Bug 1698200

Summary: selinux-policy-3.14.3-27.fc30 broke systemd-modules-load.service loading (denials for modules.softdep and modules.dep.bin)
Product: Fedora
Reporter: Adam Williamson <awilliam>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: high
Version: 30
CC: dwalsh, lvrabec, mgrepl, plautrba, robatino, taaem, zbyszek, zpytela
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: openqa
Fixed In Version: selinux-policy-3.14.3-29.fc30
Doc Type: If docs needed, set a value
Last Closed: 2019-04-13 00:05:31 UTC
Type: Bug
Regression: ---
Bug Blocks: 1574715

Description Adam Williamson 2019-04-09 19:41:57 UTC
openQA tests actually caught this:

https://openqa.fedoraproject.org/tests/378325

but I did not notice in time to stop the update going stable, sorry :(. That update - selinux-policy-3.14.3-27.fc30 - seems to have broken systemd-modules-load.service. It shows up as 'failed' on boot after the update is installed. The journal shows several AVCs and then the service fails:

Apr 05 11:00:15 localhost.localdomain audit[623]: AVC avc:  denied  { read } for  pid=623 comm="systemd-modules" name="modules.softdep" dev="dm-0" ino=674728 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=unconfined_u:object_r:modules_dep_t:s0 tclass=file permissive=0
Apr 05 11:00:15 localhost.localdomain audit[623]: AVC avc:  denied  { read } for  pid=623 comm="systemd-modules" name="modules.dep.bin" dev="dm-0" ino=674687 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=unconfined_u:object_r:modules_dep_t:s0 tclass=file permissive=0
Apr 05 11:00:15 localhost.localdomain kernel: audit: type=1400 audit(1554487215.446:67): avc:  denied  { read } for  pid=623 comm="systemd-modules" name="modules.softdep" dev="dm-0" ino=674728 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=unconfined_u:object_r:modules_dep_t:s0 tclass=file permissive=0
Apr 05 11:00:15 localhost.localdomain kernel: audit: type=1400 audit(1554487215.446:68): avc:  denied  { read } for  pid=623 comm="systemd-modules" name="modules.dep.bin" dev="dm-0" ino=674687 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=unconfined_u:object_r:modules_dep_t:s0 tclass=file permissive=0
Apr 05 11:00:15 localhost.localdomain kernel: audit: type=1400 audit(1554487215.446:69): avc:  denied  { read } for  pid=623 comm="systemd-modules" name="modules.dep.bin" dev="dm-0" ino=674687 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=unconfined_u:object_r:modules_dep_t:s0 tclass=file permissive=0
Apr 05 11:00:15 localhost.localdomain audit[623]: AVC avc:  denied  { read } for  pid=623 comm="systemd-modules" name="modules.dep.bin" dev="dm-0" ino=674687 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=unconfined_u:object_r:modules_dep_t:s0 tclass=file permissive=0
Apr 05 11:00:15 localhost.localdomain audit[623]: AVC avc:  denied  { read } for  pid=623 comm="systemd-modules" name="modules.alias.bin" dev="dm-0" ino=674714 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=unconfined_u:object_r:modules_dep_t:s0 tclass=file permissive=0
Apr 05 11:00:15 localhost.localdomain systemd-modules-load[623]: Failed to lookup module alias 'fuse': Function not implemented
Apr 05 11:00:15 localhost.localdomain systemd[1]: systemd-modules-load.service: Main process exited, code=exited, status=1/FAILURE

Proposing as a Final blocker, as this violates "All system services present after installation with one of the release-blocking package sets must start properly, unless they require hardware which is not present." - https://fedoraproject.org/wiki/Fedora_30_Final_Release_Criteria#System_services
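As an added example (not code from this bug, from systemd or from selinux-policy), the following Python script is the kind of triage helper a defender reaches for when a service fails with AVC denials like the ones above: it parses the journald and kernel forms of the AVC line, pulls out the source domain, target type, object class and denied permissions, collapses the duplicate journald/kernel reports of the same event, and renders an audit2allow-style summary. The journal excerpt embedded in it is a constructed sample copied from the denials quoted above; the function names (`parse_avc`, `summarize`, `suggested_rules`, `denied_files`) are this example's own.

```python
"""Triage helper for SELinux AVC denials of the kind quoted in this bug.

Parses journal/audit lines, extracts source domain, target type, object
class and denied permissions, and renders an audit2allow-style summary.
Function names are this example's own, not part of systemd or selinux-policy.
"""
import re
from collections import defaultdict

# Constructed sample input: AVC lines from the bug description (journald
# and kernel forms of the same events) plus a non-AVC systemd line that
# the parser must ignore.
SAMPLE_JOURNAL = """\
Apr 05 11:00:15 localhost.localdomain audit[623]: AVC avc:  denied  { read } for  pid=623 comm="systemd-modules" name="modules.softdep" dev="dm-0" ino=674728 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=unconfined_u:object_r:modules_dep_t:s0 tclass=file permissive=0
Apr 05 11:00:15 localhost.localdomain audit[623]: AVC avc:  denied  { read } for  pid=623 comm="systemd-modules" name="modules.dep.bin" dev="dm-0" ino=674687 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=unconfined_u:object_r:modules_dep_t:s0 tclass=file permissive=0
Apr 05 11:00:15 localhost.localdomain kernel: audit: type=1400 audit(1554487215.446:67): avc:  denied  { read } for  pid=623 comm="systemd-modules" name="modules.softdep" dev="dm-0" ino=674728 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=unconfined_u:object_r:modules_dep_t:s0 tclass=file permissive=0
Apr 05 11:00:15 localhost.localdomain audit[623]: AVC avc:  denied  { read } for  pid=623 comm="systemd-modules" name="modules.alias.bin" dev="dm-0" ino=674714 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=unconfined_u:object_r:modules_dep_t:s0 tclass=file permissive=0
Apr 05 11:00:15 localhost.localdomain systemd-modules-load[623]: Failed to lookup module alias 'fuse': Function not implemented
"""

# Matches "avc:  denied  { read write } for  key=value ..."; both the journald
# ("audit[pid]: AVC avc:") and kernel ("kernel: audit: ... avc:") forms contain
# this fragment, so a search rather than a full-line match is used.
AVC_RE = re.compile(
    r"avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
# key=value or key="quoted value" fields that follow "for"
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def context_type(ctx):
    """Return the type field of a user:role:type[:level] security context."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one log line; return a record dict, or None if it is not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None  # malformed line: do not emit a half-filled record
    return {
        "decision": m.group("decision"),
        "perms": m.group("perms").split(),
        "pid": int(fields["pid"]) if fields.get("pid", "").isdigit() else None,
        "comm": fields.get("comm"),
        "name": fields.get("name"),
        "scontext": fields["scontext"],
        "tcontext": fields["tcontext"],
        "stype": context_type(fields["scontext"]),
        "ttype": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        "permissive": int(fields.get("permissive", "0")),
    }


def denied_records(lines):
    """Yield parsed records for the lines that are denials."""
    for line in lines:
        rec = parse_avc(line)
        if rec and rec["decision"] == "denied":
            yield rec


def summarize(lines):
    """Map (source type, target type, class) -> sorted denied permissions.

    Journald and the kernel both report the same event, so duplicates
    collapse naturally because permissions are collected in a set.
    """
    perms = defaultdict(set)
    for rec in denied_records(lines):
        perms[(rec["stype"], rec["ttype"], rec["tclass"])].update(rec["perms"])
    return {key: sorted(v) for key, v in perms.items()}


def suggested_rules(lines):
    """Render audit2allow-style allow rules for the denials in `lines`.

    This is the access the policy would have to grant; whether granting it
    is the right fix, rather than relabeling a mislabeled file, is a
    separate judgement (the thread raises exactly that question).
    """
    return [
        f"allow {s} {t}:{c} {{ {' '.join(p)} }};"
        for (s, t, c), p in sorted(summarize(lines).items())
    ]


def denied_files(lines):
    """Sorted, de-duplicated object names that were denied."""
    return sorted({rec["name"] for rec in denied_records(lines) if rec["name"]})


if __name__ == "__main__":
    lines = SAMPLE_JOURNAL.splitlines()
    for rule in suggested_rules(lines):
        print(rule)
    print("denied objects:", ", ".join(denied_files(lines)))
```

Run against the sample it reduces the six quoted denials to a single line, `allow systemd_modules_load_t modules_dep_t:file { read };`, which is the same access the policy fix in this bug grants. The summary also surfaces the target label (`modules_dep_t` under `unconfined_u`), which is the detail worth checking against `ls -Z` before deciding whether the label or the policy is what is wrong.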

Comment 1 Zbigniew Jędrzejewski-Szmek 2019-04-10 07:47:53 UTC
Hmm. tcontext=unconfined_u:object_r:modules_dep_t:s0 looks a bit fishy.

On my machine I have:
$ ls -Z /usr/lib/modules/5.0.6-300.fc30.x86_64/
    system_u:object_r:modules_object_t:s0 bls.conf
    system_u:object_r:modules_object_t:s0 build@
    system_u:object_r:modules_object_t:s0 config
    system_u:object_r:modules_object_t:s0 extra/
    system_u:object_r:modules_object_t:s0 kernel/
unconfined_u:object_r:modules_object_t:s0 modules.alias
unconfined_u:object_r:modules_object_t:s0 modules.alias.bin
    system_u:object_r:modules_object_t:s0 modules.block
    system_u:object_r:modules_object_t:s0 modules.builtin
unconfined_u:object_r:modules_object_t:s0 modules.builtin.bin
unconfined_u:object_r:modules_object_t:s0 modules.dep
unconfined_u:object_r:modules_object_t:s0 modules.dep.bin
unconfined_u:object_r:modules_object_t:s0 modules.devname
    system_u:object_r:modules_object_t:s0 modules.drm
    system_u:object_r:modules_object_t:s0 modules.modesetting
    system_u:object_r:modules_object_t:s0 modules.networking
    system_u:object_r:modules_object_t:s0 modules.order
unconfined_u:object_r:modules_object_t:s0 modules.softdep
unconfined_u:object_r:modules_object_t:s0 modules.symbols
unconfined_u:object_r:modules_object_t:s0 modules.symbols.bin
    system_u:object_r:modules_object_t:s0 source@
    system_u:object_r:modules_object_t:s0 System.map
    system_u:object_r:modules_object_t:s0 updates/
    system_u:object_r:modules_object_t:s0 vdso/
               system_u:object_r:usr_t:s0 vmlinuz*

The ones with unconfined_u appear to be stuff created by kernel-install when called
from kernel.rpm's %post.
The other files are installed directly by rpm.
So maybe it's a question of wrong contexts, not missing permissions.

Comment 2 Lukas Vrabec 2019-04-10 08:27:07 UTC
commit 021823926ae7bff86e92ea8d119d5150c0d89a63
Author: Lukas Vrabec <lvrabec>
Date:   Tue Apr 9 10:27:54 2019 +0200

    Allow systemd_modules_load to read modules_dep_t files

Comment 3 Fedora Update System 2019-04-12 23:59:03 UTC
selinux-policy-3.14.3-29.fc30 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-7cb094d99a

Comment 4 Fedora Update System 2019-04-13 00:05:31 UTC
selinux-policy-3.14.3-29.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.

Comment 5 taaem 2019-04-14 13:58:47 UTC
*** Bug 1699559 has been marked as a duplicate of this bug. ***