1357949 – SELinux is preventing kexec from using the 'sys_admin' capabilities.

Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.

Bug 1357949 - SELinux is preventing kexec from using the 'sys_admin' capabilities.

Summary: SELinux is preventing kexec from using the 'sys_admin' capabilities.

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	24
Hardware:	x86_64
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Lukas Vrabec
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:	abrt_hash:f0287f4f154edfc849418636e50...
Duplicates (1):	1372796 (view as bug list)
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2016-07-19 16:16 UTC by Juan Orti
Modified:	2016-09-22 00:23 UTC (History)
CC List:	10 users (show)
Fixed In Version:	selinux-policy-3.13.1-191.16.fc24
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2016-09-22 00:23:28 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Juan Orti 2016-07-19 16:16:44 UTC

Description of problem:
SELinux is preventing kexec from using the 'sys_admin' capabilities.

*****  Plugin catchall (100. confidence) suggests   **************************

If cree que kexec debería tener la capacidad sys_admin de forma predeterminada.
Then debería reportar esto como un error.
Puede generar un módulo de política local para permitir este acceso.
Do
allow this access for now by executing:
# ausearch -c 'kexec' --raw | audit2allow -M my-kexec
# semodule -X 300 -i my-kexec.pp

Additional Information:
Source Context                system_u:system_r:kdump_t:s0
Target Context                system_u:system_r:kdump_t:s0
Target Objects                Unknown [ capability ]
Source                        kexec
Source Path                   kexec
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-191.5.fc24.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.6.3-300.fc24.x86_64 #1 SMP Fri
                              Jun 24 20:52:41 UTC 2016 x86_64 x86_64
Alert Count                   747
First Seen                    2016-07-19 14:21:11 CEST
Last Seen                     2016-07-19 17:49:29 CEST
Local ID                      8e77b924-91b8-4d19-93ea-870e94f40059

Raw Audit Messages
type=AVC msg=audit(1468943369.762:503): avc:  denied  { sys_admin } for  pid=3161 comm="kexec" capability=21  scontext=system_u:system_r:kdump_t:s0 tcontext=system_u:system_r:kdump_t:s0 tclass=capability permissive=0


Hash: kexec,kdump_t,kdump_t,capability,sys_admin

Version-Release number of selected component:
selinux-policy-3.13.1-191.5.fc24.noarch

Additional info:
reporter:       libreport-2.7.1
hashmarkername: setroubleshoot
kernel:         4.6.3-300.fc24.x86_64
reproducible:   Not sure how to reproduce the problem
type:           libreport

Comment 1 Hubert Kario 2016-07-21 10:21:26 UTC

Description of problem:
normal system startup, though it's a system I have upgraded since Fedora 18, so there may be some leftovers

Version-Release number of selected component:
selinux-policy-3.13.1-158.15.fc23.noarch

Additional info:
reporter:       libreport-2.7.1
hashmarkername: setroubleshoot
kernel:         4.6.4-301.fc24.x86_64
reproducible:   Not sure how to reproduce the problem
type:           libreport

Comment 2 Juan Orti 2016-07-26 19:31:19 UTC

Description of problem:
systemctl start kdump.service

Version-Release number of selected component:
selinux-policy-3.13.1-191.5.fc24.noarch

Additional info:
reporter:       libreport-2.7.2
hashmarkername: setroubleshoot
kernel:         4.6.4-301.fc24.x86_64
type:           libreport

Comment 3 Oliver Henshaw 2016-08-22 11:54:31 UTC

Also on F23. Seems like a regression though I don't know what changed to cause it, kexec-tools hasn't been updated since upgrading to F23. Maybe a kernel update?

selinux-policy-targeted-3.13.1-158.21.fc23.noarch
kexec-tools-2.0.10-10.fc23.x86_64
kernel-4.6.4-201.fc23.x86_64 (MAYBE GOOD?)
kernel-4.6.6-200.fc23.x86_64

Comment 4 Oliver Henshaw 2016-08-30 15:10:11 UTC

kernel-4.5.7-202.fc23.x86_64 GOOD
kernel-4.6.4-201.fc23.x86_64 BAD

Checked old "journal -b" and confirmed by booting into kernel-4.5.7-202.fc23.x86_64. So it's likely some kernel change that is causing kexec to hit an SElinux denial. Any ideas?

Comment 5 Dave Young 2016-08-31 01:01:03 UTC

Hi,

One possible commit is in 4.6.0 /proc/iomem can only be read by process with CAP_SYS_ADMIN, so for non-root users they can not see it.

Linus said no need worry about fine grained capabilities, that means kexec run as root so it should be ok.

Upstream commit:

commit 51d7b120418e99d6b3bf8df9eb3cc31e8171dee4
Author: Linus Torvalds <torvalds>
Date:   Thu Apr 14 12:05:37 2016 -0700

    /proc/iomem: only expose physical resource addresses to privileged users
    
    In commit c4004b02f8e5b ("x86: remove the kernel code/data/bss resources
    from /proc/iomem") I was hoping to remove the phyiscal kernel address
    data from /proc/iomem entirely, but that had to be reverted because some
    system programs actually use it.
    
    This limits all the detailed resource information to properly
    credentialed users instead.
    
    Signed-off-by: Linus Torvalds <torvalds>

Thanks
Dave

Comment 6 Daniel Walsh 2016-08-31 11:00:11 UTC

Looks like we should just add a dontaudit rules. Or does kdump actually need to read this?

Comment 7 Dave Young 2016-08-31 23:29:14 UTC

Daniel, do you means kexec run with root still lacks SYS_ADMIN capabilities?  If so add a rule should be necessary because kexec-tools depend on reading /proc/iomem in its source code.

Comment 8 Daniel Walsh 2016-09-01 12:32:21 UTC

Ok if it depends on that then it needs sys_admin so we need to add the rule.

Comment 9 Dave Young 2016-09-05 01:07:49 UTC

*** Bug 1372796 has been marked as a duplicate of this bug. ***

Comment 10 Fedora Update System 2016-09-15 17:25:04 UTC

selinux-policy-3.13.1-191.16.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-fe39b806b6

Comment 11 Fedora Update System 2016-09-16 00:52:41 UTC

selinux-policy-3.13.1-191.16.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-fe39b806b6

Comment 12 Fedora Update System 2016-09-22 00:23:28 UTC

selinux-policy-3.13.1-191.16.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.