Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.

Bug 1247017

Summary: SELinux is preventing kexec from 'read', 'open' and 'getattr' accesses on /boot/vmlinuz*
Product: [Fedora] Fedora Reporter: Jakub Filak <jfilak>
Component: systemdAssignee: systemd-maint
Status: CLOSED DUPLICATE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 23CC: dominick.grift, dwalsh, jberan, johannbg, jsynacek, lnykryn, lvrabec, mgrepl, msekleta, plautrba, ruyang, s, systemd-maint, zbyszek
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-02-10 14:34:59 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1244057    

Description Jakub Filak 2015-07-27 07:32:20 UTC 
Description of problem:
----
time->Mon Jul 27 09:26:23 2015
type=AVC msg=audit(1437981983.456:676): avc:  denied  { read } for  pid=11271 comm="kexec" name="vmlinuz-4.2.0-0.rc0.git1.1.fc23.x86_64" dev="sda1" ino=20 scontext=system_u:system_r:kdump_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=file permissive=1
----
time->Mon Jul 27 09:26:23 2015
type=AVC msg=audit(1437981983.456:677): avc:  denied  { open } for  pid=11271 comm="kexec" path="/boot/vmlinuz-4.2.0-0.rc0.git1.1.fc23.x86_64" dev="sda1" ino=20 scontext=system_u:system_r:kdump_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=file permissive=1
----
time->Mon Jul 27 09:26:23 2015
type=AVC msg=audit(1437981983.459:678): avc:  denied  { getattr } for  pid=11271 comm="kexec" path="/boot/vmlinuz-4.2.0-0.rc0.git1.1.fc23.x86_64" dev="sda1" ino=20 scontext=system_u:system_r:kdump_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=file permissive=1

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-138.fc24.noarch

How reproducible:
always

Steps to Reproduce:
1. systemctl restart kdump
2.
3.
Comment 1 Dangyi Liu 2015-11-09 06:19:09 UTC 
On Fedora 23 this bug is more severe because kdump cannot start even with bundled kernel.

$ ls -Z /boot/vmlinuz-*
          system_u:object_r:boot_t:s0 /boot/vmlinuz-0-rescue-9e1725064a94497289316879f51a108f
          system_u:object_r:boot_t:s0 /boot/vmlinuz-4.1.7-200.fc22.x86_64
system_u:object_r:modules_object_t:s0 /boot/vmlinuz-4.2.5-300.fc23.x86_64
Comment 2 Dangyi Liu 2015-11-09 08:14:54 UTC 
This bug is caused by that kernel-install didn't handle file context properly after copying bzImage. It has been fixed in http://pkgs.fedoraproject.org/cgit/systemd.git/commit/?id=d4f265678413c7656d78074af12ec7f083b50aac , but hasn't been merged into f23 branch.
Comment 3 Lennart Poettering 2016-02-10 14:34:59 UTC 

*** This bug has been marked as a duplicate of bug 1244057 ***