Bug 1698200 - selinux-policy-3.14.3-27.fc30 broke systemd-modules-load.service loading (denials for modules.softdep and modules.dep.bin)
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 30
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: openqa
Duplicates: 1699559
Depends On:
Blocks: F30FinalBlocker
Reported: 2019-04-09 19:41 UTC by Adam Williamson
Modified: 2020-05-13 15:50 UTC (History)
CC List: 8 users

Fixed In Version: selinux-policy-3.14.3-29.fc30
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-04-13 00:05:31 UTC
Type: Bug
Embargoed:



Description Adam Williamson 2019-04-09 19:41:57 UTC
openQA tests actually caught this:

https://openqa.fedoraproject.org/tests/378325

but I did not notice in time to stop the update going stable, sorry :(. That update - selinux-policy-3.14.3-27.fc30 - seems to have broken systemd-modules-load.service. It shows up as 'failed' on boot after the update is installed. The journal shows several AVCs and then the service fails:

Apr 05 11:00:15 localhost.localdomain audit[623]: AVC avc:  denied  { read } for  pid=623 comm="systemd-modules" name="modules.softdep" dev="dm-0" ino=674728 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=unconfined_u:object_r:modules_dep_t:s0 tclass=file permissive=0
Apr 05 11:00:15 localhost.localdomain audit[623]: AVC avc:  denied  { read } for  pid=623 comm="systemd-modules" name="modules.dep.bin" dev="dm-0" ino=674687 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=unconfined_u:object_r:modules_dep_t:s0 tclass=file permissive=0
Apr 05 11:00:15 localhost.localdomain kernel: audit: type=1400 audit(1554487215.446:67): avc:  denied  { read } for  pid=623 comm="systemd-modules" name="modules.softdep" dev="dm-0" ino=674728 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=unconfined_u:object_r:modules_dep_t:s0 tclass=file permissive=0
Apr 05 11:00:15 localhost.localdomain kernel: audit: type=1400 audit(1554487215.446:68): avc:  denied  { read } for  pid=623 comm="systemd-modules" name="modules.dep.bin" dev="dm-0" ino=674687 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=unconfined_u:object_r:modules_dep_t:s0 tclass=file permissive=0
Apr 05 11:00:15 localhost.localdomain kernel: audit: type=1400 audit(1554487215.446:69): avc:  denied  { read } for  pid=623 comm="systemd-modules" name="modules.dep.bin" dev="dm-0" ino=674687 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=unconfined_u:object_r:modules_dep_t:s0 tclass=file permissive=0
Apr 05 11:00:15 localhost.localdomain audit[623]: AVC avc:  denied  { read } for  pid=623 comm="systemd-modules" name="modules.dep.bin" dev="dm-0" ino=674687 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=unconfined_u:object_r:modules_dep_t:s0 tclass=file permissive=0
Apr 05 11:00:15 localhost.localdomain audit[623]: AVC avc:  denied  { read } for  pid=623 comm="systemd-modules" name="modules.alias.bin" dev="dm-0" ino=674714 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=unconfined_u:object_r:modules_dep_t:s0 tclass=file permissive=0
Apr 05 11:00:15 localhost.localdomain systemd-modules-load[623]: Failed to lookup module alias 'fuse': Function not implemented
Apr 05 11:00:15 localhost.localdomain systemd[1]: systemd-modules-load.service: Main process exited, code=exited, status=1/FAILURE

Proposing as a Final blocker, as this violates "All system services present after installation with one of the release-blocking package sets must start properly, unless they require hardware which is not present." - https://fedoraproject.org/wiki/Fedora_30_Final_Release_Criteria#System_services
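An added example, not code from the bug report or from the selinux-policy project: it parses AVC denial lines of the shape shown above, groups them by source type, target type and object class, and renders the minimal allow rule that would cover them (the same aggregation audit2allow does). The two journal lines in SAMPLE_JOURNAL are constructed copies of the report's own lines; the non-AVC line is included to show it is skipped.

```python
import re
from collections import defaultdict

# Constructed sample: two AVC lines copied from the report plus one unrelated line.
SAMPLE_JOURNAL = """\
Apr 05 11:00:15 localhost.localdomain audit[623]: AVC avc:  denied  { read } for  pid=623 comm="systemd-modules" name="modules.softdep" dev="dm-0" ino=674728 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=unconfined_u:object_r:modules_dep_t:s0 tclass=file permissive=0
Apr 05 11:00:15 localhost.localdomain kernel: audit: type=1400 audit(1554487215.446:68): avc:  denied  { read } for  pid=623 comm="systemd-modules" name="modules.dep.bin" dev="dm-0" ino=674687 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=unconfined_u:object_r:modules_dep_t:s0 tclass=file permissive=0
Apr 05 11:00:15 localhost.localdomain systemd-modules-load[623]: Failed to lookup module alias 'fuse': Function not implemented
"""

# Matches both the "audit[pid]: AVC avc:" and the "kernel: audit: type=1400 ... avc:" forms.
AVC_RE = re.compile(
    r"avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)

def type_of(context):
    """Return the type (third field) of a user:role:type:level security context."""
    return context.split(":")[2]

def parse_avcs(text):
    """Extract one record per AVC line; lines without an AVC message are ignored."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["perms"] = frozenset(rec["perms"].split())
        rec["permissive"] = (rec["permissive"] == "1") if rec["permissive"] else None
        name = re.search(r'name="([^"]*)"', line)
        rec["name"] = name.group(1) if name else None
        records.append(rec)
    return records

def summarize(records):
    """Group denials by (source type, target type, class); union perms, collect file names."""
    grouped = defaultdict(lambda: {"perms": set(), "names": set()})
    for r in records:
        if r["decision"] != "denied":
            continue
        key = (type_of(r["scontext"]), type_of(r["tcontext"]), r["tclass"])
        grouped[key]["perms"] |= r["perms"]
        if r["name"]:
            grouped[key]["names"].add(r["name"])
    return dict(grouped)

def allow_rules(summary):
    """Render each group as a TE allow rule, for review before it goes into policy."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(v['perms']))} }};"
            for (s, t, c), v in sorted(summary.items())]

if __name__ == "__main__":
    for rule in allow_rules(summarize(parse_avcs(SAMPLE_JOURNAL))):
        print(rule)
```

The single rule it emits for this sample is the permission the fix commit in this bug adds; whether an allow rule or a relabel is the right fix still has to be decided from the grouped file names and contexts, not from the generated rule alone.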

Comment 1 Zbigniew Jędrzejewski-Szmek 2019-04-10 07:47:53 UTC
Hmm. tcontext=unconfined_u:object_r:modules_dep_t:s0 looks a bit fishy.

On my machine I have:
$ ls -Z /usr/lib/modules/5.0.6-300.fc30.x86_64/
    system_u:object_r:modules_object_t:s0 bls.conf
    system_u:object_r:modules_object_t:s0 build@
    system_u:object_r:modules_object_t:s0 config
    system_u:object_r:modules_object_t:s0 extra/
    system_u:object_r:modules_object_t:s0 kernel/
unconfined_u:object_r:modules_object_t:s0 modules.alias
unconfined_u:object_r:modules_object_t:s0 modules.alias.bin
    system_u:object_r:modules_object_t:s0 modules.block
    system_u:object_r:modules_object_t:s0 modules.builtin
unconfined_u:object_r:modules_object_t:s0 modules.builtin.bin
unconfined_u:object_r:modules_object_t:s0 modules.dep
unconfined_u:object_r:modules_object_t:s0 modules.dep.bin
unconfined_u:object_r:modules_object_t:s0 modules.devname
    system_u:object_r:modules_object_t:s0 modules.drm
    system_u:object_r:modules_object_t:s0 modules.modesetting
    system_u:object_r:modules_object_t:s0 modules.networking
    system_u:object_r:modules_object_t:s0 modules.order
unconfined_u:object_r:modules_object_t:s0 modules.softdep
unconfined_u:object_r:modules_object_t:s0 modules.symbols
unconfined_u:object_r:modules_object_t:s0 modules.symbols.bin
    system_u:object_r:modules_object_t:s0 source@
    system_u:object_r:modules_object_t:s0 System.map
    system_u:object_r:modules_object_t:s0 updates/
    system_u:object_r:modules_object_t:s0 vdso/
               system_u:object_r:usr_t:s0 vmlinuz*

The ones with unconfined_u appear to be stuff created by kernel-install when called from kernel.rpm's %post.
The other files are installed directly by rpm.
So maybe it's a question of wrong contexts, not missing permissions.

Comment 2 Lukas Vrabec 2019-04-10 08:27:07 UTC
commit 021823926ae7bff86e92ea8d119d5150c0d89a63
Author: Lukas Vrabec <lvrabec>
Date:   Tue Apr 9 10:27:54 2019 +0200

    Allow systemd_modules_load to read modules_dep_t files

Comment 3 Fedora Update System 2019-04-12 23:59:03 UTC
selinux-policy-3.14.3-29.fc30 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-7cb094d99a

Comment 4 Fedora Update System 2019-04-13 00:05:31 UTC
selinux-policy-3.14.3-29.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.

Comment 5 taaem 2019-04-14 13:58:47 UTC
*** Bug 1699559 has been marked as a duplicate of this bug. ***

