Bug 2034463

Summary: [RHEL9] SELinux is preventing /usr/sbin/fcoemon from module_request access on the system labeled kernel_t
Product: Red Hat Enterprise Linux 9
Reporter: guazhang <guazhang>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: medium
Priority: medium
Version: 9.0
CC: lvrabec, mmalik, ssekidde
Target Milestone: rc
Keywords: AutoVerified, Triaged
Target Release: 9.0
Hardware: Unspecified
OS: Linux
Fixed In Version: selinux-policy-34.1.21-1.el9
Doc Type: No Doc Update
Story Points: ---
Last Closed: 2022-05-17 15:50:02 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description guazhang@redhat.com 2021-12-21 02:27:36 UTC
Description of problem:
AVC check error; got the error: SELinux is preventing /usr/sbin/fcoemon from module_request access on the system labeled kernel_t


Version-Release number of selected component (if applicable):
selinux-policy-34.1.20-1.el9.noarch
RHEL-9.0.0-20211216.2

How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:


[root@storageqe-67 ~]# sealert -l 53dfe07a-9498-44bd-819a-109787cf4dde
SELinux is preventing /usr/sbin/fcoemon from module_request access on the system labeled kernel_t.

*****  Plugin catchall_boolean (89.3 confidence) suggests   ******************

If you want to allow domain to kernel load modules
Then you must tell SELinux about this by enabling the 'domain_kernel_load_modules' boolean.

Do
setsebool -P domain_kernel_load_modules 1

*****  Plugin catchall (11.6 confidence) suggests   **************************

If you believe that fcoemon should be allowed module_request access on system labeled kernel_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'fcoemon' --raw | audit2allow -M my-fcoemon
# semodule -X 300 -i my-fcoemon.pp


Additional Information:
Source Context                system_u:system_r:fcoemon_t:s0
Target Context                system_u:system_r:kernel_t:s0
Target Objects                Unknown [ system ]
Source                        fcoemon
Source Path                   /usr/sbin/fcoemon
Port                          <Unknown>
Host                          storageqe-67.rhts.eng.pek2.redhat.com
Source RPM Packages           fcoe-utils-1.0.34-0.git14ef0d2.el9.x86_64
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-34.1.20-1.el9.noarch
Local Policy RPM              selinux-policy-targeted-34.1.20-1.el9.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     storageqe-67.rhts.eng.pek2.redhat.com
Platform                      Linux storageqe-67.rhts.eng.pek2.redhat.com
                              5.14.0-32.el9.x86_64 #1 SMP PREEMPT Thu Dec 16
                              00:20:53 EST 2021 x86_64 x86_64
Alert Count                   24
First Seen                    2021-12-20 20:19:25 EST
Last Seen                     2021-12-20 20:48:21 EST
Local ID                      53dfe07a-9498-44bd-819a-109787cf4dde

Raw Audit Messages
type=AVC msg=audit(1640051301.119:36): avc:  denied  { module_request } for  pid=1356 comm="fcoemon" kmod="8021q" scon0


type=SYSCALL msg=audit(1640051301.119:36): arch=x86_64 syscall=ioctl success=no exit=ENOPKG a0=8 a1=8982 a2=7ffea5a184)

Hash: fcoemon,fcoemon_t,kernel_t,system,module_request

[root@storageqe-67 ~]# ausearch -c 'fcoemon' --raw | audit2allow -M my-fcoemon
Nothing to do
[root@storageqe-67 ~]# semodule -X 300 -i my-fcoemon.pp
libsemanage.map_file: Unable to open my-fcoemon.pp
 (No such file or directory).
libsemanage.semanage_direct_install_file: Unable to read file my-fcoemon.pp
 (No such file or directory).
semodule:  Failed on my-fcoemon.pp!
[root@storageqe-67 ~]# 



Dec 20 20:19:28 storageqe-67 setroubleshoot[1366]: SELinux is preventing /usr/sbin/fcoemon from module_request access on the system labeled kernel_t. For complete SELinux messages run: sealert -l 53dfe07a-9498-44bd-819a-109787cf4dde
Dec 20 20:19:28 storageqe-67 setroubleshoot[1366]: SELinux is preventing /usr/sbin/fcoemon from module_request access on the system labeled kernel_t.#012#012*****  Plugin catchall_boolean (89.3 confidence) suggests   ******************#012#012If you want to allow domain to kernel load modules#012Then you must tell SELinux about this by enabling the 'domain_kernel_load_modules' boolean.#012#012Do#012setsebool -P domain_kernel_load_modules 1#012#012*****  Plugin catchall (11.6 confidence) suggests   **************************#012#012If you believe that fcoemon should be allowed module_request access on system labeled kernel_t by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'fcoemon' --raw | audit2allow -M my-fcoemon#012# semodule -X 300 -i my-fcoemon.pp#012



SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33
selinux-policy-34.1.20-1.el9.noarch
----
time->Mon Dec 20 20:19:25 2021
type=PROCTITLE msg=audit(1640049565.129:33): proctitle=2F7573722F7362696E2F66636F656D6F6E002D2D666F726567726F756E64002D2D64656275673D244445425547002D2D7379736C6F673D245359534C4F47
type=SYSCALL msg=audit(1640049565.129:33): arch=c000003e syscall=16 success=no exit=-65 a0=7 a1=8982 a2=7ffd13ebd2f0 a3=7ff389ee83e0 items=0 ppid=1 pid=1358 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="fcoemon" exe="/usr/sbin/fcoemon" subj=system_u:system_r:fcoemon_t:s0 key=(null)
type=AVC msg=audit(1640049565.129:33): avc:  denied  { module_request } for  pid=1358 comm="fcoemon" kmod="8021q" scontext=system_u:system_r:fcoemon_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0
----
time->Mon Dec 20 20:19:25 2021
type=PROCTITLE msg=audit(1640049565.477:36): proctitle=2F7573722F7362696E2F66636F656D6F6E002D2D666F726567726F756E64002D2D64656275673D244445425547002D2D7379736C6F673D245359534C4F47
type=SYSCALL msg=audit(1640049565.477:36): arch=c000003e syscall=16 success=no exit=-65 a0=8 a1=8982 a2=7ffd13ebd2f0 a3=7ff389ee83e0 items=0 ppid=1 pid=1358 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="fcoemon" exe="/usr/sbin/fcoemon" subj=system_u:system_r:fcoemon_t:s0 key=(null)
type=AVC msg=audit(1640049565.477:36): avc:  denied  { module_request } for  pid=1358 comm="fcoemon" kmod="8021q" scontext=system_u:system_r:fcoemon_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0



https://beaker.engineering.redhat.com/recipes/11168945#task137130136,task137130138
http://lab-04.rhts.eng.pek2.redhat.com/beaker/logs/results/643536+/643536993/avc.log

Comment 1 Zdenek Pytela 2022-01-05 17:40:21 UTC
Hi,

What are the conditions to trigger this issue?
Is there some special configuration/hardware needed?
Is fcoemon started as a systemd service?

Comment 2 guazhang@redhat.com 2022-01-06 02:10:54 UTC
Hi,

It is easy to reproduce the bug.

1. Set up a bnx2fc FCoE environment and discover LUNs
2. Reboot
3. systemctl restart fcoe

Jan  5 21:04:55 storageqe-16 setroubleshoot[2996]: SELinux is preventing /usr/sbin/fcoemon from module_request access on the system labeled kernel_t. For complete SELinux messages run: sealert -l 47fb6716-5e81-4a02-be88-77ab092a227e
Jan  5 21:04:55 storageqe-16 setroubleshoot[2996]: SELinux is preventing /usr/sbin/fcoemon from module_request access on the system labeled kernel_t.#012#012*****  Plugin catchall_boolean (89.3 confidence) suggests   ******************#012#012If you want to allow domain to kernel load modules#012Then you must tell SELinux about this by enabling the 'domain_kernel_load_modules' boolean.#012#012Do#012setsebool -P domain_kernel_load_modules 1#012#012*****  Plugin catchall (11.6 confidence) suggests   **************************#012#012If you believe that fcoemon should be allowed module_request access on system labeled kernel_t by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'fcoemon' --raw | audit2allow -M my-fcoemon#012# semodule -X 300 -i my-fcoemon.pp#012



# sealert -l 47fb6716-5e81-4a02-be88-77ab092a227e
SELinux is preventing /usr/sbin/fcoemon from module_request access on the system labeled kernel_t.

*****  Plugin catchall_boolean (89.3 confidence) suggests   ******************

If you want to allow domain to kernel load modules
Then you must tell SELinux about this by enabling the 'domain_kernel_load_modules' boolean.

Do
setsebool -P domain_kernel_load_modules 1

*****  Plugin catchall (11.6 confidence) suggests   **************************

If you believe that fcoemon should be allowed module_request access on system labeled kernel_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'fcoemon' --raw | audit2allow -M my-fcoemon
# semodule -X 300 -i my-fcoemon.pp


Additional Information:
Source Context                system_u:system_r:fcoemon_t:s0
Target Context                system_u:system_r:kernel_t:s0
Target Objects                Unknown [ system ]
Source                        fcoemon
Source Path                   /usr/sbin/fcoemon
Port                          <Unknown>
Host                          storageqe-16.sqe.lab.eng.bos.redhat.com
Source RPM Packages           fcoe-utils-1.0.34-0.git14ef0d2.el9.x86_64
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-34.1.20-1.el9.noarch
Local Policy RPM              selinux-policy-targeted-34.1.20-1.el9.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     storageqe-16.sqe.lab.eng.bos.redhat.com
Platform                      Linux storageqe-16.sqe.lab.eng.bos.redhat.com
                              5.14.0-39.el9.x86_64 #1 SMP PREEMPT Fri Dec 24
                              00:07:58 EST 2021 x86_64 x86_64
Alert Count                   4
First Seen                    2022-01-05 21:04:52 EST
Last Seen                     2022-01-05 21:04:52 EST
Local ID                      47fb6716-5e81-4a02-be88-77ab092a227e

Raw Audit Messages
type=AVC msg=audit(1641434692.558:116): avc:  denied  { module_request } for  pid=2995 comm="fcoemon" kmod="8021q" scontext=system_u:system_r:fcoemon_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0


type=SYSCALL msg=audit(1641434692.558:116): arch=x86_64 syscall=ioctl success=no exit=ENOPKG a0=8 a1=8982 a2=7ffdd90301c0 a3=7fec871ae3e0 items=0 ppid=1 pid=2995 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=fcoemon exe=/usr/sbin/fcoemon subj=system_u:system_r:fcoemon_t:s0 key=(null)

Hash: fcoemon,fcoemon_t,kernel_t,system,module_request
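Added example, not from the bug report, setroubleshoot or the selinux-policy package: a small POSIX shell triage for this class of denial that works from raw audit records and does not need setroubleshoot. It turns AVC records (the two from the description, embedded as constructed input) into the allow rule audit2allow would generate, pulls out the kmod= name that says which module the daemon asked the kernel to autoload, and checks an installed selinux-policy version string against the Fixed In Version of this bug. The function names (avc_to_te, requested_kmods, avc_matches_bug, policy_is_fixed) and the SAMPLE_AVC variable are this example's own.

```shell
#!/bin/sh
# Added example for this bug page (not from the report, setroubleshoot or
# selinux-policy): triage a module_request AVC denial from raw audit records
# and check whether the installed policy is at or after the fixed version.
# Function names and SAMPLE_AVC are this example's own.

# Constructed input: the two denied AVC records quoted in the bug report.
# On a live host feed the functions from:  ausearch -m AVC -c fcoemon --raw
SAMPLE_AVC='type=AVC msg=audit(1640049565.129:33): avc:  denied  { module_request } for  pid=1358 comm="fcoemon" kmod="8021q" scontext=system_u:system_r:fcoemon_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0
type=AVC msg=audit(1640049565.477:36): avc:  denied  { module_request } for  pid=1358 comm="fcoemon" kmod="8021q" scontext=system_u:system_r:fcoemon_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0'

# avc_to_te: read raw audit records on stdin and print, once each, the
# allow rule audit2allow would generate for every denied AVC record:
#   allow <source type> <target type>:<class> <permissions>;
avc_to_te() {
  awk '
    /^type=AVC / && /avc: +denied/ {
      perms = ""; st = ""; tt = ""; cls = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "{") {              # collect everything up to the closing }
          for (j = i + 1; j <= NF && $j != "}"; j++)
            perms = perms (perms == "" ? "" : " ") $j
        }
        # third field of user:role:type:level is the type
        if ($i ~ /^scontext=/) { split(substr($i, 10), c, ":"); st = c[3] }
        if ($i ~ /^tcontext=/) { split(substr($i, 10), c, ":"); tt = c[3] }
        if ($i ~ /^tclass=/) cls = substr($i, 8)
      }
      if (st == "" || tt == "" || cls == "" || perms == "") next
      rule = "allow " st " " tt ":" cls " " perms ";"
      if (!(rule in seen)) { seen[rule] = 1; print rule }
    }'
}

# requested_kmods: the kmod= values of the denied records, i.e. which modules
# the daemon asked the kernel to autoload. Here it is 8021q (VLAN); because
# the load was refused, the ioctl in the SYSCALL record failed with ENOPKG.
requested_kmods() {
  sed -n 's/.* kmod="\([^"]*\)".*/\1/p' | sort -u
}

# avc_matches_bug: exit 0 when stdin contains this bug's denial signature.
avc_matches_bug() {
  avc_to_te | grep -qx 'allow fcoemon_t kernel_t:system module_request;'
}

# policy_is_fixed VERSION: exit 0 when VERSION (output of
# `rpm -q selinux-policy` or `rpm -q selinux-policy-targeted`, or a bare
# 34.1.20-1.el9) is at least the Fixed In Version, 34.1.21-1.el9.
# Numeric segment comparison only, not a full rpmvercmp; it is meant for
# RHEL 9 builds of this one package.
policy_is_fixed() {
  awk -v have="$1" -v want="34.1.21-1.el9" 'BEGIN {
    sub(/^[^0-9]*/, "", have)                          # drop package name
    sub(/\.el.*/, "", have); sub(/\.el.*/, "", want)   # drop .el9.noarch
    gsub(/-/, ".", have); gsub(/-/, ".", want)         # release = last segment
    nh = split(have, h, "."); nw = split(want, w, ".")
    n = (nh > nw) ? nh : nw
    for (i = 1; i <= n; i++) {
      a = (i <= nh) ? h[i] + 0 : 0
      b = (i <= nw) ? w[i] + 0 : 0
      if (a > b) exit 0
      if (a < b) exit 1
    }
    exit 0
  }'
}

# Stand-alone run: the rule and module for the records in this report, then
# the host's installed policy if rpm is available.
printf '%s\n' "$SAMPLE_AVC" | avc_to_te
printf '%s\n' "$SAMPLE_AVC" | requested_kmods
if command -v rpm >/dev/null 2>&1 && pol=$(rpm -q selinux-policy 2>/dev/null); then
  if policy_is_fixed "$pol"; then
    echo "$pol: at or after selinux-policy-34.1.21-1.el9"
  else
    echo "$pol: predates selinux-policy-34.1.21-1.el9"
  fi
fi
```

Two practitioner notes on the report above. First, the 89% suggestion to set domain_kernel_load_modules is the wide option: that boolean lets every confined domain ask the kernel to autoload modules, not just fcoemon_t, which enlarges kernel attack surface well beyond what this daemon needs. The single rule avc_to_te prints is the narrow local workaround, and updating to the errata package makes both unnecessary. Second, audit2allow says "Nothing to do" when the ausearch pipeline hands it no AVC records, which is what happened in the description, and semodule then fails simply because no my-fcoemon.pp was built; check that ausearch actually returns the records (for instance with -m AVC and a -ts window) before running the pipeline. For reading the SYSCALL record: syscall=16 on x86_64 is ioctl, exit=-65 is ENOPKG, and a1=8982 is SIOCGIFVLAN, which matches the kmod="8021q" request in the AVC record.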

Comment 12 errata-xmlrpc 2022-05-17 15:50:02 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (new packages: selinux-policy), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:3918