Description of problem:
I've been unable to systemctl kexec for a while, and finally tracked down the problem to SELinux. With SELinux enabled, kexec fails and falls back to regular reboot... Setting up a serial console and capturing the AVC denials at shutdown, I found that kexec is not run ("Permission denied"); the denials are:

audit: type=1400 audit(1572386693.542:329): avc: denied { nosuid_transition } for pid=2013 comm="shutdown" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kdump_t:s0 tclass=process2 permissive=1
sd 1:0:0:0: [sdb] Synchronizing SCSI cache
audit: type=1400 audit(1572386693.553:330): avc: denied { create } for pid=2013 comm="kexec" scontext=system_u:system_r:kdump_t:s0 tcontext=system_u:system_r:kdump_t:s0 tclass=udp_socket permissive=1
audit: type=1400 audit(1572386693.553:331): avc: denied { create } for pid=2013 comm="kexec" scontext=system_u:system_r:kdump_t:s0 tcontext=system_u:system_r:kdump_t:s0 tclass=netlink_route_socket permissive=1

# These required running with the perms above in policy...
audit: type=1400 audit(1572386892.384:322): avc: denied { bind } for pid=1891 comm="kexec" scontext=system_u:system_r:kdump_t:s0 tcontext=system_u:system_r:kdump_t:s0 tclass=netlink_route_socket permissive=1
audit: type=1400 audit(1572386892.384:323): avc: denied { getattr } for pid=1891 comm="kexec" scontext=system_u:system_r:kdump_t:s0 tcontext=system_u:system_r:kdump_t:s0 tclass=netlink_route_socket permissive=1
audit: type=1400 audit(1572386892.384:324): avc: denied { nlmsg_read } for pid=1891 comm="kexec" scontext=system_u:system_r:kdump_t:s0 tcontext=system_u:system_r:kdump_t:s0 tclass=netlink_route_socket permissive=1

# And again, after the above were added....
audit: type=1400 audit(1572387315.204:321): avc: denied { ioctl } for pid=1847 comm="kexec" path="socket:[31645]" dev="sockfs" ino=31645 ioctlcmd=0x8913 scontext=system_u:system_r:kdump_t:s0 tcontext=system_u:system_r:kdump_t:s0 tclass=udp_socket permissive=1

Version-Release number of selected component (if applicable):
selinux-policy-3.14.3-46.fc30.noarch

How reproducible:
Anytime systemctl kexec is run with SELinux in enforcing mode.

Steps to Reproduce:
1. SELinux enforcing
2. load kernel
3. run systemctl kexec

Actual results:
System reboots normally via EFI or BIOS

Expected results:
Kernel should boot directly

Additional info:
Adding the following policy results in no denials on reboot (related to kexec; there are other open issues like Bug #1656430):

policy_module(myinit,0.1.0)

require {
	type init_t, kdump_t;
};

# allow kexec to run
allow init_t kdump_t:process2 nosuid_transition;
allow kdump_t self:udp_socket { create ioctl };
allow kdump_t self:netlink_route_socket { create bind getattr nlmsg_read };

This appears to be an issue going back several releases....
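As an added illustration (not the reporter's code and not part of the Fedora policy), the script below parses the AVC lines quoted above and aggregates them into the same allow rules the local module declares, which is the check a policy maintainer makes before deciding whether each rule belongs in the distribution policy or should stay local. It uses only the Python standard library; the log text is a constructed copy of the denials from the report, including the unrelated SCSI kernel message that a parser must skip.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC denials quoted in the bug report, one per line.
AVC_LOG = """
audit: type=1400 audit(1572386693.542:329): avc: denied { nosuid_transition } for pid=2013 comm="shutdown" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kdump_t:s0 tclass=process2 permissive=1
sd 1:0:0:0: [sdb] Synchronizing SCSI cache
audit: type=1400 audit(1572386693.553:330): avc: denied { create } for pid=2013 comm="kexec" scontext=system_u:system_r:kdump_t:s0 tcontext=system_u:system_r:kdump_t:s0 tclass=udp_socket permissive=1
audit: type=1400 audit(1572386693.553:331): avc: denied { create } for pid=2013 comm="kexec" scontext=system_u:system_r:kdump_t:s0 tcontext=system_u:system_r:kdump_t:s0 tclass=netlink_route_socket permissive=1
audit: type=1400 audit(1572386892.384:322): avc: denied { bind } for pid=1891 comm="kexec" scontext=system_u:system_r:kdump_t:s0 tcontext=system_u:system_r:kdump_t:s0 tclass=netlink_route_socket permissive=1
audit: type=1400 audit(1572386892.384:323): avc: denied { getattr } for pid=1891 comm="kexec" scontext=system_u:system_r:kdump_t:s0 tcontext=system_u:system_r:kdump_t:s0 tclass=netlink_route_socket permissive=1
audit: type=1400 audit(1572386892.384:324): avc: denied { nlmsg_read } for pid=1891 comm="kexec" scontext=system_u:system_r:kdump_t:s0 tcontext=system_u:system_r:kdump_t:s0 tclass=netlink_route_socket permissive=1
audit: type=1400 audit(1572387315.204:321): avc: denied { ioctl } for pid=1847 comm="kexec" path="socket:[31645]" dev="sockfs" ino=31645 ioctlcmd=0x8913 scontext=system_u:system_r:kdump_t:s0 tcontext=system_u:system_r:kdump_t:s0 tclass=udp_socket permissive=1
"""

# Matches the permission set, source/target contexts and object class of one AVC record.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)

def parse_avc(log):
    """Yield (source_type, target_type, tclass, perms) for each AVC denial line."""
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # kernel noise such as the SCSI cache message is skipped
        stype = m.group("scon").split(":")[2]  # user:role:type:level -> type
        ttype = m.group("tcon").split(":")[2]
        yield stype, ttype, m.group("tclass"), set(m.group("perms").split())

def allow_rules(log):
    """Merge denials into one allow rule per (source type, target type, class)."""
    needed = defaultdict(set)
    for stype, ttype, tclass, perms in parse_avc(log):
        needed[(stype, ttype, tclass)] |= perms
    rules = []
    for (stype, ttype, tclass), perms in sorted(needed.items()):
        # A domain acting on its own objects is written as 'self', as in the module above.
        target = "self" if stype == ttype else ttype
        perm_txt = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_txt = "{ %s }" % perm_txt
        rules.append("allow %s %s:%s %s;" % (stype, target, tclass, perm_txt))
    return rules

if __name__ == "__main__":
    print("\n".join(allow_rules(AVC_LOG)))
```

The three rules it prints are the same three the reporter's myinit module declares, differing only in permission order; each is still reviewed by hand, since a denial alone does not say whether the access is legitimate or should be dontaudited.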
Fixed in Fedora 30+

commit 8ccc1cb000fb1b478245509dff2aa9f3a5acf673 (HEAD -> rawhide)
Author: Lukas Vrabec <lvrabec>
Date:   Wed Oct 30 10:24:12 2019 +0100

    Allow kdump_t domain to create netlink_route and udp sockets

    Resolves: rhbz#1766799
FEDORA-2019-e9d8868185 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-e9d8868185
selinux-policy-3.14.3-53.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-e9d8868185
Tested on F31, selinux-policy-3.14.4-40.fc31.noarch fixes kexec! Thanks.
container-selinux-2.123.0-2.fc30, selinux-policy-3.14.3-53.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-e9d8868185
container-selinux-2.123.0-2.fc30, selinux-policy-3.14.3-53.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.