Bug 1422634

Summary: selinux prevents kernel modules from loading
Product: Fedora
Component: selinux-policy
Version: 26
Hardware: Unspecified
OS: Linux
Status: CLOSED ERRATA
Severity: unspecified
Priority: unspecified
Reporter: Paul Whalen <pwhalen>
Assignee: Lukas Vrabec <lvrabec>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: awilliam, benj, dominick.grift, dwalsh, gmarr, lvrabec, mgrepl, pbrobinson, plautrba, pmoore, renault, robatino, ssekidde
Whiteboard: AcceptedBlocker
Fixed In Version: selinux-policy-3.13.1-244.fc26
Doc Type: If docs needed, set a value
Last Closed: 2017-03-14 01:40:05 UTC
Type: Bug
Bug Blocks: 245418, 1349184
Attachments (flags: none):
  Rawhide-20170222.n.0 AVC
  Rawhide-20170222.n.0 journalctl
  Fedora-Minimal-armhfp-Rawhide-20170226 audit.log
  Fedora-Minimal-armhfp-Rawhide-20170226 journalctl

Description Paul Whalen 2017-02-15 18:06:53 UTC
Description of problem:
selinux prevents kernel modules from loading during boot, attempts to manually load modules also fail with permission denied.

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-239.fc26.noarch

How reproducible:
Every time

Steps to Reproduce:
1. Install (using Fedora-Rawhide-20170214.n.0) or upgrade existing system. Reboot

Actual results:
On an aarch64 system it drops to an emergency shell. Attempting to load the vfat driver manually:

[root@localhost ~]# mount -a
mount: unknown filesystem type 'vfat'
[root@localhost ~]# modprobe vfat
modprobe: ERROR: could not insert 'vfat': Permission denied
[root@localhost ~]# setenforce 0
[root@localhost ~]# modprobe vfat


Expected results:
Booted system with login prompt. 


Additional info:

AVCs during boot:
[   12.776721] audit: type=1400 audit(1487177451.340:97): avc:  denied  { module_load } for  pid=605 comm="systemd-udevd" path="/usr/lib/modules/4.10.0-0.rc8.git0.1.fc26.aarch64/kernel/drivers/pps/pps_core.ko" dev="dm-0" ino=2490776 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:modules_object_t:s0 tclass=system permissive=0
[   12.807757] audit: type=1400 audit(1487177451.340:96): avc:  denied  { module_load } for  pid=608 comm="systemd-udevd" path="/usr/lib/modules/4.10.0-0.rc8.git0.1.fc26.aarch64/kernel/drivers/pps/pps_core.ko" dev="dm-0" ino=2490776 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:modules_object_t:s0 tclass=system permissive=0
[   12.838800] audit: type=1300 audit(1487177451.340:97): arch=c00000b7 syscall=273 success=no exit=-13 a0=7 a1=ffff8bf20cd8 a2=0 a3=7 items=0 ppid=579 pid=605 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-udevd" exe="/usr/lib/systemd/systemd-udevd" subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
[   12.871215] audit: type=1300 audit(1487177451.340:96): arch=c00000b7 syscall=273 success=no exit=-13 a0=7 a1=ffff8bf20cd8 a2=0 a3=7 items=0 ppid=579 pid=608 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-udevd" exe="/usr/lib/systemd/systemd-udevd" subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
[   12.903623] audit: type=1327 audit(1487177451.340:96): proctitle="/usr/lib/systemd/systemd-udevd"
[   12.912498] audit: type=1327 audit(1487177451.340:97): proctitle="/usr/lib/systemd/systemd-udevd"
[   12.921376] audit: type=1400 audit(1487177451.340:98): avc:  denied  { module_load } for  pid=591 comm="systemd-udevd" path="/usr/lib/modules/4.10.0-0.rc8.git0.1.fc26.aarch64/kernel/drivers/spi/spi-pl022.ko" dev="dm-0" ino=2490947 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:modules_object_t:s0 tclass=system permissive=0
[   12.952481] audit: type=1400 audit(1487177451.340:99): avc:  denied  { module_load } for  pid=593 comm="systemd-udevd" path="/usr/lib/modules/4.10.0-0.rc8.git0.1.fc26.aarch64/kernel/drivers/spi/spi-pl022.ko" dev="dm-0" ino=2490947 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:modules_object_t:s0 tclass=system permissive=0
[   12.983589] audit: type=1300 audit(1487177451.340:98): arch=c00000b7 syscall=273 success=no exit=-13 a0=7 a1=ffff8bf20cd8 a2=0 a3=7 items=0 ppid=579 pid=591 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-udevd" exe="/usr/lib/systemd/systemd-udevd" subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
[   13.015998] audit: type=1300 audit(1487177451.340:99): arch=c00000b7 syscall=273 success=no exit=-13 a0=7 a1=ffff8bf20cd8 a2=0 a3=7 items=0 ppid=579 pid=593 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-udevd" exe="/usr/lib/systemd/systemd-udevd" subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)

AVCs when attempting modprobe:

type=AVC msg=audit(1487177543.990:126): avc:  denied  { module_load } for  pid=724 comm="modprobe" path="/usr/lib/modules/4.10.0-0.rc8.git0.1.fc26.aarch64/kernel/fs/fat/fat.ko" dev="dm-0" ino=2363271 scontext=system_u:system_r:insmod_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=system permissive=0
type=AVC msg=audit(1487177551.520:127): avc:  denied  { module_load } for  pid=725 comm="modprobe" path="/usr/lib/modules/4.10.0-0.rc8.git0.1.fc26.aarch64/kernel/fs/fat/fat.ko" dev="dm-0" ino=2363271 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=system permissive=0
type=AVC msg=audit(1487177559.600:129): avc:  denied  { module_load } for  pid=727 comm="modprobe" path="/usr/lib/modules/4.10.0-0.rc8.git0.1.fc26.aarch64/kernel/fs/fat/fat.ko" dev="dm-0" ino=2363271 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=system permissive=1

Comment 1 Paul Whalen 2017-02-21 15:05:32 UTC
Upgrading to selinux-policy-3.13.1-240.fc26, the system is no longer dropping to an emergency shell, but it still fails to load some modules and thus there is no network on the booted system. AVCs below:

Feb 21 09:47:05 localhost.localdomain audit[467]: AVC avc:  denied  { module_load } for  pid=467 comm="systemd-udevd" path="/usr/lib/modules/4.10.0-0.rc8.git2.1.fc26.aarch64/kernel/drivers/mtd/chips/chipreg.ko" dev="dm-0" ino=135512 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:modules_object_t:s0 tclass=system permissive=0
Feb 21 09:47:05 localhost.localdomain audit[467]: AVC avc:  denied  { module_load } for  pid=467 comm="systemd-udevd" path="/usr/lib/modules/4.10.0-0.rc8.git2.1.fc26.aarch64/kernel/drivers/net/virtio_net.ko" dev="dm-0" ino=133714 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:modules_object_t:s0 tclass=system permissive=0

Comment 2 Peter Robinson 2017-02-21 17:23:12 UTC
Seeing this across aarch64 and ARMv7 across a number of devices.

Comment 3 Paul Whalen 2017-02-22 15:37:45 UTC
Created attachment 1256505 [details]
Rawhide-20170222.n.0 AVC

Comment 4 Paul Whalen 2017-02-22 15:40:14 UTC
Created attachment 1256506 [details]
Rawhide-20170222.n.0 journalctl

Attached avcs and journalctl from Fedora-Minimal-armhfp-Rawhide-20170222.n.0 boot on the wandboard with selinux-policy-3.13.1-241.fc26.noarch.

Comment 5 Paul Whalen 2017-02-22 15:47:24 UTC
Proposing as an Alpha Blocker: without kernel modules many of the system services fail, including network. Citing criteria 'The installed system must be able to download and install updates with the default console package manager.'

Comment 6 Paul Whalen 2017-02-27 18:19:29 UTC
Booting Fedora-Minimal-armhfp-Rawhide-20170226.n.0:

..
[  OK  ] Reached target Switch Root.
         Starting Switch Root...
[   43.241717] systemd-journald[170]: Received SIGTERM from PID 1 (systemd).
[   45.331480] systemd: 16 output lines suppressed due to ratelimiting
[   47.320421] SELinux:  Class sctp_socket not defined in policy.
[   47.326945] SELinux:  Class icmp_socket not defined in policy.
[   47.333148] SELinux:  Class ax25_socket not defined in policy.
[   47.339337] SELinux:  Class ipx_socket not defined in policy.
[   47.345434] SELinux:  Class netrom_socket not defined in policy.
[   47.351799] SELinux:  Class atmpvc_socket not defined in policy.
[   47.358163] SELinux:  Class x25_socket not defined in policy.
[   47.364254] SELinux:  Class rose_socket not defined in policy.
[   47.370435] SELinux:  Class decnet_socket not defined in policy.
[   47.376797] SELinux:  Class atmsvc_socket not defined in policy.
[   47.383160] SELinux:  Class rds_socket not defined in policy.
[   47.389250] SELinux:  Class irda_socket not defined in policy.
[   47.395431] SELinux:  Class pppox_socket not defined in policy.
[   47.401704] SELinux:  Class llc_socket not defined in policy.
[   47.407793] SELinux:  Class can_socket not defined in policy.
[   47.414167] SELinux:  Class tipc_socket not defined in policy.
[   47.420380] SELinux:  Class bluetooth_socket not defined in policy.
[   47.427023] SELinux:  Class iucv_socket not defined in policy.
[   47.433206] SELinux:  Class rxrpc_socket not defined in policy.
[   47.439479] SELinux:  Class isdn_socket not defined in policy.
[   47.445660] SELinux:  Class phonet_socket not defined in policy.
[   47.452022] SELinux:  Class ieee802154_socket not defined in policy.
[   47.458749] SELinux:  Class caif_socket not defined in policy.
[   47.464930] SELinux:  Class alg_socket not defined in policy.
[   47.471019] SELinux:  Class nfc_socket not defined in policy.
[   47.477109] SELinux:  Class vsock_socket not defined in policy.
[   47.483380] SELinux:  Class kcm_socket not defined in policy.
[   47.489469] SELinux:  Class qipcrtr_socket not defined in policy.
[   47.495923] SELinux:  Class smc_socket not defined in policy.
[   47.502017] SELinux: the above unknown classes and permissions will be allowed
[   47.728502] kauditd_printk_skb: 57 callbacks suppressed
[   47.734283] audit: type=1403 audit(1478193440.225:51): policy loaded auid=4294967295 ses=4294967295
[   47.786587] systemd[1]: Successfully loaded SELinux policy in 2.189002s.
[   48.645206] systemd[1]: Relabelled /dev and /run in 655.580ms.
..

Comment 7 Paul Whalen 2017-02-27 18:20:43 UTC
Created attachment 1258178 [details]
Fedora-Minimal-armhfp-Rawhide-20170226 audit.log

Comment 8 Paul Whalen 2017-02-27 18:22:59 UTC
Created attachment 1258180 [details]
Fedora-Minimal-armhfp-Rawhide-20170226 journalctl

Comment 9 Geoffrey Marr 2017-02-27 19:01:47 UTC
Discussed during the 2017-02-27 blocker review meeting: [1]

The decision to classify this bug as an accepted blocker was made as it violates the following Alpha-blocker criteria:

"The installed system must be able to download and install updates with the default console package manager."

[1] https://meetbot.fedoraproject.org/fedora-blocker-review/2017-02-27/f26-blocker-review.2017-02-27-17.00.txt

Comment 10 Fedora End Of Life 2017-02-28 11:18:37 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 26 development cycle.
Changing version to '26'.

Comment 11 Adam Williamson 2017-03-06 18:01:41 UTC
This is expected to be addressed in the next selinux-policy build, but builds have been failing. Adjusting status to MODIFIED to reflect this.

Comment 12 Adam Williamson 2017-03-09 17:21:20 UTC
SELinux folks, can you please get a build done and an update submitted? We are now one week from Alpha go/no-go. Thanks!

Comment 13 Peter Robinson 2017-03-09 17:26:47 UTC
FYI, I just fixed the selinux-policy-3.13.1-244.fc26 build and it's building now. I was planning on submitting it once it was complete so we can at least begin the process to verify that build.

Comment 14 Adam Williamson 2017-03-09 23:22:51 UTC
It failed.
https://koji.fedoraproject.org/koji/taskinfo?taskID=18287440

/usr/bin/semodule_expand tmp/test.lnk tmp/policy.bin
libsepol.expand_terule_helper: conflicting TE rule for (abrt_t, exim_exec_t:process):  old was system_mail_t, new is sendmail_t
libsepol.expand_module: Error during expand
/usr/bin/semodule_expand:  Error while expanding policy
make: *** [Rules.modular:203: validate] Error 1

Comment 15 Peter Robinson 2017-03-10 09:23:38 UTC
Yep, I fixed two other issues and it builds with 'fedpkg local' now but fails in koji.

Comment 16 Lukas Vrabec 2017-03-10 12:00:31 UTC
Sorry guys, I was busy these days. Thank you, Peter, for the help on the broken builds. I fixed the F26 build and it's right now in koji.

Also, the rules related to module_load look fixed:

# cat avc
type=AVC msg=audit(1487177543.990:126): avc:  denied  { module_load } for  pid=724 comm="modprobe" path="/usr/lib/modules/4.10.0-0.rc8.git0.1.fc26.aarch64/kernel/fs/fat/fat.ko" dev="dm-0" ino=2363271 scontext=system_u:system_r:insmod_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=system permissive=0
type=AVC msg=audit(1487177551.520:127): avc:  denied  { module_load } for  pid=725 comm="modprobe" path="/usr/lib/modules/4.10.0-0.rc8.git0.1.fc26.aarch64/kernel/fs/fat/fat.ko" dev="dm-0" ino=2363271 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=system permissive=0
type=AVC msg=audit(1487177559.600:129): avc:  denied  { module_load } for  pid=727 comm="modprobe" path="/usr/lib/modules/4.10.0-0.rc8.git0.1.fc26.aarch64/kernel/fs/fat/fat.ko" dev="dm-0" ino=2363271 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=system permissive=1

# audit2allow -i avc 


#============= insmod_t ==============

#!!!! This avc is allowed in the current policy
allow insmod_t modules_object_t:system module_load;

#============= unconfined_t ==============

#!!!! This avc is allowed in the current policy
allow unconfined_t modules_object_t:system module_load;

# sesearch -A -s udev_t -t modules_object_t | grep module_load
   allow can_load_kernmodule modules_object_t : system module_load ;
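
As an added example (not part of this bug report and not code from the selinux-policy project), the script below automates the check Lukas does by hand in this comment: it parses AVC denials in the three formats quoted in this bug (dmesg "audit: type=1400 ...", raw audit.log "type=AVC msg=audit(...)" and journalctl "audit[pid]: AVC avc: ..."), summarises them per source domain / target type / class / permission, and checks each one against allow rules written the way audit2allow and sesearch print them, so the comparison can be run over a whole audit log rather than one pasted snippet. The sample log lines and the three allow rules are copied from this bug; the two attribute-membership sets are constructed to show the policy state before and after udev_t is a member of can_load_kernmodule, and are not taken from the real policy (seinfo -a can_load_kernmodule -x lists the real members). The permissive=1 denial from the setenforce 0 run is kept and flagged, since a denial logged in permissive mode was not actually enforced and cannot explain the boot failure.

```python
"""Parse SELinux AVC denials, summarise them, and check them against allow rules.

Added example for bug 1422634; the attribute membership sets are constructed,
not read from the real Fedora policy.
"""
import re
from collections import Counter
from typing import Dict, List, Set, Tuple

# Constructed sample: AVC lines copied from this bug in all three formats seen
# here, plus one SYSCALL record to show that non-AVC records are ignored.
SAMPLE_LOG = """\
[   12.776721] audit: type=1400 audit(1487177451.340:97): avc:  denied  { module_load } for  pid=605 comm="systemd-udevd" path="/usr/lib/modules/4.10.0-0.rc8.git0.1.fc26.aarch64/kernel/drivers/pps/pps_core.ko" dev="dm-0" ino=2490776 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:modules_object_t:s0 tclass=system permissive=0
type=AVC msg=audit(1487177543.990:126): avc:  denied  { module_load } for  pid=724 comm="modprobe" path="/usr/lib/modules/4.10.0-0.rc8.git0.1.fc26.aarch64/kernel/fs/fat/fat.ko" dev="dm-0" ino=2363271 scontext=system_u:system_r:insmod_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=system permissive=0
type=AVC msg=audit(1487177559.600:129): avc:  denied  { module_load } for  pid=727 comm="modprobe" path="/usr/lib/modules/4.10.0-0.rc8.git0.1.fc26.aarch64/kernel/fs/fat/fat.ko" dev="dm-0" ino=2363271 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=system permissive=1
Feb 21 09:47:05 localhost.localdomain audit[467]: AVC avc:  denied  { module_load } for  pid=467 comm="systemd-udevd" path="/usr/lib/modules/4.10.0-0.rc8.git2.1.fc26.aarch64/kernel/drivers/net/virtio_net.ko" dev="dm-0" ino=133714 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:modules_object_t:s0 tclass=system permissive=0
[   12.838800] audit: type=1300 audit(1487177451.340:97): arch=c00000b7 syscall=273 success=no exit=-13 pid=605 comm="systemd-udevd"
"""

# Allow rules as printed by audit2allow and sesearch in comment 16.
RULES_TEXT = """\
#============= insmod_t ==============
allow insmod_t modules_object_t:system module_load;
#============= unconfined_t ==============
allow unconfined_t modules_object_t:system module_load;
   allow can_load_kernmodule modules_object_t : system module_load ;
"""

# Constructed attribute membership (hypothetical, not the real policy):
# "before" lacks udev_t, which is the situation this bug describes.
ATTR_BEFORE: Dict[str, Set[str]] = {"can_load_kernmodule": {"insmod_t", "unconfined_t"}}
ATTR_AFTER: Dict[str, Set[str]] = {"can_load_kernmodule": {"insmod_t", "unconfined_t", "udev_t"}}

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
ALLOW_RE = re.compile(r"allow\s+(?P<src>\w+)\s+(?P<tgt>\w+)\s*:\s*(?P<cls>\w+)\s+(?P<perms>\{[^}]*\}|\w+)\s*;")

Key = Tuple[str, str, str, str]  # (source type, target type, class, permission)


def context_type(ctx: str) -> str:
    """Return the type component of a user:role:type[:range] security context."""
    return ctx.split(":")[2]


def parse_avc(text: str) -> List[dict]:
    """Extract one record per AVC denial line; other audit record types are skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
        denials.append({
            "perms": m.group("perms").split(),
            "stype": context_type(fields["scontext"]),
            "ttype": context_type(fields["tcontext"]),
            "tclass": fields["tclass"],
            "comm": fields.get("comm", ""),
            "path": fields.get("path", ""),
            "permissive": fields.get("permissive") == "1",  # logged but not enforced
        })
    return denials


def summarize(denials: List[dict]) -> Counter:
    """Count denials per (source type, target type, class, permission)."""
    counts: Counter = Counter()
    for d in denials:
        for perm in d["perms"]:
            counts[(d["stype"], d["ttype"], d["tclass"], perm)] += 1
    return counts


def parse_allow_rules(text: str) -> List[dict]:
    """Parse 'allow SRC TGT:CLS PERM;' lines (audit2allow or sesearch spacing)."""
    rules = []
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = ALLOW_RE.search(line)
        if m:
            perms = set(m.group("perms").strip("{}").split())
            rules.append({"src": m.group("src"), "tgt": m.group("tgt"), "cls": m.group("cls"), "perms": perms})
    return rules


def _matches(name: str, type_: str, attributes: Dict[str, Set[str]]) -> bool:
    """A rule operand matches a type directly or via an attribute the type belongs to."""
    return name == type_ or type_ in attributes.get(name, set())


def uncovered(denials: List[dict], rules: List[dict], attributes: Dict[str, Set[str]]) -> Set[Key]:
    """Return the denial keys that no allow rule (after attribute expansion) permits."""
    missing: Set[Key] = set()
    for key in summarize(denials):
        stype, ttype, cls, perm = key
        allowed = any(_matches(r["src"], stype, attributes) and _matches(r["tgt"], ttype, attributes)
                      and r["cls"] == cls and perm in r["perms"] for r in rules)
        if not allowed:
            missing.add(key)
    return missing


if __name__ == "__main__":
    found = parse_avc(SAMPLE_LOG)
    for key, n in sorted(summarize(found).items()):
        print(f"{n:3d}  {key[0]} -> {key[1]} : {key[2]} {key[3]}")
    print("permissive-mode denials:", [d["comm"] for d in found if d["permissive"]])
    allow_rules = parse_allow_rules(RULES_TEXT)
    print("not covered before fix:", uncovered(found, allow_rules, ATTR_BEFORE))
    print("not covered after fix: ", uncovered(found, allow_rules, ATTR_AFTER))
```

To use it against a real system, feed parse_avc() the output of `ausearch -m AVC` or `journalctl -k`, parse_allow_rules() the output of `sesearch -A -c system -p module_load`, and replace the constructed attribute sets with the members listed by `seinfo -a can_load_kernmodule -x`. Any key left in the uncovered set is a denial the current policy would still enforce, which is the quickest way to tell whether a reported AVC is fixed by a given policy build or is still a blocker.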

Comment 17 Fedora Update System 2017-03-10 12:10:56 UTC
selinux-policy-3.13.1-244.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-52e704bb92

Comment 18 Fedora Update System 2017-03-11 00:22:07 UTC
selinux-policy-3.13.1-244.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-52e704bb92

Comment 19 Fedora Update System 2017-03-14 01:40:05 UTC
selinux-policy-3.13.1-244.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.