Bug 1427296 - selinux: modprobe command fails after copying kernel
Summary: selinux: modprobe command fails after copying kernel
Keywords:
Status: CLOSED DUPLICATE of bug 1414130
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.4
Hardware: Unspecified
OS: Linux
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-02-27 20:07 UTC by David Arcari
Modified: 2017-03-30 10:58 UTC
CC List: 8 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 1437012
Environment:
Last Closed: 2017-03-30 10:58:55 UTC
Target Upstream Version:
Embargoed:


Attachments

Description David Arcari 2017-02-27 20:07:28 UTC
Description of problem:

modprobe is returning EPERM.

Version-Release number of selected component (if applicable):

This was happening with the 2-20-17 RHEL7.4 nightly build, but not the 2-09-17 nightly build.


How reproducible:

100%


Steps to Reproduce:
1. Provisioned system with 2/20 7.4 nightly build
2. Copied upstream kernel from a different system
3. Reboot
4. modprobe fails

Actual results:

# modprobe atusb
modprobe: ERROR: could not insert 'atusb': Permission denied


Expected results:

Successful load of module.


Additional info:

This problem was not happening on my system which was loaded with RHEL-7.4-20170209.n.0, but is happening on my system which was loaded with RHEL-7.4-20170220.n.1.

I loaded the selinux-policy associated with 20170220 on my system with 20170209 in order to prove that is in fact the issue.

1) Ran this command:

# rpm -Uvh selinux-policy-3.13.1-121.el7.noarch.rpm selinux-policy-targeted-3.13.1-121.el7.noarch.rpm
Preparing...                          ################################# [100%]
Updating / installing...
   1:selinux-policy-3.13.1-121.el7    ################################# [ 25%]
   2:selinux-policy-targeted-3.13.1-12################################# [ 50%]
Re-declaration of type docker_t
Failed to create node
Bad type declaration at /etc/selinux/targeted/tmp/modules/100/docker/cil:1
/usr/sbin/semodule:  Failed!
22k
Cleaning up / removing...
   3:selinux-policy-targeted-3.13.1-11################################# [ 75%]
   4:selinux-policy-3.13.1-117.el7    ################################

2) Console output:

[ 9287.389251] SELinux:  Class sctp_socket not defined in policy.
[ 9287.395102] SELinux:  Class icmp_socket not defined in policy.
[ 9287.400951] SELinux:  Class ax25_socket not defined in policy.
[ 9287.406793] SELinux:  Class ipx_socket not defined in policy.
[ 9287.412531] SELinux:  Class netrom_socket not defined in policy.
[ 9287.418539] SELinux:  Class atmpvc_socket not defined in policy.
[ 9287.424543] SELinux:  Class x25_socket not defined in policy.
[ 9287.430290] SELinux:  Class rose_socket not defined in policy.
[ 9287.436121] SELinux:  Class decnet_socket not defined in policy.
[ 9287.442141] SELinux:  Class atmsvc_socket not defined in policy.
[ 9287.448154] SELinux:  Class rds_socket not defined in policy.
[ 9287.453917] SELinux:  Class irda_socket not defined in policy.
[ 9287.459751] SELinux:  Class pppox_socket not defined in policy.
[ 9287.465681] SELinux:  Class llc_socket not defined in policy.
[ 9287.471442] SELinux:  Class can_socket not defined in policy.
[ 9287.477178] SELinux:  Class tipc_socket not defined in policy.
[ 9287.483035] SELinux:  Class bluetooth_socket not defined in policy.
[ 9287.489319] SELinux:  Class iucv_socket not defined in policy.
[ 9287.495173] SELinux:  Class rxrpc_socket not defined in policy.
[ 9287.501094] SELinux:  Class isdn_socket not defined in policy.
[ 9287.506966] SELinux:  Class phonet_socket not defined in policy.
[ 9287.512968] SELinux:  Class ieee802154_socket not defined in policy.
[ 9287.519312] SELinux:  Class caif_socket not defined in policy.
[ 9287.525143] SELinux:  Class alg_socket not defined in policy.
[ 9287.530882] SELinux:  Class nfc_socket not defined in policy.
[ 9287.536618] SELinux:  Class vsock_socket not defined in policy.
[ 9287.542534] SELinux:  Class kcm_socket not defined in policy.
[ 9287.548289] SELinux:  Class qipcrtr_socket not defined in policy.
[ 9287.554393] SELinux:  Class smc_socket not defined in policy.
[ 9287.560163] SELinux: the above unknown classes and permissions will be allowed


The net result is that the previously working system is now encountering the EPERM issue.

Comment 2 Milos Malik 2017-02-28 08:22:21 UTC
Could you collect SELinux denials on your machine and attach them here?

# dmesg | grep type=1400
# ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts today

Thank you.

It's very likely that this bug is a duplicate of BZ#1421598.

Comment 3 David Arcari 2017-02-28 13:44:48 UTC
Unfortunately I don't have the setup available at this time.

I guess you can go ahead and close this as a duplicate.  I will reopen it if I experience an issue going forward.

Comment 4 Milos Malik 2017-03-15 10:17:31 UTC
Which kernel version did you use? I don't see the "Class ... not defined in policy" messages.

Comment 5 Prarit Bhargava 2017-03-15 11:44:28 UTC
Milos, I can reproduce this on any recent RHEL7 install by doing the following:

1.  Install a beaker system with RHEL7 latest.  I am using 

baseurl=http://download.eng.bos.redhat.com/nightly/Pegas-7.4-20170313.n.0/compose/Server/x86_64/os

2.  Check out the upstream git tree git://git.app.eng.bos.redhat.com/linux.git

To get the appropriate config, grab the latest RHEL7 upstream build from

http://hp-dl360pgen8-07.khw.lab.eng.bos.redhat.com/~jwilson/kernels/el7

and install the kernel-upstream RPM.  A config will be in /boot/config-XXX

3.  Build the linux git tree.  (make oldconfig; make -jX; make modules -jX)

4.  Install the linux build (make -jX modules_install; make -jX install)

5.  Boot that new kernel

6.  During the reboot you will see

 SELinux:  Permission validate_trans in class security not defined in policy.
 SELinux:  Permission module_load in class system not defined in policy.
 SELinux:  Class binder not defined in policy.
 SELinux:  Class cap_userns not defined in policy.
 SELinux:  Class cap2_userns not defined in policy.
 SELinux:  Class sctp_socket not defined in policy.
 SELinux:  Class icmp_socket not defined in policy.
 SELinux:  Class ax25_socket not defined in policy.
 SELinux:  Class ipx_socket not defined in policy.
 SELinux:  Class netrom_socket not defined in policy.
 SELinux:  Class atmpvc_socket not defined in policy.
 SELinux:  Class x25_socket not defined in policy.
 SELinux:  Class rose_socket not defined in policy.
 SELinux:  Class decnet_socket not defined in policy.
 SELinux:  Class atmsvc_socket not defined in policy.
 SELinux:  Class rds_socket not defined in policy.
 SELinux:  Class irda_socket not defined in policy.
 SELinux:  Class pppox_socket not defined in policy.
 SELinux:  Class llc_socket not defined in policy.
 SELinux:  Class can_socket not defined in policy.
 SELinux:  Class tipc_socket not defined in policy.
 SELinux:  Class bluetooth_socket not defined in policy.
 SELinux:  Class iucv_socket not defined in policy.
 SELinux:  Class rxrpc_socket not defined in policy.
 SELinux:  Class isdn_socket not defined in policy.
 SELinux:  Class phonet_socket not defined in policy.
 SELinux:  Class ieee802154_socket not defined in policy.
 SELinux:  Class caif_socket not defined in policy.
 SELinux:  Class alg_socket not defined in policy.
 SELinux:  Class nfc_socket not defined in policy.
 SELinux:  Class vsock_socket not defined in policy.
 SELinux:  Class kcm_socket not defined in policy.
 SELinux:  Class qipcrtr_socket not defined in policy.
 SELinux:  Class smc_socket not defined in policy.
 SELinux: the above unknown classes and permissions will be allowed
 audit: type=1403 audit(1489399697.991:3): policy loaded auid=4294967295 ses=4294967295 
 Successfully loaded SELinux policy in 455.140ms.

I will test with the RHEL7 git tree and update this BZ.

P.
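
The boot messages in step 6 are the kernel telling you that it knows classes and permissions the loaded policy does not. The following is an added example (my own code, not anything from this bug, the reporter or Red Hat) that parses those messages into a kernel-versus-policy skew summary: which classes are unknown, which permissions are unknown per class, and whether the policy's unknown-handling setting makes them allowed or denied. The sample input is constructed from a subset of the lines quoted above with made-up timestamps. It flags `system:module_load` explicitly because, in upstream kernels of this era, that is the permission checked when a kernel module is loaded; the bug itself does not establish that this permission is what produced the EPERM, so treat that line as context, not a diagnosis.

```python
import re
from collections import defaultdict

# Constructed sample input: a subset of the kernel messages quoted in the
# reproduction steps, with made-up timestamps. Not a real capture.
SAMPLE_DMESG = """\
[    1.234567] SELinux:  Permission validate_trans in class security not defined in policy.
[    1.234570] SELinux:  Permission module_load in class system not defined in policy.
[    1.234573] SELinux:  Class binder not defined in policy.
[    1.234576] SELinux:  Class cap_userns not defined in policy.
[    1.234579] SELinux:  Class sctp_socket not defined in policy.
[    1.234582] SELinux: the above unknown classes and permissions will be allowed
[    1.234585] audit: type=1403 audit(1489399697.991:3): policy loaded auid=4294967295 ses=4294967295
[    1.234588] Successfully loaded SELinux policy in 455.140ms.
"""

# Message formats printed by the kernel when it maps its built-in class and
# permission tables onto the policy it just loaded.
CLASS_RE = re.compile(r"SELinux:\s+Class (\S+) not defined in policy")
PERM_RE = re.compile(r"SELinux:\s+Permission (\S+) in class (\S+) not defined in policy")
HANDLE_RE = re.compile(
    r"SELinux: the above unknown classes and permissions will be (allowed|denied)")


def parse_policy_skew(text):
    """Extract kernel-vs-policy skew from dmesg-style text.

    Returns a dict with the unknown classes (in the order reported), the
    unknown permissions grouped by class, and how the policy handles unknown
    classes/permissions ('allowed', 'denied', or None if the summary line
    was not present in the input).
    """
    unknown_classes = []
    unknown_perms = defaultdict(list)
    handle_unknown = None
    for line in text.splitlines():
        m = CLASS_RE.search(line)
        if m:
            unknown_classes.append(m.group(1))
            continue
        m = PERM_RE.search(line)
        if m:
            perm, cls = m.groups()
            unknown_perms[cls].append(perm)
            continue
        m = HANDLE_RE.search(line)
        if m:
            handle_unknown = m.group(1)
    return {
        "unknown_classes": unknown_classes,
        "unknown_perms": dict(unknown_perms),
        "handle_unknown": handle_unknown,
    }


def perm_is_undefined(skew, cls, perm):
    """True if the kernel reported cls:perm as absent from the loaded policy.

    A whole class being unknown implies every permission in it is unknown.
    """
    return cls in skew["unknown_classes"] or perm in skew["unknown_perms"].get(cls, [])


def report(text):
    """Triage summary as a list of lines (returned, not printed, so it is testable)."""
    skew = parse_policy_skew(text)
    lines = [
        "unknown classes: %d" % len(skew["unknown_classes"]),
        "unknown permissions: %d" % sum(len(v) for v in skew["unknown_perms"].values()),
        "handle_unknown: %s" % skew["handle_unknown"],
    ]
    # system:module_load is the permission the kernel checks on module load
    # (kernel knowledge; this bug does not confirm it caused the EPERM).
    if perm_is_undefined(skew, "system", "module_load"):
        msg = "system:module_load is not defined in the loaded policy"
        if skew["handle_unknown"]:
            msg += "; unknown permissions are being %s" % skew["handle_unknown"]
        lines.append(msg)
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_DMESG)))
```

On a live box, feed it `dmesg | grep 'SELinux:'` instead of the sample. The handle_unknown line only appears once per policy load; if you missed it in the ring buffer, `cat /sys/fs/selinux/deny_unknown` (0 means unknown classes and permissions are allowed) or the "Policy deny_unknown status" line of `sestatus` gives the same answer.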

Comment 6 Prarit Bhargava 2017-03-15 11:58:29 UTC
This does not occur with the RHEL7 git tree AFAICT.  darcari, can you confirm?

Thanks,

P.

Comment 7 David Arcari 2017-03-15 12:09:34 UTC
(In reply to Milos Malik from comment #4)
> Which kernel version did you use? I don't see the "Class ... not defined in
> policy" messages.

AFAICT the build that I used is no longer available.  I was using the 2.20.17 nightly build.

Prarit - I never saw this issue when I have built my own kernel; however, it appears that it was only present during a brief window.

Comment 11 Lukas Vrabec 2017-03-30 10:58:55 UTC

*** This bug has been marked as a duplicate of bug 1414130 ***

