Bug 1422634
| Field | Value |
|---|---|
| Summary | selinux prevents kernel modules from loading |
| Product | Fedora |
| Reporter | Paul Whalen <pwhalen> |
| Component | selinux-policy |
| Assignee | Lukas Vrabec <lvrabec> |
| Status | CLOSED ERRATA |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Severity | unspecified |
| Priority | unspecified |
| Version | 26 |
| CC | awilliam, benj, dominick.grift, dwalsh, gmarr, lvrabec, mgrepl, pbrobinson, plautrba, pmoore, renault, robatino, ssekidde |
| Target Milestone | --- |
| Target Release | --- |
| Hardware | Unspecified |
| OS | Linux |
| Whiteboard | AcceptedBlocker |
| Fixed In Version | selinux-policy-3.13.1-244.fc26 |
| Doc Type | If docs needed, set a value |
| Story Points | --- |
| Last Closed | 2017-03-14 01:40:05 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
| Bug Blocks | 245418, 1349184 |
Description
Paul Whalen
2017-02-15 18:06:53 UTC
Upgrading to selinux-policy-3.13.1-240.fc26, the system is no longer dropping to an emergency shell, but still fails to load some modules and thus no network on the booted system. AVCs below:

Feb 21 09:47:05 localhost.localdomain audit[467]: AVC avc: denied { module_load } for pid=467 comm="systemd-udevd" path="/usr/lib/modules/4.10.0-0.rc8.git2.1.fc26.aarch64/kernel/drivers/mtd/chips/chipreg.ko" dev="dm-0" ino=135512 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:modules_object_t:s0 tclass=system permissive=0
Feb 21 09:47:05 localhost.localdomain audit[467]: AVC avc: denied { module_load } for pid=467 comm="systemd-udevd" path="/usr/lib/modules/4.10.0-0.rc8.git2.1.fc26.aarch64/kernel/drivers/net/virtio_net.ko" dev="dm-0" ino=133714 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:modules_object_t:s0 tclass=system permissive=0

Seeing this across aarch64 and ARMv7 across a number of devices.

Created attachment 1256505
Rawhide-20170222.n.0 AVC

Created attachment 1256506
Rawhide-20170222.n.0 journalctl
Attached avcs and journalctl from Fedora-Minimal-armhfp-Rawhide-20170222.n.0 boot on the wandboard with selinux-policy-3.13.1-241.fc26.noarch.
Proposing as an Alpha Blocker, without kernel modules many of the system services fail, including network. Citing criteria 'The installed system must be able to download and install updates with the default console package manager.'

Booting Fedora-Minimal-armhfp-Rawhide-20170226.n.0:

..
[ OK ] Reached target Switch Root.
Starting Switch Root...
[ 43.241717] systemd-journald[170]: Received SIGTERM from PID 1 (systemd).
[ 45.331480] systemd: 16 output lines suppressed due to ratelimiting
[ 47.320421] SELinux: Class sctp_socket not defined in policy.
[ 47.326945] SELinux: Class icmp_socket not defined in policy.
[ 47.333148] SELinux: Class ax25_socket not defined in policy.
[ 47.339337] SELinux: Class ipx_socket not defined in policy.
[ 47.345434] SELinux: Class netrom_socket not defined in policy.
[ 47.351799] SELinux: Class atmpvc_socket not defined in policy.
[ 47.358163] SELinux: Class x25_socket not defined in policy.
[ 47.364254] SELinux: Class rose_socket not defined in policy.
[ 47.370435] SELinux: Class decnet_socket not defined in policy.
[ 47.376797] SELinux: Class atmsvc_socket not defined in policy.
[ 47.383160] SELinux: Class rds_socket not defined in policy.
[ 47.389250] SELinux: Class irda_socket not defined in policy.
[ 47.395431] SELinux: Class pppox_socket not defined in policy.
[ 47.401704] SELinux: Class llc_socket not defined in policy.
[ 47.407793] SELinux: Class can_socket not defined in policy.
[ 47.414167] SELinux: Class tipc_socket not defined in policy.
[ 47.420380] SELinux: Class bluetooth_socket not defined in policy.
[ 47.427023] SELinux: Class iucv_socket not defined in policy.
[ 47.433206] SELinux: Class rxrpc_socket not defined in policy.
[ 47.439479] SELinux: Class isdn_socket not defined in policy.
[ 47.445660] SELinux: Class phonet_socket not defined in policy.
[ 47.452022] SELinux: Class ieee802154_socket not defined in policy.
[ 47.458749] SELinux: Class caif_socket not defined in policy.
[ 47.464930] SELinux: Class alg_socket not defined in policy.
[ 47.471019] SELinux: Class nfc_socket not defined in policy.
[ 47.477109] SELinux: Class vsock_socket not defined in policy.
[ 47.483380] SELinux: Class kcm_socket not defined in policy.
[ 47.489469] SELinux: Class qipcrtr_socket not defined in policy.
[ 47.495923] SELinux: Class smc_socket not defined in policy.
[ 47.502017] SELinux: the above unknown classes and permissions will be allowed
[ 47.728502] kauditd_printk_skb: 57 callbacks suppressed
[ 47.734283] audit: type=1403 audit(1478193440.225:51): policy loaded auid=4294967295 ses=4294967295
[ 47.786587] systemd[1]: Successfully loaded SELinux policy in 2.189002s.
[ 48.645206] systemd[1]: Relabelled /dev and /run in 655.580ms.
..

Created attachment 1258178
Fedora-Minimal-armhfp-Rawhide-20170226 audit.log

Created attachment 1258180
Fedora-Minimal-armhfp-Rawhide-20170226 journalctl
Discussed during the 2017-02-27 blocker review meeting: [1] The decision to classify this bug as an accepted blocker was made as it violates the following Alpha-blocker criteria: "The installed system must be able to download and install updates with the default console package manager."

[1] https://meetbot.fedoraproject.org/fedora-blocker-review/2017-02-27/f26-blocker-review.2017-02-27-17.00.txt

This bug appears to have been reported against 'rawhide' during the Fedora 26 development cycle. Changing version to '26'.

This is expected to be addressed in the next selinux-policy build, but builds have been failing. Adjusting status to MODIFIED to reflect this. SELinux folks, can you please get a build done and an update submitted? We are now one week from Alpha go/no-go. Thanks!

FYI I just fixed the selinux-policy-3.13.1-244.fc26 build and it's building now, I was planning on submitting it once it was complete so we can at least begin the process to verify that build.

It failed. https://koji.fedoraproject.org/koji/taskinfo?taskID=18287440

/usr/bin/semodule_expand tmp/test.lnk tmp/policy.bin
libsepol.expand_terule_helper: conflicting TE rule for (abrt_t, exim_exec_t:process): old was system_mail_t, new is sendmail_t
libsepol.expand_module: Error during expand
/usr/bin/semodule_expand: Error while expanding policy
make: *** [Rules.modular:203: validate] Error 1

Yep, I fixed two other issues and it builds with 'fedpkg local' now but fails in koji.

Sorry guys I was busy these days. Thank you Peter for help on broken builds. I fixed F26 build and it's right now in koji.
Also rules related to module_load look fixed:

# cat avc
type=AVC msg=audit(1487177543.990:126): avc: denied { module_load } for pid=724 comm="modprobe" path="/usr/lib/modules/4.10.0-0.rc8.git0.1.fc26.aarch64/kernel/fs/fat/fat.ko" dev="dm-0" ino=2363271 scontext=system_u:system_r:insmod_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=system permissive=0
type=AVC msg=audit(1487177551.520:127): avc: denied { module_load } for pid=725 comm="modprobe" path="/usr/lib/modules/4.10.0-0.rc8.git0.1.fc26.aarch64/kernel/fs/fat/fat.ko" dev="dm-0" ino=2363271 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=system permissive=0
type=AVC msg=audit(1487177559.600:129): avc: denied { module_load } for pid=727 comm="modprobe" path="/usr/lib/modules/4.10.0-0.rc8.git0.1.fc26.aarch64/kernel/fs/fat/fat.ko" dev="dm-0" ino=2363271 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=system permissive=1

# audit2allow -i avc

#============= insmod_t ==============
#!!!! This avc is allowed in the current policy
allow insmod_t modules_object_t:system module_load;

#============= unconfined_t ==============
#!!!! This avc is allowed in the current policy
allow unconfined_t modules_object_t:system module_load;

# sesearch -A -s udev_t -t modules_object_t | grep module_load
allow can_load_kernmodule modules_object_t : system module_load ;

selinux-policy-3.13.1-244.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-52e704bb92

selinux-policy-3.13.1-244.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-52e704bb92

selinux-policy-3.13.1-244.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.
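As an added example (not code from this bug report or from the selinux-policy project), the Python below parses AVC records of the form quoted in this bug, emits the allow rule audit2allow would generate for each, and checks it against a small model of the module_load rule the sesearch output shows. The membership of udev_t, insmod_t and unconfined_t in can_load_kernmodule, the pre-fix policy lacking udev_t, and the sample records are assumptions constructed for the example.

```python
import re
# Constructed sample records in the shape of the denials quoted in this bug:
# the udev_t denial from the report, an insmod_t record and a permissive=1 record.
SAMPLE_LOG = """\
Feb 21 09:47:05 localhost audit[467]: AVC avc: denied { module_load } for pid=467 comm="systemd-udevd" path="/usr/lib/modules/KVER/kernel/drivers/net/virtio_net.ko" dev="dm-0" ino=133714 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:modules_object_t:s0 tclass=system permissive=0
type=AVC msg=audit(1487177543.990:126): avc: denied { module_load } for pid=724 comm="modprobe" path="/usr/lib/modules/KVER/kernel/fs/fat/fat.ko" dev="dm-0" ino=2363271 scontext=system_u:system_r:insmod_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=system permissive=0
type=AVC msg=audit(1487177559.600:129): avc: denied { module_load } for pid=727 comm="modprobe" path="/usr/lib/modules/KVER/kernel/fs/fat/fat.ko" dev="dm-0" ino=2363271 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=system permissive=1
"""
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?scontext=(?P<scon>\S+)"
    r"\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<perm>[01]))?"
)

def parse_avc(line):
    """Source/target type, class, permissions and permissive flag of one AVC record, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A context is user:role:type[:range]; the type is the third field.
    return {"stype": m.group("scon").split(":")[2], "ttype": m.group("tcon").split(":")[2],
            "tclass": m.group("tclass"), "perms": set(m.group("perms").split()),
            "permissive": m.group("perm") == "1"}

# Policy model: rule sources/targets may be attributes, expanded via membership as sesearch
# does. Assumption: in selinux-policy-3.13.1-244 udev_t, insmod_t and unconfined_t all carry
# can_load_kernmodule; the pre-fix policy is modelled with udev_t missing from the attribute.
ALLOW_MODULE_LOAD = [("can_load_kernmodule", "modules_object_t", "system", {"module_load"})]
POLICY_FIXED = {"attrs": {"can_load_kernmodule": {"insmod_t", "udev_t", "unconfined_t"}},
                "allow": ALLOW_MODULE_LOAD}
POLICY_BROKEN = {"attrs": {"can_load_kernmodule": {"insmod_t", "unconfined_t"}},
                 "allow": ALLOW_MODULE_LOAD}

def is_allowed(policy, avc):
    """True if some allow rule, after attribute expansion, grants every denied permission."""
    for src, tgt, cls, perms in policy["allow"]:
        sources, targets = policy["attrs"].get(src, {src}), policy["attrs"].get(tgt, {tgt})
        if avc["stype"] in sources and avc["ttype"] in targets and cls == avc["tclass"] \
                and avc["perms"] <= perms:
            return True
    return False

def triage(log, policy):
    """Per denial: the audit2allow-style rule and whether the policy already covers it."""
    results = []
    for avc in filter(None, map(parse_avc, log.splitlines())):
        rule = "allow %s %s:%s { %s };" % (avc["stype"], avc["ttype"], avc["tclass"],
                                           " ".join(sorted(avc["perms"])))
        results.append((rule, is_allowed(policy, avc)))
    return results
```

Against POLICY_BROKEN only the udev_t record comes back uncovered, which is the denial this bug reports; against POLICY_FIXED all three are covered, matching the "This avc is allowed in the current policy" annotations above.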