Created attachment 1553875 [details]
"ausearch -m avx" result

Description of problem:
SELinux causes the "Kernel driver not installed (rc = -1908)" error when running guest machines in VirtualBox (from rpmfusion).

The result of the "systemctl restart systemd-modules-load.service" command:

Failed to lookup module alias 'vboxdrv': Function not implemented
Failed to lookup module alias 'vboxnetflt': Function not implemented
Failed to lookup module alias 'vboxnetadp': Function not implemented
Failed to lookup module alias 'vboxpci': Function not implemented
systemd[1]: systemd-modules-load.service: Main process exited, code=exited, status=1/FAILURE
systemd[1]: systemd-modules-load.service: Failed with result 'exit-code'.
systemd[1]: Failed to start Load Kernel Modules.

Akmods command output:
Checking kmods exist for 5.0.6-300.fc30.x86_64 [OK]

Version-Release number of selected component (if applicable):
kernel: 5.0.6-300.fc30.x86_64
selinux-policy-3.14.3-27.fc30.noarch
VirtualBox-6.0.4-2.fc30.x86_64
dkms-2.6.1-3.fc30.noarch

Steps to Reproduce:
1. enable secure boot
2. sudo dnf install @development-tools
   sudo dnf install kernel-devel kernel-headers dkms qt5-qtx11extras elfutils-libelf-devel zlib-devel
   sudo usermod -a -G vboxusers $USER
3. openssl req -new -x509 -newkey rsa:2048 -keyout MOK.priv -outform DER -out MOK.der -nodes -days 36500 -subj "/CN=Someorganization.com/"
4. for f in $(dirname $(modinfo -n vboxdrv))/*.ko; do echo "Signing $f"; sudo /usr/src/kernels/$(uname -r)/scripts/sign-file sha256 ./MOK.priv ./MOK.der $f; done
5. sudo mokutil --import MOK.der
6. reboot, select "Enroll MOK", then "Continue", and then "Yes"
7. try to run some guest machine

Actual results:
Kernel driver not installed (rc = -1908)

Expected results:
The guest OS is running.

8. edit the /etc/selinux/config file as follows (switch to permissive mode):

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of these three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

9. reboot and try to run some guest machine

Actual results:
The guest OS is running.

Additional info:
1. mokutil --sb-state
SecureBoot enabled

2. sudo mokutil --list-enrolled
My certificate is in the list of enrolled certificates.

3. dmesg | grep cert
[ 2.758905] Loading compiled-in X.509 certificates
[ 2.839792] Loaded X.509 cert 'Fedora kernel signing key: f3d58d4c27c9324ae906085cc56865624e714874'
[ 2.880534] integrity: Loading X.509 certificate: UEFI:db
[ 2.880615] integrity: Loaded X.509 cert 'Microsoft Windows Production PCA 2011: a92902398e16c49778cd90f99e4f9ae17c55af53'
[ 2.880617] integrity: Loading X.509 certificate: UEFI:db
[ 2.880661] integrity: Loaded X.509 cert 'Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4'
[ 2.880662] integrity: Loading X.509 certificate: UEFI:db
[ 2.881103] integrity: Loaded X.509 cert 'Wistron Secure Flash: 34988c042fea03ab4cf14666886666c5'
[ 2.881104] integrity: Loading X.509 certificate: UEFI:db
[ 2.881134] integrity: Loaded X.509 cert 'Acer Database: 84f00f5841571abd2cc11a8c26d5c9c8d2b6b0b5'
[ 2.881292] integrity: Loading X.509 certificate: UEFI:MokListRT
[ 2.881926] integrity: Loaded X.509 cert 'boot_key: 30f9aec637b6bcf0286df26ebe1c9bea4011972e'
[ 2.881929] integrity: Loading X.509 certificate: UEFI:MokListRT
[ 2.882819] integrity: Loaded X.509 cert 'Someorganization.com: 7c5fbeec6136e070427b9708165e2618be601382'
[ 2.882820] integrity: Loading X.509 certificate: UEFI:MokListRT
[ 2.883727] integrity: Loaded X.509 cert 'Fedora Secure Boot CA: fde32599c2d61db1bf5807335d7b20e4cd963b42'
[ 63.547343] cfg80211: Loading compiled-in X.509 certificates for regulatory database
[ 63.561178] cfg80211: Loaded X.509 cert 'sforshee: 00b28ddf47aef9cea7'

4. ausearch -m avc
see attachments

5. ausearch -m avc
see attachments
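The Secure Boot part of the steps above (the CN passed to openssl, the MOK enrolment, and the dmesg lines showing which certificates the kernel actually loaded) can be checked with a small script. This is an added example, not part of the report: it parses kernel log lines in the format quoted above, confirms that the enrolled certificate was loaded from UEFI:MokListRT, and checks that a .ko ends with the marker sign-file appends; the log sample is constructed and abridged from the report's format.

```shell
#!/bin/sh
# Added example (not from the bug report). Log format assumed as quoted in the report.

# Constructed, abridged sample of the "dmesg | grep cert" lines from the report.
SAMPLE_DMESG=$(cat <<'EOF'
[    2.758905] Loading compiled-in X.509 certificates
[    2.839792] Loaded X.509 cert 'Fedora kernel signing key: f3d58d4c27c9324ae906085cc56865624e714874'
[    2.880617] integrity: Loading X.509 certificate: UEFI:db
[    2.880661] integrity: Loaded X.509 cert 'Microsoft Corporation UEFI CA 2011: 13adbf4309bd82709c8cd54f316ed522988a1bd4'
[    2.881929] integrity: Loading X.509 certificate: UEFI:MokListRT
[    2.882819] integrity: Loaded X.509 cert 'Someorganization.com: 7c5fbeec6136e070427b9708165e2618be601382'
[    2.882820] integrity: Loading X.509 certificate: UEFI:MokListRT
[    2.883727] integrity: Loaded X.509 cert 'Fedora Secure Boot CA: fde32599c2d61db1bf5807335d7b20e4cd963b42'
EOF
)

# Print "<source>TAB<CN>TAB<sha1>" for every cert the kernel reported loading.
# Reads kernel log text on stdin; the source comes from the preceding "Loading" line.
list_loaded_certs() {
    awk -v q="'" '
        /Loading compiled-in X\.509 certificates/ { src = "builtin"; next }
        /integrity: Loading X\.509 certificate:/  { src = $NF; next }
        /Loaded X\.509 cert / {
            s = substr($0, index($0, "cert " q) + 6)   # text after the opening quote
            sub(q "$", "", s)                           # drop the closing quote
            sha = s; sub(/^.*: /, "", sha)              # fingerprint after the last ": "
            cn = s;  sub(/: [0-9a-f]+$/, "", cn)        # CN is everything before it
            print src "\t" cn "\t" sha
        }'
}

# Succeed only if a cert with this CN came from the MOK list (UEFI:MokListRT),
# which is where a key enrolled with "mokutil --import" must show up.
mok_cert_loaded() {
    list_loaded_certs | awk -F '\t' -v cn="$1" \
        '$1 == "UEFI:MokListRT" && $2 == cn { found = 1 } END { exit !found }'
}

# Succeed only if the module ends with the marker that sign-file appends.
module_is_signed() {
    tail -c 64 "$1" | grep -q '~Module signature appended~'
}

# Demo on the sample; on a real system pipe dmesg in instead.
printf '%s\n' "$SAMPLE_DMESG" | list_loaded_certs
printf '%s\n' "$SAMPLE_DMESG" | mok_cert_loaded "Someorganization.com" \
    && echo "MOK cert loaded from MokListRT" || echo "MOK cert missing: re-check mokutil --list-enrolled"
```

On a real system, "dmesg | mok_cert_loaded 'Someorganization.com'" and "module_is_signed /path/to/vboxdrv.ko" give the two checks separately, which helps tell a signing or enrolment problem apart from the SELinux denial this report is about.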
Created attachment 1553876 [details] "ausearch -m avc" result
https://github.com/fedora-selinux/selinux-policy/commit/021823926ae7bff86e92ea8d119d5150c0d89a63
selinux-policy-3.14.3-28.fc30 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-b514a5c8a3
selinux-policy-3.14.3-28.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-b514a5c8a3
selinux-policy-3.14.3-29.fc30 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-7cb094d99a
selinux-policy-3.14.3-29.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.
Will this be backported to Fedora 29 as well?
Are you facing the same issue also on Fedora 29?
I'm experiencing the same symptoms, yes. I have a self-signed kernel module and the key is enrolled with mokutil. I can see the key when I perform a mokutil --list-enrolled. But when I try to load the module with modprobe, I'm getting:

modprobe: ERROR: could not insert '***': Operation not permitted

'dmesg' output is:

PKCS#7 signature not signed with a trusted key

'keyctl list %:.builtin_trusted_keys' gives me:

1 key in keyring:
892539136: ---lswrv 0 0 asymmetric: Fedora kernel signing key: 6f4b0dfe2ebeeac4fb22935af6b2fffa759129af

which is way too few... I haven't checked with SELinux permissive mode. But I will shortly...
Seems like SELinux is not the culprit. Any other idea why the certificates show up in mokutil, in dmesg but NOT in the keyring?
The same symptoms are caused by something different on Fedora 29. See https://bugzilla.redhat.com/show_bug.cgi?id=1701096.