Bug 1697632 - fuse-overlayfs causes systemd-modules-load service to fail
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 30
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
Reported: 2019-04-08 21:05 UTC by Jason Montleon
Modified: 2020-05-13 15:50 UTC (History)

Fixed In Version: selinux-policy-3.14.3-29.fc30
Last Closed: 2019-04-13 00:05:28 UTC
Type: Bug

Description Jason Montleon 2019-04-08 21:05:12 UTC
Description of problem:
fuse-overlayfs contains /usr/lib/modules-load.d/fuse-overlayfs.conf with the contents 'fuse'. This causes systemd-load-modules to fail with kernel 5.0.6.

Version-Release number of selected component (if applicable):
fuse-overlayfs-0.3-8.dev.gita6958ce
kernel-5.0.6-300.fc30.x86_64

How reproducible:
Seems always

Steps to Reproduce:
1. Install Fedora 30
2. Install fuse-overlayfs
3. Reboot

Actual results:
Service fails with an error message to the effect, Failed to lookup alias 'fuse'

Expected results:
systemd-modules-load starts normally

Additional info:
Worked around it for now by uninstalling fuse-overlayfs.

Comment 1 Giuseppe Scrivano 2019-04-09 07:59:37 UTC
Dan, should we drop the patch for loading the fuse module?

Comment 2 Daniel Walsh 2019-04-09 11:25:43 UTC
Is the fuse module always loaded?  Has the fuse module been renamed?

Comment 3 Jason Montleon 2019-04-09 14:07:40 UTC
The module is still called fuse.

$ lsmod | grep fuse
fuse                  131072  7

Comment 4 Giuseppe Scrivano 2019-04-09 14:23:54 UTC
Looks like an SELinux issue:

type=AVC msg=audit(1554819688.831:386): avc:  denied  { read } for  pid=3180 comm="systemd-modules" name="modules.softdep" dev="dm-0" ino=788279 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=unconfined_u:object_r:modules_dep_t:s0 tclass=file permissive=0


Jason, could you try again with SELinux disabled?

Comment 5 Jason Montleon 2019-04-09 15:40:25 UTC
Yes, good catch, booting in permissive it works.

I see these:
type=AVC msg=audit(1554755106.391:397): avc:  denied  { read } for  pid=4830 comm="systemd-modules" name="modules.softdep" dev="dm-1" ino=539027258 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file permissive=0
type=AVC msg=audit(1554755106.391:398): avc:  denied  { read } for  pid=4830 comm="systemd-modules" name="modules.dep.bin" dev="dm-1" ino=539027494 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file permissive=0
type=AVC msg=audit(1554755106.391:399): avc:  denied  { read } for  pid=4830 comm="systemd-modules" name="modules.dep.bin" dev="dm-1" ino=539027494 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file permissive=0
type=AVC msg=audit(1554755106.391:400): avc:  denied  { read } for  pid=4830 comm="systemd-modules" name="modules.alias.bin" dev="dm-1" ino=539027257 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file permissive=0
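
An added example, not part of the original report or of selinux-policy: a small Python parser that groups the AVC records quoted in comments 4 and 5 by source type, target type and class, and renders the candidate type-enforcement rule a policy maintainer would review, much as audit2allow does. The function names are assumptions of this example.

```python
import re
from collections import defaultdict

# AVC records copied from comments 4 and 5 of this report.
AUDIT_LOG = """\
type=AVC msg=audit(1554819688.831:386): avc:  denied  { read } for  pid=3180 comm="systemd-modules" name="modules.softdep" dev="dm-0" ino=788279 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=unconfined_u:object_r:modules_dep_t:s0 tclass=file permissive=0
type=AVC msg=audit(1554755106.391:397): avc:  denied  { read } for  pid=4830 comm="systemd-modules" name="modules.softdep" dev="dm-1" ino=539027258 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file permissive=0
type=AVC msg=audit(1554755106.391:398): avc:  denied  { read } for  pid=4830 comm="systemd-modules" name="modules.dep.bin" dev="dm-1" ino=539027494 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file permissive=0
type=AVC msg=audit(1554755106.391:399): avc:  denied  { read } for  pid=4830 comm="systemd-modules" name="modules.dep.bin" dev="dm-1" ino=539027494 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file permissive=0
type=AVC msg=audit(1554755106.391:400): avc:  denied  { read } for  pid=4830 comm="systemd-modules" name="modules.alias.bin" dev="dm-1" ino=539027257 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Parse one AVC denial; the type is field 3 of user:role:type:level."""
    m = AVC_RE.search(line) if line.startswith("type=AVC") else None
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    rec["source_type"] = rec["scontext"].split(":")[2]
    rec["target_type"] = rec["tcontext"].split(":")[2]
    return rec

def summarize(log_text):
    """Group denials by (source type, target type, class)."""
    groups = defaultdict(lambda: {"perms": set(), "names": set(), "enforcing": False})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        g = groups[(rec["source_type"], rec["target_type"], rec["tclass"])]
        g["perms"].update(rec["perms"])
        g["names"].add(rec.get("name", "?"))
        g["enforcing"] |= rec.get("permissive") == "0"  # 0 = access was really blocked
    return dict(groups)

def candidate_rules(groups):
    """Render each group as a type-enforcement rule for review, not blind loading."""
    rules = []
    for (src, tgt, tclass), g in sorted(groups.items()):
        perms = sorted(g["perms"])
        perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {src} {tgt}:{tclass} {perm_str};")
    return rules

if __name__ == "__main__":
    print("\n".join(candidate_rules(summarize(AUDIT_LOG))))
```

All five records collapse to one rule even though the target context's SELinux user differs between the two machines (unconfined_u and system_u), because type enforcement decides on the type field alone.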

Comment 6 Lukas Vrabec 2019-04-10 08:28:16 UTC
commit 021823926ae7bff86e92ea8d119d5150c0d89a63
Author: Lukas Vrabec <lvrabec>
Date:   Tue Apr 9 10:27:54 2019 +0200

    Allow systemd_modules_load to read modules_dep_t files

Comment 7 Fedora Update System 2019-04-10 12:01:24 UTC
selinux-policy-3.14.3-28.fc30 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-b514a5c8a3

Comment 8 Fedora Update System 2019-04-12 02:47:02 UTC
selinux-policy-3.14.3-28.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-b514a5c8a3

Comment 9 Fedora Update System 2019-04-12 09:50:23 UTC
selinux-policy-3.14.3-29.fc30 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-7cb094d99a

Comment 10 Fedora Update System 2019-04-13 00:05:28 UTC
selinux-policy-3.14.3-29.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.

