Bug 1743758

Summary: Failed to insert module 'ip_tables': Operation not permitted
Product: Red Hat Enterprise Linux 8
Reporter: Orion Poplawski <orion>
Component: systemd
Assignee: systemd-maint
Status: CLOSED CURRENTRELEASE
QA Contact: Frantisek Sumsal <fsumsal>
Severity: low
Docs Contact:
Priority: unspecified
Version: 8.0
CC: jsynacek, lvrabec, mmalik, systemd-maint-list
Target Milestone: rc
Target Release: 8.0
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-09-05 07:01:55 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Orion Poplawski 2019-08-20 15:49:44 UTC
Description of problem:

During early boot:

Aug 20 09:11:14 localhost.localdomain systemd[1]: Successfully loaded SELinux policy in 544.018ms.
Aug 20 09:11:14 localhost.localdomain systemd[1]: Failed to insert module 'ip_tables': Operation not permitted
Aug 20 09:11:14 localhost.localdomain systemd[1]: Relabelled /dev, /run and /sys/fs/cgroup in 49.266ms.
Aug 20 09:11:14 localhost.localdomain systemd[1]: systemd 239 running in system mode. (+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN2 -IDN +PCRE2 default-hierarchy=legacy)

Version-Release number of selected component (if applicable):
systemd-239-13.el8_0.5.x86_64

How reproducible:
Every boot on this VM.

Expected results:
No error messages on successful and normal boot.

Comment 1 Jan Synacek 2019-09-04 09:43:43 UTC
This looks like some kind of race condition, but I'm not able to pinpoint the exact cause. It's definitely caused by selinux either not being in a proper state yet, or a wrongly labelled file system.

https://github.com/systemd-rhel/rhel-8/blob/master/src/core/main.c#L2202-L2290

We call several selinux initializing functions first and then we call kmod_setup(), which tries to insert the module and fails. I don't see any problem with the call sequence. @lvrabec, could you please check if we do everything correctly?

This problem can be worked around by putting selinux to permissive or simply modprobing the module after boot. Also, there are no avcs. At least I can't see any when using ausearch -m avc, which is further indicative of selinux being in an improper state.

Comment 2 Jan Synacek 2019-09-04 13:53:41 UTC
This actually looks like a duplicate of #1743758, which contains a fix for selinux-policy. I'll keep this one open for now.

Comment 3 Milos Malik 2019-09-04 14:19:08 UTC
You meant BZ#1644805, right?

Comment 4 Lukas Vrabec 2019-09-04 15:47:09 UTC
Hi Jan, 

We have this issue covered here: 
https://bugzilla.redhat.com/show_bug.cgi?id=1644805 

Some fixes still need to be added to RHEL-8.2, but the workaround is easy:

# cat extra.cil
( allow init_t init_t ( capability ( sys_module )))
# semodule -i extra.cil

This could be closed; it's a selinux-policy issue.

Thanks,
Lukas.
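The following script is an added example and not part of the bug report or of the selinux-policy/systemd projects. It ties together the diagnosis from comment 1 and the CIL workaround from comment 4: it extracts the module names PID 1 failed to insert from journal text, checks (with setools' sesearch, if installed) whether the running policy already grants init_t the sys_module capability, and installs the one-line CIL module only when the tools are present. The sample journal lines are constructed from the messages quoted in the description; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the bug report): diagnose and work around
# "Failed to insert module 'ip_tables': Operation not permitted" from PID 1
# on an SELinux-enforcing RHEL 8 host.
set -eu

# Constructed sample of the early-boot journal lines quoted in the report.
SAMPLE_JOURNAL=$(cat <<'EOF'
Aug 20 09:11:14 localhost.localdomain systemd[1]: Successfully loaded SELinux policy in 544.018ms.
Aug 20 09:11:14 localhost.localdomain systemd[1]: Failed to insert module 'ip_tables': Operation not permitted
Aug 20 09:11:14 localhost.localdomain systemd[1]: Relabelled /dev, /run and /sys/fs/cgroup in 49.266ms.
EOF
)

# Print the names of modules PID 1 failed to insert, one per line,
# from journal text on stdin (EPERM from init_module shows up exactly like this).
failed_modules() {
    sed -n "s/.*systemd\[1\]: Failed to insert module '\([^']*\)': Operation not permitted.*/\1/p"
}

# The CIL rule from comment 4: let init_t load kernel modules.
cil_workaround() {
    printf '%s\n' '( allow init_t init_t ( capability ( sys_module )))'
}

# Is the rule already present in the loaded policy?
# Returns 0 = allowed, 1 = not allowed, 2 = sesearch (setools) not installed.
policy_allows_sys_module() {
    command -v sesearch >/dev/null 2>&1 || return 2
    sesearch -A -s init_t -t init_t -c capability -p sys_module 2>/dev/null \
        | grep -q 'allow init_t init_t'
}

# Show AVC denials since boot. The report notes there may be none even when the
# insert fails, which is itself a hint that SELinux was not fully set up yet.
avcs_since_boot() {
    command -v ausearch >/dev/null 2>&1 || { echo "ausearch not installed" >&2; return 2; }
    ausearch -m avc -ts boot 2>/dev/null || echo "no AVC records since boot"
}

# Install the CIL module with semodule. Needs root and policycoreutils;
# semodule picks the language from the .cil extension, so keep it.
apply_workaround() {
    if ! command -v semodule >/dev/null 2>&1; then
        echo "semodule not installed; would have loaded:" >&2
        cil_workaround >&2
        return 2
    fi
    dir=$(mktemp -d)
    cil_workaround > "$dir/extra.cil"
    semodule -i "$dir/extra.cil"
    rm -rf "$dir"
}

# Full run: read the current boot's journal (or the constructed sample when
# journalctl is unavailable), and apply the workaround only if the symptom is
# present and the policy does not already allow it.
diagnose_and_fix() {
    if command -v journalctl >/dev/null 2>&1; then
        mods=$(journalctl -b _PID=1 --no-pager 2>/dev/null | failed_modules || true)
    else
        mods=$(printf '%s\n' "$SAMPLE_JOURNAL" | failed_modules)
    fi
    [ -n "$mods" ] || { echo "no failed module inserts by PID 1"; return 0; }
    echo "PID 1 failed to insert: $(printf '%s' "$mods" | tr '\n' ' ')"
    avcs_since_boot || true
    if policy_allows_sys_module; then
        echo "policy already allows init_t sys_module; look elsewhere (labels, policy load order)"
        return 0
    fi
    apply_workaround
}

# Only act when explicitly asked, so the file can be sourced for its functions.
if [ "${1:-}" = "--apply" ]; then
    diagnose_and_fix
fi
```

Run it as root with `--apply` on the affected host; without the flag it only defines the functions. The workaround grants PID 1 a broad capability (sys_module) permanently, so remove the module with `semodule -r extra` once the fixed selinux-policy from BZ#1644805 is installed.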

Comment 5 Jan Synacek 2019-09-05 07:01:55 UTC
Yes, I meant #1644805, sorry. Thank you!