1422634 – selinux prevents kernel modules from loading

Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.

Bug 1422634 - selinux prevents kernel modules from loading

Summary: selinux prevents kernel modules from loading

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	26
Hardware:	Unspecified
OS:	Linux
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Lukas Vrabec
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:	AcceptedBlocker
Depends On:
Blocks:	ARMTracker F26AlphaBlocker
TreeView+	depends on / blocked

Reported:	2017-02-15 18:06 UTC by Paul Whalen
Modified:	2017-03-14 01:40 UTC (History)
CC List:	13 users (show)
Fixed In Version:	selinux-policy-3.13.1-244.fc26
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2017-03-14 01:40:05 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
Rawhide-20170222.n.0 AVC (deleted) 2017-02-22 15:37 UTC, Paul Whalen	no flags	Details
Rawhide-20170222.n.0 journalctl (deleted) 2017-02-22 15:40 UTC, Paul Whalen	no flags	Details
Fedora-Minimal-armhfp-Rawhide-20170226 audit.log (deleted) 2017-02-27 18:20 UTC, Paul Whalen	no flags	Details
Fedora-Minimal-armhfp-Rawhide-20170226 journalctl (deleted) 2017-02-27 18:22 UTC, Paul Whalen	no flags	Details
View All

Description Paul Whalen 2017-02-15 18:06:53 UTC

Description of problem:
selinux prevents kernel modules from loading during boot, attempts to manually load modules also fail with permission denied.

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-239.fc26.noarch

How reproducible:
Everytime

Steps to Reproduce:
1. Install (using Fedora-Rawhide-20170214.n.0) or upgrade existing system. Reboot

Actual results:
On aarch64 system drops to emergency shell. Attempting to load the vfat driver manually:

[root@localhost ~]# mount -a
mount: unknown filesystem type 'vfat'
[root@localhost ~]# modprobe vfat
modprobe: ERROR: could not insert 'vfat': Permission denied
[root@localhost ~]# setenforce 0
[root@localhost ~]# modprobe vfat


Expected results:
Booted system with login prompt. 


Additional info:

AVCs during boot:
[   12.776721] audit: type=1400 audit(1487177451.340:97): avc:  denied  { module_load } for  pid=605 comm="systemd-udevd" path="/usr/lib/modules/4.10.0-0.rc8.git0.1.fc26.aarch64/kernel/drivers/pps/pps_core.ko" dev="dm-0" ino=2490776 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:modules_object_t:s0 tclass=system permissive=0
[   12.807757] audit: type=1400 audit(1487177451.340:96): avc:  denied  { module_load } for  pid=608 comm="systemd-udevd" path="/usr/lib/modules/4.10.0-0.rc8.git0.1.fc26.aarch64/kernel/drivers/pps/pps_core.ko" dev="dm-0" ino=2490776 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:modules_object_t:s0 tclass=system permissive=0
[   12.838800] audit: type=1300 audit(1487177451.340:97): arch=c00000b7 syscall=273 success=no exit=-13 a0=7 a1=ffff8bf20cd8 a2=0 a3=7 items=0 ppid=579 pid=605 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-udevd" exe="/usr/lib/systemd/systemd-udevd" subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
[   12.871215] audit: type=1300 audit(1487177451.340:96): arch=c00000b7 syscall=273 success=no exit=-13 a0=7 a1=ffff8bf20cd8 a2=0 a3=7 items=0 ppid=579 pid=608 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-udevd" exe="/usr/lib/systemd/systemd-udevd" subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
[   12.903623] audit: type=1327 audit(1487177451.340:96): proctitle="/usr/lib/systemd/systemd-udevd"
[   12.912498] audit: type=1327 audit(1487177451.340:97): proctitle="/usr/lib/systemd/systemd-udevd"
[   12.921376] audit: type=1400 audit(1487177451.340:98): avc:  denied  { module_load } for  pid=591 comm="systemd-udevd" path="/usr/lib/modules/4.10.0-0.rc8.git0.1.fc26.aarch64/kernel/drivers/spi/spi-pl022.ko" dev="dm-0" ino=2490947 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:modules_object_t:s0 tclass=system permissive=0
[   12.952481] audit: type=1400 audit(1487177451.340:99): avc:  denied  { module_load } for  pid=593 comm="systemd-udevd" path="/usr/lib/modules/4.10.0-0.rc8.git0.1.fc26.aarch64/kernel/drivers/spi/spi-pl022.ko" dev="dm-0" ino=2490947 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:modules_object_t:s0 tclass=system permissive=0
[   12.983589] audit: type=1300 audit(1487177451.340:98): arch=c00000b7 syscall=273 success=no exit=-13 a0=7 a1=ffff8bf20cd8 a2=0 a3=7 items=0 ppid=579 pid=591 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-udevd" exe="/usr/lib/systemd/systemd-udevd" subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
[   13.015998] audit: type=1300 audit(1487177451.340:99): arch=c00000b7 syscall=273 success=no exit=-13 a0=7 a1=ffff8bf20cd8 a2=0 a3=7 items=0 ppid=579 pid=593 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-udevd" exe="/usr/lib/systemd/systemd-udevd" subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)

AVC's when attempting modprobe:

type=AVC msg=audit(1487177543.990:126): avc:  denied  { module_load } for  pid=724 comm="modprobe" path="/usr/lib/modules/4.10.0-0.rc8.git0.1.fc26.aarch64/kernel/fs/fat/fat.ko" dev="dm-0" ino=2363271 scontext=system_u:system_r:insmod_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=system permissive=0
type=AVC msg=audit(1487177551.520:127): avc:  denied  { module_load } for  pid=725 comm="modprobe" path="/usr/lib/modules/4.10.0-0.rc8.git0.1.fc26.aarch64/kernel/fs/fat/fat.ko" dev="dm-0" ino=2363271 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=system permissive=0
type=AVC msg=audit(1487177559.600:129): avc:  denied  { module_load } for  pid=727 comm="modprobe" path="/usr/lib/modules/4.10.0-0.rc8.git0.1.fc26.aarch64/kernel/fs/fat/fat.ko" dev="dm-0" ino=2363271 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=system permissive=1

Comment 1 Paul Whalen 2017-02-21 15:05:32 UTC

Upgrading to selinux-policy-3.13.1-240.fc26, the system is no longer dropping to an emergency shell, but still fails to load some modules and thus no network on the booted system. AVC's below:

Feb 21 09:47:05 localhost.localdomain audit[467]: AVC avc:  denied  { module_load } for  pid=467 comm="systemd-udevd" path="/usr/lib/modules/4.10.0-0.rc8.git2.1.fc26.aarch64/kernel/drivers/mtd/chips/chipreg.ko" dev="dm-0" ino=135512 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:modules_object_t:s0 tclass=system permissive=0
Feb 21 09:47:05 localhost.localdomain audit[467]: AVC avc:  denied  { module_load } for  pid=467 comm="systemd-udevd" path="/usr/lib/modules/4.10.0-0.rc8.git2.1.fc26.aarch64/kernel/drivers/net/virtio_net.ko" dev="dm-0" ino=133714 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:modules_object_t:s0 tclass=system permissive=0

Comment 2 Peter Robinson 2017-02-21 17:23:12 UTC

Seeing this across aarch64 and ARMv7 across a number of devices.

Comment 3 Paul Whalen 2017-02-22 15:37:45 UTC

Created attachment 1256505 [details]
Rawhide-20170222.n.0 AVC

Comment 4 Paul Whalen 2017-02-22 15:40:14 UTC

Created attachment 1256506 [details]
Rawhide-20170222.n.0 journalctl

Attached avcs and journalctl from Fedora-Minimal-armhfp-Rawhide-20170222.n.0 boot on the wandboard with selinux-policy-3.13.1-241.fc26.noarch.

Comment 5 Paul Whalen 2017-02-22 15:47:24 UTC

Proposing as an Alpha Blocker, without kernel modules many of the system services fail, including network. Citing criteria 'The installed system must be able to download and install updates with the default console package manager.'

Comment 6 Paul Whalen 2017-02-27 18:19:29 UTC

Booting Fedora-Minimal-armhfp-Rawhide-20170226.n.0:

..
[  OK  ] Reached target Switch Root.
         Starting Switch Root...
[   43.241717] systemd-journald[170]: Received SIGTERM from PID 1 (systemd).
[   45.331480] systemd: 16 output lines suppressed due to ratelimiting
[   47.320421] SELinux:  Class sctp_socket not defined in policy.
[   47.326945] SELinux:  Class icmp_socket not defined in policy.
[   47.333148] SELinux:  Class ax25_socket not defined in policy.
[   47.339337] SELinux:  Class ipx_socket not defined in policy.
[   47.345434] SELinux:  Class netrom_socket not defined in policy.
[   47.351799] SELinux:  Class atmpvc_socket not defined in policy.
[   47.358163] SELinux:  Class x25_socket not defined in policy.
[   47.364254] SELinux:  Class rose_socket not defined in policy.
[   47.370435] SELinux:  Class decnet_socket not defined in policy.
[   47.376797] SELinux:  Class atmsvc_socket not defined in policy.
[   47.383160] SELinux:  Class rds_socket not defined in policy.
[   47.389250] SELinux:  Class irda_socket not defined in policy.
[   47.395431] SELinux:  Class pppox_socket not defined in policy.
[   47.401704] SELinux:  Class llc_socket not defined in policy.
[   47.407793] SELinux:  Class can_socket not defined in policy.
[   47.414167] SELinux:  Class tipc_socket not defined in policy.
[   47.420380] SELinux:  Class bluetooth_socket not defined in policy.
[   47.427023] SELinux:  Class iucv_socket not defined in policy.
[   47.433206] SELinux:  Class rxrpc_socket not defined in policy.
[   47.439479] SELinux:  Class isdn_socket not defined in policy.
[   47.445660] SELinux:  Class phonet_socket not defined in policy.
[   47.452022] SELinux:  Class ieee802154_socket not defined in policy.
[   47.458749] SELinux:  Class caif_socket not defined in policy.
[   47.464930] SELinux:  Class alg_socket not defined in policy.
[   47.471019] SELinux:  Class nfc_socket not defined in policy.
[   47.477109] SELinux:  Class vsock_socket not defined in policy.
[   47.483380] SELinux:  Class kcm_socket not defined in policy.
[   47.489469] SELinux:  Class qipcrtr_socket not defined in policy.
[   47.495923] SELinux:  Class smc_socket not defined in policy.
[   47.502017] SELinux: the above unknown classes and permissions will be allowed
[   47.728502] kauditd_printk_skb: 57 callbacks suppressed
[   47.734283] audit: type=1403 audit(1478193440.225:51): policy loaded auid=4294967295 ses=4294967295
[   47.786587] systemd[1]: Successfully loaded SELinux policy in 2.189002s.
[   48.645206] systemd[1]: Relabelled /dev and /run in 655.580ms.
..

Comment 7 Paul Whalen 2017-02-27 18:20:43 UTC

Created attachment 1258178 [details]
Fedora-Minimal-armhfp-Rawhide-20170226 audit.log

Comment 8 Paul Whalen 2017-02-27 18:22:59 UTC

Created attachment 1258180 [details]
Fedora-Minimal-armhfp-Rawhide-20170226 journalctl

Comment 9 Geoffrey Marr 2017-02-27 19:01:47 UTC

Discussed during the 2017-02-27 blocker review meeting: [1]

The decision to classify this bug as an accepted blocker was made as it violates the following Alpha-blocker criteria:

"The installed system must be able to download and install updates with the default console package manager."

[1] https://meetbot.fedoraproject.org/fedora-blocker-review/2017-02-27/f26-blocker-review.2017-02-27-17.00.txt

Comment 10 Fedora End Of Life 2017-02-28 11:18:37 UTC

This bug appears to have been reported against 'rawhide' during the Fedora 26 development cycle.
Changing version to '26'.

Comment 11 Adam Williamson 2017-03-06 18:01:41 UTC

This is expected to be addressed in the next selinux-policy build, but builds have been failing. Adjusting status to MODIFIED to reflect this.

Comment 12 Adam Williamson 2017-03-09 17:21:20 UTC

SELinux folks, can you please get a build done and an update submitted? We are now one week from Alpha go/no-go. Thanks!

Comment 13 Peter Robinson 2017-03-09 17:26:47 UTC

FYI I just fixed the selinux-policy-3.13.1-244.fc26 build and it's building now, I was planning on submitting it once it was complete so we can at least begin the process to verify that build.

Comment 14 Adam Williamson 2017-03-09 23:22:51 UTC

It failed.
https://koji.fedoraproject.org/koji/taskinfo?taskID=18287440

/usr/bin/semodule_expand tmp/test.lnk tmp/policy.bin
libsepol.expand_terule_helper: conflicting TE rule for (abrt_t, exim_exec_t:process):  old was system_mail_t, new is sendmail_t
libsepol.expand_module: Error during expand
/usr/bin/semodule_expand:  Error while expanding policy
make: *** [Rules.modular:203: validate] Error 1

Comment 15 Peter Robinson 2017-03-10 09:23:38 UTC

Yep, I fixed two other issues and it builds with 'fedpkg local' now but fails in koji.

Comment 16 Lukas Vrabec 2017-03-10 12:00:31 UTC

Sorry guys I was busy these days. Thank you Peter for help on broken builds. I fixed F26 build and it's right now in koji. 

Also rules related to module_load looks fixed: 

# cat avc
type=AVC msg=audit(1487177543.990:126): avc:  denied  { module_load } for  pid=724 comm="modprobe" path="/usr/lib/modules/4.10.0-0.rc8.git0.1.fc26.aarch64/kernel/fs/fat/fat.ko" dev="dm-0" ino=2363271 scontext=system_u:system_r:insmod_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=system permissive=0
type=AVC msg=audit(1487177551.520:127): avc:  denied  { module_load } for  pid=725 comm="modprobe" path="/usr/lib/modules/4.10.0-0.rc8.git0.1.fc26.aarch64/kernel/fs/fat/fat.ko" dev="dm-0" ino=2363271 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=system permissive=0
type=AVC msg=audit(1487177559.600:129): avc:  denied  { module_load } for  pid=727 comm="modprobe" path="/usr/lib/modules/4.10.0-0.rc8.git0.1.fc26.aarch64/kernel/fs/fat/fat.ko" dev="dm-0" ino=2363271 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=system permissive=1

# audit2allow -i avc 


#============= insmod_t ==============

#!!!! This avc is allowed in the current policy
allow insmod_t modules_object_t:system module_load;

#============= unconfined_t ==============

#!!!! This avc is allowed in the current policy
allow unconfined_t modules_object_t:system module_load;

# sesearch -A -s udev_t -t modules_object_t | grep module_load
   allow can_load_kernmodule modules_object_t : system module_load ;

Comment 17 Fedora Update System 2017-03-10 12:10:56 UTC

selinux-policy-3.13.1-244.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-52e704bb92

Comment 18 Fedora Update System 2017-03-11 00:22:07 UTC

selinux-policy-3.13.1-244.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-52e704bb92

Comment 19 Fedora Update System 2017-03-14 01:40:05 UTC

selinux-policy-3.13.1-244.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.