Description of problem:
After enabling ulogd service and reboot, ulogd daemon fails with SELinux audit message (see below). Manually starting the service after system startup works, though.

The SELinux message seems to indicate that ulogd didn't have enough permission to do "module_request" on kernel module "net-pf-16-proto-12", which is an alias for nfnetlink. However, after startup, running "systemctl start ulogd.service" or "service ulogd start" works.

The following message is the sealert output.

LC_ALL=C LANG=C sealert -l 92df2809-cee2-412b-a8f2-ca92d3cdf699
SELinux is preventing /usr/sbin/ulogd from module_request access on the system .

*****  Plugin catchall_boolean (89.3 confidence) suggests  ******************

If you want to allow domain to kernel load modules
Then you must tell SELinux about this by enabling the 'domain_kernel_load_modules' boolean.
You can read 'None' man page for more details.
Do
setsebool -P domain_kernel_load_modules 1

*****  Plugin catchall (11.6 confidence) suggests  **************************

If you believe that ulogd should be allowed module_request access on the system by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep ulogd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:ulogd_t:s0
Target Context                system_u:system_r:kernel_t:s0
Target Objects                [ system ]
Source                        ulogd
Source Path                   /usr/sbin/ulogd
Port                          <Unknown>
Host                          (redacted)
Source RPM Packages           ulogd-2.0.2-2.fc20.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.12.1-161.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (redacted)
Platform                      Linux (redacted) 3.14.3-200.fc20.x86_64 #1 SMP Tue May 6 19:00:18 UTC 2014 x86_64 x86_64
Alert Count                   5
First Seen                    2014-05-10 08:25:07 CST
Last Seen                     2014-05-11 12:57:27 CST
Local ID                      92df2809-cee2-412b-a8f2-ca92d3cdf699

Raw Audit Messages
type=AVC msg=audit(1399784247.749:43): avc: denied { module_request } for pid=1426 comm="ulogd" kmod="net-pf-16-proto-12" scontext=system_u:system_r:ulogd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system

type=SYSCALL msg=audit(1399784247.749:43): arch=x86_64 syscall=socket success=no exit=EPROTONOSUPPORT a0=10 a1=3 a2=c a3=1 items=0 ppid=1425 pid=1426 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=ulogd exe=/usr/sbin/ulogd subj=system_u:system_r:ulogd_t:s0 key=(null)

Hash: ulogd,ulogd_t,kernel_t,system,module_request

Version-Release number of selected component (if applicable):
selinux-policy-3.12.1-161.fc20.noarch
selinux-policy-targeted-3.12.1-161.fc20.noarch

How reproducible:
Always on system boot, never after startup.

Steps to Reproduce:
1. Install, configure & enable ulogd.
2. Reboot.
3. Fail.

Actual results:
ulogd fails to start on boot and generates a SELinux error message.

Expected results:
ulogd should have run at startup.

Additional info:
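As an added illustration (not part of the report or of selinux-policy), the following Python pairs the AVC record above with the SYSCALL record that carries the same audit(ts:serial) id, decodes the "net-pf-16-proto-12" alias into the socket family and netlink protocol whose autoload ulogd triggered, and checks that the hex syscall arguments (a0=family, a2=protocol) agree with the alias. The constant names AF_NETLINK and NETLINK_NETFILTER are assumed from the standard Linux headers; the sample log is constructed from this report's two records.

```python
import re

# Constructed sample: the two raw audit records quoted in this report, laid out as audit.log lines.
AUDIT_LOG = """\
type=AVC msg=audit(1399784247.749:43): avc: denied { module_request } for pid=1426 comm="ulogd" kmod="net-pf-16-proto-12" scontext=system_u:system_r:ulogd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
type=SYSCALL msg=audit(1399784247.749:43): arch=x86_64 syscall=socket success=no exit=EPROTONOSUPPORT a0=10 a1=3 a2=c a3=1 items=0 ppid=1425 pid=1426 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=ulogd exe=/usr/sbin/ulogd subj=system_u:system_r:ulogd_t:s0 key=(null)
"""
# Name tables for the numbers that occur here (assumption: standard Linux socket/netlink constants).
FAMILIES = {16: "AF_NETLINK"}
NETLINK_PROTOS = {12: "NETLINK_NETFILTER"}
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
ALIAS_RE = re.compile(r"^net-pf-(\d+)-proto-(\d+)$")

def parse_record(line):
    """Split one audit record into a dict; 'event' is the audit(ts:serial) id shared by all records of one syscall."""
    rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    rec["event"] = re.search(r"msg=audit\(([^)]+)\)", line).group(1)
    perms = re.search(r"\{ ([^}]*) \}", line)  # the { module_request } set is not key=value
    rec["perms"] = perms.group(1).split() if perms else []
    return rec

def decode_kmod_alias(alias):
    """'net-pf-N-proto-M' is the alias the kernel hands to request_module() for a socket family/protocol it lacks."""
    m = ALIAS_RE.match(alias)
    if not m:
        raise ValueError("not a net-pf alias: " + alias)
    pf, proto = int(m.group(1)), int(m.group(2))
    return pf, proto, FAMILIES.get(pf, "PF_%d" % pf), NETLINK_PROTOS.get(proto, "proto %d" % proto)

def explain_module_request_denials(log_text):
    """Pair each module_request AVC with the SYSCALL record of the same event and check the two agree."""
    events = {}
    for line in log_text.splitlines():
        if line.startswith("type="):
            rec = parse_record(line)
            events.setdefault(rec["event"], {})[rec["type"]] = rec
    out = []
    for recs in events.values():
        avc, sc = recs.get("AVC"), recs.get("SYSCALL")
        if not avc or "module_request" not in avc["perms"]:
            continue
        pf, proto, fam_name, proto_name = decode_kmod_alias(avc["kmod"])
        # socket(2) arguments in the SYSCALL record are hex: a0=family, a1=type, a2=protocol.
        consistent = (sc is not None and sc["syscall"] == "socket"
                      and (int(sc["a0"], 16), int(sc["a2"], 16)) == (pf, proto))
        out.append({"domain": avc["scontext"].split(":")[2], "comm": avc["comm"], "module": avc["kmod"],
                    "family": fam_name, "protocol": proto_name,
                    "syscall_matches_alias": consistent, "exit": sc["exit"] if sc else None})
    return out
```

Calling explain_module_request_denials(AUDIT_LOG) yields one hit for ulogd_t asking for AF_NETLINK/NETLINK_NETFILTER with the socket() call failing EPROTONOSUPPORT, which matches the report: the kernel only calls request_module() when no handler for that protocol is registered yet, so once nfnetlink is already loaded no module_request check takes place.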
commit 62f070ecf36aa031170d15de0baa79a73e7cb356
Author: Miroslav Grepl <mgrepl>
Date:   Mon May 12 10:33:30 2014 +0200

    Allow ulogd to request the kernel to load a module
Fixed in 3.12.1-163.fc20. Thanks!
selinux-policy-3.12.1-166.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-166.fc20
Package selinux-policy-3.12.1-166.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-166.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-6584/selinux-policy-3.12.1-166.fc20
then log in and leave karma (feedback).
selinux-policy-3.12.1-166.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.