Bug 618329 - Need to allow /sbin/kexec access to /sys/kernel/debug/boot_params/*
Need to allow /sbin/kexec access to /sys/kernel/debug/boot_params/*
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy (Show other bugs)
6.0
All Linux
low Severity urgent
: rc
: ---
Assigned To: Miroslav Grepl
Milos Malik
:
Depends On:
Blocks: 593109 621261
  Show dependency treegraph
 
Reported: 2010-07-26 13:02 EDT by Neil Horman
Modified: 2012-10-15 10:32 EDT (History)
6 users (show)

See Also:
Fixed In Version: selinux-policy-3.7.19-35.el6
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-11-10 16:35:34 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
log file audit.log (1.39 KB, application/x-gzip)
2010-07-27 10:53 EDT, Takao Indoh
no flags Details
log file2 audit.log (136.71 KB, application/x-gzip)
2010-07-27 16:46 EDT, Takao Indoh
no flags Details

  None (edit)
Description Neil Horman 2010-07-26 13:02:09 EDT
Description of problem:
kexec tools, when booting on efi enabled sytems needs to clone the efi data that the bios passed to the first kernel so the second kernel boots properly.  It obtains this information out of /sys/kernel/debug/boot_params/data which is the debugfs filesystem.  selinux policy currently deines kexec's ability to do this.  We need to change the policy to allow it.

Version-Release number of selected component (if applicable):


How reproducible:
always

Steps to Reproduce:
1.enable selinux on a EFI based x86 system
2.start kdump servcie
3.
  
Actual results:
kdump startup fails due do an AVC deinal when trying to open the referenced file

Expected results:
successful startup.

Additional info:
Comment 2 RHEL Product and Program Management 2010-07-26 13:37:48 EDT
This issue has been proposed when we are only considering blocker
issues in the current Red Hat Enterprise Linux release.

** If you would still like this issue considered for the current
release, ask your support representative to file as a blocker on
your behalf. Otherwise ask that it be considered for the next
Red Hat Enterprise Linux release. **
Comment 3 Neil Horman 2010-07-26 15:12:10 EDT
setting blocker flags on this, as it blocks an already approved blocker
Comment 4 Daniel Walsh 2010-07-26 16:56:57 EDT
I need avc data from /var/log/audit/audit.log
Comment 5 Neil Horman 2010-07-27 08:18:28 EDT
indoh-san, can you please provide the avc messages you got when you ran into this issue during your testing?
Comment 6 Takao Indoh 2010-07-27 10:53:07 EDT
Created attachment 434714 [details]
log file audit.log
Comment 7 Daniel Walsh 2010-07-27 11:47:55 EDT
indoh-san can you execute 

# semodule -DB
To turn off the dontaudit messages
# semanage permissive -a kdump_t
To turn kdump_t into a permissive domain
Then generate the error.
Gather the AVC's 
# semanage permissive -d kdump_t
# semodule -B

Miroslav I think we will need

kernel_read_debugfs(kdump_t)
Comment 8 Takao Indoh 2010-07-27 12:11:44 EDT
> # semodule -DB
> To turn off the dontaudit messages
> # semanage permissive -a kdump_t

[root@pq3-1 ~]# semanage permissive -a kdump_t
-bash: semanage: command not found

What package do I need to install to run semanage?
Comment 9 Takao Indoh 2010-07-27 16:46:45 EDT
Created attachment 434841 [details]
log file2 audit.log

Ok, here is the result.

[root@pq3-2 ~]# service kdump restart
Stopping kdump:                                            [  OK  ]
UNABLE TO GATHER EFI DATA                                  [警告]
Starting kdump:                                            [  OK  ]
[root@pq3-2 ~]# semodule -DB
[root@pq3-2 ~]# semanage permissive -a kdump_t
[root@pq3-2 ~]# service kdump restart
Stopping kdump:                                            [  OK  ]
GATHERING EFI DATA                                         [警告]
Starting kdump:                                            [  OK  ]
[root@pq3-2 ~]# semanage permissive -d kdump_t
[root@pq3-2 ~]# semodule -B
Comment 10 Miroslav Grepl 2010-08-02 11:26:54 EDT
Fixed in selinux-policy-3.7.19-35.el6.noarch.
Comment 12 Milos Malik 2010-08-11 05:22:15 EDT
# rpm -q selinux-policy
selinux-policy-3.7.19-35.el6.noarch

I'm still seeing these AVCs on EFI enabled machine:

----
time->Wed Aug 11 05:18:46 2010
type=SYSCALL msg=audit(1281518326.459:58453): arch=40000003 syscall=5 success=yes exit=3 a0=8059134 a1=0 a2=bfeb9bec a3=9b2c5e0 items=0 ppid=7741 pid=7797 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=2229 comm="kexec" exe="/sbin/kexec" subj=unconfined_u:system_r:kdump_t:s0 key=(null)
type=AVC msg=audit(1281518326.459:58453): avc:  denied  { open } for  pid=7797 comm="kexec" name="data" dev=debugfs ino=13 scontext=unconfined_u:system_r:kdump_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=file
type=AVC msg=audit(1281518326.459:58453): avc:  denied  { read } for  pid=7797 comm="kexec" name="data" dev=debugfs ino=13 scontext=unconfined_u:system_r:kdump_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=file
----
Comment 14 Miroslav Grepl 2010-08-11 05:39:40 EDT
You are right. I am fixing it. Thanks.
Comment 15 Milos Malik 2010-08-11 05:41:43 EDT
After "semodule -DB" the number of AVCs increased to 3:

----
time->Wed Aug 11 05:35:45 2010
type=SYSCALL msg=audit(1281519345.511:58476): arch=40000003 syscall=5
success=yes exit=3 a0=8059134 a1=0 a2=bfaf32cc a3=8a175e0 items=0 ppid=8380
pid=8436 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=pts2 ses=2229 comm="kexec" exe="/sbin/kexec"
subj=unconfined_u:system_r:kdump_t:s0 key=(null)
type=AVC msg=audit(1281519345.511:58476): avc:  denied  { open } for  pid=8436
comm="kexec" name="data" dev=debugfs ino=13
scontext=unconfined_u:system_r:kdump_t:s0
tcontext=system_u:object_r:debugfs_t:s0 tclass=file
type=AVC msg=audit(1281519345.511:58476): avc:  denied  { read } for  pid=8436
comm="kexec" name="data" dev=debugfs ino=13
scontext=unconfined_u:system_r:kdump_t:s0
tcontext=system_u:object_r:debugfs_t:s0 tclass=file
type=AVC msg=audit(1281519345.511:58476): avc:  denied  { search } for 
pid=8436 comm="kexec" name="/" dev=debugfs ino=1
scontext=unconfined_u:system_r:kdump_t:s0
tcontext=system_u:object_r:debugfs_t:s0 tclass=dir
----
Comment 16 Miroslav Grepl 2010-08-11 11:02:27 EDT
Fixed in selinux-policy-3.7.19-38.el6.noarch
Comment 19 releng-rhel@redhat.com 2010-11-10 16:35:34 EST
Red Hat Enterprise Linux 6.0 is now available and should resolve
the problem described in this bug report. This report is therefore being closed
with a resolution of CURRENTRELEASE. You may reopen this bug report if the
solution does not work for you.

Note You need to log in before you can comment on or make changes to this bug.