Bug 1322625 - SELinux is preventing systemd-modules from using the 'sys_module' capabilities.
Summary: SELinux is preventing systemd-modules from using the 'sys_module' capabilities.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 26
Hardware: x86_64
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:ad378795435efa0928d92cc9cd0...
Depends On:
Blocks: 1341317
Reported: 2016-03-30 22:35 UTC by Michael Young
Modified: 2017-06-17 06:59 UTC (History)
CC List: 51 users

Fixed In Version: selinux-policy-3.13.1-191.11.fc24 selinux-policy-3.13.1-257.fc26
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-06-12 13:06:14 UTC
Type: ---
Embargoed:


Attachments
AVCs from journalctl (6.49 KB, text/plain)
2016-07-08 18:36 UTC, Iñaki Ucar
Messages from /var/log/audit/audit.log containing "modules" (2.19 KB, text/plain)
2016-07-31 22:56 UTC, Edgar Hoch

Description Michael Young 2016-03-30 22:35:40 UTC
Description of problem:
With kernel-4.5.0-0.rc7.git0.2.fc24.x86_64 it seems that the systemd systemd-modules-load.service module can't load kernel modules in enforcing mode.
You can reproduce this by listing a module in a file in /usr/lib/modules-load.d/something.conf and running
systemctl restart systemd-modules-load.service
semanage dontaudit off is needed to get the denied message.
SELinux is preventing systemd-modules from using the 'sys_module' capabilities.

*****  Plugin sys_module (99.5 confidence) suggests   ************************

If you do not believe that systemd-modules should be attempting to modify the kernel by loading a kernel module.
Then a process might be attempting to hack into your system.
Do
contact your security administrator and report this issue.

*****  Plugin catchall (1.49 confidence) suggests   **************************

If you believe that systemd-modules should have the sys_module capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep systemd-modules /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                system_u:system_r:init_t:s0
Target Objects                Unknown [ capability ]
Source                        systemd-modules
Source Path                   systemd-modules
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-179.fc24.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.5.0-0.rc7.git0.2.fc24.x86_64 #1
                              SMP Tue Mar 8 02:20:08 UTC 2016 x86_64 x86_64
Alert Count                   7
First Seen                    2016-03-30 23:18:16 BST
Last Seen                     2016-03-30 23:18:16 BST
Local ID                      ff20adf3-670d-4761-bac0-de1777f213f0

Raw Audit Messages
type=AVC msg=audit(1459376296.242:423): avc:  denied  { sys_module } for  pid=3655 comm="systemd-modules" capability=16  scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=capability permissive=0


Hash: systemd-modules,init_t,init_t,capability,sys_module

Version-Release number of selected component:
selinux-policy-3.13.1-179.fc24.noarch

Additional info:
reporter:       libreport-2.6.4
hashmarkername: setroubleshoot
kernel:         4.5.0-0.rc7.git0.2.fc24.x86_64
type:           libreport

Comment 1 Konrad Rzeszutek Wilk 2016-05-20 20:29:59 UTC
ping?

Comment 2 Michael Young 2016-05-20 20:53:19 UTC
Actually it might be fixed - I haven't been able to reproduce the problem with selinux-policy-3.13.1-185.fc24.noarch .

Comment 3 woky 2016-05-28 16:55:58 UTC
Hello.

I'm getting a similar problem in Fedora 24, but I can't find any detailed SELinux logs.

I'm running Fedora 24 in VirtualBox and I'm using VirtualBox guest modules built via akmods from rpmfusion[1]. I think the fact that I'm using external modules is irrelevant here, as permissions seem to be OK.

  [root@localhost ~]# cat /etc/fedora-release 
  Fedora release 24 (Twenty Four)
  [root@localhost ~]# uname -r
  4.5.5-300.fc24.x86_64
  [root@localhost ~]# rpm -q systemd
  systemd-229-7.fc24.x86_64
  [root@localhost ~]# systemctl restart systemd-modules-load 
  Job for systemd-modules-load.service failed because the control process exited with error code. See "systemctl status systemd-modules-load.service" and "journalctl -xe" for details.
  [root@localhost ~]# 

After the systemctl command, the following appears in the journal:

  May 28 18:44:23 localhost.localdomain systemd[1]: Stopped Load Kernel Modules.
  May 28 18:44:23 localhost.localdomain systemd[1]: Starting Load Kernel Modules...
  May 28 18:44:23 localhost.localdomain systemd-modules-load[2691]: Failed to insert 'vboxsf': Operation not permitted
  May 28 18:44:23 localhost.localdomain systemd[1]: systemd-modules-load.service: Main process exited, code=exited, status=1/FAILURE
  May 28 18:44:23 localhost.localdomain systemd[1]: Failed to start Load Kernel Modules.
  May 28 18:44:23 localhost.localdomain systemd[1]: systemd-modules-load.service: Unit entered failed state.
  May 28 18:44:23 localhost.localdomain audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-modules-load comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
  May 28 18:44:23 localhost.localdomain systemd[1]: systemd-modules-load.service: Failed with result 'exit-code'.

It only fails if SELinux is enabled:

  [root@localhost ~]# setenforce 0
  [root@localhost ~]# systemctl restart systemd-modules-load 
  [root@localhost ~]# 

  May 28 18:47:51 localhost.localdomain systemd[1]: Stopped Load Kernel Modules.
  May 28 18:47:51 localhost.localdomain audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-modules-load comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
  May 28 18:47:51 localhost.localdomain systemd[1]: Stopping Load Kernel Modules...
  May 28 18:47:51 localhost.localdomain systemd[1]: Starting Load Kernel Modules...
  May 28 18:47:51 localhost.localdomain systemd-modules-load[2836]: Inserted module 'vboxsf'
  May 28 18:47:51 localhost.localdomain systemd[1]: Started Load Kernel Modules.
  May 28 18:47:51 localhost.localdomain kernel: vboxsf: Successfully loaded version 5.0.16_RPMFusion (interface 0x00010004)
  May 28 18:47:51 localhost.localdomain audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-modules-load comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'

Running systemd-modules-load directly by root also works:

  [root@localhost ~]# rmmod vboxsf
  [root@localhost ~]# setenforce 1
  [root@localhost ~]# /usr/lib/systemd/systemd-modules-load
  Inserted module 'vboxsf'
  [root@localhost ~]# 

Here are some of the relevant VirtualBox files:

  [root@localhost user]# ls -lRZ /lib/modules/4.5.5-300.fc24.x86_64/extra/
  /lib/modules/4.5.5-300.fc24.x86_64/extra/:
  total 4
  drwxr-xr-x. 2 root root system_u:object_r:modules_object_t:s0 4096 May 28 16:03 VirtualBox
  
  /lib/modules/4.5.5-300.fc24.x86_64/extra/VirtualBox:
  total 1104
  -rw-r--r--. 1 root root system_u:object_r:modules_object_t:s0 545528 May 28 16:03 vboxdrv.ko
  -rw-r--r--. 1 root root system_u:object_r:modules_object_t:s0 405144 May 28 16:03 vboxguest.ko
  -rw-r--r--. 1 root root system_u:object_r:modules_object_t:s0  15264 May 28 16:03 vboxnetadp.ko
  -rw-r--r--. 1 root root system_u:object_r:modules_object_t:s0  37320 May 28 16:03 vboxnetflt.ko
  -rw-r--r--. 1 root root system_u:object_r:modules_object_t:s0  35280 May 28 16:03 vboxpci.ko
  -rw-r--r--. 1 root root system_u:object_r:modules_object_t:s0  71008 May 28 16:03 vboxsf.ko
  -rw-r--r--. 1 root root system_u:object_r:modules_object_t:s0   6784 May 28 16:03 vboxvideo.ko
  [root@localhost ~]# restorecon -Rv /usr/lib/modules-load.d/
  [root@localhost ~]# ls -lZ /usr/lib/modules-load.d/
  total 4
  -rw-r--r--. 1 root root system_u:object_r:lib_t:s0 27 Oct 24  2015 VirtualBox-guest.conf
  [root@localhost ~]# cat /usr/lib/modules-load.d/VirtualBox-guest.conf 
  vboxguest
  vboxsf
  vboxvideo
  [root@localhost ~]# 

systemd-modules-load fails on boot for all of these modules. However, after startup, something else probably loads the other two, so it only complains about the last one.

Did I miss some crucial SELinux report? Where should I look for it?

[1]
akmod-VirtualBox-5.0.16-2.fc23.x86_64
kmod-VirtualBox-4.5.5-300.fc24.x86_64-5.0.16-2.fc24.x86_64
VirtualBox-guest-5.0.16-3.fc23.x86_64
VirtualBox-kmodsrc-5.0.16-3.fc23.x86_64

Comment 4 Lukas Vrabec 2016-05-30 21:10:03 UTC
Could you reproduce it, and then add output of:
# ausearch -m AVC -ts recent

Thank you.

Comment 5 woky 2016-06-01 17:40:08 UTC
Hello. This is executed immediately after boot (and login) on Fedora 24. Unfortunately, it seems the relevant SELinux AVC is missing. Sorry for the redundancy, I tried to cover as much as possible.

  [root@localhost user]# systemctl status systemd-modules-load 
  ● systemd-modules-load.service - Load Kernel Modules
     Loaded: loaded (/usr/lib/systemd/system/systemd-modules-load.service; static; vendor preset: disabled)
     Active: failed (Result: exit-code) since Wed 2016-06-01 19:24:15 CEST; 48s ago
       Docs: man:systemd-modules-load.service(8)
             man:modules-load.d(5)
    Process: 427 ExecStart=/usr/lib/systemd/systemd-modules-load (code=exited, status=1/FAILURE)
   Main PID: 427 (code=exited, status=1/FAILURE)
  
  Jun 01 19:24:15 localhost.localdomain systemd-modules-load[427]: Failed to insert 'vboxguest': Operation not permitted
  Jun 01 19:24:15 localhost.localdomain systemd-modules-load[427]: Failed to insert 'vboxsf': Operation not permitted
  Jun 01 19:24:15 localhost.localdomain systemd-modules-load[427]: Failed to insert 'vboxvideo': Operation not permitted
  Jun 01 19:24:15 localhost.localdomain systemd[1]: systemd-modules-load.service: Main process exited, code=exited, status=1/FAILURE
  Jun 01 19:24:15 localhost.localdomain systemd[1]: Failed to start Load Kernel Modules.
  Jun 01 19:24:15 localhost.localdomain systemd[1]: systemd-modules-load.service: Unit entered failed state.
  Jun 01 19:24:15 localhost.localdomain systemd[1]: systemd-modules-load.service: Failed with result 'exit-code'.
  [root@localhost user]# ausearch -m AVC -ts recent
  ----
  time->Wed Jun  1 19:24:16 2016
  type=AVC msg=audit(1464801856.962:83): avc:  denied  { getattr } for  pid=624 comm="gssproxy" name="/" dev="sda1" ino=2 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=0
  [root@localhost user]# systemctl restart systemd-modules-load 
  Job for systemd-modules-load.service failed because the control process exited with error code. See "systemctl status systemd-modules-load.service" and "journalctl -xe" for details.
  [root@localhost user]# systemctl status systemd-modules-load 
  ● systemd-modules-load.service - Load Kernel Modules
     Loaded: loaded (/usr/lib/systemd/system/systemd-modules-load.service; static; vendor preset: disabled)
     Active: failed (Result: exit-code) since Wed 2016-06-01 19:25:33 CEST; 3s ago
       Docs: man:systemd-modules-load.service(8)
             man:modules-load.d(5)
    Process: 1868 ExecStart=/usr/lib/systemd/systemd-modules-load (code=exited, status=1/FAILURE)
   Main PID: 1868 (code=exited, status=1/FAILURE)
  
  Jun 01 19:25:33 localhost.localdomain systemd[1]: Starting Load Kernel Modules...
  Jun 01 19:25:33 localhost.localdomain systemd-modules-load[1868]: Failed to insert 'vboxsf': Operation not permitted
  Jun 01 19:25:33 localhost.localdomain systemd[1]: systemd-modules-load.service: Main process exited, code=exited, status=1/FAILURE
  Jun 01 19:25:33 localhost.localdomain systemd[1]: Failed to start Load Kernel Modules.
  Jun 01 19:25:33 localhost.localdomain systemd[1]: systemd-modules-load.service: Unit entered failed state.
  Jun 01 19:25:33 localhost.localdomain systemd[1]: systemd-modules-load.service: Failed with result 'exit-code'.
  [root@localhost user]# ausearch -m AVC -ts recent
  ----
  time->Wed Jun  1 19:24:16 2016
  type=AVC msg=audit(1464801856.962:83): avc:  denied  { getattr } for  pid=624 comm="gssproxy" name="/" dev="sda1" ino=2 scontext=system_u:system_r:gssproxy_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=0
  [root@localhost user]# setenforce 0
  [root@localhost user]# systemctl restart systemd-modules-load 
  [root@localhost user]# systemctl status systemd-modules-load 
  ● systemd-modules-load.service - Load Kernel Modules
     Loaded: loaded (/usr/lib/systemd/system/systemd-modules-load.service; static; vendor preset: disabled)
     Active: active (exited) since Wed 2016-06-01 19:25:56 CEST; 2s ago
       Docs: man:systemd-modules-load.service(8)
             man:modules-load.d(5)
    Process: 1941 ExecStart=/usr/lib/systemd/systemd-modules-load (code=exited, status=0/SUCCESS)
   Main PID: 1941 (code=exited, status=0/SUCCESS)
  
  Jun 01 19:25:56 localhost.localdomain systemd[1]: Starting Load Kernel Modules...
  Jun 01 19:25:56 localhost.localdomain systemd-modules-load[1941]: Inserted module 'vboxsf'
  Jun 01 19:25:56 localhost.localdomain systemd[1]: Started Load Kernel Modules.
  [root@localhost user]# 


I've just updated Fedora, rebooted and did the same. The output changed a bit, but the result is the same.

  [root@localhost ~]# systemctl restart systemd-modules-load 
  Job for systemd-modules-load.service failed because the control process exited with error code. See "systemctl status systemd-modules-load.service" and "journalctl -xe" for details.
  [root@localhost ~]# systemctl status systemd-modules-load 
  ● systemd-modules-load.service - Load Kernel Modules
     Loaded: loaded (/usr/lib/systemd/system/systemd-modules-load.service; static; vendor preset: disabled)
     Active: failed (Result: exit-code) since Wed 2016-06-01 19:35:39 CEST; 1s ago
       Docs: man:systemd-modules-load.service(8)
             man:modules-load.d(5)
    Process: 1791 ExecStart=/usr/lib/systemd/systemd-modules-load (code=exited, status=1/FAILURE)
   Main PID: 1791 (code=exited, status=1/FAILURE)
  
  Jun 01 19:35:39 localhost.localdomain systemd[1]: Starting Load Kernel Modules...
  Jun 01 19:35:39 localhost.localdomain systemd[1]: systemd-modules-load.service: Main process exited, code=exited, status=1/FAILURE
  Jun 01 19:35:39 localhost.localdomain systemd[1]: Failed to start Load Kernel Modules.
  Jun 01 19:35:39 localhost.localdomain systemd[1]: systemd-modules-load.service: Unit entered failed state.
  Jun 01 19:35:39 localhost.localdomain systemd[1]: systemd-modules-load.service: Failed with result 'exit-code'.
  [root@localhost ~]# ausearch -m AVC -ts recent
  <no matches>
  [root@localhost ~]# systemctl restart systemd-modules-load 
  Job for systemd-modules-load.service failed because the control process exited with error code. See "systemctl status systemd-modules-load.service" and "journalctl -xe" for details.
  [root@localhost ~]# journalctl -f
  -- Logs begin at Fri 2016-05-13 22:55:13 CEST. --
  Jun 01 19:36:16 localhost.localdomain polkitd[683]: Registered Authentication Agent for unix-process:1851:7601 (system bus name :1.76 [/usr/bin/pkttyagent --notify-fd 4 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
  Jun 01 19:36:16 localhost.localdomain systemd[1]: Stopped Load Kernel Modules.
  Jun 01 19:36:16 localhost.localdomain systemd[1]: Starting Load Kernel Modules...
  Jun 01 19:36:16 localhost.localdomain systemd-modules-load[1859]: Failed to insert 'vboxsf': Operation not permitted
  Jun 01 19:36:16 localhost.localdomain systemd[1]: systemd-modules-load.service: Main process exited, code=exited, status=1/FAILURE
  Jun 01 19:36:16 localhost.localdomain systemd[1]: Failed to start Load Kernel Modules.
  Jun 01 19:36:16 localhost.localdomain systemd[1]: systemd-modules-load.service: Unit entered failed state.
  Jun 01 19:36:16 localhost.localdomain audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-modules-load comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
  Jun 01 19:36:16 localhost.localdomain systemd[1]: systemd-modules-load.service: Failed with result 'exit-code'.
  Jun 01 19:36:16 localhost.localdomain polkitd[683]: Unregistered Authentication Agent for unix-process:1851:7601 (system bus name :1.76, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
  Jun 01 19:36:32 localhost.localdomain systemd[1]: sys-devices-virtual-misc-vmbus\x21hv_vss.device: Job sys-devices-virtual-misc-vmbus\x21hv_vss.device/start timed out.
  Jun 01 19:36:32 localhost.localdomain systemd[1]: Timed out waiting for device sys-devices-virtual-misc-vmbus\x21hv_vss.device.
  Jun 01 19:36:32 localhost.localdomain systemd[1]: Dependency failed for Hyper-V VSS daemon.
  Jun 01 19:36:32 localhost.localdomain systemd[1]: hypervvssd.service: Job hypervvssd.service/start failed with result 'dependency'.
  Jun 01 19:36:32 localhost.localdomain systemd[1]: sys-devices-virtual-misc-vmbus\x21hv_vss.device: Job sys-devices-virtual-misc-vmbus\x21hv_vss.device/start failed with result 'timeout'.
  Jun 01 19:36:32 localhost.localdomain systemd[1]: sys-devices-virtual-misc-vmbus\x21hv_fcopy.device: Job sys-devices-virtual-misc-vmbus\x21hv_fcopy.device/start timed out.
  Jun 01 19:36:32 localhost.localdomain systemd[1]: Timed out waiting for device sys-devices-virtual-misc-vmbus\x21hv_fcopy.device.
  Jun 01 19:36:32 localhost.localdomain systemd[1]: Dependency failed for Hyper-V FCOPY daemon.
  Jun 01 19:36:32 localhost.localdomain systemd[1]: hypervfcopyd.service: Job hypervfcopyd.service/start failed with result 'dependency'.
  Jun 01 19:36:32 localhost.localdomain systemd[1]: sys-devices-virtual-misc-vmbus\x21hv_fcopy.device: Job sys-devices-virtual-misc-vmbus\x21hv_fcopy.device/start failed with result 'timeout'.
  Jun 01 19:36:32 localhost.localdomain systemd[1]: sys-devices-virtual-misc-vmbus\x21hv_kvp.device: Job sys-devices-virtual-misc-vmbus\x21hv_kvp.device/start timed out.
  Jun 01 19:36:32 localhost.localdomain systemd[1]: Timed out waiting for device sys-devices-virtual-misc-vmbus\x21hv_kvp.device.
  Jun 01 19:36:32 localhost.localdomain systemd[1]: Dependency failed for Hyper-V KVP daemon.
  Jun 01 19:36:32 localhost.localdomain systemd[1]: hypervkvpd.service: Job hypervkvpd.service/start failed with result 'dependency'.
  Jun 01 19:36:32 localhost.localdomain systemd[1]: sys-devices-virtual-misc-vmbus\x21hv_kvp.device: Job sys-devices-virtual-misc-vmbus\x21hv_kvp.device/start failed with result 'timeout'.
  Jun 01 19:36:32 localhost.localdomain systemd[1]: Reached target Multi-User System.
  Jun 01 19:36:32 localhost.localdomain systemd[1]: Reached target Graphical Interface.
  Jun 01 19:36:32 localhost.localdomain systemd[1]: Starting Update UTMP about System Runlevel Changes...
  Jun 01 19:36:32 localhost.localdomain audit[1879]: SYSTEM_RUNLEVEL pid=1879 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='old-level=N new-level=5 comm="systemd-update-utmp" exe="/usr/lib/systemd/systemd-update-utmp" hostname=? addr=? terminal=? res=success'
  Jun 01 19:36:32 localhost.localdomain systemd[1]: Started Update UTMP about System Runlevel Changes.
  Jun 01 19:36:32 localhost.localdomain systemd[1]: Startup finished in 576ms (kernel) + 1.210s (initrd) + 1min 30.438s (userspace) = 1min 32.225s.
  Jun 01 19:36:32 localhost.localdomain audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-update-utmp-runlevel comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
  Jun 01 19:36:32 localhost.localdomain audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-update-utmp-runlevel comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'

Comment 6 W. Michael Petullo 2016-06-21 21:27:31 UTC
From what I can tell, this problem still exists. It seems like a big issue to survive the official Fedora 24 release. Is there anything else required to fix this?

Comment 7 Thomas Maurin 2016-06-28 07:49:23 UTC
Indeed, the bug is still present in Fedora 24. I have to modprobe those modules manually.

Comment 8 Joost Ruijsch 2016-06-30 19:48:02 UTC
Confirmed on Fedora 24.

# systemctl status systemd-modules-load.service
● systemd-modules-load.service - Load Kernel Modules
   Loaded: loaded (/usr/lib/systemd/system/systemd-modules-load.service; static; vendor preset: disabled)
   Active: failed (Result: exit-code) since Thu 2016-06-30 14:08:07 CEST; 14min ago
     Docs: man:systemd-modules-load.service(8)
           man:modules-load.d(5)
  Process: 712 ExecStart=/usr/lib/systemd/systemd-modules-load (code=exited, status=1/FAILURE)
 Main PID: 712 (code=exited, status=1/FAILURE)

Jun 30 14:08:07 fedora-desktop.mydomain.com systemd[1]: Starting Load Kernel Modules...
Jun 30 14:08:07 fedora-desktop.mydomain.com systemd-modules-load[712]: Failed to insert 'i2c_dev': Operation not permitted
Jun 30 14:08:07 fedora-desktop.mydomain.com systemd[1]: systemd-modules-load.service: Main process exited, code=exited, status=1/FAILURE
Jun 30 14:08:07 fedora-desktop.mydomain.com systemd[1]: Failed to start Load Kernel Modules.
Jun 30 14:08:07 fedora-desktop.mydomain.com systemd[1]: systemd-modules-load.service: Unit entered failed state.
Jun 30 14:08:07 fedora-desktop.mydomain.com systemd[1]: systemd-modules-load.service: Failed with result 'exit-code'.

Comment 9 Iñaki Ucar 2016-07-06 09:59:50 UTC
Any update on this?

I've noticed that not all modules fail to load. I have the following:

$ cat /usr/lib/modules-load.d/*
ecryptfs
vboxdrv
vboxnetflt
vboxnetadp
vboxpci

While systemd-modules-load.service fails to load vbox*.ko modules if SELinux is in enforcing mode, as reported previously, ecryptfs.ko is always loaded successfully.

Comment 10 Lukas Vrabec 2016-07-08 11:28:09 UTC
Hi, 
Could you please install this scratch build:
https://copr.fedorainfracloud.org/coprs/lvrabec/selinux-policy/build/375537/

and test the scenario? Please attach the collected AVCs here. 

Thank you for help!

Comment 11 Iñaki Ucar 2016-07-08 18:36:53 UTC
Created attachment 1177742 [details]
AVCs from journalctl

I've installed the x86_64 version of

selinux-policy-3.13.1-191.fc24.8.noarch.rpm
selinux-policy-targeted-3.13.1-191.fc24.8.noarch.rpm

substituting

selinux-policy-3.13.1-191.fc24.2.noarch.rpm
selinux-policy-targeted-3.13.1-191.fc24.2.noarch.rpm

in a virtual machine that previously failed to load the vboxsf module. Now, this module is finally loaded, but there are some AVC 'denied' messages first (see the log attached).

Comment 12 Andre Costa 2016-07-08 21:01:59 UTC
(In reply to Lukas Vrabec from comment #10)
> Hi, 
> Could you please install this scratch build:
> https://copr.fedorainfracloud.org/coprs/lvrabec/selinux-policy/build/375537/
> 
> and test the scenario? Please attach the collected AVCs here. 
> 
> Thank you for help!

I was having the "operation not permitted" issue with VirtualBox modules as well, and I can confirm the 3.13.1-191.fc24.8 selinux-policy files fixed the problem. Thanks!

Comment 13 W. Michael Petullo 2016-07-10 05:23:59 UTC
I tried the packages suggested in comment #10, and they seem to fix this problem.

Comment 14 Fedora Update System 2016-07-12 03:57:51 UTC
selinux-policy-3.13.1-191.5.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-0da627fe73

Comment 15 Bruno Lavoie 2016-07-12 17:28:29 UTC
Tried it on my side:
$ rpm -qa | grep  selinux-policy
selinux-policy-targeted-3.13.1-191.5.fc24.noarch
selinux-policy-3.13.1-191.5.fc24.noarch

When invoking the module loading service:
$ sudo systemctl start systemd-modules-load
Failed to start systemd-modules-load.service: Access denied
See system logs and 'systemctl status systemd-modules-load.service' for details.


This generates these messages in /var/log/messages:

Jul 12 13:25:57 axiom systemd: Starting Load Kernel Modules...
Jul 12 13:25:57 axiom audit: AVC avc:  denied  { getattr } for  pid=2989 comm="systemd-modules" path="/etc/modprobe.d/kvm.conf" dev="sda4" ino=8390927 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=file permissive=0
Jul 12 13:25:57 axiom audit: AVC avc:  denied  { getattr } for  pid=2989 comm="systemd-modules" path="/etc/modprobe.d/lockd.conf" dev="sda4" ino=8389627 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=file permissive=0
Jul 12 13:25:57 axiom audit: AVC avc:  denied  { read } for  pid=2989 comm="systemd-modules" name="kvm.conf" dev="sda4" ino=8390927 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=file permissive=0
Jul 12 13:25:57 axiom audit: AVC avc:  denied  { read } for  pid=2989 comm="systemd-modules" name="lockd.conf" dev="sda4" ino=8389627 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=file permissive=0
Jul 12 13:25:57 axiom systemd-modules-load: Failed to insert 'vboxdrv': Operation not permitted
Jul 12 13:25:57 axiom systemd-modules-load: Failed to insert 'vboxnetflt': Operation not permitted
Jul 12 13:25:57 axiom systemd-modules-load: Failed to insert 'vboxnetadp': Operation not permitted
Jul 12 13:25:57 axiom systemd-modules-load: Failed to insert 'vboxpci': Operation not permitted
Jul 12 13:25:57 axiom systemd: systemd-modules-load.service: Main process exited, code=exited, status=1/FAILURE
Jul 12 13:25:57 axiom audit: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-modules-load comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
Jul 12 13:25:57 axiom systemd: Failed to start Load Kernel Modules.
Jul 12 13:25:57 axiom systemd: systemd-modules-load.service: Unit entered failed state.
Jul 12 13:25:57 axiom systemd: systemd-modules-load.service: Failed with result 'exit-code'.


All probed modules are signed and can be loaded manually:

# lsmod | grep vboxdrv
# modprobe vboxdrv
# lsmod | grep vboxdrv
vboxdrv               434176  0

Comment 16 Francois Cartegnie 2016-07-13 17:50:26 UTC
Since this seems to be happening only to VirtualBox modules,
maybe I should mention that it happens to me with 'akmod'-built VirtualBox modules.

Comment 17 Michael Young 2016-07-14 08:26:04 UTC
With selinux-policy-3.13.1-191.5.fc24.noarch and selinux-policy-targeted-3.13.1-191.5.fc24.noarch I get the same SELinux denials as in comment 15, and also (in permissive mode):
type=AVC msg=audit(1468484289.837:329): avc:  denied  { open } for  pid=4416 comm="systemd-modules" path="/etc/modprobe.d/kvm.conf" dev="dm-1" ino=3148247 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=file permissive=1

Comment 18 Fedora Update System 2016-07-18 18:22:39 UTC
selinux-policy-3.13.1-191.5.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 19 Michael Young 2016-07-18 18:32:50 UTC
As already mentioned, selinux-policy-3.13.1-191.5.fc24 is not a complete fix for the problem.

Comment 20 Christian Kujau 2016-07-21 06:19:11 UTC
Indeed, even with the latest selinux-policy package installed:

================================================================
# rpm -q selinux-policy
selinux-policy-3.13.1-191.5.fc24.noarch

# cat /etc/modules-load.d/local.conf
lz4

# systemctl restart systemd-modules-load
Job for systemd-modules-load.service failed because the control process exited with error code. See "systemctl status systemd-modules-load.service" and "journalctl -xe" for details.

# ausearch -m AVC -ts recent
<no matches>

# systemctl status systemd-modules-load.service
● systemd-modules-load.service - Load Kernel Modules
   Loaded: loaded (/usr/lib/systemd/system/systemd-modules-load.service; static; vendor preset: disabled)
   Active: failed (Result: exit-code) since Wed 2016-07-20 22:53:14 PDT; 15s ago
     Docs: man:systemd-modules-load.service(8)
           man:modules-load.d(5)
  Process: 837 ExecStart=/usr/lib/systemd/systemd-modules-load (code=exited, status=1/FAILURE)
 Main PID: 837 (code=exited, status=1/FAILURE)

Jul 20 22:53:14 fedora0systemd[1]: Starting Load Kernel Modules...
Jul 20 22:53:14 fedora0 systemd[1]: systemd-modules-load.service: Main process exited, code=exited, status=1/FAILURE
Jul 20 22:53:14 fedora0 systemd[1]: Failed to start Load Kernel Modules.
Jul 20 22:53:14 fedora0 systemd[1]: systemd-modules-load.service: Unit entered failed state.
Jul 20 22:53:14 fedora0 systemd[1]: systemd-modules-load.service: Failed with result 'exit-code'.
================================================================



As I created a file in /etc/modules-load.d/ manually, I thought this was related to the security context of the configuration file:


================================================================
# ls -alZ /etc/modules-load.d
total 12
drwxr-xr-x.  2 root root system_u:object_r:etc_t:s0     4096 Jul 20 22:47 .
drwxr-xr-x. 84 root root system_u:object_r:etc_t:s0     4096 Jul 20 22:47 ..
-rw-------.  1 root root unconfined_u:object_r:etc_t:s0    4 Jul 20 22:47 local.conf
================================================================


But even after "chcon -v --reference=/etc/modules-load.d /etc/modules-load.d/local.conf" the error persists and "ausearch" still doesn't find anything. Any hints?

Comment 21 Kwang Moo Yi 2016-07-21 15:38:17 UTC
I can confirm this bug affects me as well. F24, akmods-VirtualBox.

Comment 22 shawn 2016-07-22 14:59:08 UTC
I can confirm it is still broken in selinux-policy-3.13.1-191.5.fc24.noarch as well.
It is also broken for the TeamViewer background service.

Comment 23 ufa 2016-07-23 17:25:50 UTC
I can confirm this bug affects me too. Fedora 24

Comment 24 Dirceu Martins Vaz 2016-07-24 23:16:27 UTC
This bug affects me too. Fedora 24

Comment 25 Jose Luis 2016-07-26 19:43:23 UTC
This bug prevents the VirtualBox akmod module from loading; I had to temporarily disable SELinux to load the module, then re-enable it again. This happens on every reboot.

Comment 26 Wendell Fields 2016-07-26 23:47:59 UTC
Me too.  VirtualBox was working fine on F23 last night.  I upgraded to F24 and it is broken as shown above.

Comment 27 Jeff Turkstra 2016-07-31 20:17:48 UTC
I've encountered a similar issue. It's not just VirtualBox: systemd-modules seems to be prohibited from accessing any files in /etc/modprobe.d. E.g.,

Additional Information:
Source Context                system_u:system_r:systemd_modules_load_t:s0
Target Context                system_u:object_r:modules_conf_t:s0
Target Objects                /etc/modprobe.d/blacklist-visor.conf [ file ]
Source                        systemd-modules
Source Path                   systemd-modules
Port                          <Unknown>
Host                          XXX
Source RPM Packages           
Target RPM Packages           pilot-link-libs-0.12.5-26.fc24.x86_64
Policy RPM                    selinux-policy-3.13.1-191.5.fc24.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     XXX
Platform                      Linux XXX
                              4.6.4-301.fc24.x86_64 #1 SMP Tue Jul 12 11:50:00
                              UTC 2016 x86_64 x86_64
Alert Count                   3
First Seen                    2016-07-30 13:23:44 EDT
Last Seen                     2016-07-30 13:24:15 EDT
Local ID                      8b1e1537-e5f0-42c2-b2c2-ee17afa967a5

Raw Audit Messages
type=AVC msg=audit(1469899455.259:263): avc:  denied  { read } for  pid=4334 comm="systemd-modules" name="blacklist-visor.conf" dev="dm-1" ino=6161384 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=file permissive=0


Hash: systemd-modules,systemd_modules_load_t,modules_conf_t,file,read

Comment 28 Edgar Hoch 2016-07-31 22:56:04 UTC
Created attachment 1186194 [details]
Messages from /var/log/audit/audit.log containing "modules"

I have tested selinux-policy-3.13.1-191.9.fc24 from koji. There still are errors.

I called:
# semanage dontaudit off
# systemctl restart systemd-modules-load.service

Then I have extracted the messages from /var/log/audit/audit.log containing "modules" - see the attachment.

I also found the following messages in the journal:

systemd-modules-load[3115]: Failed to insert 'vboxdrv': Operation not permitted
systemd-modules-load[3115]: Failed to insert 'vboxnetflt': Operation not permitted
systemd-modules-load[3115]: Failed to insert 'vboxnetadp': Operation not permitted
systemd-modules-load[3115]: Failed to insert 'vboxpci': Operation not permitted
audit[3115]: AVC avc:  denied  { sys_module } for  pid=3115 comm="systemd-modules" capability=16  scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:system_r:systemd_modules_load_t:s0 tclass=capability permissive=0
systemd-modules-load[3115]: Failed to insert 'snd_pcm_oss': Operation not permitted
systemd[1]: systemd-modules-load.service: Main process exited, code=exited, status=1/FAILURE
systemd[1]: Failed to start Load Kernel Modules.
audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-modules-load comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'

Comment 29 CW Lin 2016-08-03 04:00:38 UTC
Same problem here.

I have to load the virtualbox modules manually on each boot.

$ su -
# cat /usr/lib/modules-load.d/VirtualBox.conf | xargs modprobe -a

Or disable SELinux temporally.
# setenforce 0
# systemctl restart systemd-modules-load.service
# setenforce 1


If you can skip this problem with the above methods, please try the following workaround to load the virtualbox modules automatically.

First, create the file alt-vbox-modules-load.service and put it in the directory 
/etc/systemd/system

# --- begin ---
[Unit]
Description=Alternative Loading VirtualBox Modules
Wants=akmods.service
After=akmods.service

[Service]
Environment=VBoxModuleList=/usr/lib/modules-load.d/VirtualBox.conf
Type=oneshot
ExecStart=/bin/bash -c "cat $VBoxModuleList | xargs modprobe -a"
ExecStop=/bin/bash -c "cat $VBoxModuleList | xargs modprobe -ar"
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target
# --- end ---

Then, start the service to load the virtualbox modules
# systemctl start alt-vbox-modules-load

Finally, enable the service so it will be started on each boot
# systemctl enable alt-vbox-modules-load

If you are not using akmods or Virtualbox in rpmfusion,
you may need to adjust the service unit file accordingly.

Comment 30 Kwang Moo Yi 2016-08-03 15:00:10 UTC
Hello, it seems like this only happens with VirtualBox installed from rpmfusion. The policy-f24-base.patch file looks for /usr/lib/virtualbox, but the one installed from rpmfusion is located at /usr/lib64/virtualbox.

Comment 31 Martin Langhoff 2016-08-04 14:55:31 UTC
I can confirm this affects me as well, using VirtualBox packages from rpmfusion.

Comment 32 Roberto Carter 2016-08-07 22:00:44 UTC
I do software testing inside VirtualBox, work-related and otherwise, but I've been unable to use VirtualBox for the last 3 and a half weeks, since upgrading from Fedora 22 to 24. This is frustrating beyond what I'm going to put into words :-(

Comment 33 Alex Puchades 2016-08-07 22:38:25 UTC
Hi Roberto, remember you can still load the VirtualBox modules (vboxdrv, vboxnetadp, vboxnetflt...) manually with modprobe.

Comment 34 Roberto Carter 2016-08-08 01:03:05 UTC
Thanks, Alex -- I seem not to have read the above carefully enough :-)

Comment 35 Will Woods 2016-08-12 01:32:02 UTC
As far as I can tell this bug also affects (some?) Fedora-shipped kernel modules. In my case, I'm trying to load uinput at boot, but: 

Aug 11 21:05:47 kraid.usersys.redhat.com systemd-modules-load[12580]: Failed to insert 'uinput': Operation not permitted
Aug 11 21:05:47 kraid.usersys.redhat.com systemd[1]: systemd-modules-load.service: Main process exited, code=exited, status=1/FAILURE
Aug 11 21:05:47 kraid.usersys.redhat.com systemd[1]: Failed to start Load Kernel Modules.

Running "setenforce 0" (boooo) makes it work fine.

As a terrible gnarly workaround, you can change the ExecStart line in the .service file so it runs the command via `/bin/sh -c`, thus (if I understand correctly) skirting the SELinux policy for the systemd-modules-load binary.

  cp /lib/systemd/system/systemd-modules-load.service \
     /etc/systemd/system/systemd-modules-load.service
  sed -i 's,^ExecStart=\(/usr/.*\),ExecStart=/bin/sh -c \1,' \
     /etc/systemd/system/systemd-modules-load.service

Comment 36 Christian Kujau 2016-08-12 17:56:16 UTC
selinux-policy-3.13.1-191.11.fc24 doesn't seem to be in updates-testing yet - 3.13.1-191.10.fc24 is, but cannot be installed w/o "--best --allowerasing".

Comment 37 Fedora Update System 2016-08-16 05:55:16 UTC
selinux-policy-3.13.1-191.11.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-c4630499f5

Comment 38 Christian Kujau 2016-08-17 01:00:32 UTC
The new version looks better, and although the module (here: the lz4 module for zram) is loaded, it appears to be too late for the whole boot process:

==============================================================
fedora0# ls -lZ /etc/modules-load.d/local.conf; cat $_
-rw-r--r--. 1 root root system_u:object_r:etc_t:s0 4 Jul 20 22:47 /etc/modules-load.d/local.conf
lz4


fedora0# rpm -q selinux-policy selinux-policy-targeted
selinux-policy-3.13.1-191.10.fc24.noarch
selinux-policy-targeted-3.13.1-191.10.fc24.noarch

systemd-modules-load.service => Status: Failed


fedora0# journalctl -b -p err
kernel: zswap: compressor lz4 not available, using default lzo
systemd[1]: Failed to start Load Kernel Modules.
systemd-modules-load[148]: Failed to find module 'lz4'
systemd-modules-load[271]: Failed to insert 'lz4': Operation not permitted
systemd[1]: Failed to start Load Kernel Modules.


==============================================================
fedora0# rpm -q selinux-policy selinux-policy-targeted
selinux-policy-3.13.1-191.11.fc24.noarch
selinux-policy-targeted-3.13.1-191.11.fc24.noarch

systemd-modules-load.service => Status: OK

fedora0# journalctl -b -p err
kernel: zswap: compressor lz4 not available, using default lzo
systemd[1]: Failed to start Load Kernel Modules.
systemd-modules-load[145]: Failed to find module 'lz4'

systemd-logind[387]: Failed to start user slice user-0.slice, ignoring: Access denied (org.freedesktop.DBus.Error.AccessDenied)
systemd-logind[387]: Failed to start session scope session-1.scope: Access denied
sshd[689]: pam_systemd(sshd:session): Failed to create session: Access denied
systemd-logind[387]: Failed to stop user slice: Access denied

==============================================================


While this is a headless system, the new "Access denied" errors for systemd-logind look worrisome, and FEDORA-2016-c4630499f5 also lists (new) problems with GDM.

Comment 39 Ninzya 2016-08-19 18:29:09 UTC
Also affected. VirtualBox modules.

The following cured:

[root@workstation ~]# dnf --enablerepo=updates-testing --allowerasing --best install selinux-policy selinux-policy-targeted
Fedora 24 - x86_64 - Test Updates                                                                                                                             4.5 MB/s | 3.1 MB     00:00    
Last metadata expiration check: 0:00:01 ago on Fri Aug 19 21:25:25 2016.
Package selinux-policy-3.13.1-191.10.fc24.noarch is already installed, skipping.
Package selinux-policy-targeted-3.13.1-191.10.fc24.noarch is already installed, skipping.
Dependencies resolved.
==============================================================================================================================================================================================
 Package                                              Arch                                Version                                          Repository                                    Size
==============================================================================================================================================================================================
Upgrading:
 selinux-policy                                       noarch                              3.13.1-191.12.fc24                               updates-testing                              469 k
 selinux-policy-targeted                              noarch                              3.13.1-191.12.fc24                               updates-testing                              6.5 M

Transaction Summary
==============================================================================================================================================================================================
Upgrade  2 Packages

Total download size: 7.0 M
Is this ok [y/N]: y
Downloading Packages:
(1/2): selinux-policy-targeted-3.13.1-191.12.fc24.noarch.rpm                                                                                                  6.1 MB/s | 6.5 MB     00:01    
(2/2): selinux-policy-3.13.1-191.12.fc24.noarch.rpm                                                                                                           400 kB/s | 469 kB     00:01    
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                                                                         2.8 MB/s | 7.0 MB     00:02     
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Upgrading   : selinux-policy-3.13.1-191.12.fc24.noarch                                                                                                                                  1/4 
  Upgrading   : selinux-policy-targeted-3.13.1-191.12.fc24.noarch                                                                                                                         2/4 
  Cleanup     : selinux-policy-targeted-3.13.1-191.10.fc24.noarch                                                                                                                         3/4 
  Cleanup     : selinux-policy-3.13.1-191.10.fc24.noarch                                                                                                                                  4/4 
  Verifying   : selinux-policy-3.13.1-191.12.fc24.noarch                                                                                                                                  1/4 
  Verifying   : selinux-policy-targeted-3.13.1-191.12.fc24.noarch                                                                                                                         2/4 
  Verifying   : selinux-policy-3.13.1-191.10.fc24.noarch                                                                                                                                  3/4 
  Verifying   : selinux-policy-targeted-3.13.1-191.10.fc24.noarch                                                                                                                         4/4 

Upgraded:
  selinux-policy.noarch 3.13.1-191.12.fc24                                                  selinux-policy-targeted.noarch 3.13.1-191.12.fc24                                                 

Complete!
[root@workstation ~]# systemctl restart systemd-modules-load.service

Comment 40 Michal Wasilewski 2016-08-21 08:45:42 UTC
Experienced the same for loop module, installing:

Name        : selinux-policy
Arch        : noarch
Epoch       : 0
Version     : 3.13.1
Release     : 191.12.fc24
Size        : 18 k
Repo        : @System
From repo   : updates-testing

fixed the problem

Comment 41 W. Michael Petullo 2016-08-25 23:11:22 UTC
I am using selinux-policy-3.13.1-191.12.fc24.noarch, and now both the Xen and VirtualBox modules load on boot. It appears that this is fixed on my computer.

Comment 42 Matt Kinni 2016-08-26 04:05:09 UTC
I am experiencing the same issue with selinux-policy-3.13.1-191.13.fc24.noarch, where a kernel module I am trying to load works fine running modprobe as root but causes systemd-modules-load.service to fail.

Unlike the other posters the module I am loading is not related to Virtualbox, but I believe it is the same issue.

After setting "semanage dontaudit off", I found avc denial messages like this:

type=AVC msg=audit(1472177378.620:782): avc:  denied  { sys_module } for  pid=2786 comm="systemd-modules" capability=16  scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=capability permissive=0

I used audit2allow to create the following policy which fixes this problem for me, and allows systemd-modules-load to do its job without crashing on boot:

module nvidiabl_modprobe 1.0;
require {
	type init_t;
	class capability sys_module;
}

#============= init_t ==============
allow init_t self:capability sys_module;

Comment 43 Igor Mammedov 2016-11-06 12:47:25 UTC
It fails for me with following Fedora shipped modules:

systemd-modules-load[1113]: Failed to insert 'i2c_dev': Operation not permitted
systemd-modules-load[1113]: Failed to insert 'nct6775': Operation not permitted

Installed packages:
selinux-policy-3.13.1-191.19.fc24.noarch
systemd-229-16.fc24.x86_64
kernel-4.8.4-200.fc24.x86_64
kernel-modules-4.8.4-200.fc24.x86_64


with audit enabled I get:

audit[1113]: AVC avc:  denied  { sys_module } for  pid=1113 comm="systemd-modules" capability=16  scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r

and audit2allow applied to it gives me

#============= init_t ==============
allow init_t self:capability sys_module;

which, when compiled and loaded, fixes the issue with systemd-modules-load and SELinux in enforcing mode

Comment 44 Lukas Vrabec 2016-11-07 19:11:26 UTC
Hi, 
Could you attach output of following command? 
$ sudo semanage fcontext -l | grep systemd_modules_load_exec_t 

systemd-modules-load should run as systemd_modules_load_t domain, not init_t.

Thanks.

Comment 45 Igor Mammedov 2016-11-10 19:07:43 UTC
sudo semanage fcontext -l | grep systemd_modules_load_exec_t 
/usr/lib/systemd/systemd-modules-load              regular file       system_u:object_r:systemd_modules_load_exec_t:s0 

PS:
I have installed system from netinstall image in Minimal configuration if that may matter.

Comment 46 niemand 2016-12-18 22:32:52 UTC
Here is my case: http://www.forums.fedoraforum.org/showpost.php?p=1778145&postcount=4

For the proper observation and handling, the message "Failed to Start Load Kernel Modules" at the very beginning of the Power ON or restart booting recording should be added to dmesg (for now it is not part of it)!

Thank you,
_nobody_

Comment 47 Liam N 2017-03-01 07:08:04 UTC
Hey,

I'm getting this same bug on Fedora 25 Workstation when trying to load modules from /etc/modules-load.d etc.

kernel-4.9.12-200.fc25.x86_64
kernel-modules-4.9.12-200.fc25.x86_64
systemd-231-14.fc25.x86_64
selinux-policy-3.13.1-225.11.fc25.noarch

----
time->Wed Mar  1 01:37:10 2017
type=SERVICE_START msg=audit(1488350230.389:255): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-modules-load comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
----
time->Wed Mar  1 01:37:10 2017
type=AVC msg=audit(1488350230.387:254): avc:  denied  { module_load } for  pid=2677 comm="systemd-modules" scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:system_r:systemd_modules_load_t:s0 tclass=system permissive=0


semanage fcontext -l | grep systemd_modules_load_exec_t
/usr/lib/systemd/systemd-modules-load              regular file       system_u:object_r:systemd_modules_load_exec_t:s0


systemctl start systemd-modules-load.service ; ausearch -ts recent | audit2allow -m my_systemd_modules_load

module my_systemd_modules_load 1.0;

require {
        type systemd_modules_load_t;
        class system module_load;
}

#============= systemd_modules_load_t ==============
allow systemd_modules_load_t self:system module_load;

audit2allow fixes it so the modules load ok

Comment 48 Tom Seewald 2017-04-03 02:40:08 UTC
This is still a problem on Fedora 25 workstation.  Perhaps I should mention that I used the netinstall image.

Problem: I am unable to load the zram module via systemd-modules-load at boot time.

System information:

Kernel: 4.10.6-200.fc25.x86_64
Selinux version: 3.13.1
Selinux release: 225.11.fc25

sestatus output (this should be the default):

SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      30

The failure can only be found via journald, it is not in /var/log/audit/audit.log (this must be a bug right?)

Error message:

AVC avc:  denied  { module_load } for  pid=731 comm="systemd-modules" scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:system_r:systemd_modules_load_t:s0 tclass=system permissive=0
SYSCALL arch=c000003e syscall=175 success=no exit=-13 a0=5631166b9d00 a1=b07b a2=7f0e57662995 a3=0 items=0 ppid=1 pid=731 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-modules" exe="/usr/lib/systemd/systemd-modules-load" subj=subj=system_u:system_r:systemd_modules_load_t:s0 key=(null)
systemd-modules-load[731]: Failed to insert 'zram': Permission denied
audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-journald comm="systemd" exe="/usr/lib/systemd hostname=? addr=? terminal=? res=success'

Workaround for those who run into this problem:

1. Restart systemd-modules-load.service so it actually generates a violation entry in /var/log/audit/audit.log

2. ausearch -m AVC -c systemd-modules | audit2allow -M allow-systemd-load-modules

3. semodule -i allow-systemd-load-modules
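
The denial records quoted in comments 27, 28, 42, 47 and 48 come in two shapes: the `type=AVC msg=audit(...)` form that ausearch reads from /var/log/audit/audit.log, and the `audit[pid]: AVC avc: denied` form that only lands in the journal when the kernel emits the record before auditd is running (which is why a denial at early boot shows up in journalctl but not in audit.log until the service is restarted). The following Python is an added example for this thread, not code from systemd, from the Fedora policy, or from anyone posting above. It parses both forms, collapses them into the `allow` rules audit2allow would print for the same input (`self` when source and target type match), and flags any record in which systemd-modules ran outside its expected confined domain systemd_modules_load_t, which comment 44 says is the domain it should be in. The sample lines are copies of the AVC lines posted above; the `EXPECTED_DOMAIN` constant and the function names are this example's own.

```python
"""Parse SELinux AVC denials (audit.log and journal forms) into audit2allow-style
allow rules, and flag denials where the source domain is not the expected one.
Added example for this bug thread; not systemd, selinux-policy or audit2allow code."""
import re
from collections import OrderedDict

# Shared tail of both record formats seen in the thread:
#   audit.log: type=AVC msg=audit(1469899455.259:263): avc:  denied  { read } for  pid=...
#   journal:   audit[3115]: AVC avc:  denied  { sys_module } for  pid=...
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Domain systemd-modules-load should run in (comment 44). Assumption of this example
# that the user's policy defines it; the check below only compares type names.
EXPECTED_DOMAIN = "systemd_modules_load_t"


def parse_avc(line):
    """Return a dict for one AVC denial line, or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec = {
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "tclass": fields.get("tclass"),
        "permissive": fields.get("permissive") == "1",
        # capability=16 on the sys_module records is CAP_SYS_MODULE
        "capability": fields.get("capability"),
        "source": "audit.log" if line.lstrip().startswith("type=") else "journal",
    }
    for key in ("scontext", "tcontext"):
        ctx = fields.get(key, "")
        parts = ctx.split(":")          # user:role:type[:range]
        rec[key] = ctx
        rec[key + "_type"] = parts[2] if len(parts) >= 3 else None
    return rec


def allow_rules(records):
    """Collapse denials into one allow rule per (source type, target type, class),
    merging permissions the way audit2allow does and writing 'self' when the
    source and target types are identical."""
    perms = OrderedDict()
    for r in records:
        src, tgt = r["scontext_type"], r["tcontext_type"]
        key = (src, "self" if src == tgt else tgt, r["tclass"])
        perms.setdefault(key, set()).update(r["perms"])
    rules = []
    for (src, tgt, cls), ps in perms.items():
        p = sorted(ps)
        body = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules


def wrong_domain(records, comm="systemd-modules", expected=EXPECTED_DOMAIN):
    """Source types of denials where the given process did not run in the expected
    domain. A rule generated from such a record (e.g. for init_t) would widen the
    permissions of PID 1's domain rather than fix the labelling problem."""
    return [r["scontext_type"] for r in records
            if r["comm"] == comm and r["scontext_type"] != expected]


def analyse(text):
    records = [r for r in (parse_avc(l) for l in text.splitlines()) if r]
    return records, allow_rules(records), wrong_domain(records)


# Sample input: the AVC lines posted in comments 27, 28, 42 and 47, plus one
# non-AVC journal line to show that it is ignored.
SAMPLE = """\
type=AVC msg=audit(1469899455.259:263): avc:  denied  { read } for  pid=4334 comm="systemd-modules" name="blacklist-visor.conf" dev="dm-1" ino=6161384 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=file permissive=0
audit[3115]: AVC avc:  denied  { sys_module } for  pid=3115 comm="systemd-modules" capability=16  scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:system_r:systemd_modules_load_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1472177378.620:782): avc:  denied  { sys_module } for  pid=2786 comm="systemd-modules" capability=16  scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1488350230.387:254): avc:  denied  { module_load } for  pid=2677 comm="systemd-modules" scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:system_r:systemd_modules_load_t:s0 tclass=system permissive=0
systemd-modules-load[3115]: Failed to insert 'vboxdrv': Operation not permitted
"""

if __name__ == "__main__":
    records, rules, bad = analyse(SAMPLE)
    for r in records:
        print(f"[{r['source']}] {r['scontext_type']} -> {r['tcontext_type']}:{r['tclass']} {r['perms']}")
    print("\n".join(rules))
    if bad:
        print("unexpected source domain for systemd-modules:", ", ".join(bad))
```

Run against `ausearch -m AVC -c systemd-modules --raw` output or `journalctl -b -o cat | grep 'avc: *denied'`, the rule list is what step 2 of the workaround above feeds to `semodule`; the separate wrong-domain list is the case to stop and investigate first, since the audit2allow output in comments 42 and 43 targets init_t, not the module loader's own domain.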

Comment 49 Robin Lee 2017-04-18 07:25:31 UTC
Persists in Fedora 26 Alpha
# rpm -qa selinux\*
selinux-policy-targeted-3.13.1-249.fc26.noarch
selinux-policy-3.13.1-249.fc26.noarch

Comment 50 W. Michael Petullo 2017-05-01 15:17:51 UTC
I have had success applying the workaround in comment #48 on Fedora 25. I suspect there is a broader policy which would fix the problem loading Xen, VirtualBox, and other modules.

Comment 51 Jean-Christophe Baptiste 2017-05-20 11:05:43 UTC
For me, comment #48 does NOT fix the problem.

I get nothing in /var/log/audit.log or with ausearch -m AVC -c systemd-modules, so I am not sure it is blocked by SELinux.

Comment 52 Tom Seewald 2017-06-04 03:38:23 UTC
(In reply to Jean-Christophe Baptiste from comment #51)
> For me, comment #48 does NOT fix the problem.
> 
> I get nothing in /var/log/audit.log or with usearch -m AVC -c
> systemd-modules, so I am not sure it is blocked by SELinux.

Did you follow step #1? It was not showing up in audit.log until I restarted it via "systemctl restart systemd-modules-load.service" after boot.

I don't think the developers have any intention of fixing this bug, so we'll have to work around this ourselves.

Comment 53 Fedora Update System 2017-06-08 11:10:57 UTC
selinux-policy-3.13.1-257.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-6a43388229

Comment 54 Fedora Update System 2017-06-10 01:10:10 UTC
selinux-policy-3.13.1-257.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-6a43388229

Comment 55 Fedora Update System 2017-06-12 13:06:14 UTC
selinux-policy-3.13.1-257.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.

Comment 56 niemand 2017-06-12 14:56:47 UTC
Denied. Absolutely.

The stable repository now have very unstable update. OK?
http://www.forums.fedoraforum.org/showpost.php?p=1788748&postcount=10

NO GO!

Thank you for understanding, Fedora Update System! ;-)

_nobody_

Comment 57 Christian Kujau 2017-06-13 06:41:53 UTC
Works for this F26 server installation:

==========
fedora0# rpm -q selinux-policy
selinux-policy-3.13.1-257.fc26.noarch

fedora0# ls -lZ /etc/modules-load.d/local.conf 
-rw-------. 1 root root unconfined_u:object_r:etc_t:s0 4 Jun 12 23:35 /etc/modules-load.d/local.conf

fedora0# cat /etc/modules-load.d/local.conf 
lz4

fedora0# journalctl -b | grep -i modules
Jun 12 23:36:19 localhost.localdomain systemd-modules-load[431]: Inserted module 'lz4'
Jun 12 23:36:19 localhost.localdomain audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-modules-load comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Jun 12 23:36:19 localhost.localdomain systemd[1]: Started Load Kernel Modules.
==========

Thanks!

Comment 58 niemand 2017-06-15 19:57:18 UTC
Does not work for Fedora 26 Workstation installation!

[root@localhost ~]# rpm -q selinux-policy
selinux-policy-3.13.1-257.fc26.noarch
[root@localhost ~]# ls -lZ /etc/modules-load.d/local.conf
-rw-r--r--. 1 root root unconfined_u:object_r:etc_t:s0 4 Jun 14 01:52 /etc/modules-load.d/local.conf
[root@localhost ~]# cat /etc/modules-load.d/local.conf
lz4
[root@localhost ~]# journalctl -b | grep -i modules
Jun 15 12:43:04 localhost.localdomain systemd-modules-load[289]: Failed to find module 'vboxdrv'
Jun 15 12:43:04 localhost.localdomain systemd-modules-load[289]: Failed to find module 'vboxnetflt'
Jun 15 12:43:04 localhost.localdomain systemd-modules-load[289]: Failed to find module 'vboxnetadp'
Jun 15 12:43:04 localhost.localdomain systemd-modules-load[289]: Failed to find module 'vboxpci'
Jun 15 12:43:08 localhost.localdomain systemd-modules-load[676]: Failed to find module 'vboxdrv'
Jun 15 12:43:08 localhost.localdomain systemd-modules-load[676]: Failed to find module 'vboxnetflt'
Jun 15 12:43:08 localhost.localdomain systemd-modules-load[676]: Failed to find module 'vboxnetadp'
Jun 15 12:43:08 localhost.localdomain systemd-modules-load[676]: Failed to find module 'vboxpci'
Jun 15 12:43:08 localhost.localdomain systemd-modules-load[676]: Inserted module 'lz4'
Jun 15 12:43:08 localhost.localdomain systemd[1]: systemd-modules-load.service: Main process exited, code=exited, status=1/FAILURE
Jun 15 12:43:08 localhost.localdomain systemd[1]: Failed to start Load Kernel Modules.
Jun 15 12:43:08 localhost.localdomain systemd[1]: systemd-modules-load.service: Unit entered failed state.
Jun 15 12:43:08 localhost.localdomain systemd[1]: systemd-modules-load.service: Failed with result 'exit-code'.
Jun 15 12:43:08 localhost.localdomain audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-modules-load comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
Jun 15 12:43:11 localhost.localdomain systemd[1]: Starting Builds and install new kernel modules through DKMS...
Jun 15 12:43:11 localhost.localdomain lm_sensors-modprobe-wrapper[921]: No sensors with loadable kernel modules configured.
Jun 15 12:43:14 localhost.localdomain systemd[1]: Started Builds and install new kernel modules through DKMS.
Jun 15 12:43:21 localhost.localdomain gnome-shell[1413]: JS WARNING: [resource:///org/gnome/gjs/modules/tweener/tweener.js 538]: reference to undefined property properties[istr].arrayIndex
Jun 15 12:43:37 localhost.localdomain /usr/libexec/gdm-x-session[1763]: (==) ModulePath set to "/usr/lib64/xorg/modules"
Jun 15 12:43:37 localhost.localdomain /usr/libexec/gdm-x-session[1763]: (II) Loading /usr/lib64/xorg/modules/extensions/libglx.so
Jun 15 12:43:37 localhost.localdomain /usr/libexec/gdm-x-session[1763]: (II) Loading /usr/lib64/xorg/modules/drivers/vmware_drv.so
Jun 15 12:43:37 localhost.localdomain /usr/libexec/gdm-x-session[1763]: (II) Loading /usr/lib64/xorg/modules/drivers/modesetting_drv.so
Jun 15 12:43:37 localhost.localdomain /usr/libexec/gdm-x-session[1763]: (II) Loading /usr/lib64/xorg/modules/drivers/fbdev_drv.so
Jun 15 12:43:37 localhost.localdomain /usr/libexec/gdm-x-session[1763]: (II) Loading /usr/lib64/xorg/modules/drivers/vesa_drv.so
Jun 15 12:43:37 localhost.localdomain /usr/libexec/gdm-x-session[1763]: (II) Loading /usr/lib64/xorg/modules/libfbdevhw.so
Jun 15 12:43:37 localhost.localdomain /usr/libexec/gdm-x-session[1763]: (II) Loading /usr/lib64/xorg/modules/libfb.so
Jun 15 12:43:37 localhost.localdomain /usr/libexec/gdm-x-session[1763]: (II) Loading /usr/lib64/xorg/modules/input/libinput_drv.so
Jun 15 12:43:38 localhost.localdomain dbus-daemon[1776]: [session uid=1000 pid=1776] Activating service name='com.redhat.imsettings' requested by ':1.4' (uid=1000 pid=1848 comm="/usr/libexec/imsettings-check --check-modules " label="unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023")
Jun 15 12:43:38 localhost.localdomain com.redhat.imsettings[1776]: [ 1497523418.083360]: IMSettings-Daemon[1852]: INFO:   [MODULES=gsettings]
Jun 15 12:43:40 localhost.localdomain gnome-shell[2008]: JS WARNING: [resource:///org/gnome/gjs/modules/tweener/tweener.js 538]: reference to undefined property properties[istr].arrayIndex
                                                         wrapper@resource:///org/gnome/gjs/modules/lang.js:178:22
                                                         wrapper@resource:///org/gnome/gjs/modules/lang.js:178:22
                                                         wrapper@resource:///org/gnome/gjs/modules/lang.js:178:22
                                                         wrapper@resource:///org/gnome/gjs/modules/lang.js:178:22
                                                         wrapper@resource:///org/gnome/gjs/modules/lang.js:178:22
                                                         wrapper@resource:///org/gnome/gjs/modules/lang.js:178:22
                                                         wrapper@resource:///org/gnome/gjs/modules/lang.js:178:22
                                                         wrapper@resource:///org/gnome/gjs/modules/lang.js:178:22
Jun 15 14:41:09 localhost.localdomain /usr/libexec/gdm-x-session[3487]: (==) ModulePath set to "/usr/lib64/xorg/modules"
Jun 15 14:41:09 localhost.localdomain /usr/libexec/gdm-x-session[3487]: (II) Loading /usr/lib64/xorg/modules/extensions/libglx.so
Jun 15 14:41:09 localhost.localdomain /usr/libexec/gdm-x-session[3487]: (II) Loading /usr/lib64/xorg/modules/drivers/vmware_drv.so
Jun 15 14:41:09 localhost.localdomain /usr/libexec/gdm-x-session[3487]: (II) Loading /usr/lib64/xorg/modules/drivers/modesetting_drv.so
Jun 15 14:41:09 localhost.localdomain /usr/libexec/gdm-x-session[3487]: (II) Loading /usr/lib64/xorg/modules/drivers/fbdev_drv.so
Jun 15 14:41:09 localhost.localdomain /usr/libexec/gdm-x-session[3487]: (II) Loading /usr/lib64/xorg/modules/drivers/vesa_drv.so
Jun 15 14:41:09 localhost.localdomain /usr/libexec/gdm-x-session[3487]: (II) Loading /usr/lib64/xorg/modules/libfbdevhw.so
Jun 15 14:41:09 localhost.localdomain /usr/libexec/gdm-x-session[3487]: (II) Loading /usr/lib64/xorg/modules/libfb.so
Jun 15 14:41:10 localhost.localdomain /usr/libexec/gdm-x-session[3487]: (II) Loading /usr/lib64/xorg/modules/input/libinput_drv.so
Jun 15 14:41:10 localhost.localdomain dbus-daemon[3518]: [session uid=0 pid=3518] Activating service name='com.redhat.imsettings' requested by ':1.4' (uid=0 pid=3590 comm="/usr/libexec/imsettings-check --check-modules " label="unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023")
Jun 15 14:41:10 localhost.localdomain com.redhat.imsettings[3518]: [ 1497530470.439074]: IMSettings-Daemon[3594]: INFO:   [MODULES=gsettings]
Jun 15 14:41:12 localhost.localdomain gnome-shell[3742]: JS WARNING: [resource:///org/gnome/gjs/modules/tweener/tweener.js 538]: reference to undefined property properties[istr].arrayIndex
[root@localhost ~]#

_nobody_

Comment 59 Christian Kujau 2017-06-16 00:45:03 UTC
The service will of course fail when it's asked to load modules that do not exist (see the "Failed to find module..." messages above), but it seems to load the lz4 module just fine, no? Also, the Gnome messages are unrelated, please open another bug if there's a problem with Gnome.

Comment 60 niemand 2017-06-17 06:59:15 UTC
Christian,

Finally, you, Fedora developers, did something useful! ;-)

After many months of desperation. You need to improve the system response (to be at least 10x quicker/faster). The Fedora system response does NOT comply with Real Time customers' needs. Very slow deeds!

http://www.forums.fedoraforum.org/showpost.php?p=1789030&postcount=5

_nobody_

