Bug 833242 - 'ldconfig -r' permission denied in kdump.service
'ldconfig -r' permission denied in kdump.service
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
17
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Miroslav Grepl
Ben Levenson
:
: 833243 (view as bug list)
Depends On:
Blocks: RHEL7KdumpTracker
  Show dependency treegraph
 
Reported: 2012-06-18 22:07 EDT by Dave Young
Modified: 2012-06-30 17:52 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-06-30 17:52:08 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Dave Young 2012-06-18 22:07:05 EDT
I guess this related to selinux policy, please help to take a look:

kdump.service 1st time startup will fail with below info
Jun 12 23:28:39 localhost kdumpctl[548]: + ldconfig -r
/var/tmp/initramfs.Lk6NT4
Jun 12 23:28:39 localhost kdumpctl[548]: ldconfig: Can't create
temporary cache file /etc/ld.so.cache~: Permission denied


dracut ran cmd like: 'ldconfig -r /var/tmp/foo' in kdump.service

I'm seeing below selinux audit log:

type=AVC msg=audit(1340070736.339:41): avc:  denied  { read } for  pid=4493 comm="ldconfig" name="lib64" dev="dm-1" ino=2684 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
type=AVC msg=audit(1340070736.339:42): avc:  denied  { write } for  pid=4493 comm="ldconfig" name="etc" dev="dm-1" ino=2681 scontext=system_u:system_r:ldconfig_t:s0 tcontext=system_u:object_r:initrc_tmp_t:s0 tclass=dir
type=SERVICE_START msg=audit(1340070736.748:43): pid=0 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="kdump" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
Comment 1 Miroslav Grepl 2012-06-19 04:08:38 EDT
*** Bug 833243 has been marked as a duplicate of this bug. ***
Comment 2 Miroslav Grepl 2012-06-19 04:48:25 EDT
So if I understand correctly, there is the /var/tmp/initramfs* dir which is used as root directory created as initrc_tmp_t and this directory is used by ldconfig, depmod, right?
Comment 3 Dave Young 2012-06-19 05:15:13 EDT
(In reply to comment #2)
> So if I understand correctly, there is the /var/tmp/initramfs* dir which is
> used as root directory created as initrc_tmp_t and this directory is used by
> ldconfig, depmod, right?

Yes, dracut create temp dir under /var/tmp, install files into it and run ldconfig -r, then create the cpio archive..

I have no knowledge about selinux, so not sure about initrc_tmp_t.
Comment 4 Miroslav Grepl 2012-06-19 06:55:55 EDT
Ok, I am now playing with

# chcon -t kdump_exec_t /usr/bin/kdumpctl

It requires new transitions from kdump to other domains (we have a way how to do it) and I am able to get

allow ldconfig_t kdump_tmp_t:dir { read write add_name remove_name };
allow ldconfig_t kdump_tmp_t:file { rename write getattr setattr read create open };
allow ldconfig_t kdump_tmp_t:lnk_file read;
Comment 5 Miroslav Grepl 2012-06-19 08:27:14 EDT
Well dracut wants to add lot of accesses but I think they are ok for kdump_t policy.

But also we could start to think about dracut policy  for these cases.
Comment 6 Daniel Walsh 2012-06-19 10:16:16 EDT
I would get rid of the transition to ldconfig, this domain only exists to make sure /etc/ld.so.cache file is labeled correctly.
Comment 7 Miroslav Grepl 2012-06-19 16:52:28 EDT
Well this is about /var/tmp/initramfs* directory which is created by kdumpctl (labeled as bin_t) from the kdump.service unit file.

ExecStart=/usr/bin/kdumpctl start

All files/dirs are created there and ldconfig_t/insmod_t needs to manage /var/tmp/initramfs*. 

So my idea is the kdump_exec_t label for kdumpctl  => it will run as kdump_t and I could make kdump_t as initrc domain and could control which domains will able to use /var/tmp/initramfs* which could get kdump_tmp_t label.
Comment 8 Miroslav Grepl 2012-06-20 03:38:50 EDT
Could you please test it with

http://koji.fedoraproject.org/koji/taskinfo?taskID=4179182

after install please execute

# chcon -t kdump_exec_t /usr/bin/kdumpctl

and try to re-test it. Thanks.
Comment 9 Dave Young 2012-06-20 04:11:05 EDT
(In reply to comment #8)
> Could you please test it with
> 
> http://koji.fedoraproject.org/koji/taskinfo?taskID=4179182
> 
> after install please execute
> 
> # chcon -t kdump_exec_t /usr/bin/kdumpctl
> 
> and try to re-test it. Thanks.


Hi, there's new avc deny, see below info:

SELinux is preventing /usr/bin/bash from execute access on the file udevadm.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that bash should be allowed execute access on the udevadm file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep dracut /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:kdump_t:s0
Target Context                system_u:object_r:kdump_tmp_t:s0
Target Objects                udevadm [ file ]
Source                        dracut
Source Path                   /usr/bin/bash
Port                          <Unknown>
Host                          darkstar.nay.redhat.com
Source RPM Packages           bash-4.2.24-2.fc17.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.10.0-132.fc17.1.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     darkstar.nay.redhat.com
Platform                      Linux darkstar.nay.redhat.com 3.3.4-5.fc17.x86_64
                              #1 SMP Mon May 7 17:29:34 UTC 2012 x86_64 x86_64
Alert Count                   4
First Seen                    Wed 20 Jun 2012 04:02:38 PM CST
Last Seen                     Wed 20 Jun 2012 04:02:38 PM CST
Local ID                      52c97a48-d4c7-4584-af4f-429e3c5146ce

Raw Audit Messages
type=AVC msg=audit(1340179358.994:141): avc:  denied  { execute } for  pid=1844 comm="dracut" name="udevadm" dev="sda3" ino=404905 scontext=system_u:system_r:kdump_t:s0 tcontext=system_u:object_r:kdump_tmp_t:s0 tclass=file


type=SYSCALL msg=audit(1340179358.994:141): arch=x86_64 syscall=faccessat success=no exit=EACCES a0=ffffffffffffff9c a1=b0c430 a2=1 a3=2b items=0 ppid=1478 pid=1844 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=dracut exe=/usr/bin/bash subj=system_u:system_r:kdump_t:s0 key=(null)

Hash: dracut,kdump_t,kdump_tmp_t,file,execute

audit2allowunable to open /sys/fs/selinux/policy:  Permission denied


audit2allow -Runable to open /sys/fs/selinux/policy:  Permission denied
Comment 10 Miroslav Grepl 2012-06-20 04:15:27 EDT
Could you test it in permissive mode?

# setenforce 0
Comment 11 Dave Young 2012-06-20 04:54:16 EDT
(In reply to comment #10)
> Could you test it in permissive mode?
> 
> # setenforce 0

the service startup ok with permissive mode
Comment 12 Miroslav Grepl 2012-06-20 05:03:30 EDT
and what avc msgs are you getting?
Comment 13 Dave Young 2012-06-20 05:16:39 EDT
See below, not sure if it's what you want:

SELinux is preventing /usr/bin/rm from unlink access on the chr_file null.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that rm should be allowed unlink access on the null chr_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep rm /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:kdump_t:s0
Target Context                system_u:object_r:null_device_t:s0
Target Objects                null [ chr_file ]
Source                        rm
Source Path                   /usr/bin/rm
Port                          <Unknown>
Host                          darkstar.nay.redhat.com
Source RPM Packages           coreutils-8.15-6.fc17.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.10.0-132.fc17.1.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     darkstar.nay.redhat.com
Platform                      Linux darkstar.nay.redhat.com 3.3.4-5.fc17.x86_64
                              #1 SMP Mon May 7 17:29:34 UTC 2012 x86_64 x86_64
Alert Count                   2
First Seen                    Wed 20 Jun 2012 04:50:15 PM CST
Last Seen                     Wed 20 Jun 2012 05:11:59 PM CST
Local ID                      c68ddcd7-31c9-4265-a81f-632d92ca597f

Raw Audit Messages
type=AVC msg=audit(1340183519.652:308): avc:  denied  { unlink } for  pid=17448 comm="rm" name="null" dev="sda3" ino=404598 scontext=system_u:system_r:kdump_t:s0 tcontext=system_u:object_r:null_device_t:s0 tclass=chr_file


type=SYSCALL msg=audit(1340183519.652:308): arch=x86_64 syscall=unlinkat success=yes exit=0 a0=5 a1=14989e8 a2=0 a3=114 items=0 ppid=13940 pid=17448 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=rm exe=/usr/bin/rm subj=system_u:system_r:kdump_t:s0 key=(null)

Hash: rm,kdump_t,null_device_t,chr_file,unlink

audit2allowunable to open /sys/fs/selinux/policy:  Permission denied


audit2allow -Runable to open /sys/fs/selinux/policy:  Permission denied
Comment 14 Miroslav Grepl 2012-06-21 06:39:55 EDT
Ok, I think I have a solution.

Could you test it with

http://koji.fedoraproject.org/koji/taskinfo?taskID=4183110
Comment 15 Dave Young 2012-06-25 01:57:35 EDT
(In reply to comment #14)
> Ok, I think I have a solution.
> 
> Could you test it with
> 
> http://koji.fedoraproject.org/koji/taskinfo?taskID=4183110

With this build systemd service startup ok for me. Great work, thanks!
Comment 16 Daniel Walsh 2012-06-26 06:39:00 EDT
Fixed in selinux-policy-3.10.0-132.fc17
Comment 17 Fedora Update System 2012-06-26 17:48:21 EDT
selinux-policy-3.10.0-134.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-134.fc17
Comment 18 Fedora Update System 2012-06-27 23:38:33 EDT
Package selinux-policy-3.10.0-134.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-134.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-10008/selinux-policy-3.10.0-134.fc17
then log in and leave karma (feedback).
Comment 19 Fedora Update System 2012-06-30 17:52:08 EDT
selinux-policy-3.10.0-134.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.