Bug 1743758
Summary: | Failed to insert module 'ip_tables': Operation not permitted | |
---|---|---|---
Product: | Red Hat Enterprise Linux 8 | Reporter: | Orion Poplawski <orion>
Component: | systemd | Assignee: | systemd-maint
Status: | CLOSED CURRENTRELEASE | QA Contact: | Frantisek Sumsal <fsumsal>
Severity: | low | Docs Contact: |
Priority: | unspecified | |
Version: | 8.0 | CC: | jsynacek, lvrabec, mmalik, systemd-maint-list
Target Milestone: | rc | |
Target Release: | 8.0 | |
Hardware: | x86_64 | |
OS: | Linux | |
Whiteboard: | | |
Fixed In Version: | | Doc Type: | If docs needed, set a value
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2019-09-05 07:01:55 UTC | Type: | Bug
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Description
Orion Poplawski
2019-08-20 15:49:44 UTC
This looks like some kind of a race condition, but I'm not able to pinpoint the exact cause. It's definitely caused by selinux either not being in a proper state yet, or a wrongly labelled file system.

https://github.com/systemd-rhel/rhel-8/blob/master/src/core/main.c#L2202-L2290

We call several selinux initializing functions first and then we call kmod_setup(), which tries to insert the module and fails. I don't see any problem with the call sequence. @lvrabec, could you please check if we do everything correctly?

This problem can be worked around by putting selinux to permissive or simply modprobing the module after boot.

Also, there are no AVCs. At least I can't see any when using ausearch -m avc, which is further indicative of selinux being in an improper state.

This actually looks like a duplicate of #1743758, which contains a fix for selinux-policy. I'll keep this one open for now.

You meant BZ#1644805, right?

Hi Jan,

We have this issue covered here: https://bugzilla.redhat.com/show_bug.cgi?id=1644805

Some fixes still need to be added to RHEL-8.2 but the workaround is easy:

    # cat extra.cil
    ( allow init_t init_t ( capability ( sys_module )))
    # semodule -i extra.cil

This could be closed, it's a selinux-policy issue.

Thanks,
Lukas.

Yes, I meant #1644805, sorry. Thank you!
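The diagnosis and workaround discussed in the thread, collected into one script as an added example (this is not code from the bug report or from the systemd or selinux-policy projects). It assumes a RHEL 8 host with policycoreutils (semodule), setools (sesearch) and audit (ausearch) installed, and must run as root to install the module; the script file name fix-ip-tables.sh and the module name "extra" are assumptions. It checks whether ip_tables is already loaded, shows recent AVC denials (the thread reports none), asks the loaded policy whether init_t already holds the sys_module capability, and only then installs the CIL rule Lukas posted and retries modprobe.

```shell
#!/bin/sh
# Added example: diagnose and apply the SELinux workaround for
# "Failed to insert module 'ip_tables': Operation not permitted".
# Assumes RHEL 8 with semodule, sesearch and ausearch available; root required
# for install_workaround and load_ip_tables.

# Hypothetical module name; semodule derives the module name from the file name.
CIL_NAME="extra"

# The CIL rule from the bug thread: let PID 1 (init_t) load kernel modules.
cil_module_text() {
    printf '( allow init_t init_t ( capability ( sys_module )))\n'
}

# Read sesearch output on stdin; succeed if an allow rule grants init_t the
# sys_module capability.  Handles both the single-permission form
#   allow init_t init_t:capability sys_module;
# and the braced form
#   allow init_t init_t:capability { sys_module net_admin };
has_sys_module_rule() {
    grep -E '^allow init_t init_t:capability ' \
        | tr -d '{};' \
        | grep -Eq '(^| )sys_module( |$)'
}

# True if the ip_tables module is currently loaded.
ip_tables_loaded() {
    lsmod | grep -q '^ip_tables '
}

# Write the CIL module to a temporary directory and install it with semodule.
install_workaround() {
    dir=$(mktemp -d) || return 1
    cil_module_text > "$dir/$CIL_NAME.cil"
    semodule -i "$dir/$CIL_NAME.cil"
    rc=$?
    rm -rf "$dir"
    return $rc
}

# Load ip_tables now (the after-boot workaround from the thread) and verify.
load_ip_tables() {
    modprobe ip_tables && ip_tables_loaded
}

main() {
    if ip_tables_loaded; then
        echo "ip_tables is already loaded; nothing to do"
        return 0
    fi

    echo "AVC denials since boot (the bug report saw none):"
    ausearch -m avc -ts boot 2>/dev/null | tail -n 5

    if sesearch -A -s init_t -t init_t -c capability -p sys_module | has_sys_module_rule; then
        echo "policy already allows init_t the sys_module capability"
    else
        install_workaround && echo "installed SELinux module $CIL_NAME"
    fi

    load_ip_tables && echo "ip_tables loaded"
}

# Only act when invoked as: sh fix-ip-tables.sh --apply
if [ "${1:-}" = "--apply" ]; then
    main
fi
```

The rule is deliberately broad: it lets init_t load any kernel module, so treat it as the stopgap the thread describes and drop it with semodule -r extra once the selinux-policy fix tracked in BZ#1644805 is installed. The sesearch check is there so the module is not stacked on top of a policy that already carries the permission.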