RHEL-14413

selinux: kexec-tools require new rules to enable the access to tmpfs

    • selinux-policy-38.1.27-1.el9
    • Critical
    • rhel-sst-security-selinux
    • ssg_security
    • 10
    • QE ack, Dev ack
    • False
    • No
    • Restart of the kdump service does not trigger any SELinux denials in the default configuration. The SELinux policy defines a new type and rules for memfd objects created by the kdump service under the /dev/shm directory.
    • Pass
    • Automated
    • All

      What were you trying to do that didn't work?

      kexec-tools is upgraded to acquire the ability to load zboot format kernel.

      Please provide the package NVR for which the bug is seen:

      How reproducible:

      Steps to reproduce

      1. Get kexec-tools-2.0.27-1.el9 from https://brewweb.engineering.redhat.com/brew/buildinfo?buildID=2730318 and install it.

      Running "kexec restart" fails to start the service.
      The SELinux-related audit log, as shown by
      ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR
      looks like this:


      time->Wed Oct 18 22:55:27 2023
      type=PROCTITLE msg=audit(1697684127.171:52): proctitle=2F7362696E2F6B65786563002D73002D64002D70002D2D636F6D6D616E642D6C696E653D424F4F545F494D4147453D286864302C6D73646F7331292F766D6C696E757A2D352E31342E302D3337362E656C392E7838365F363420726F20726573756D653D2F6465762F6D61707065722F7268656C5F68702D2D646C3338306567
      type=SYSCALL msg=audit(1697684127.171:52): arch=c000003e syscall=1 success=no exit=-13 a0=3 a1=7fe863b37010 a2=cc8798 a3=22 items=0 ppid=1150 pid=1633 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kexec" exe="/usr/sbin/kexec" subj=system_u:system_r:kdump_t:s0 key=(null)
      type=AVC msg=audit(1697684127.171:52): avc: denied { write } for pid=1633 comm="kexec" path=2F6D656D66643A6B65726E656C202864656C6574656429 dev="tmpfs" ino=4096 scontext=system_u:system_r:kdump_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
      ----
      time->Thu Oct 19 03:32:01 2023
      type=PROCTITLE msg=audit(1697700721.939:52): proctitle=2F7362696E2F6B65786563002D73002D64002D70002D2D636F6D6D616E642D6C696E653D424F4F545F494D4147453D286864302C6D73646F7331292F766D6C696E757A2D352E31342E302D3337362E656C392E7838365F363420726F20726573756D653D2F6465762F6D61707065722F7268656C5F68702D2D646C3338306567
      type=SYSCALL msg=audit(1697700721.939:52): arch=c000003e syscall=1 success=no exit=-13 a0=3 a1=7fbb79d37010 a2=cc8798 a3=22 items=0 ppid=1143 pid=1626 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kexec" exe="/usr/sbin/kexec" subj=system_u:system_r:kdump_t:s0 key=(null)
      type=AVC msg=audit(1697700721.939:52): avc: denied { write } for pid=1626 comm="kexec" path=2F6D656D66643A6B65726E656C202864656C6574656429 dev="tmpfs" ino=4096 scontext=system_u:system_r:kdump_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
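      As an added example (not part of this issue, and not kexec-tools or selinux-policy code), the script below parses the first event above, decodes the hex-encoded path and proctitle fields the way ausearch -i would, and flags the pattern the fix addresses: a memfd file on tmpfs that carries only the generic tmpfs_t label. The record text is constructed from the audit lines in the report; the field-name set and the function names are the example's own.

```python
import re

# Constructed input: the first event from the report above, with the AVC
# record re-joined onto one line the way auditd writes it.
RECORDS = [
    'type=PROCTITLE msg=audit(1697684127.171:52): proctitle=2F7362696E2F6B65786563002D73002D64002D70002D2D636F6D6D616E642D6C696E653D424F4F545F494D4147453D286864302C6D73646F7331292F766D6C696E757A2D352E31342E302D3337362E656C392E7838365F363420726F20726573756D653D2F6465762F6D61707065722F7268656C5F68702D2D646C3338306567',
    'type=SYSCALL msg=audit(1697684127.171:52): arch=c000003e syscall=1 success=no exit=-13 a0=3 a1=7fe863b37010 a2=cc8798 a3=22 items=0 ppid=1150 pid=1633 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="kexec" exe="/usr/sbin/kexec" subj=system_u:system_r:kdump_t:s0 key=(null)',
    'type=AVC msg=audit(1697684127.171:52): avc: denied { write } for pid=1633 comm="kexec" path=2F6D656D66643A6B65726E656C202864656C6574656429 dev="tmpfs" ino=4096 scontext=system_u:system_r:kdump_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0',
]

# Kernel "untrusted string" fields: written quoted when printable, otherwise
# as an unquoted hex string (the form path= and proctitle= take above).
UNTRUSTED = {"path", "proctitle", "comm", "exe", "cwd", "name"}
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERM_RE = re.compile(r"denied\s*\{\s*([^}]*)\}")

def decode_value(key, raw):
    if raw.startswith('"'):
        return raw.strip('"')
    if key in UNTRUSTED and len(raw) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", raw):
        return bytes.fromhex(raw).decode("utf-8", "replace")
    return raw

def parse_record(line):
    rec = {k: decode_value(k, v) for k, v in FIELD_RE.findall(line)}
    m = PERM_RE.search(line)
    if m:
        rec["perms"] = m.group(1).split()
    return rec

def summarize(lines):
    """Merge the records of one audit event into a single denial summary."""
    merged = {}
    for line in lines:
        merged.update(parse_record(line))
    # proctitle is argv joined with NUL bytes; the kernel truncates it at 128 bytes
    merged["argv"] = merged.get("proctitle", "").split("\0")
    return merged

def is_memfd_on_tmpfs(rec):
    """The pattern this issue is about: an anonymous memfd file that carries
    only the generic tmpfs_t label, which the kdump_t domain may not write."""
    return (rec.get("dev") == "tmpfs" and rec.get("path", "").startswith("/memfd:")
            and rec.get("tcontext", "").endswith(":tmpfs_t:s0"))

if __name__ == "__main__":
    s = summarize(RECORDS)
    print(f'{s["scontext"]} denied {s["perms"]} on {s["path"]} '
          f'(label {s["tcontext"]}, class {s["tclass"]}, argv {s["argv"]})')
    print("memfd-on-tmpfs denial:", is_memfd_on_tmpfs(s))
```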

      Expected results

      "kexec restart" starts the service.

      Actual results

              Zdenek Pytela (rhn-support-zpytela)
              Pingfan Liu (piliu@redhat.com)
              Nikola Kňažeková (Inactive)
              Milos Malik