd 1:0:0:0: [sdb] Synchronizing SCSI cache
audit: type=1400 audit(1572386693.553:330): avc:  denied  { create } for  pid=2013 comm="kexec" scontext=system_u:system_r:kdump_t:s0 tcontext=system_u:system_r:kdump_t:s0 tclass=udp_socket permissive=1
audit: type=1400 audit(1572386693.553:331): avc:  denied  { create } for  pid=2013 comm="kexec" scontext=system_u:system_r:kdump_t:s0 tcontext=system_u:system_r:kdump_t:s0 tclass=netlink_route_socket permissive=1

# These required running with the perms above in policy...
audit: type=1400 audit(1572386892.384:322): avc:  denied  { bind } for  pid=1891 comm="kexec" scontext=system_u:system_r:kdump_t:s0 tcontext=system_u:system_r:kdump_t:s0 tclass=netlink_route_socket permissive=1
audit: type=1400 audit(1572386892.384:323): avc:  denied  { getattr } for  pid=1891 comm="kexec" scontext=system_u:system_r:kdump_t:s0 tcontext=system_u:system_r:kdump_t:s0 tclass=netlink_route_socket permissive=1
audit: type=1400 audit(1572386892.384:324): avc:  denied  { nlmsg_read } for  pid=1891 comm="kexec" scontext=system_u:system_r:kdump_t:s0 tcontext=system_u:system_r:kdump_t:s0 tclass=netlink_route_socket permissive=1

# And again, after the above were added....
audit: type=1400 audit(1572387315.204:321): avc:  denied  { ioctl } for  pid=1847 comm="kexec" path="socket:[31645]" dev="sockfs" ino=31645 ioctlcmd=0x8913 scontext=system_u:system_r:kdump_t:s0 tcontext=system_u:system_r:kdump_t:s0 tclass=udp_socket permissive=1


Version-Release number of selected component (if applicable):
selinux-policy-3.14.3-46.fc30.noarch

How reproducible:
Anytime systemctl kexec is run with SELinux in enforcing mode.

Steps to Reproduce:
1. SELinux enforcing
2. load kernel
3. run systemctl kexec

Actual results:
System reboots normally via EFI or BIOS

Expected results:
Kernel should boot directly

Additional info:

Adding the following policy results in no denials on reboot (related to kexec, there's other open issues like Bug #1656430):

policy_module(myinit,0.1.0)

require {
        type init_t, kdump_t;
};

# allow kexec to run
allow init_t kdump_t:process2 nosuid_transition;
allow kdump_t self:udp_socket { create ioctl };
allow kdump_t self:netlink_route_socket { create bind getattr nlmsg_read };

This appears to be an issue going back several releases....
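The policy module in the report was derived by hand from the AVC lines above: each denial names a source type (scontext), a target type (tcontext), an object class (tclass) and the permissions refused, and the fix collapses them into allow rules, writing "self" where source and target type coincide. The following is an added illustration of that derivation, not code from the bug report, Fedora or the selinux-policy project; it is a reduced stand-in for what audit2allow does, run over the denial lines quoted in the description (embedded here as constructed sample input, with one unrelated kernel line to show that non-AVC output is ignored). The function names are the example's own.

```python
import re
from collections import OrderedDict

# Constructed sample input: the AVC denial lines quoted in the bug description,
# plus one unrelated kernel line to show that non-AVC output is skipped.
SAMPLE_AVC_LINES = """\
audit: type=1400 audit(1572386693.542:329): avc:  denied  { nosuid_transition } for  pid=2013 comm="shutdown" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kdump_t:s0 tclass=process2 permissive=1
sd 1:0:0:0: [sdb] Synchronizing SCSI cache
audit: type=1400 audit(1572386693.553:330): avc:  denied  { create } for  pid=2013 comm="kexec" scontext=system_u:system_r:kdump_t:s0 tcontext=system_u:system_r:kdump_t:s0 tclass=udp_socket permissive=1
audit: type=1400 audit(1572386693.553:331): avc:  denied  { create } for  pid=2013 comm="kexec" scontext=system_u:system_r:kdump_t:s0 tcontext=system_u:system_r:kdump_t:s0 tclass=netlink_route_socket permissive=1
audit: type=1400 audit(1572386892.384:322): avc:  denied  { bind } for  pid=1891 comm="kexec" scontext=system_u:system_r:kdump_t:s0 tcontext=system_u:system_r:kdump_t:s0 tclass=netlink_route_socket permissive=1
audit: type=1400 audit(1572386892.384:323): avc:  denied  { getattr } for  pid=1891 comm="kexec" scontext=system_u:system_r:kdump_t:s0 tcontext=system_u:system_r:kdump_t:s0 tclass=netlink_route_socket permissive=1
audit: type=1400 audit(1572386892.384:324): avc:  denied  { nlmsg_read } for  pid=1891 comm="kexec" scontext=system_u:system_r:kdump_t:s0 tcontext=system_u:system_r:kdump_t:s0 tclass=netlink_route_socket permissive=1
audit: type=1400 audit(1572387315.204:321): avc:  denied  { ioctl } for  pid=1847 comm="kexec" path="socket:[31645]" dev="sockfs" ino=31645 ioctlcmd=0x8913 scontext=system_u:system_r:kdump_t:s0 tcontext=system_u:system_r:kdump_t:s0 tclass=udp_socket permissive=1
"""

# One regex for the fields a rule needs: the permission set, both contexts,
# the object class and the optional permissive flag.  Anything between the
# permission set and scontext (comm=, path=, ioctlcmd=, ...) is skipped.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)"
    r"\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)


def context_type(ctx):
    """Return the type field of a user:role:type[:range] security context."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one audit line; return its fields, or None if it is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": m.group("perms").split(),
        "stype": context_type(m.group("scontext")),
        "ttype": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
        # permissive=1: the access was logged but not blocked (permissive mode
        # or a permissive domain); permissive=0: it was actually refused.
        "permissive": m.group("permissive") == "1",
    }


def collect_rules(lines):
    """Group denials by (source type, target type, class), keeping first-seen order."""
    rules = OrderedDict()
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["stype"], rec["ttype"], rec["tclass"])
        perms = rules.setdefault(key, [])
        for p in rec["perms"]:
            if p not in perms:
                perms.append(p)
    return rules


def render_rules(rules):
    """Render each group as an allow rule, using 'self' when source and target types match."""
    out = []
    for (stype, ttype, tclass), perms in rules.items():
        target = "self" if stype == ttype else ttype
        permset = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        out.append(f"allow {stype} {target}:{tclass} {permset};")
    return out


def render_module(name, rules, version="0.1.0"):
    """Wrap the rules in a policy_module with a require block, as in the report."""
    types = []
    for stype, ttype, _ in rules:
        for t in (stype, ttype):
            if t not in types:
                types.append(t)
    body = [f"policy_module({name},{version})", "", "require {",
            "        type " + ", ".join(types) + ";", "};", ""]
    body.extend(render_rules(rules))
    return "\n".join(body) + "\n"


if __name__ == "__main__":
    print(render_module("myinit", collect_rules(SAMPLE_AVC_LINES.splitlines())))
```

Run on the sample, the generated rules are the three allow lines of the module above. The grouping step is what turns seven denials into three rules; the "self" substitution is the one piece of SELinux knowledge the rendering needs. In practice each generated rule is still reviewed before it is loaded, since a denial records what a program attempted, not what the policy should permit; here the kdump_t socket operations match kexec's legitimate need to read routing information before switching kernels, which is why the same rules were adopted upstream.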

Comment 1 Lukas Vrabec 2019-10-30 09:25:57 UTC
Fixed in Fedora 30+ 

commit 8ccc1cb000fb1b478245509dff2aa9f3a5acf673 (HEAD -> rawhide)
Author: Lukas Vrabec <lvrabec@redhat.com>
Date:   Wed Oct 30 10:24:12 2019 +0100

    Allow kdump_t domain to create netlink_route and udp sockets
    
    Resolves: rhbz#1766799

Comment 2 Fedora Update System 2019-12-04 07:50:37 UTC
FEDORA-2019-e9d8868185 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-e9d8868185

Comment 3 Fedora Update System 2019-12-05 02:00:58 UTC
selinux-policy-3.14.3-53.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-e9d8868185

Comment 4 Scott Shambarger 2019-12-05 08:34:52 UTC
Tested on F31, selinux-policy-3.14.4-40.fc31.noarch fixes kexec!

Thanks.

Comment 5 Fedora Update System 2019-12-06 19:20:55 UTC
FEDORA-2019-e9d8868185 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-e9d8868185

Comment 6 Fedora Update System 2019-12-07 02:18:01 UTC
container-selinux-2.123.0-2.fc30, selinux-policy-3.14.3-53.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-e9d8868185

Comment 7 Fedora Update System 2019-12-11 01:32:18 UTC
container-selinux-2.123.0-2.fc30, selinux-policy-3.14.3-53.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.

