Bug 1357949
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | SELinux is preventing kexec from using the 'sys_admin' capabilities. | | |
| Product | Fedora | Reporter | Juan Orti <jorti> |
| Component | selinux-policy | Assignee | Lukas Vrabec <lvrabec> |
| Status | CLOSED ERRATA | QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Severity | unspecified | Docs Contact | |
| Priority | unspecified | | |
| Version | 24 | CC | bugzilla, dominick.grift, dwalsh, hkario, kdump-team-bugs, lvrabec, mgrepl, oliver.henshaw, plautrba, ruyang |
| Target Milestone | --- | | |
| Target Release | --- | | |
| Hardware | x86_64 | | |
| OS | Unspecified | | |
| Whiteboard | abrt_hash:f0287f4f154edfc849418636e509482c5d36807ef6355de0c990d58dbbde39ff;VARIANT_ID=workstation; | | |
| Fixed In Version | selinux-policy-3.13.1-191.16.fc24 | Doc Type | If docs needed, set a value |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2016-09-22 00:23:28 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
Description
Juan Orti
2016-07-19 16:16:44 UTC
Description of problem:
normal system startup, though it's a system I have upgraded since Fedora 18, so there may be some leftovers

Version-Release number of selected component:
selinux-policy-3.13.1-158.15.fc23.noarch

Additional info:
reporter:       libreport-2.7.1
hashmarkername: setroubleshoot
kernel:         4.6.4-301.fc24.x86_64
reproducible:   Not sure how to reproduce the problem
type:           libreport

Description of problem:
systemctl start kdump.service

Version-Release number of selected component:
selinux-policy-3.13.1-191.5.fc24.noarch

Additional info:
reporter:       libreport-2.7.2
hashmarkername: setroubleshoot
kernel:         4.6.4-301.fc24.x86_64
type:           libreport

Also on F23. Seems like a regression, though I don't know what changed to cause it; kexec-tools hasn't been updated since upgrading to F23. Maybe a kernel update?

selinux-policy-targeted-3.13.1-158.21.fc23.noarch
kexec-tools-2.0.10-10.fc23.x86_64
kernel-4.6.4-201.fc23.x86_64 (MAYBE GOOD?)
kernel-4.6.6-200.fc23.x86_64

kernel-4.5.7-202.fc23.x86_64 GOOD
kernel-4.6.4-201.fc23.x86_64 BAD

Checked old "journal -b" and confirmed by booting into kernel-4.5.7-202.fc23.x86_64. So it's likely some kernel change that is causing kexec to hit an SELinux denial. Any ideas?

Hi,

One possible commit is in 4.6.0: /proc/iomem can only be read by a process with CAP_SYS_ADMIN, so non-root users cannot see it. Linus said there is no need to worry about fine-grained capabilities; that means kexec runs as root, so it should be ok.

Upstream commit:

    commit 51d7b120418e99d6b3bf8df9eb3cc31e8171dee4
    Author: Linus Torvalds <torvalds>
    Date:   Thu Apr 14 12:05:37 2016 -0700

        /proc/iomem: only expose physical resource addresses to privileged users

        In commit c4004b02f8e5b ("x86: remove the kernel code/data/bss resources
        from /proc/iomem") I was hoping to remove the physical kernel address
        data from /proc/iomem entirely, but that had to be reverted because some
        system programs actually use it.

        This limits all the detailed resource information to properly
        credentialed users instead.

        Signed-off-by: Linus Torvalds <torvalds>

Thanks
Dave

Looks like we should just add a dontaudit rule. Or does kdump actually need to read this?

Daniel, do you mean kexec run as root still lacks SYS_ADMIN capabilities? If so, adding a rule should be necessary, because kexec-tools depends on reading /proc/iomem in its source code.

Ok, if it depends on that then it needs sys_admin, so we need to add the rule.

*** Bug 1372796 has been marked as a duplicate of this bug. ***

selinux-policy-3.13.1-191.16.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-fe39b806b6

selinux-policy-3.13.1-191.16.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-fe39b806b6

selinux-policy-3.13.1-191.16.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
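The rule the thread settles on (kexec genuinely reads /proc/iomem, so an allow rule rather than a dontaudit) can be derived from the AVC denial itself, the way audit2allow does it. The script below is an added example, not code from the bug report or from the selinux-policy package; the AVC line is constructed, and kdump_t as the domain kexec runs in is an assumption.

```shell
#!/bin/sh
# Added example: turn a capability AVC denial into the SELinux TE rule that
# fixes it. SAMPLE_AVC is constructed; kdump_t as kexec's domain is assumed.
# capability=21 is CAP_SYS_ADMIN.
SAMPLE_AVC='type=AVC msg=audit(1468944000.123:456): avc:  denied  { sys_admin } for  pid=1234 comm="kexec" capability=21  scontext=system_u:system_r:kdump_t:s0 tcontext=system_u:system_r:kdump_t:s0 tclass=capability permissive=0'

# avc_field LINE KEY: print the value of KEY=value in LINE, quotes stripped.
avc_field() {
    for word in $1; do
        case $word in
            "$2="*) printf '%s\n' "${word#*=}" | tr -d '"'; return 0 ;;
        esac
    done
    return 1
}

# avc_perms LINE: print the permission list inside "denied { ... }".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^}]*[^} ]\) *}.*/\1/p'
}

# capability_rule LINE: print the allow rule for a capability denial. Any other
# object class (e.g. a file denial on /proc/iomem) is out of scope: fail silently.
capability_rule() {
    [ "$(avc_field "$1" tclass)" = capability ] || return 1
    stype=$(avc_field "$1" scontext | cut -d: -f3)
    printf 'allow %s self:capability { %s };\n' "$stype" "$(avc_perms "$1")"
}

# policy_module NAME LINE: wrap the rule in loadable-module source (a .te file),
# the shape audit2allow -M NAME writes. Build and load it with
#   checkmodule -M -m -o NAME.mod NAME.te
#   semodule_package -o NAME.pp -m NAME.mod
#   semodule -i NAME.pp
policy_module() {
    rule=$(capability_rule "$2") || return 1
    stype=$(avc_field "$2" scontext | cut -d: -f3)
    printf 'module %s 1.0;\n\nrequire {\n\ttype %s;\n\tclass capability { %s };\n}\n\n%s\n' \
        "$1" "$stype" "$(avc_perms "$2")" "$rule"
}

# Usage: print the rule and the module source for the sample denial.
capability_rule "$SAMPLE_AVC"
policy_module kexec_sysadmin "$SAMPLE_AVC"
```

The packaged selinux-policy-3.13.1-191.16.fc24 update is the proper fix; a local module like this only bridges the gap and can be removed afterwards with semodule -r.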