Bug 1426741
| Summary: | SELinux is preventing modprobe from 'module_load' accesses on the system /usr/lib/modules/4.9.10-200.fc25.x86_64/extra/nvidia-340xx/nvidia.ko. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Alexander Ploumistos <alex.ploumistos> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 25 | CC: | alan.ernhart, bigletter, cliff.free, daniell1, dominick.grift, dwalsh, fedora, hannsj_uhl, jch, johann.scheepers, jython234, kacnow, klaus, linuxat400, lvrabec, madsmh, mgrepl, msdeleonpeque, plautrba, pmoore, red, sergei.litvinenko, sevo65, ssekidde, sudhir, szoke.karcsi |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Unspecified | ||
| Whiteboard: | abrt_hash:1167f2d670402b2f219315c68e0dee1c51b4d364ac58aeece3f383eb8bbf18b1; | ||
| Fixed In Version: | selinux-policy-3.13.1-225.11.fc25 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2017-02-28 08:49:46 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Description of problem: After automatic install of new package, kmod-wl-4.9.11-200.fc25.x86_64.x86_64 6.30.223.271-7.fc25, the system no longer able to insert the wl module. # modprobe wl modprobe: ERROR: could not insert 'wl': Permission denied When I disable SELiinux, it works again: # setenforce 0 # modprobe wl # setenforce 1 Version-Release number of selected component: selinux-policy-3.13.1-225.10.fc25.noarch Additional info: reporter: libreport-2.8.0 hashmarkername: setroubleshoot kernel: 4.9.11-200.fc25.x86_64 type: libreport This problem also bit me today in a slightly different way.
I received the SELinux update together with some MESA updates, so I decided to uninstall the NVIDIA proprietary driver first. Now the NVIDIA installer fails because it's unable to load the kernel module after compiling it.
type=AVC msg=audit(1488099764.479:160): avc: denied { module_load } for pid=4922 comm="nvidia-installe" path="/tmp/selfgz4888/NVIDIA-Linux-x86_64-378.13/kernel/nvidia.ko" dev="tmpfs" ino=25841 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=system permissive=0
Note in this case the module resides in a tmpfs with an unpredictable path due to the self-extracting installer.
Description of problem: 1 Ran a dnf update in a Fedora 25 Virtualbox guest. 2 sudo reboot 3 mount VBOXADDITIONS_5.0.32_112930 CD image 3 run ./VBoxLinuxAdditions.run 4 SELinux gives an error indicating modprobe is blocked form doing module_load near the end of the process. Version-Release number of selected component: selinux-policy-3.13.1-225.10.fc25.noarch Additional info: reporter: libreport-2.8.0 hashmarkername: setroubleshoot kernel: 4.9.11-200.fc25.x86_64 type: libreport Similar problem:
Here is my log.
Feb 26 06:20:40 Study.localdomain audit[673]: AVC avc: denied { module_load } for pid=673 comm="systemd-udevd" path="/usr/lib/modules/4.9.11-200.fc25.x86_64/extra/nvidia/nvidia.ko" dev="dm-0" ino=3032718 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:modules_object_t:s0 tclass=system permissive=0
Feb 26 06:20:40 Study.localdomain audit[673]: SYSCALL arch=c000003e syscall=313 success=no exit=-13 a0=10 a1=7f839e96b995 a2=0 a3=10 items=0 ppid=653 pid=673 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-udevd" exe="/usr/lib/systemd/systemd-udevd" subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
Feb 26 06:20:40 Study.localdomain audit: PROCTITLE proctitle="/usr/lib/systemd/systemd-udevd"
Feb 26 06:20:40 Study.localdomain kernel: audit: type=1400 audit(1488108040.210:64): avc: denied { module_load } for pid=673 comm="systemd-udevd" path="/usr/lib/modules/4.9.11-200.fc25.x86_64/extra/nvidia/nvidia.ko" dev="dm-0" ino=3032718 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:modules_object_t:s0 tclass=system permissive=0
Feb 26 06:20:40 Study.localdomain kernel: audit: type=1300 audit(1488108040.210:64): arch=c000003e syscall=313 success=no exit=-13 a0=10 a1=7f839e96b995 a2=0 a3=10 items=0 ppid=653 pid=673 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-udevd" exe="/usr/lib/systemd/systemd-udevd" subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
Feb 26 06:20:40 Study.localdomain kernel: audit: type=1327 audit(1488108040.210:64): proctitle="/usr/lib/systemd/systemd-udevd"
Feb 26 06:20:40 Study.localdomain kernel: audit: type=1400 audit(1488108040.210:65): avc: denied { module_load } for pid=673 comm="systemd-udevd" path="/usr/lib/modules/4.9.11-200.fc25.x86_64/extra/nvidia/nvidia.ko" dev="dm-0" ino=3032718 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:modules_object_t:s0 tclass=system permissive=0
Feb 26 06:20:40 Study.localdomain kernel: audit: type=1300 audit(1488108040.210:65): arch=c000003e syscall=313 success=no exit=-13 a0=11 a1=7f839e96b995 a2=0 a3=11 items=0 ppid=653 pid=673 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-udevd" exe="/usr/lib/systemd/systemd-udevd" subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
Feb 26 06:20:40 Study.localdomain kernel: audit: type=1327 audit(1488108040.210:65): proctitle="/usr/lib/systemd/systemd-udevd"
Feb 26 06:20:40 Study.localdomain audit[673]: AVC avc: denied { module_load } for pid=673 comm="systemd-udevd" path="/usr/lib/modules/4.9.11-200.fc25.x86_64/extra/nvidia/nvidia.ko" dev="dm-0" ino=3032718 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:modules_object_t:s0 tclass=system permissive=0
Feb 26 06:20:40 Study.localdomain audit[673]: SYSCALL arch=c000003e syscall=313 success=no exit=-13 a0=11 a1=7f839e96b995 a2=0 a3=11 items=0 ppid=653 pid=673 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-udevd" exe="/usr/lib/systemd/systemd-udevd" subj=system_u:system_r:udev_t:s0-s0:c0.c1023 key=(null)
I can create a policy to load it with modprobe but not with systemd-udevd as it doesnt put out the full message to the logs with how to do it.
Description of problem: Standard update and reboot. After reboot nvidia.ko was not loaded any more. Manual loaded by `modprobe nvidia` return error - permission deny Relabeling do not help. Disabling SELinux help. It looks like issue is related to update selinux. selinux-policy.noarch 3.13.1-225.10.fc25 selinux-policy-devel.noarch 3.13.1-225.10.fc25 selinux-policy-doc.noarch 3.13.1-225.10.fc25 selinux-policy-targeted.noarch 3.13.1-225.10.fc25 Version-Release number of selected component: selinux-policy-3.13.1-225.10.fc25.noarch Additional info: reporter: libreport-2.8.0 hashmarkername: setroubleshoot kernel: 4.9.12-200.fc25.x86_64 type: libreport This is how I solved it
sudo echo "type=AVC msg=audit(1488128621.443:65): avc: denied { module_load } for pid=663 comm="systemd-udevd" path="/usr/lib/modules/4.9.11-200.fc25.x86_64/extra/nvidia/nvidia.ko" dev="dm-0" ino=137785 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:modules_object_t:s0 tclass=system permissive=0"| audit2allow -M my-modprobe
and then followed the apply instructions.
I have used reccomendation of selinux diagnostic and have created by
# ausearch -c 'modprobe' --raw | audit2allow -M my-nvidia
[root@homedesk ~]# cat my-nvidia.te
--
module my-nvidia 1.0;
require {
type modules_object_t;
type unconfined_t;
class system module_load;
}
#============= unconfined_t ==============
allow unconfined_t modules_object_t:system module_load;
--
But installing of this rule do not help
--
[root@homedesk log]# grep denied messages
Feb 26 21:28:14 homedesk audit: AVC avc: denied { module_load } for pid=682 comm="systemd-udevd" path="/usr/lib/modules/4.9.12-200.fc25.x86_64/extra/nvidia/nvidia.ko" dev="sda4" ino=1592990 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:modules_object_t:s0 tclass=system permissive=1
Feb 26 22:02:10 homedesk audit: AVC avc: denied { module_load } for pid=683 comm="systemd-udevd" path="/usr/lib/modules/4.9.12-200.fc25.x86_64/extra/nvidia/nvidia.ko" dev="sda4" ino=1592990 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:modules_object_t:s0 tclass=system permissive=1
Feb 26 22:06:25 homedesk audit: AVC avc: denied { module_load } for pid=690 comm="systemd-udevd" path="/usr/lib/modules/4.9.12-200.fc25.x86_64/extra/nvidia/nvidia.ko" dev="sda4" ino=1592990 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:modules_object_t:s0 tclass=system permissive=0
Feb 26 22:06:25 homedesk audit: AVC avc: denied { module_load } for pid=690 comm="systemd-udevd" path="/usr/lib/modules/4.9.12-200.fc25.x86_64/extra/nvidia/nvidia.ko" dev="sda4" ino=1592990 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:modules_object_t:s0 tclass=system permissive=0
Feb 26 22:09:22 homedesk audit: AVC avc: denied { module_load } for pid=683 comm="systemd-udevd" path="/usr/lib/modules/4.9.12-200.fc25.x86_64/extra/nvidia/nvidia.ko" dev="sda4" ino=1592990 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:modules_object_t:s0 tclass=system permissive=0
Feb 26 22:09:22 homedesk audit: AVC avc: denied { module_load } for pid=683 comm="systemd-udevd" path="/usr/lib/modules/4.9.12-200.fc25.x86_64/extra/nvidia/nvidia.ko" dev="sda4" ino=1592990 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:modules_object_t:s0 tclass=system permissive=0
Feb 26 22:23:23 homedesk audit: AVC avc: denied { module_load } for pid=675 comm="systemd-udevd" path="/usr/lib/modules/4.9.12-200.fc25.x86_64/extra/nvidia/nvidia.ko" dev="sda4" ino=1592990 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:modules_object_t:s0 tclass=system permissive=1
--
OK, set standatd setting SELINUX=enforcing and boot into level 3
--
[root@homedesk ~]# lsmod | grep nvidia
==> module is not loaded
==> try to load it manually
[root@homedesk ~]# modprobe nvidia
[ 76.455295] nvidia: loading out-of-tree module taints kernel.
[ 76.457423] nvidia: module license 'NVIDIA' taints kernel.
[ 76.459490] Disabling lock debugging due to kernel taint
[ 76.467480] nvidia: module verification failed: signature and/or required key missing - tainting kernel
[ 76.478471] vgaarb: device changed decodes: PCI:0000:01:00.0,olddecodes=io+mem,decodes=none:owns=io+mem
[ 76.480409] nvidia-nvlink: Nvlink Core is being initialized, major device number 240
[ 76.482540] NVRM: loading NVIDIA UNIX x86_64 Kernel Module 375.26 Thu Dec 8 18:36:43 PST 2016[ 76.482633] (using threaded interrupts)
[ 76.486043]
--
So, module can be loaded manually, but not in boot time.
PS: In case of SELINUX=permissive, module will be loaded in boot time
Description of problem: ok pode continuar. Version-Release number of selected component: selinux-policy-3.13.1-225.10.fc25.noarch Additional info: reporter: libreport-2.8.0 hashmarkername: setroubleshoot kernel: 4.9.11-200.fc25.x86_64 type: libreport Description of problem: instalacao do virtual box deve ser liberada Version-Release number of selected component: selinux-policy-3.13.1-225.10.fc25.noarch Additional info: reporter: libreport-2.8.0 hashmarkername: setroubleshoot kernel: 4.9.11-200.fc25.x86_64 type: libreport Description of problem: Just updated the computer with a "sudo dnf upgrade" command. After that selinux refuses to load the nvidia kernel module. Version-Release number of selected component: selinux-policy-3.13.1-225.10.fc25.noarch Additional info: reporter: libreport-2.8.0 hashmarkername: setroubleshoot kernel: 4.9.10-200.fc25.x86_64 type: libreport Description of problem: modprobe vboxdrv results in selinux block and alert Version-Release number of selected component: selinux-policy-3.13.1-225.10.fc25.noarch Additional info: reporter: libreport-2.8.0 hashmarkername: setroubleshoot kernel: 4.9.11-200.fc25.x86_64 type: libreport Description of problem: This happened after upgrading to the latest kernel (and selinux packages) after which virtualbox rebuilt its kernel modules. Version-Release number of selected component: selinux-policy-3.13.1-225.10.fc25.noarch Additional info: reporter: libreport-2.8.0 hashmarkername: setroubleshoot kernel: 4.9.11-200.fc25.x86_64 type: libreport Downgrading to `selinux-policy-3.13.1-224.fc25` seems to fix the issues I was having with my display and the proprietary NVIDIA drivers:
sudo dnf --allowerasing install selinux-policy-3.13.1-224.fc25
selinux-policy-3.13.1-225.11.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-e06f91350b >> selinux-policy-3.13.1-225.11.fc25
Looks OK, SELINUX=enforcing
Nvidia module is loaded as expected in boot time
Installation from the installer is still not working with the upgrade. Should I open a new bug?
type=AVC msg=audit(1488227814.767:163): avc: denied { module_load } for pid=4939 comm="nvidia-installe" path="/tmp/selfgz4905/NVIDIA-Linux-x86_64-378.13/kernel/nvidia.ko" dev="tmpfs" ino=25309 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=system permissive=1
selinux-policy-3.13.1-225.11.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-e06f91350b selinux-policy-3.13.1-225.11.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report. Description of problem: Happens with latest selinux policies only. Version-Release number of selected component: selinux-policy-3.13.1-225.10.fc25.noarch Additional info: reporter: libreport-2.8.0 hashmarkername: setroubleshoot kernel: 4.9.12-201.ReD.fc25.x86_64 type: libreport selinux-policy-3.13.1-225.11.fc25.noarch doesn't work. I can still not build nvidia module. See the logs here https://github.com/Bumblebee-Project/Bumblebee/issues/153#issuecomment-283097478 Description of problem: After SELinux policy upgrade through DNF, bbswitch kernel module failed to be inserted due to SELinux. BBswitch is an important kernel module used to switch mobile NVIDIA GPUs on and off. Version-Release number of selected component: selinux-policy-3.13.1-225.10.fc25.noarch Additional info: reporter: libreport-2.8.0 hashmarkername: setroubleshoot kernel: 4.9.12-200.fc25.x86_64 type: libreport (In reply to Szőke Károly from comment #1) > Description of problem: > After automatic install of new package, > kmod-wl-4.9.11-200.fc25.x86_64.x86_64 6.30.223.271-7.fc25, the system no > longer able to insert the wl module. > # modprobe wl > modprobe: ERROR: could not insert 'wl': Permission denied > > When I disable SELiinux, it works again: > # setenforce 0 > # modprobe wl > # setenforce 1 > > Version-Release number of selected component: > selinux-policy-3.13.1-225.10.fc25.noarch > > Additional info: > reporter: libreport-2.8.0 > hashmarkername: setroubleshoot > kernel: 4.9.11-200.fc25.x86_64 > type: libreport I got these packages now: selinux-policy-3.13.1-225.11.fc25.noarch selinux-policy-targeted-3.13.1-225.11.fc25.noarch and it works perfectly. Thank you. It seems that selinux-policy[-targeted]-3.13.1-225.11.fc25.noarch works for some and not others. It doesn't work for me installing ksplice updates:
audit: AVC avc: denied { module_load } for pid=6378 comm="insmod" path=2F7661722F63616368652F7570747261636B2F4C696E75782F7838365F36342F342E392E362D3230302E666332352E7838365F36342F233120534D5020546875204A616E2032362031303A31373A34352055544320323031372F757064617465732F6B73706C6963652D633137646575667A2F6B73706C6963652D633137646575667A2E6B6F dev="sda4" ino=2319568 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=system permissive=1
(obviously it works with permissive)
I can add an fcontext for this:
semanage fcontext -a -t modules_object_t '/var/cache/uptrack/Linux(/.*)?'
but I'm not at all sure what the general solution should be.
Just a Thank you: 3.13.1-225.10 started failure of kmod-wl (rpmfusion for broadcom on Macbook) to load on boot. The 3.13.1-225.11.fc25 has fixed the issue. Unfortunately selinux-policy-3.13.1-225.10.fc25 started making problems on one of my systems:
type=AVC msg=audit(1488238684.354:208): avc: denied { module_load } for pid=1158 comm="modprobe" path="/usr/lib/modules/4.9.11-200.fc25.armv7hl/kernel/drivers/md/dm-crypt.ko" dev="mmcblk0p3" ino=6785000 scontext=system_u:system_r:insmod_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=system permissive=0
I came across it after a server didn't get up, because it couldn't encrypt a drive.
Sorry, I've seen too late, that I didn't have the current version... 3.13.1-225.11.fc25 is working fine! Thanks for the quick fix! |
Description of problem: It happened at first boot after upgrading selinux-policy to 3.13.1-225.10.fc25 from updates-testing. SELinux is preventing modprobe from 'module_load' accesses on the system /usr/lib/modules/4.9.10-200.fc25.x86_64/extra/nvidia-340xx/nvidia.ko. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that modprobe should be allowed module_load access on the nvidia.ko system by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'modprobe' --raw | audit2allow -M my-modprobe # semodule -X 300 -i my-modprobe.pp Additional Information: Source Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1 023 Target Context system_u:object_r:modules_object_t:s0 Target Objects /usr/lib/modules/4.9.10-200.fc25.x86_64/extra/nvid ia-340xx/nvidia.ko [ system ] Source modprobe Source Path modprobe Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages Policy RPM <Unknown> Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 4.9.10-200.fc25.x86_64 #1 SMP Wed Feb 15 23:28:59 UTC 2017 x86_64 x86_64 Alert Count 1 First Seen 2017-02-24 19:38:01 EET Last Seen 2017-02-24 19:38:01 EET Local ID 9038c903-12d0-4d1c-9823-ad62a193c40f Raw Audit Messages type=AVC msg=audit(1487957881.109:279): avc: denied { module_load } for pid=1812 comm="modprobe" path="/usr/lib/modules/4.9.10-200.fc25.x86_64/extra/nvidia-340xx/nvidia.ko" dev="md0" ino=3932799 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:modules_object_t:s0 tclass=system permissive=0 Hash: modprobe,unconfined_t,modules_object_t,system,module_load Additional info: reporter: libreport-2.8.0 hashmarkername: setroubleshoot kernel: 4.9.11-200.fc25.x86_64 type: libreport