Bug 2056521
| Summary: | Critical mounts cannot be performed when "secure_mode_insmod" is enabled | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Renaud Métrich <rmetrich> |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
| Status: | CLOSED MIGRATED | QA Contact: | Milos Malik <mmalik> |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | 8.5 | CC: | lvrabec, mmalik |
| Target Milestone: | rc | Keywords: | MigratedToJIRA, Triaged |
| Target Release: | 8.10 | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2023-08-17 12:44:24 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
ANSSI recommendations (in French): https://www.ssi.gouv.fr/uploads/2016/01/linux_configuration-fr-v1.2.pdf
Description of problem:

When "secure_mode_insmod" is enabled, which is the case when applying the ANSSI SCAP profile "xccdf_org.ssgproject.content_profile_anssi_bp28_high", the system fails to boot and enters Emergency mode due to systemd not being able to mount "/boot/efi" ("vfat") and/or "/var/lib/nfs/rpc_pipefs" ("rpc_pipefs"):

```
# journalctl -b -u boot-efi.mount -u var-lib-nfs-rpc_pipefs.moun
-- Logs begin at Mon 2022-02-21 13:37:20 CET, end at Mon 2022-02-21 13:39:16 CET. --
Feb 21 13:37:22 vm-uefi8 systemd[1]: Mounting /boot/efi...
Feb 21 13:37:22 vm-uefi8 mount[784]: mount: /boot/efi: unknown filesystem type 'vfat'.
Feb 21 13:37:22 vm-uefi8 systemd[1]: boot-efi.mount: Mount process exited, code=exited status=32
Feb 21 13:37:22 vm-uefi8 systemd[1]: boot-efi.mount: Failed with result 'exit-code'.
Feb 21 13:37:22 vm-uefi8 systemd[1]: Failed to mount /boot/efi.
Feb 21 13:37:22 vm-uefi8 systemd[1]: Mounting RPC Pipe File System...
Feb 21 13:37:22 vm-uefi8 mount[849]: mount: /var/lib/nfs/rpc_pipefs: unknown filesystem type 'rpc_pipefs'.
Feb 21 13:37:22 vm-uefi8 systemd[1]: var-lib-nfs-rpc_pipefs.mount: Mount process exited, code=exited status=32
Feb 21 13:37:22 vm-uefi8 systemd[1]: var-lib-nfs-rpc_pipefs.mount: Failed with result 'exit-code'.
Feb 21 13:37:22 vm-uefi8 systemd[1]: Failed to mount RPC Pipe File System.
```

The reason for this is there is no rule to allow **kmod_t** to load modules:

```
# sesearch -A -c capability -p sys_module | grep -v "secure_mode_insmod"
allow iscsid_t iscsid_t:capability { dac_read_search ipc_lock net_admin net_raw sys_admin sys_module sys_nice sys_resource };
allow minissdpd_t minissdpd_t:capability { net_admin sys_module };
allow openvswitch_t openvswitch_t:capability { audit_write chown dac_override dac_read_search fowner ipc_lock kill mknod net_admin net_broadcast setgid setpcap setuid sys_module sys_nice sys_rawio sys_resource };
allow vmware_host_t vmware_host_t:capability { audit_control audit_write chown dac_override dac_read_search fowner fsetid ipc_lock ipc_owner kill lease linux_immutable mknod net_admin net_bind_service net_broadcast net_raw setfcap setgid setpcap setuid sys_admin sys_boot sys_chroot sys_module sys_nice sys_pacct sys_ptrace sys_rawio sys_resource sys_time sys_tty_config };
```

IMHO we need an exception for **kmod_t** to load modules, something like this:

```
# cat kmod_load_modules.cil
(allow kmod_t self (capability (sys_module)))
```

If such a solution is not acceptable, then we need some other mechanism to be implemented, in particular for "/boot/efi", which is critical on UEFI systems.

Version-Release number of selected component (if applicable):

selinux-policy on RHEL8

How reproducible:

Always

Steps to Reproduce:

1. On UEFI, nothing special to do; on Legacy, install the "nfs-utils" package:
   ```
   # yum -y install nfs-utils
   ```
2. Enable "secure_mode_insmod":
   ```
   # setsebool -P secure_mode_insmod on
   ```
3. Reboot

Actual results:

- Emergency prompt (on UEFI due to /boot/efi)
- Failure starting var-lib-nfs-rpc_pipefs.mount

Expected results:

No issue

Additional info:

A workaround is to have the modules preloaded in the initramfs, by creating a "/etc/modules-load.d/" configuration file and rebuilding all initramfs files:

```
# echo "vfat" > /etc/modules-load.d/vfat.conf
# dracut -f --regenerate-all
```
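The workaround above only helps if every filesystem type that boot needs has its module listed before `secure_mode_insmod` is switched on, and missing one of them (rpc_pipefs from the nfs-utils mount unit is easy to overlook) means an emergency prompt on the next reboot. The script below is an added example, not code from the bug report or from selinux-policy: it collects the filesystem types from an fstab and from systemd `.mount` units, drops the ones the running kernel already has registered in `/proc/filesystems`, and writes a `modules-load.d` entry for each of the rest, then rebuilds the initramfs with the same `dracut` call the report uses. Function names, the `report`/`apply` arguments and the sample fstab, `/proc/filesystems` and unit contents used to exercise it are this example's own. It writes the kernel's `fs-<type>` alias rather than a bare module name so that types whose module is named differently (rpc_pipefs is provided by the sunrpc module) still resolve; that `systemd-modules-load` resolves such aliases the way `modprobe` does is an assumption of this example.

```shell
#!/bin/bash
# Added example (not from the bug report): pre-flight check before turning on the
# secure_mode_insmod boolean. Lists every filesystem type that fstab and systemd
# .mount units need, drops the ones already registered in the running kernel, and
# writes modules-load.d entries for the rest so dracut pulls them into the initramfs.
# Assumptions: RHEL 8 style fstab and /proc/filesystems; mount units keep "Type="
# in their [Mount] section; all function names and paths below are this example's own.
set -eu

# fstab_fs_types FSTAB: unique fs types from an fstab, skipping comments, swap and none
fstab_fs_types() {
    awk '!/^[[:space:]]*#/ && NF >= 3 && $3 != "swap" && $3 != "none" { print $3 }' "$1" | sort -u
}

# mount_unit_fs_types DIR: Type= values from every systemd .mount unit in DIR
# (rpc_pipefs comes from nfs-utils' var-lib-nfs-rpc_pipefs.mount, not from fstab)
mount_unit_fs_types() {
    [ -d "$1" ] || return 0
    grep -hs '^Type=' "$1"/*.mount | cut -d= -f2 | sort -u
}

# registered_fs_types PROC_FILESYSTEMS: fs types the running kernel has registered;
# lines look like "nodev<TAB>tmpfs" or "<TAB>xfs", so the last field is the name
registered_fs_types() {
    awk '{ print $NF }' "$1" | sort -u
}

# missing_fs_modules FSTAB PROC_FILESYSTEMS UNITDIR: needed types that are not
# registered yet, i.e. the ones mount(8) would have to autoload a module for
missing_fs_modules() {
    local registered fs
    registered=$(registered_fs_types "$2")
    { fstab_fs_types "$1"; mount_unit_fs_types "$3"; } | sort -u | while read -r fs; do
        printf '%s\n' "$registered" | grep -qxF -- "$fs" || printf '%s\n' "$fs"
    done
}

# write_modules_load_conf OUTDIR TYPE...: one OUTDIR/TYPE.conf per type, like the
# report's "echo vfat > /etc/modules-load.d/vfat.conf" but using the "fs-<type>"
# alias the kernel itself requests, so the module name need not match the type
write_modules_load_conf() {
    local outdir=$1 fs
    shift
    mkdir -p "$outdir"
    for fs in "$@"; do
        printf 'fs-%s\n' "$fs" > "$outdir/$fs.conf"
    done
}

# preflight MODE: "report" (default) only prints; "apply" writes the entries and
# rebuilds every initramfs, against the live system
preflight() {
    local mode=${1:-report} missing
    if command -v getsebool >/dev/null 2>&1; then
        echo "current state: $(getsebool secure_mode_insmod)"
    fi
    missing=$(missing_fs_modules /etc/fstab /proc/filesystems /etc/systemd/system)
    if [ -z "$missing" ]; then
        echo "All needed filesystem types are already registered in the kernel."
        return 0
    fi
    echo "Filesystem types that need a module at mount time:"
    # shellcheck disable=SC2086  # word-splitting on $missing is intended
    printf '  %s\n' $missing
    if [ "$mode" = apply ]; then
        # shellcheck disable=SC2086
        write_modules_load_conf /etc/modules-load.d $missing
        dracut -f --regenerate-all
    else
        echo "Re-run with 'apply' to write /etc/modules-load.d entries and rebuild all initramfs files."
    fi
}

# Touch the live system only when explicitly asked: "bash preflight.sh report|apply"
case "${1:-}" in
    report|apply) preflight "$1" ;;
esac
```

Run `bash preflight.sh report` before enabling the boolean, review the list, then `bash preflight.sh apply` and reboot once to confirm the mounts come up before running `setsebool -P secure_mode_insmod on`. The script deliberately reports the kernel's currently registered types rather than what is in the initramfs, so run it on the booted system whose initramfs you are about to rebuild.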