618329 – Need to allow /sbin/kexec access to /sys/kernel/debug/boot_params/*

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 618329 - Need to allow /sbin/kexec access to /sys/kernel/debug/boot_params/*

Summary: Need to allow /sbin/kexec access to /sys/kernel/debug/boot_params/*

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	6.0
Hardware:	All
OS:	Linux
Priority:	low
Severity:	urgent
Target Milestone:	rc
Target Release:	---
Assignee:	Miroslav Grepl
QA Contact:	Milos Malik
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	593109 621261
TreeView+	depends on / blocked

Reported:	2010-07-26 17:02 UTC by Neil Horman
Modified:	2012-10-15 14:32 UTC (History)
CC List:	6 users (show)
Fixed In Version:	selinux-policy-3.7.19-35.el6
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2010-11-10 21:35:34 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
log file audit.log (1.39 KB, application/x-gzip) 2010-07-27 14:53 UTC, Takao Indoh	no flags	Details
log file2 audit.log (136.71 KB, application/x-gzip) 2010-07-27 20:46 UTC, Takao Indoh	no flags	Details
View All

Description Neil Horman 2010-07-26 17:02:09 UTC

Description of problem:
kexec tools, when booting on efi enabled sytems needs to clone the efi data that the bios passed to the first kernel so the second kernel boots properly.  It obtains this information out of /sys/kernel/debug/boot_params/data which is the debugfs filesystem.  selinux policy currently deines kexec's ability to do this.  We need to change the policy to allow it.

Version-Release number of selected component (if applicable):


How reproducible:
always

Steps to Reproduce:
1.enable selinux on a EFI based x86 system
2.start kdump servcie
3.
  
Actual results:
kdump startup fails due do an AVC deinal when trying to open the referenced file

Expected results:
successful startup.

Additional info:

Comment 2 RHEL Program Management 2010-07-26 17:37:48 UTC

This issue has been proposed when we are only considering blocker
issues in the current Red Hat Enterprise Linux release.

** If you would still like this issue considered for the current
release, ask your support representative to file as a blocker on
your behalf. Otherwise ask that it be considered for the next
Red Hat Enterprise Linux release. **

Comment 3 Neil Horman 2010-07-26 19:12:10 UTC

setting blocker flags on this, as it blocks an already approved blocker

Comment 4 Daniel Walsh 2010-07-26 20:56:57 UTC

I need avc data from /var/log/audit/audit.log

Comment 5 Neil Horman 2010-07-27 12:18:28 UTC

indoh-san, can you please provide the avc messages you got when you ran into this issue during your testing?

Comment 6 Takao Indoh 2010-07-27 14:53:07 UTC

Created attachment 434714 [details]
log file audit.log

Comment 7 Daniel Walsh 2010-07-27 15:47:55 UTC

indoh-san can you execute 

# semodule -DB
To turn off the dontaudit messages
# semanage permissive -a kdump_t
To turn kdump_t into a permissive domain
Then generate the error.
Gather the AVC's 
# semanage permissive -d kdump_t
# semodule -B

Miroslav I think we will need

kernel_read_debugfs(kdump_t)

Comment 8 Takao Indoh 2010-07-27 16:11:44 UTC

> # semodule -DB
> To turn off the dontaudit messages
> # semanage permissive -a kdump_t

[root@pq3-1 ~]# semanage permissive -a kdump_t
-bash: semanage: command not found

What package do I need to install to run semanage?

Comment 9 Takao Indoh 2010-07-27 20:46:45 UTC

Created attachment 434841 [details]
log file2 audit.log

Ok, here is the result.

[root@pq3-2 ~]# service kdump restart
Stopping kdump:                                            [  OK  ]
UNABLE TO GATHER EFI DATA                                  [警告]
Starting kdump:                                            [  OK  ]
[root@pq3-2 ~]# semodule -DB
[root@pq3-2 ~]# semanage permissive -a kdump_t
[root@pq3-2 ~]# service kdump restart
Stopping kdump:                                            [  OK  ]
GATHERING EFI DATA                                         [警告]
Starting kdump:                                            [  OK  ]
[root@pq3-2 ~]# semanage permissive -d kdump_t
[root@pq3-2 ~]# semodule -B

Comment 10 Miroslav Grepl 2010-08-02 15:26:54 UTC

Fixed in selinux-policy-3.7.19-35.el6.noarch.

Comment 12 Milos Malik 2010-08-11 09:22:15 UTC

# rpm -q selinux-policy
selinux-policy-3.7.19-35.el6.noarch

I'm still seeing these AVCs on EFI enabled machine:

----
time->Wed Aug 11 05:18:46 2010
type=SYSCALL msg=audit(1281518326.459:58453): arch=40000003 syscall=5 success=yes exit=3 a0=8059134 a1=0 a2=bfeb9bec a3=9b2c5e0 items=0 ppid=7741 pid=7797 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=2229 comm="kexec" exe="/sbin/kexec" subj=unconfined_u:system_r:kdump_t:s0 key=(null)
type=AVC msg=audit(1281518326.459:58453): avc:  denied  { open } for  pid=7797 comm="kexec" name="data" dev=debugfs ino=13 scontext=unconfined_u:system_r:kdump_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=file
type=AVC msg=audit(1281518326.459:58453): avc:  denied  { read } for  pid=7797 comm="kexec" name="data" dev=debugfs ino=13 scontext=unconfined_u:system_r:kdump_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=file
----

Comment 14 Miroslav Grepl 2010-08-11 09:39:40 UTC

You are right. I am fixing it. Thanks.

Comment 15 Milos Malik 2010-08-11 09:41:43 UTC

After "semodule -DB" the number of AVCs increased to 3:

----
time->Wed Aug 11 05:35:45 2010
type=SYSCALL msg=audit(1281519345.511:58476): arch=40000003 syscall=5
success=yes exit=3 a0=8059134 a1=0 a2=bfaf32cc a3=8a175e0 items=0 ppid=8380
pid=8436 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=pts2 ses=2229 comm="kexec" exe="/sbin/kexec"
subj=unconfined_u:system_r:kdump_t:s0 key=(null)
type=AVC msg=audit(1281519345.511:58476): avc:  denied  { open } for  pid=8436
comm="kexec" name="data" dev=debugfs ino=13
scontext=unconfined_u:system_r:kdump_t:s0
tcontext=system_u:object_r:debugfs_t:s0 tclass=file
type=AVC msg=audit(1281519345.511:58476): avc:  denied  { read } for  pid=8436
comm="kexec" name="data" dev=debugfs ino=13
scontext=unconfined_u:system_r:kdump_t:s0
tcontext=system_u:object_r:debugfs_t:s0 tclass=file
type=AVC msg=audit(1281519345.511:58476): avc:  denied  { search } for 
pid=8436 comm="kexec" name="/" dev=debugfs ino=1
scontext=unconfined_u:system_r:kdump_t:s0
tcontext=system_u:object_r:debugfs_t:s0 tclass=dir
----

Comment 16 Miroslav Grepl 2010-08-11 15:02:27 UTC

Fixed in selinux-policy-3.7.19-38.el6.noarch

Comment 19 releng-rhel@redhat.com 2010-11-10 21:35:34 UTC

Red Hat Enterprise Linux 6.0 is now available and should resolve
the problem described in this bug report. This report is therefore being closed
with a resolution of CURRENTRELEASE. You may reopen this bug report if the
solution does not work for you.

Note You need to log in before you can comment on or make changes to this bug.