Bug 1965985 - SELinux is preventing kexec from read access on the file /var/lib/kdump/initramfs-*kdump.img
Summary: SELinux is preventing kexec from read access on the file /var/lib/kdump/initr...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: selinux-policy
Version: 8.5
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: beta
Target Release: 8.5
Assignee: Zdenek Pytela
QA Contact: Milos Malik
URL:
Whiteboard:
Duplicates: 1961728 (view as bug list)
Depends On:
Blocks: 1918499 1976260 1991443 2011878
Reported: 2021-05-31 10:11 UTC by ltao
Modified: 2021-11-10 08:35 UTC (History)

Fixed In Version: selinux-policy-3.14.3-71.el8
Doc Type: Enhancement
Doc Text:
Feature: In the new version of the kexec-tools package, kdump checks if the initramfs image can be created in /boot. If the check fails, the /var/lib/kdump directory is used instead to create the initramfs image. Reason: On some operating systems, the /boot directory can be read-only, preventing the initramfs image file from being created in /boot. Result: SELinux supports kdump creating initramfs images in /var/lib/kdump.
Clone Of:
Clones: 1976260 (view as bug list)
Environment:
Last Closed: 2021-11-09 19:43:05 UTC
Type: Bug
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2021:4420 0 None None None 2021-11-09 19:43:42 UTC

Internal Links: 1965989

Description ltao 2021-05-31 10:11:40 UTC
This bug is cloned from bz1951323. On Fedora-Rawhide-20210529.n.0, kdump is working well with selinux-policy[1]; it may need to be back-ported to rhel8.5.

[1] https://github.com/fedora-selinux/selinux-policy/pull/732

Original description of problem:
SELinux is preventing kdump from loading its generated initrd if `kdump` places its generated initrd in `/var/lib/kdump`, as may soon be the case for when `kdump` cannot place its generated initrd in the usual `/boot` on systems where `/boot` is mounted read-only, such as Fedora/RHEL CoreOS.
The default SELinux policies for `kdump`/`kexec` may need to be modified to address this.

The following is the `sealert` output from a build of Fedora CoreOS (which has `/boot` read-only) after `kdump` attempts to load the `kdump`-generated initrd placed at `/var/lib/kdump`:
```
SELinux is preventing kexec from read access on the file initramfs-5.10.19-200.fc33.x86_64kdump.img.

*****  Plugin catchall_labels (83.8 confidence) suggests   *******************

If you want to allow kexec to have read access on the initramfs-5.10.19-200.fc33.x86_64kdump.img file
Then you need to change the label on initramfs-5.10.19-200.fc33.x86_64kdump.img
Do
# semanage fcontext -a -t FILE_TYPE 'initramfs-5.10.19-200.fc33.x86_64kdump.img'
where FILE_TYPE is one of the following: NetworkManager_tmp_t, abrt_helper_exec_t, abrt_tmp_t, abrt_upload_watch_tmp_t, abrt_var_cache_t, abrt_var_run_t, admin_crontab_tmp_t, afs_cache_t, al.
Then execute:
restorecon -v 'initramfs-5.10.19-200.fc33.x86_64kdump.img'


*****  Plugin catchall (17.1 confidence) suggests   **************************

If you believe that kexec should be allowed read access on the initramfs-5.10.19-200.fc33.x86_64kdump.img file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'kexec' --raw | audit2allow -M my-kexec
# semodule -X 300 -i my-kexec.pp


Additional Information:
Source Context                system_u:system_r:kdump_t:s0
Target Context                system_u:object_r:var_lib_t:s0
Target Objects                initramfs-5.10.19-200.fc33.x86_64kdump.img [ file
                              ]
Source                        kexec
Source Path                   kexec
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-3.14.6-36.fc33.noarch
Local Policy RPM              <Unknown>
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     cosa-devsh
Platform                      Linux cosa-devsh 5.10.19-200.fc33.x86_64 #1 SMP
                              Fri Feb 26 16:21:30 UTC 2021 x86_64 x86_64
Alert Count                   2
First Seen                    2021-04-19 21:27:43 UTC
Last Seen                     2021-04-19 21:33:04 UTC
Local ID                      5ec95c86-81bf-4add-be38-5b46ac9fe88c

Raw Audit Messages
type=AVC msg=audit(1618867984.25:148): avc:  denied  { read } for  pid=1188 comm="kexec" name="initramfs-5.10.19-200.fc33.x86_64kdump.img" dev="vda4" ino=23069869 scontext=system_u:system_r:0


Hash: kexec,kdump_t,var_lib_t,file,read
```
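
The denial above, as an added triage example that is not part of the bug report or of the selinux-policy project: a small Python parser that turns raw AVC lines into the same comm,source-type,target-type,class,permission key that sealert prints on its "Hash:" line, and flags the kdump_t-reads-var_lib_t combination as a labelling problem (the file should carry the type the fix introduces) rather than something to paper over with an audit2allow module. The audit lines in the block are constructed; the tcontext, tclass and permissive fields of the denial are assumed, because the page's copy of the message is cut off after scontext, and the KNOWN_MISLABELS table is an assumption seeded only with this report's case.

```python
import re
from dataclasses import dataclass

# Constructed sample audit lines modelled on the AVC in the bug description.
# Line 1 reproduces the denial (tcontext/tclass/permissive are assumed, the
# page's copy is truncated). Line 2 is what the same access looks like once
# the image carries kdump_var_lib_t, the type the fix introduces. Line 3 is a
# non-AVC record that the parser must skip.
SAMPLE_AUDIT = (
    'type=AVC msg=audit(1618867984.25:148): avc:  denied  { read } for  pid=1188 '
    'comm="kexec" name="initramfs-5.10.19-200.fc33.x86_64kdump.img" dev="vda4" '
    'ino=23069869 scontext=system_u:system_r:kdump_t:s0 '
    'tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0\n'
    'type=AVC msg=audit(1618867990.10:152): avc:  granted  { read } for  pid=1190 '
    'comm="kexec" name="initramfs-5.10.19-200.fc33.x86_64kdump.img" dev="vda4" '
    'ino=23069869 scontext=system_u:system_r:kdump_t:s0 '
    'tcontext=system_u:object_r:kdump_var_lib_t:s0 tclass=file permissive=0\n'
    'type=SYSCALL msg=audit(1618867984.25:148): arch=c000003e syscall=257 '
    'success=no exit=-13 comm="kexec"\n'
)

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<decision>denied|granted)\s+\{ (?P<perms>[^}]+)\} for\s+(?P<rest>.*)$'
)
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# Hash keys (comm,source type,target type,class,permission) that are known to
# mean "the file is mislabelled", mapped to the type the file should carry.
# Assumed table: the only entry is this report's case; extend it per policy.
KNOWN_MISLABELS = {
    "kexec,kdump_t,var_lib_t,file,read": "kdump_var_lib_t",
}


@dataclass
class AvcEvent:
    timestamp: float
    serial: int
    decision: str          # "denied" or "granted"
    perms: tuple           # permissions inside { ... }, e.g. ("read",)
    fields: dict           # pid, comm, name, scontext, tcontext, tclass, ...


def parse_avc(line):
    """Parse one audit line; return an AvcEvent, or None for non-AVC records."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for key, raw, quoted in KV_RE.findall(m.group("rest")):
        fields[key] = quoted if raw.startswith('"') else raw
    return AvcEvent(float(m.group("ts")), int(m.group("serial")),
                    m.group("decision"), tuple(m.group("perms").split()), fields)


def context_type(ctx):
    """Return the type field of a user:role:type[:level] SELinux context."""
    return ctx.split(":")[2]


def sealert_hash(ev):
    """Build the key sealert prints on its 'Hash:' line for a denial."""
    return ",".join([
        ev.fields["comm"],
        context_type(ev.fields["scontext"]),
        context_type(ev.fields["tcontext"]),
        ev.fields["tclass"],
        ev.perms[0],
    ])


def triage(audit_text):
    """One finding per denial: its hash key and, when known, the expected label."""
    findings = []
    for line in audit_text.splitlines():
        ev = parse_avc(line)
        if ev is None or ev.decision != "denied":
            continue
        key = sealert_hash(ev)
        findings.append({
            "hash": key,
            "name": ev.fields.get("name"),
            "expected_type": KNOWN_MISLABELS.get(key),
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_AUDIT):
        if f["expected_type"]:
            print(f"{f['hash']}: {f['name']} should be labelled "
                  f"{f['expected_type']}; fix the file context, do not add an allow rule")
        else:
            print(f"{f['hash']}: unknown denial, review the policy")
```

On a real host the input is `ausearch -m AVC --raw` output rather than the constructed string; a hit in KNOWN_MISLABELS says the remedy is the policy update plus `restorecon` on the directory, which is the path this bug took instead of the catchall plugin's local module.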

Comment 1 Zdenek Pytela 2021-06-02 14:38:10 UTC
Needs backporting:
commit af7e4b6492b315ee0912aef7f9f2d89a4f681ab6
Author: Zdenek Pytela <zpytela>
Date:   Mon May 10 18:36:26 2021 +0200

    Label /var/lib/kdump with kdump_var_lib_t
    
    The kexec-tools usually create initramfs-KERNELVERSIONkdump.img in /boot.
    On some operating systems, the /boot directory can be read-only,
    preventing the image file from being created. In newer kexec-tools
    package versions, the image files are created in /var/lib/kdump
    in case /boot is read-only.
    
    The kdump_manage_lib_files() interface was created and rpm_script_t
    allowed to manage /var/lib/kdump files. This is needed when the
    /lib/kernel/install.d/60-kdump.install kernel install hook is triggered
    to delete unused images.
    
    Resolves: rhbz#1951323

Comment 2 ltao 2021-06-08 05:49:24 UTC
(In reply to Zdenek Pytela from comment #1)
> Needs backporting:
> commit af7e4b6492b315ee0912aef7f9f2d89a4f681ab6
> Author: Zdenek Pytela <zpytela>
> Date:   Mon May 10 18:36:26 2021 +0200
> 
>     Label /var/lib/kdump with kdump_var_lib_t
>     
>     The kexec-tools usually create initramfs-KERNELVERSIONkdump.img in /boot.
>     On some operating systems, the /boot directory can be read-only,
>     preventing the image file from being created. In newer kexec-tools
>     package versions, the image files are created in /var/lib/kdump
>     in case /boot is read-only.
>     
>     The kdump_manage_lib_files() interface was created and rpm_script_t
>     allowed to manage /var/lib/kdump files. This is needed when the
>     /lib/kernel/install.d/60-kdump.install kernel install hook is triggered
>     to delete unused images.
>     
>     Resolves: rhbz#1951323

Hello Zdenek,

Since the bug blocks bz1918499, which may be delayed for DTM, could you please backport the patch and resolve this bug?
Thank you very much!

Thanks,
Tao Liu

Comment 4 Zdenek Pytela 2021-06-11 09:12:47 UTC
> Since the bug blocks bz1918499, which may be delayed for DTM, could you
> please backport the patch and resolve this bug?
Should be in the next build.

Comment 5 Kelvin Fan 2021-06-14 14:08:50 UTC
*** Bug 1961728 has been marked as a duplicate of this bug. ***

Comment 8 Zdenek Pytela 2021-06-16 09:40:16 UTC
I am afraid one more commit is needed:
https://github.com/fedora-selinux/selinux-policy/pull/782

Comment 23 errata-xmlrpc 2021-11-09 19:43:05 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:4420

