Bug 1951323 - SELinux is preventing kexec from read access on the file initramfs-5.10.19-200.fc33.x86_64kdump.img
Summary: SELinux is preventing kexec from read access on the file initramfs-5.10.19-20...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 33
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-04-19 21:44 UTC by Kelvin Fan
Modified: 2021-06-23 07:27 UTC (History)
CC List: 11 users

Fixed In Version: selinux-policy-3.14.6-38.fc33
Clone Of:
Environment:
Last Closed: 2021-06-16 01:07:20 UTC
Type: Bug
Embargoed:



Description Kelvin Fan 2021-04-19 21:44:59 UTC
Description of problem:
SELinux is preventing kdump from loading its generated initrd if `kdump` places its generated initrd in `/var/lib/kdump`, as may soon be the case when `kdump` cannot place its generated initrd in the usual `/boot` on systems where `/boot` is mounted read-only, such as Fedora/RHEL CoreOS.
The default SELinux policies for `kdump`/`kexec` may need to be modified to address this.

The following is the `sealert` output from a build of Fedora CoreOS (which has `/boot` read-only) after `kdump` attempts to load the `kdump`-generated initrd placed at `/var/lib/kdump`:
```
SELinux is preventing kexec from read access on the file initramfs-5.10.19-200.fc33.x86_64kdump.img.

*****  Plugin catchall_labels (83.8 confidence) suggests   *******************

If you want to allow kexec to have read access on the initramfs-5.10.19-200.fc33.x86_64kdump.img file
Then you need to change the label on initramfs-5.10.19-200.fc33.x86_64kdump.img
Do
# semanage fcontext -a -t FILE_TYPE 'initramfs-5.10.19-200.fc33.x86_64kdump.img'
where FILE_TYPE is one of the following: NetworkManager_tmp_t, abrt_helper_exec_t, abrt_tmp_t, abrt_upload_watch_tmp_t, abrt_var_cache_t, abrt_var_run_t, admin_crontab_tmp_t, afs_cache_t, al.
Then execute:
restorecon -v 'initramfs-5.10.19-200.fc33.x86_64kdump.img'


*****  Plugin catchall (17.1 confidence) suggests   **************************

If you believe that kexec should be allowed read access on the initramfs-5.10.19-200.fc33.x86_64kdump.img file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'kexec' --raw | audit2allow -M my-kexec
# semodule -X 300 -i my-kexec.pp


Additional Information:
Source Context                system_u:system_r:kdump_t:s0
Target Context                system_u:object_r:var_lib_t:s0
Target Objects                initramfs-5.10.19-200.fc33.x86_64kdump.img [ file
                              ]
Source                        kexec
Source Path                   kexec
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-3.14.6-36.fc33.noarch
Local Policy RPM              <Unknown>
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     cosa-devsh
Platform                      Linux cosa-devsh 5.10.19-200.fc33.x86_64 #1 SMP
                              Fri Feb 26 16:21:30 UTC 2021 x86_64 x86_64
Alert Count                   2
First Seen                    2021-04-19 21:27:43 UTC
Last Seen                     2021-04-19 21:33:04 UTC
Local ID                      5ec95c86-81bf-4add-be38-5b46ac9fe88c

Raw Audit Messages
type=AVC msg=audit(1618867984.25:148): avc:  denied  { read } for  pid=1188 comm="kexec" name="initramfs-5.10.19-200.fc33.x86_64kdump.img" dev="vda4" ino=23069869 scontext=system_u:system_r:0


Hash: kexec,kdump_t,var_lib_t,file,read
```
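
To show how the raw AVC record above maps onto the sealert summary and its `Hash:` key, here is an added Python example (not part of this report, of setroubleshoot, or of selinux-policy). It assumes a constructed, complete AVC line rebuilt from the "Additional Information" fields, because the raw line in the report is truncated after `scontext=`.

```python
import re
from dataclasses import dataclass

# Constructed sample: the report's raw AVC line is cut off after "scontext=",
# so the full record is rebuilt here from the "Additional Information" fields.
SAMPLE_AVC = (
    'type=AVC msg=audit(1618867984.25:148): avc:  denied  { read } for  pid=1188 '
    'comm="kexec" name="initramfs-5.10.19-200.fc33.x86_64kdump.img" dev="vda4" '
    'ino=23069869 scontext=system_u:system_r:kdump_t:s0 '
    'tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0'
)

AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Avc:
    result: str      # "denied" or "granted"
    perms: tuple     # permissions inside the braces, e.g. ("read",)
    fields: dict     # key=value pairs after "for", quotes stripped


def parse_avc(line):
    """Parse one audit AVC record; return None for non-AVC records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return Avc(m.group('result'), tuple(m.group('perms').split()), fields)


def type_of(context):
    """Type component of an SELinux context user:role:type[:range]."""
    parts = context.split(':')
    return parts[2] if len(parts) > 2 else None


def signatures(avc):
    """One key per permission, in the field order of sealert's Hash line:
    comm, source type, target type, object class, permission."""
    stype, ttype = type_of(avc.fields['scontext']), type_of(avc.fields['tcontext'])
    return [','.join([avc.fields['comm'], stype, ttype, avc.fields['tclass'], p])
            for p in avc.perms]


def is_kdump_var_lib_denial(avc):
    """True for the case in this bug: kdump_t denied on a var_lib_t file."""
    return (avc.result == 'denied'
            and type_of(avc.fields.get('scontext', '')) == 'kdump_t'
            and type_of(avc.fields.get('tcontext', '')) == 'var_lib_t'
            and avc.fields.get('tclass') == 'file')
```

Once a policy that gives `/var/lib/kdump` its own type is installed, a denial whose target type is still `var_lib_t` points at image files that have not been relabeled yet.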

Comment 1 Zdenek Pytela 2021-05-10 19:34:38 UTC
I've submitted a draft Fedora PR to address the issue:
https://github.com/fedora-selinux/selinux-policy/pull/732

This commit assigned a new type to files in /var/lib/kdump.

Kairui Song, do you happen to know which additional system services need the access, either read or write, to /var/lib/kdump/initramfs* image files?

Comment 2 Kairui Song 2021-05-13 06:13:10 UTC
Hi, currently there are two services that need rw access to /var/lib/kdump/initramfs* image files. One is kdump.service; the other is when dnf updates the kernel package, a kernel install hook "/lib/kernel/install.d/60-kdump.install" gets triggered and deletes unused images.

Comment 3 Zdenek Pytela 2021-05-13 17:53:52 UTC
(In reply to Kairui Song from comment #2)
> Hi, currently there are two services that need rw access to
> /var/lib/kdump/initramfs* image files. One is kdump.service, another is when
> dnf updates kernel package, a kernel install hook
> "/lib/kernel/install.d/60-kdump.install" will get triggered and delete
> unused images.
Thank you, I've updated the PR accordingly and undrafted it.

Comment 4 Fedora Update System 2021-05-31 18:33:16 UTC
FEDORA-2021-e2de9e9e55 has been submitted as an update to Fedora 33. https://bodhi.fedoraproject.org/updates/FEDORA-2021-e2de9e9e55

Comment 5 Fedora Update System 2021-06-01 00:59:38 UTC
FEDORA-2021-e2de9e9e55 has been pushed to the Fedora 33 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-e2de9e9e55`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-e2de9e9e55

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 6 Fedora Update System 2021-06-16 01:07:20 UTC
FEDORA-2021-e2de9e9e55 has been pushed to the Fedora 33 stable repository.
If the problem still persists, please make note of it in this bug report.

