Boot, login, and immediately there's an selinux notification in gnome-shell.

SELinux is preventing systemctl from module_request access on the system Unknown.

***** Plugin catchall_boolean (89.3 confidence) suggests ******************

If you want to allow domain to kernel load modules
Then you must tell SELinux about this by enabling the 'domain_kernel_load_modules' boolean.

Do
setsebool -P domain_kernel_load_modules 1

***** Plugin catchall (11.6 confidence) suggests **************************

If you believe that systemctl should be allowed module_request access on the Unknown system by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemctl' --raw | audit2allow -M my-systemctl
# semodule -X 300 -i my-systemctl.pp

Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                system_u:system_r:kernel_t:s0
Target Objects                Unknown [ system ]
Source                        systemctl
Source Path                   systemctl
Port                          <Unknown>
Host                          f27h.localdomain
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-283.26.fc27.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     f27h.localdomain
Platform                      Linux f27h.localdomain 4.16.0-0.rc2.git0.1.fc28.x86_64+debug #1 SMP Mon Feb 19 14:27:14 UTC 2018 x86_64 x86_64
Alert Count                   12
First Seen                    2018-02-22 23:01:14 MST
Last Seen                     2018-02-23 00:14:21 MST
Local ID                      96830191-267d-4388-9104-9ff7e5a5a486

Raw Audit Messages
type=AVC msg=audit(1519370061.967:268): avc: denied { module_request } for pid=2402 comm="systemd-update-" kmod="netdev-" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0
Created attachment 1399709: journal log
Still happens after relabeling. But does not happen if I boot 4.15.4-300.fc27.x86_64 instead of 4.16rc2. Even with 4.15.4 I still get a bunch of other avc denials however.

[chris@f27h ~]$ sudo journalctl -b | grep avc
[sudo] password for chris:
Feb 23 00:23:12 f27h.localdomain audit[687]: AVC avc: denied { mounton } for pid=687 comm="(uetoothd)" path="/var/lib/bluetooth" dev="nvme0n1p9" ino=143802 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:bluetooth_var_lib_t:s0 tclass=dir permissive=0
Feb 23 00:23:15 f27h.localdomain systemd[1007]: selinux: avc: denied { status } for auid=n/a uid=42 gid=42 cmdline="/usr/libexec/gdm-wayland-session gnome-session --autostart /usr/share/gdm/greeter/autostart" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0
Feb 23 00:23:15 f27h.localdomain systemd[1007]: selinux: avc: denied { reload } for auid=n/a uid=42 gid=42 cmdline="/usr/libexec/gnome-session-binary --autostart /usr/share/gdm/greeter/autostart" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0
Feb 23 00:23:15 f27h.localdomain systemd[1007]: selinux: avc: denied { reload } for auid=n/a uid=42 gid=42 cmdline="/usr/libexec/gnome-session-binary --autostart /usr/share/gdm/greeter/autostart" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0
Feb 23 00:23:15 f27h.localdomain systemd[1007]: selinux: avc: denied { reload } for auid=n/a uid=42 gid=42 cmdline="/usr/libexec/gnome-session-binary --autostart /usr/share/gdm/greeter/autostart" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0
Feb 23 00:23:15 f27h.localdomain systemd[1007]: selinux: avc: denied { reload } for auid=n/a uid=42 gid=42 cmdline="/usr/libexec/gnome-session-binary --autostart /usr/share/gdm/greeter/autostart" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0
Feb 23 00:23:15 f27h.localdomain systemd[1007]: selinux: avc: denied { reload } for auid=n/a uid=42 gid=42 cmdline="/usr/libexec/gnome-session-binary --autostart /usr/share/gdm/greeter/autostart" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0
Feb 23 00:23:15 f27h.localdomain systemd[1007]: selinux: avc: denied { reload } for auid=n/a uid=42 gid=42 cmdline="/usr/libexec/gnome-session-binary --autostart /usr/share/gdm/greeter/autostart" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0
Feb 23 00:23:16 f27h.localdomain systemd[1007]: selinux: avc: denied { reload } for auid=n/a uid=42 gid=42 cmdline="/usr/libexec/gnome-session-binary --autostart /usr/share/gdm/greeter/autostart" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0
Feb 23 00:23:16 f27h.localdomain systemd[1007]: selinux: avc: denied { reload } for auid=n/a uid=42 gid=42 cmdline="/usr/libexec/gnome-session-binary --autostart /usr/share/gdm/greeter/autostart" scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0
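
An added triage example, not part of the original report: it collapses `journalctl -b | grep avc` output like the above into one line per distinct denial (source type, target type, class, permission), so the new module_request denial stands apart from the repeated reload noise. The function names are hypothetical, and the sample is constructed from lines quoted in this report with the reload entry repeated three times.

```python
import re
from collections import Counter

# Matches kernel audit records and systemd's userspace "selinux: avc:" lines.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+"
    r"tclass=(?P<tclass>\S+)"
)

def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context

def summarize(log_text):
    """Count denials per (source type, target type, class, permission)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial
        for perm in m.group("perms").split():
            key = (selinux_type(m.group("scontext")),
                   selinux_type(m.group("tcontext")),
                   m.group("tclass"), perm)
            counts[key] += 1
    return counts

def report(counts):
    """One line per distinct denial, most frequent first."""
    return [f"{n:3d}x {s} -> {t}:{c} {{ {p} }}"
            for (s, t, c, p), n in counts.most_common()]

# Constructed sample built from denial lines quoted in this report.
_XDM = ('scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 '
        'tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=system permissive=0')
_RELOAD = ('systemd[1007]: selinux: avc: denied { reload } for auid=n/a uid=42 gid=42 '
           'cmdline="/usr/libexec/gnome-session-binary --autostart /usr/share/gdm/greeter/autostart" ' + _XDM)
SAMPLE = "\n".join([
    'type=AVC msg=audit(1519370061.967:268): avc: denied { module_request } for pid=2402 comm="systemd-update-" kmod="netdev-" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0',
    'audit[687]: AVC avc: denied { mounton } for pid=687 comm="(uetoothd)" path="/var/lib/bluetooth" dev="nvme0n1p9" ino=143802 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:bluetooth_var_lib_t:s0 tclass=dir permissive=0',
    'systemd[1007]: selinux: avc: denied { status } for auid=n/a uid=42 gid=42 cmdline="/usr/libexec/gdm-wayland-session gnome-session" ' + _XDM,
    _RELOAD, _RELOAD, _RELOAD,
])

if __name__ == "__main__":
    print("\n".join(report(summarize(SAMPLE))))
```
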
*** This bug has been marked as a duplicate of bug 1547227 ***