Bug 1697632
| Summary: | fuse-overlayfs causes systemd-modules-load service to fail | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Jason Montleon <jmontleo> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 30 | CC: | dwalsh, fkluknav, gscrivan, lsm5, lvrabec, mgrepl, plautrba, zpytela |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | selinux-policy-3.14.3-29.fc30 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2019-04-13 00:05:28 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Jason Montleon
2019-04-08 21:05:12 UTC
Dan, should we drop the patch for loading the fuse module? Is the fuse module always loaded? Has the fuse module been renamed?

The module is still called fuse.

$ lsmod | grep fuse
fuse 131072 7

looks like a selinux issue:

type=AVC msg=audit(1554819688.831:386): avc: denied { read } for pid=3180 comm="systemd-modules" name="modules.softdep" dev="dm-0" ino=788279 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=unconfined_u:object_r:modules_dep_t:s0 tclass=file permissive=0

Jason, could you try again with selinux disabled?

Yes, good catch, booting in permissive it works. I see these:

type=AVC msg=audit(1554755106.391:397): avc: denied { read } for pid=4830 comm="systemd-modules" name="modules.softdep" dev="dm-1" ino=539027258 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file permissive=0

type=AVC msg=audit(1554755106.391:398): avc: denied { read } for pid=4830 comm="systemd-modules" name="modules.dep.bin" dev="dm-1" ino=539027494 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file permissive=0

type=AVC msg=audit(1554755106.391:399): avc: denied { read } for pid=4830 comm="systemd-modules" name="modules.dep.bin" dev="dm-1" ino=539027494 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file permissive=0

type=AVC msg=audit(1554755106.391:400): avc: denied { read } for pid=4830 comm="systemd-modules" name="modules.alias.bin" dev="dm-1" ino=539027257 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file permissive=0

commit 021823926ae7bff86e92ea8d119d5150c0d89a63
Author: Lukas Vrabec <lvrabec>
Date: Tue Apr 9 10:27:54 2019 +0200

Allow systemd_modules_load to read modules_dep_t files

selinux-policy-3.14.3-28.fc30 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-b514a5c8a3

selinux-policy-3.14.3-28.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-b514a5c8a3

selinux-policy-3.14.3-29.fc30 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-7cb094d99a

selinux-policy-3.14.3-29.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.
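An added example, not part of the bug report or of the selinux-policy source: a small Python triage script that groups AVC denials such as the ones quoted in this report by source type, target type and object class, and derives the raw type-enforcement rule they imply. The function names are illustrative, and the generated `allow` line is the generic form of the missing permission, not the text of the policy commit.

```python
import re
from collections import defaultdict

# Three of the AVC records quoted in this report (audit ids 386, 397 and 400).
SAMPLE = """\
type=AVC msg=audit(1554819688.831:386): avc: denied { read } for pid=3180 comm="systemd-modules" name="modules.softdep" dev="dm-0" ino=788279 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=unconfined_u:object_r:modules_dep_t:s0 tclass=file permissive=0
type=AVC msg=audit(1554755106.391:397): avc: denied { read } for pid=4830 comm="systemd-modules" name="modules.softdep" dev="dm-1" ino=539027258 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file permissive=0
type=AVC msg=audit(1554755106.391:400): avc: denied { read } for pid=4830 comm="systemd-modules" name="modules.alias.bin" dev="dm-1" ino=539027257 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
    r'(?:\s+permissive=(?P<permissive>[01]))?'
)
NAME_RE = re.compile(r'\bname="([^"]*)"')

def selinux_type(context):
    # A context is user:role:type:level; the level may itself contain ':'.
    return context.split(":", 3)[2]

def summarize(log_text):
    """Group denials by (source type, target type, class); the SELinux user is ignored."""
    groups = defaultdict(lambda: {"perms": set(), "names": set(), "enforced": False})
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial record
        group = groups[(selinux_type(m["scon"]), selinux_type(m["tcon"]), m["tclass"])]
        group["perms"].update(m["perms"].split())
        name = NAME_RE.search(line)
        if name:
            group["names"].add(name.group(1))
        if m["permissive"] == "0":
            group["enforced"] = True  # the access was actually blocked
    return dict(groups)

def allow_rules(groups):
    """Render one raw type-enforcement rule per group."""
    rules = []
    for (src, tgt, cls), group in sorted(groups.items()):
        perms = sorted(group["perms"])
        perm_text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_text};")
    return rules

if __name__ == "__main__":
    print("\n".join(allow_rules(summarize(SAMPLE))))
```

The record from `dm-0` carries `unconfined_u` in its target context while the others carry `system_u`, yet all of them collapse into a single rule because only the type fields differ between allowed and denied access here.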