Bug 2149299

Summary: SELinux is preventing zebra from 'module_request' accesses on the system labeled kernel_t.
Product: [Fedora] Fedora
Reporter: Brian J. Murrell <brian>
Component: frr
Assignee: Michal Ruprich <mruprich>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 37
CC: brian, mruprich, tkorbar, zpytela
Hardware: x86_64
OS: Unspecified
Whiteboard: abrt_hash:bd4f92b20b026041e3ebbaa62be579fb0a34dd01f399c6fc9aca9de8a3990aca;
Fixed In Version: frr-8.5.2-4.fc40 frr-8.5.2-2.fc37 frr-8.5.2-2.fc38 frr-8.5.2-4.fc39
Last Closed: 2023-09-08 13:04:37 UTC

Description Brian J. Murrell 2022-11-29 14:04:07 UTC
Description of problem:
Don't know why this happened.
SELinux is preventing zebra from 'module_request' accesses on the system labeled kernel_t.

*****  Plugin catchall_boolean (89.3 confidence) suggests   ******************

If you want to allow all domains to have the kernel load modules
Then you must tell SELinux about this by enabling the 'domain_kernel_load_modules' boolean.

Do
setsebool -P domain_kernel_load_modules 1

*****  Plugin catchall (11.6 confidence) suggests   **************************

If you believe that zebra should be allowed module_request access on system labeled kernel_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'zebra' --raw | audit2allow -M my-zebra
# semodule -X 300 -i my-zebra.pp

Additional Information:
Source Context                system_u:system_r:frr_t:s0
Target Context                system_u:system_r:kernel_t:s0
Target Objects                Unknown [ system ]
Source                        zebra
Source Path                   zebra
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-37.14-1.fc37.noarch
Local Policy RPM              frr-selinux-8.4-1.fc37.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 6.0.9-300.fc37.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Wed Nov 16 17:36:22 UTC 2022
                              x86_64 x86_64
Alert Count                   2
First Seen                    2022-11-22 08:59:49 EST
Last Seen                     2022-11-26 13:41:22 EST
Local ID                      8917d704-78e3-4eea-be33-4bce05a720f3

Raw Audit Messages
type=AVC msg=audit(1669488082.469:231): avc:  denied  { module_request } for  pid=1239 comm="zebra" kmod="netdev-virbr0" scontext=system_u:system_r:frr_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0


Hash: zebra,frr_t,kernel_t,system,module_request

Version-Release number of selected component:
selinux-policy-targeted-37.14-1.fc37.noarch

Additional info:
component:      frr
reporter:       libreport-2.17.4
hashmarkername: setroubleshoot
kernel:         6.0.9-300.fc37.x86_64
type:           libreport

Comment 1 Michal Ruprich 2023-01-03 13:27:28 UTC
Hi Brian, are you running frr in a VM? Judging from the netdev-virbr0 device in the AVC message.

Comment 2 Brian J. Murrell 2023-01-03 13:29:50 UTC
@mruprich No.

Comment 3 Michal Ruprich 2023-01-09 08:52:40 UTC
Hi Brian, did you have something I could answer here? You set the needinfo but I don't see a question.

Regards,
Michal

Comment 4 Brian J. Murrell 2023-01-09 13:19:07 UTC
Michal, no, nothing you need to answer.  I was simply answering your question and mentioned your name (@mruprich).  I have been getting an inclination lately that doing so adds the needinfo flag but I am not yet positive.  I guess if this comment sets that flag for you again, we can conclude that it does.

Comment 5 Fedora Update System 2023-09-04 06:41:46 UTC
FEDORA-2023-b2e129bce0 has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2023-b2e129bce0

Comment 6 Fedora Update System 2023-09-04 06:41:47 UTC
FEDORA-2023-e5bfd01551 has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2023-e5bfd01551

Comment 7 Fedora Update System 2023-09-05 02:18:58 UTC
FEDORA-2023-e5bfd01551 has been pushed to the Fedora 37 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-e5bfd01551`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-e5bfd01551

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 8 Fedora Update System 2023-09-05 02:22:11 UTC
FEDORA-2023-b2e129bce0 has been pushed to the Fedora 38 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-b2e129bce0`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-b2e129bce0

Comment 9 Fedora Update System 2023-09-06 13:48:54 UTC
FEDORA-2023-48a12fa02e has been submitted as an update to Fedora 40. https://bodhi.fedoraproject.org/updates/FEDORA-2023-48a12fa02e

Comment 10 Fedora Update System 2023-09-06 13:49:02 UTC
FEDORA-2023-b5fb7bba8c has been submitted as an update to Fedora 39. https://bodhi.fedoraproject.org/updates/FEDORA-2023-b5fb7bba8c

Comment 11 Fedora Update System 2023-09-07 02:24:11 UTC
FEDORA-2023-b5fb7bba8c has been pushed to the Fedora 39 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-b5fb7bba8c`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-b5fb7bba8c

Comment 12 Fedora Update System 2023-09-08 13:04:37 UTC
FEDORA-2023-48a12fa02e has been pushed to the Fedora 40 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 13 Fedora Update System 2023-09-13 01:35:14 UTC
FEDORA-2023-e5bfd01551 has been pushed to the Fedora 37 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 14 Fedora Update System 2023-09-13 02:35:55 UTC
FEDORA-2023-b2e129bce0 has been pushed to the Fedora 38 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 15 Fedora Update System 2023-09-17 02:03:34 UTC
FEDORA-2023-b5fb7bba8c has been pushed to the Fedora 39 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-b5fb7bba8c`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-b5fb7bba8c

Comment 16 Fedora Update System 2023-09-18 00:16:14 UTC
FEDORA-2023-b5fb7bba8c has been pushed to the Fedora 39 stable repository.
If problem still persists, please make note of it in this bug report.