Bug 1698097 - SELinux causes the "Kernel driver not installed (rc = -1908)" error when running guest machines in VirtualBox.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 30
Hardware: x86_64
OS: Linux
medium
high
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2019-04-09 15:45 UTC by Gleb Yeliseev
Modified: 2019-04-30 11:34 UTC (History)

Fixed In Version: selinux-policy-3.14.3-29.fc30
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-04-13 00:05:30 UTC
Type: Bug
Embargoed:


Attachments (Terms of Use)
"ausearch -m avx" result (2.26 KB, text/plain)
2019-04-09 15:45 UTC, Gleb Yeliseev
"ausearch -m avc" result (38.50 KB, text/plain)
2019-04-09 15:47 UTC, Gleb Yeliseev

Description Gleb Yeliseev 2019-04-09 15:45:33 UTC
Created attachment 1553875 [details]
"ausearch -m avx" result

Description of problem:

SELinux causes the "Kernel driver not installed (rc = -1908)" error when running guest machines in VirtualBox (from rpmfusion).
The result of the "systemctl restart systemd-modules-load.service" command:

Failed to lookup module alias 'vboxdrv': Function not implemented
Failed to lookup module alias 'vboxnetflt': Function not implemented
Failed to lookup module alias 'vboxnetadp': Function not implemented
Failed to lookup module alias 'vboxpci': Function not implemented
systemd[1]: systemd-modules-load.service: Main process exited, code=exited, status=1/FAILURE
systemd[1]: systemd-modules-load.service: Failed with result 'exit-code'.
systemd[1]: Failed to start Load Kernel Modules.

Akmods command output: 
Checking kmods exist for 5.0.6-300.fc30.x86_64 [OK]

Version-Release number of selected component (if applicable):
kernel: 5.0.6-300.fc30.x86_64
selinux-policy-3.14.3-27.fc30.noarch
VirtualBox-6.0.4-2.fc30.x86_64
dkms-2.6.1-3.fc30.noarch

Steps to Reproduce:
1. enable secure boot

2. sudo dnf install @development-tools
   sudo dnf install kernel-devel kernel-headers dkms qt5-qtx11extras elfutils-libelf-devel zlib-devel
   sudo usermod -a -G vboxusers $USER

3. openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -nodes -days 36500 -subj "/CN=Someorganization.com/"

4. for f in $(dirname $(modinfo -n vboxdrv))/*.ko; do echo "Signing $f"; sudo /usr/src/kernels/$(uname -r)/scripts/sign-file sha256 ./MOK.priv ./MOK.der $f; done

5. sudo mokutil --import MOK.der

6. reboot, select “Enroll MOK”, then “Continue”, and then “Yes”;

7. try to run some guest machine 

Actual results:

Kernel driver not installed (rc = -1908)


Expected results:

The guest OS is running.

8. edit the /etc/selinux/config file as follows (switch to permissive mode):

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of these three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected. 
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

9. reboot and try to run some guest machine

Actual results:

The guest OS is running.

Additional info:
1. mokutil --sb-state
   SecureBoot enabled
2. sudo mokutil --list-enrolled
   My certificate is in the list of enrolled certificates.
3. dmesg | grep cert
[    2.758905] Loading compiled-in X.509 certificates
[    2.839792] Loaded X.509 cert 'Fedora kernel signing key: f3d58d4c27c9324ae906085cc56865624e714874'
[    2.880534] integrity: Loading X.509 certificate: UEFI:db
[    2.880615] integrity: Loaded X.509 cert 'Microsoft Windows Production PCA 2011: a92902398e16c49778cd90f99e4f9ae17c55af53'
[    2.880617] integrity: Loading X.509 certificate: UEFI:db
[    2.880661] integrity: Loaded X.509 cert 'Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4'
[    2.880662] integrity: Loading X.509 certificate: UEFI:db
[    2.881103] integrity: Loaded X.509 cert 'Wistron Secure Flash: 34988c042fea03ab4cf14666886666c5'
[    2.881104] integrity: Loading X.509 certificate: UEFI:db
[    2.881134] integrity: Loaded X.509 cert 'Acer Database: 84f00f5841571abd2cc11a8c26d5c9c8d2b6b0b5'
[    2.881292] integrity: Loading X.509 certificate: UEFI:MokListRT
[    2.881926] integrity: Loaded X.509 cert 'boot_key: 30f9aec637b6bcf0286df26ebe1c9bea4011972e'
[    2.881929] integrity: Loading X.509 certificate: UEFI:MokListRT
[    2.882819] integrity: Loaded X.509 cert 'Someorganization.com: 7c5fbeec6136e070427b9708165e2618be601382'
[    2.882820] integrity: Loading X.509 certificate: UEFI:MokListRT
[    2.883727] integrity: Loaded X.509 cert 'Fedora Secure Boot CA: fde32599c2d61db1bf5807335d7b20e4cd963b42'
[   63.547343] cfg80211: Loading compiled-in X.509 certificates for regulatory database
[   63.561178] cfg80211: Loaded X.509 cert 'sforshee: 00b28ddf47aef9cea7'

4. ausearch -m avx
   see attachments
5. ausearch -m avc
   see attachments
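
Triage of a large `ausearch -m avc` dump such as the attachments above is easier once the denials are grouped. The following is an added Python example, not part of the bug report or of the selinux-policy project: it parses AVC records, groups them by source type, target type and object class, merges the permission sets, and records whether each group was actually enforced (`permissive=0`) or only logged after the switch to permissive mode in step 8. The sample records embedded below are constructed to illustrate the record format; they are not the reporter's attached denials, and the type names in them are only plausible stand-ins.

```python
"""Group SELinux AVC denials from `ausearch -m avc` output for triage.

Added example (not from the bug report). The sample records are constructed;
they are not the reporter's actual denials.
"""
import re
from collections import defaultdict

# Constructed sample in `ausearch -m avc` format. Record ids, inode numbers and
# the exact denials are illustrative assumptions, not data from the attachments.
SAMPLE_AUSEARCH = """\
----
time->Tue Apr  9 18:40:01 2019
type=AVC msg=audit(1554824401.123:210): avc:  denied  { read } for  pid=612 comm="systemd-modules" name="modules.alias.bin" dev="sda3" ino=1234 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=file permissive=0
----
time->Tue Apr  9 18:40:01 2019
type=AVC msg=audit(1554824401.124:211): avc:  denied  { open } for  pid=612 comm="systemd-modules" path="/lib/modules/5.0.6-300.fc30.x86_64/modules.alias.bin" dev="sda3" ino=1234 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=file permissive=0
----
time->Tue Apr  9 18:40:01 2019
type=AVC msg=audit(1554824401.130:212): avc:  denied  { read } for  pid=612 comm="systemd-modules" name="modules.alias.bin" dev="sda3" ino=1234 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=file permissive=0
----
time->Wed Apr 10 09:12:44 2019
type=AVC msg=audit(1554880364.500:98): avc:  denied  { search } for  pid=610 comm="systemd-modules" name="5.0.6-300.fc30.x86_64" dev="sda3" ino=4321 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=dir permissive=1
"""

# "avc:  denied  { read open }" -> verdict and the permission list inside braces
VERDICT_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}")
# key=value pairs; values may be double-quoted (comm, name, path) or bare tokens
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(text):
    """Return one dict per type=AVC record found in ausearch output."""
    records = []
    for line in text.splitlines():
        if "type=AVC" not in line:
            continue  # skip the "----" separators and time-> lines
        m = VERDICT_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        records.append({
            "verdict": m.group(1),
            "perms": tuple(sorted(m.group(2).split())),
            "comm": fields.get("comm", "?"),
            "scontext": fields["scontext"],
            "tcontext": fields["tcontext"],
            "tclass": fields["tclass"],
            # permissive=0 means the access was really blocked; an older audit
            # without the field is treated as enforced, the conservative reading
            "enforced": fields.get("permissive", "0") == "0",
        })
    return records


def type_of(context):
    """'system_u:system_r:systemd_modules_load_t:s0' -> 'systemd_modules_load_t'."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def summarize(records):
    """Group denials by (source type, target type, class); merge perms and count."""
    groups = defaultdict(lambda: {"perms": set(), "count": 0, "enforced": False, "comms": set()})
    for r in records:
        if r["verdict"] != "denied":
            continue
        g = groups[(type_of(r["scontext"]), type_of(r["tcontext"]), r["tclass"])]
        g["perms"].update(r["perms"])
        g["count"] += 1
        g["enforced"] = g["enforced"] or r["enforced"]
        g["comms"].add(r["comm"])
    return dict(groups)


def format_summary(groups):
    """One line per group, in the 'source -> target:class { perms }' shape a policy reviewer reads."""
    lines = []
    for (src, tgt, cls), g in sorted(groups.items()):
        mode = "enforced" if g["enforced"] else "permissive only"
        lines.append(
            f"{g['count']:4d}x {src} -> {tgt}:{cls} {{ {' '.join(sorted(g['perms']))} }}"
            f"  comm={','.join(sorted(g['comms']))}  [{mode}]"
        )
    return lines


if __name__ == "__main__":
    for line in format_summary(summarize(parse_avc(SAMPLE_AUSEARCH))):
        print(line)
```

The `[enforced]` / `[permissive only]` flag is what makes the summary usable after step 8: in permissive mode the same denials keep being logged with `permissive=1`, so a grouping that drops the field makes a system that now works look just as broken as before. The grouped `source -> target:class { perms }` lines are the shape of rule a policy maintainer compares against a shipped selinux-policy update; they are a reading aid, not something to feed back into the policy unreviewed.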

Comment 1 Gleb Yeliseev 2019-04-09 15:47:20 UTC
Created attachment 1553876 [details]
"ausearch -m avc" result

Comment 3 Fedora Update System 2019-04-10 12:01:27 UTC
selinux-policy-3.14.3-28.fc30 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-b514a5c8a3

Comment 4 Fedora Update System 2019-04-12 02:47:04 UTC
selinux-policy-3.14.3-28.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-b514a5c8a3

Comment 5 Fedora Update System 2019-04-12 09:50:25 UTC
selinux-policy-3.14.3-29.fc30 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-7cb094d99a

Comment 6 Fedora Update System 2019-04-13 00:05:30 UTC
selinux-policy-3.14.3-29.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.

Comment 7 Michael 2019-04-30 09:19:32 UTC
Will this be backported to Fedora 29 as well?

Comment 8 Lukas Vrabec 2019-04-30 09:33:12 UTC
Are you facing same issue also on Fedora 29?

Comment 9 Michael 2019-04-30 09:39:45 UTC
I'm experiencing the same symptoms, yes.

I have a self-signed kernel module and the key is enrolled with mokutil.
I can see the key when I perform a mokutil --list-enrolled.

But when I try to load the module with modprobe, I'm getting:
modprobe: ERROR: could not insert '***': Operation not permitted

'dmesg' output is:
PKCS#7 signature not signed with a trusted key

'keyctl list %:.builtin_trusted_keys' gives me:
1 key in keyring:
892539136: ---lswrv     0     0 asymmetric: Fedora kernel signing key: 6f4b0dfe2ebeeac4fb22935af6b2fffa759129af

which is way too few...

I haven't checked with SELinux permissive mode. But I will shortly...

Comment 10 Michael 2019-04-30 10:14:46 UTC
Seems like SELinux is not the culprit.

Any other idea why the certificates show up in mokutil, in dmesg but NOT in the keyring?

Comment 11 Michael 2019-04-30 11:34:58 UTC
The same symptoms are caused by something different on Fedora 29.
See https://bugzilla.redhat.com/show_bug.cgi?id=1701096.

