Bug 1717405 - firewalld fails to start in F30 (Silverblue): Failed to load nf_conntrack module
Summary: firewalld fails to start in F30 (Silverblue): Failed to load nf_conntrack module
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 30
Hardware: Unspecified
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Duplicates: 1700739
Depends On:
Blocks:
Reported: 2019-06-05 12:29 UTC by Gerard Ryan
Modified: 2019-11-17 01:13 UTC
CC List: 8 users

Fixed In Version: selinux-policy-3.14.3-52.fc30
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-11-17 01:13:16 UTC
Type: Bug
Embargoed:


Description Gerard Ryan 2019-06-05 12:29:24 UTC
Description of problem:
I see the same error output in Fedora 30 Silverblue as was seen in Rawhide in https://bugzilla.redhat.com/show_bug.cgi?id=1686654

$ sudo systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: inactive (dead) since Wed 2019-06-05 13:07:00 IST; 13min ago
     Docs: man:firewalld(1)
  Process: 4271 ExecStart=/usr/sbin/firewalld --nofork --nopid $FIREWALLD_ARGS (code=exited, status=0/SUCCESS)
 Main PID: 4271 (code=exited, status=0/SUCCESS)

Jun 05 13:07:00 silverblue-t580 systemd[1]: Starting firewalld - dynamic firewall daemon...
Jun 05 13:07:00 silverblue-t580 systemd[1]: Started firewalld - dynamic firewall daemon.
Jun 05 13:07:00 silverblue-t580 firewalld[4271]: WARNING: modinfo command is missing, not able to detect conntrack helpers.
Jun 05 13:07:00 silverblue-t580 firewalld[4271]: ERROR: Failed to load nf_conntrack module:
Jun 05 13:07:00 silverblue-t580 firewalld[4271]: ERROR: Raising SystemExit in run_server
Jun 05 13:07:00 silverblue-t580 systemd[1]: firewalld.service: Succeeded.

nf_conntrack appears to be loaded:

$ modinfo nf_conntrack
filename:       /lib/modules/5.1.6-300.fc30.x86_64/kernel/net/netfilter/nf_conntrack.ko.xz
license:        GPL
alias:          nf_conntrack-10
alias:          nf_conntrack-2
alias:          ip_conntrack
depends:        nf_defrag_ipv6,libcrc32c,nf_defrag_ipv4
retpoline:      Y
intree:         Y
name:           nf_conntrack
vermagic:       5.1.6-300.fc30.x86_64 SMP mod_unload 
sig_id:         PKCS#7
signer:         
sig_key:        
sig_hashalgo:   md4
signature:      30:82:02:DA:06:09:2A:86:48:86:F7:0D:01:07:02:A0:82:02:CB:30:
		82:02:C7:02:01:01:31:0D:30:0B:06:09:60:86:48:01:65:03:04:02:
		01:30:0B:06:09:2A:86:48:86:F7:0D:01:07:01:31:82:02:A4:30:82:
		02:A0:02:01:01:30:7B:30:63:31:0F:30:0D:06:03:55:04:0A:0C:06:
		46:65:64:6F:72:61:31:22:30:20:06:03:55:04:03:0C:19:46:65:64:
		6F:72:61:20:6B:65:72:6E:65:6C:20:73:69:67:6E:69:6E:67:20:6B:
		65:79:31:2C:30:2A:06:09:2A:86:48:86:F7:0D:01:09:01:16:1D:6B:
		65:72:6E:65:6C:2D:74:65:61:6D:40:66:65:64:6F:72:61:70:72:6F:
		6A:65:63:74:2E:6F:72:67:02:14:34:EB:76:A2:DC:9F:EE:7D:FD:68:
		35:74:72:18:60:46:CF:77:F2:BE:30:0B:06:09:60:86:48:01:65:03:
		04:02:01:30:0D:06:09:2A:86:48:86:F7:0D:01:01:01:05:00:04:82:
		02:00:1E:78:25:1C:C0:87:0C:1F:5F:8C:23:94:BB:BB:A3:DB:F3:88:
		35:E0:C0:F0:91:69:C0:C0:8B:78:F7:C2:4A:CA:1D:A2:76:93:E0:2C:
		D8:BF:D0:C8:D2:E2:FE:E5:48:85:9E:12:A3:99:2B:83:A6:2D:D3:EB:
		CC:3E:05:DD:03:FA:2A:C4:9C:13:06:5A:91:DD:A0:62:FB:9F:F9:C6:
		E0:F3:F8:4F:D0:10:F1:E2:F8:7D:14:36:53:65:4A:AD:5F:D2:B4:17:
		66:6E:01:3E:05:65:42:00:5B:A1:D9:97:0F:A2:63:B5:DD:AA:DA:12:
		3D:2D:D8:48:E7:DD:D6:EF:9B:2E:76:26:53:FF:65:0B:54:B7:CE:D9:
		8F:6A:32:75:B8:D7:6F:E2:D0:BA:EE:99:BF:2D:B2:C9:C9:01:5C:63:
		1E:E5:D0:2D:2B:4C:A2:F1:B9:0D:F2:37:0A:DF:28:97:81:61:22:50:
		A5:1F:3E:E8:FF:02:B9:C4:BE:DE:BC:71:00:1D:06:98:32:F6:AE:59:
		21:09:A2:36:41:59:AC:A6:D5:6C:26:26:FD:6A:F2:56:C3:31:BE:39:
		06:23:40:DD:FF:F4:13:73:43:B0:EB:F3:A5:29:DD:78:99:E6:5F:64:
		45:8E:40:35:DC:D1:18:07:66:A1:F1:30:E8:B4:F0:B3:E6:59:39:1B:
		EE:33:99:F4:04:E6:CB:BA:67:87:B7:98:54:D1:79:1E:E0:06:26:61:
		12:B2:D8:B7:2D:3D:EE:46:DA:71:47:12:28:1D:94:0A:4C:9D:47:17:
		D5:3E:01:2D:2D:0E:84:E1:67:65:78:17:C7:FE:BE:19:0F:C0:E5:EF:
		93:BA:47:E8:A1:F2:AB:E9:0C:3B:0C:12:B2:5F:4F:5B:CD:30:08:B0:
		BF:A6:CB:2E:6E:40:ED:D3:B2:44:C7:9B:44:01:BF:50:26:2B:A3:16:
		AC:E7:44:17:F1:F4:B1:77:3F:DD:5C:FA:43:6E:2A:DA:21:55:D9:70:
		98:2C:EF:5C:B8:36:A0:F7:F2:5C:41:37:1C:EE:F8:CA:75:F3:F5:1F:
		85:F3:6A:61:29:1E:D3:0A:5D:84:60:B6:D0:86:93:22:90:E5:78:8B:
		49:BA:FB:4B:00:EE:D0:60:2E:2E:E2:8F:A0:DD:E6:32:BA:CC:AC:BB:
		00:96:43:69:21:26:46:72:6A:A5:97:30:39:49:0A:A2:D4:6F:D2:5F:
		60:E1:EF:95:D1:BD:59:8E:79:7C:10:1E:BB:13:4A:4E:F0:14:F6:F8:
		C9:C1:B5:14:5B:BF:FA:D6:AD:A4:74:AF:EE:5D:92:8E:EA:05:55:22:
		DE:EB:6A:82:BB:BC:41:BD:92:2E:D1:71:E1:A3
parm:           tstamp:Enable connection tracking flow timestamping. (bool)
parm:           acct:Enable connection tracking flow accounting. (bool)
parm:           nf_conntrack_helper:Enable automatic conntrack helper assignment (default 0) (bool)
parm:           expect_hashsize:uint
parm:           enable_hooks:Always enable conntrack hooks (bool)


Version-Release number of selected component (if applicable):

Here are some relevant package versions:
$ rpm -q firewalld selinux-policy
firewalld-0.6.3-2.fc30.noarch
selinux-policy-3.14.3-37.fc30.noarch

How reproducible:
If I could figure out how to unreproduce it, I would...so 100% :-)

Expected results:
firewalld doesn't experience this error and can start

Actual results:
firewalld hits this error and can't start

Comment 1 Gerard Ryan 2019-06-05 12:35:40 UTC
Additionally, I see the following output in the `dmesg` output after a fresh boot. I have no idea if it's related, but I guess it could be, given that the modinfo command comes from the kmod package, and the previous rawhide issue was fixed with an update to the selinux-policy package:

Unable to fix SELinux security context of /run/tmpfiles.d/kmod.conf: Invalid argument

Comment 2 Gerard Ryan 2019-06-05 14:41:59 UTC
Also, I tried upgrading to the newer selinux-policy package that's in updates-testing to see if that would help, but hit this:

https://bodhi.fedoraproject.org/updates/FEDORA-2019-3f20be4d52#comment-955601

Comment 3 Eric Garver 2019-06-06 14:37:08 UTC
(In reply to Gerard Ryan from comment #2)
> Also, I tried upgrading to the newer selinux-policy package that's in
> updates-testing to see if that would help, but hit this:
> 
> https://bodhi.fedoraproject.org/updates/FEDORA-2019-3f20be4d52#comment-955601

Can you do "setenforce 0" then restart firewalld to verify it's SELinux blocking? Don't forget to re-enable when done. :)

Comment 4 Gerard Ryan 2019-06-07 09:01:40 UTC
(In reply to Eric Garver from comment #3)
> (In reply to Gerard Ryan from comment #2)
> > Also, I tried upgrading to the newer selinux-policy package that's in
> > updates-testing to see if that would help, but hit this:
> > 
> > https://bodhi.fedoraproject.org/updates/FEDORA-2019-3f20be4d52#comment-955601
> 
> Can you do "setenforce 0" then restart firewalld to verify it's SELinux
> blocking? Don't forget to re-enable when done. :)

Thanks for the tip, it does indeed seem to be selinux blocking it. When I "setenforce 0" and restart firewalld it works fine. If I then "setenforce 1" again and try to restart firewalld, I get the original error here.

Given that, I've changed the component here to be selinux-policy.

Does the error message I pasted above look relevant ("Unable to fix SELinux security context of /run/tmpfiles.d/kmod.conf: Invalid argument")? Would deleting that file and rebooting be a good idea or bad idea (asking in case it could break my ability to boot or something)?

Comment 5 Eric Garver 2019-06-07 16:08:29 UTC
(In reply to Gerard Ryan from comment #4)
[..] 
> Does the error message I pasted above look relevant ("Unable to fix SELinux
> security context of /run/tmpfiles.d/kmod.conf: Invalid argument")? Would
> deleting that file and rebooting be a good idea or bad idea (asking in case
> it could break my ability to boot or something)?

I don't know. Maybe someone from selinux can answer.

Comment 6 Gerard Ryan 2019-06-11 22:52:59 UTC
(In reply to Eric Garver from comment #5)
> (In reply to Gerard Ryan from comment #4)
> [..] 
> > Does the error message I pasted above look relevant ("Unable to fix SELinux
> > security context of /run/tmpfiles.d/kmod.conf: Invalid argument")? Would
> > deleting that file and rebooting be a good idea or bad idea (asking in case
> > it could break my ability to boot or something)?
> 
> I don't know. Maybe someone from selinux can answer.

Out of desperation I tried deleting the file to see if it would help anything. Unfortunately this had no effect, as it seems to just get created on each boot if it's not there.

Comment 7 Lukas Vrabec 2019-06-12 15:09:18 UTC
Hi All,

Could anybody try the broken scenario and then attach output of: 

# ausearch -m AVC -m USER_AVC -m SELINUX_ERR -ts recent 

Thanks,
Lukas.

Comment 8 Gerard Ryan 2019-06-12 21:23:23 UTC
(In reply to Lukas Vrabec from comment #7)
> Hi All,
> 
> Could anybody try the broken scenario and then attach output of: 
> 
> # ausearch -m AVC -m USER_AVC -m SELINUX_ERR -ts recent 
> 
> Thanks,
> Lukas.

Hi Lukas, here it is from my system:

$ sudo ausearch -m AVC -m USER_AVC -m SELINUX_ERR -ts recent
----
time->Wed Jun 12 22:18:28 2019
type=AVC msg=audit(1560374308.332:350): avc:  denied  { unlink } for  pid=11453 comm="systemd-user-ru" name=".containerenv" dev="tmpfs" ino=154249 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:container_file_t:s0:c16,c632 tclass=file permissive=0
----
time->Wed Jun 12 22:18:28 2019
type=AVC msg=audit(1560374308.332:351): avc:  denied  { unlink } for  pid=11453 comm="systemd-user-ru" name="hostname" dev="tmpfs" ino=154248 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:container_file_t:s0:c16,c632 tclass=file permissive=0
----
time->Wed Jun 12 22:18:28 2019
type=AVC msg=audit(1560374308.332:352): avc:  denied  { unlink } for  pid=11453 comm="systemd-user-ru" name="hosts" dev="tmpfs" ino=154247 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:container_file_t:s0 tclass=file permissive=0
----
time->Wed Jun 12 22:18:28 2019
type=AVC msg=audit(1560374308.332:353): avc:  denied  { unlink } for  pid=11453 comm="systemd-user-ru" name="resolv.conf" dev="tmpfs" ino=154242 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:container_file_t:s0 tclass=file permissive=0
----
time->Wed Jun 12 22:19:10 2019
type=AVC msg=audit(1560374350.146:135): avc:  denied  { execute } for  pid=1100 comm="iptables" name="kmod" dev="dm-1" ino=2498764 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 trawcon=system_u:object_r:kmod_exec_t:s0
----
time->Wed Jun 12 22:19:10 2019
type=AVC msg=audit(1560374350.151:136): avc:  denied  { execute } for  pid=1103 comm="ip6tables" name="kmod" dev="dm-1" ino=2498764 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 trawcon=system_u:object_r:kmod_exec_t:s0
----
time->Wed Jun 12 22:19:10 2019
type=AVC msg=audit(1560374350.164:137): avc:  denied  { execute } for  pid=1107 comm="ebtables" name="kmod" dev="dm-1" ino=2498764 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 trawcon=system_u:object_r:kmod_exec_t:s0
----
time->Wed Jun 12 22:19:10 2019
type=AVC msg=audit(1560374350.186:138): avc:  denied  { execute } for  pid=1114 comm="iptables" name="kmod" dev="dm-1" ino=2498764 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 trawcon=system_u:object_r:kmod_exec_t:s0
----
time->Wed Jun 12 22:19:10 2019
type=AVC msg=audit(1560374350.189:139): avc:  denied  { execute } for  pid=1118 comm="ip6tables" name="kmod" dev="dm-1" ino=2498764 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 trawcon=system_u:object_r:kmod_exec_t:s0
----
time->Wed Jun 12 22:19:10 2019
type=AVC msg=audit(1560374350.190:140): avc:  denied  { getattr } for  pid=1021 comm="firewalld" path="/usr/bin/kmod" dev="dm-1" ino=2498764 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 trawcon=system_u:object_r:kmod_exec_t:s0
----
time->Wed Jun 12 22:19:10 2019
type=AVC msg=audit(1560374350.341:149): avc:  denied  { execute } for  pid=1156 comm="firewalld" name="kmod" dev="dm-1" ino=2498764 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 trawcon=system_u:object_r:kmod_exec_t:s0
----
time->Wed Jun 12 22:19:10 2019
type=AVC msg=audit(1560374350.565:153): avc:  denied  { execute } for  pid=1166 comm="iptables" name="kmod" dev="dm-1" ino=2498764 scontext=system_u:system_r:iptables_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 trawcon=system_u:object_r:kmod_exec_t:s0
----
time->Wed Jun 12 22:19:10 2019
type=AVC msg=audit(1560374350.571:154): avc:  denied  { execute } for  pid=1168 comm="ip6tables" name="kmod" dev="dm-1" ino=2498764 scontext=system_u:system_r:iptables_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 trawcon=system_u:object_r:kmod_exec_t:s0
----
time->Wed Jun 12 22:19:10 2019
type=AVC msg=audit(1560374350.598:155): avc:  denied  { execute } for  pid=1173 comm="iptables" name="kmod" dev="dm-1" ino=2498764 scontext=system_u:system_r:iptables_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 trawcon=system_u:object_r:kmod_exec_t:s0
----
time->Wed Jun 12 22:19:10 2019
type=AVC msg=audit(1560374350.606:156): avc:  denied  { execute } for  pid=1175 comm="ip6tables" name="kmod" dev="dm-1" ino=2498764 scontext=system_u:system_r:iptables_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 trawcon=system_u:object_r:kmod_exec_t:s0
----
time->Wed Jun 12 22:19:24 2019
type=AVC msg=audit(1560374364.350:195): avc:  denied  { read } for  pid=1372 comm="geoclue" name="modules" dev="dm-1" ino=664098 scontext=system_u:system_r:geoclue_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0 trawcon=system_u:object_r:pkcs11_modules_conf_t:s0
----
time->Wed Jun 12 22:19:30 2019
type=AVC msg=audit(1560374370.168:200): avc:  denied  { execute } for  pid=2669 comm="(m-helper)" name="flatpak-system-helper" dev="dm-1" ino=2494466 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 trawcon=system_u:object_r:flatpak_helper_exec_t:s0


Thanks,
Gerard.

Comment 9 Lukas Vrabec 2019-06-14 20:51:47 UTC
Hi, 

Could you please run following command: 

# restorecon -Rv /

It should fix labels on your system. Feel free to re-open this ticket if the issue occurs again.

Thanks,
Lukas.

Comment 10 Gerard Ryan 2019-06-15 20:59:50 UTC
Hi Lukas,

I ran that command, and it relabeled a bunch of stuff, but unfortunately that has had a very bad effect: I now can't boot my system.

I should have known something was not right after the command completed: The power-off button disappeared from the settings menu in the dropdown from the top right of GNOME Shell, and `systemctl reboot` was also failing with some error message. Eventually I just ran `sudo reboot -f`.

Could this unintended behaviour be because I'm using Silverblue instead of Workstation? Was that `restorecon` command maybe a bad idea on Silverblue? I actually thought that problems like this were solved by Silverblue, since it would allow me to boot into the previous working ostree, but that also doesn't boot now.

In case it's of any use, the boot message that it seems to be getting stuck on (in both my latest and previous ostree options), is:

"Starting Manage, Install and Generate Color Profiles...ice...kbd_backlight...6853...."

Any ideas?

I'll try to get attention of some Silverblue folks on this, otherwise I'll likely have to reinstall tomorrow since this is my work machine and I'll need it for Monday.

Thanks,
Gerard.

Comment 11 Gerard Ryan 2019-06-16 12:24:22 UTC
Thanks to the suggestion by refi64, I can successfully boot by adding `enforcing=0` to the kernel boot command:

https://discussion.fedoraproject.org/t/i-cant-boot-into-either-my-latest-or-previous-ostree-after-running-restorecon/1906

As mentioned there, I'm also able to `sudo setenforce 1` after booting and everything works so far for that session. Unfortunately the underlying issue is still there, since if I reboot I hit the same issue again if I don't continue to add `enforcing=0`.

Now that I don't need to reinstall in a hurry, any suggestions on how to proceed from here?

Thanks,
Gerard.

Comment 12 Gerard Ryan 2019-06-17 08:35:18 UTC
Here are some "avc: denied" messages that I found in the boot logs with `journalctl -b | grep "avc" -B3`, in case it's useful:

Jun 16 13:15:10 silverblue-t580 crond[1105]: (CRON) INFO (running with inotify support)
Jun 16 13:15:10 silverblue-t580 systemd[1119]: pam_unix(systemd-user:session): session opened for user gryan by (uid=0)
Jun 16 13:15:10 silverblue-t580 audit[1119]: USER_START pid=1119 uid=0 auid=1000 ses=1 subj=system_u:system_r:kernel_t:s0 msg='op=PAM:session_open grantors=pam_selinux,pam_selinux,pam_loginuid,pam_keyinit,pam_limits,pam_systemd,pam_unix acct="gryan" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Jun 16 13:15:10 silverblue-t580 audit[1119]: AVC avc:  denied  { transition } for  pid=1119 comm="(systemd)" path="/usr/lib/systemd/systemd" dev="dm-1" ino=2511540 scontext=system_u:system_r:kernel_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=1
Jun 16 13:15:10 silverblue-t580 audit[1119]: AVC avc:  denied  { entrypoint } for  pid=1119 comm="(systemd)" path="/usr/lib/systemd/systemd" dev="dm-1" ino=2511540 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file permissive=1
--
Jun 16 13:15:13 silverblue-t580 audit[1466]: USER_ROLE_CHANGE pid=1466 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:kernel_t:s0 msg='pam: default-context=unconfined_u:unconfined_r:unconfined_t:s0 selected-context=unconfined_u:unconfined_r:unconfined_t:s0 exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Jun 16 13:15:13 silverblue-t580 audit[1466]: USER_START pid=1466 uid=0 auid=42 ses=2 subj=system_u:system_r:kernel_t:s0 msg='op=PAM:session_open grantors=pam_selinux,pam_selinux,pam_loginuid,pam_keyinit,pam_limits,pam_systemd,pam_unix acct="gdm" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Jun 16 13:15:13 silverblue-t580 systemd[1466]: pam_unix(systemd-user:session): session opened for user gdm by (uid=0)
Jun 16 13:15:13 silverblue-t580 audit[1466]: AVC avc:  denied  { transition } for  pid=1466 comm="(systemd)" path="/usr/lib/systemd/systemd" dev="dm-1" ino=2511540 scontext=system_u:system_r:kernel_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=1
Jun 16 13:15:13 silverblue-t580 audit[1466]: AVC avc:  denied  { entrypoint } for  pid=1466 comm="(systemd)" path="/usr/lib/systemd/systemd" dev="dm-1" ino=2511540 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file permissive=1
--
Jun 16 13:15:20 silverblue-t580 systemd-logind[1044]: New session 3 of user gryan.
Jun 16 13:15:20 silverblue-t580 systemd[1]: Started Session 3 of user gryan.
Jun 16 13:15:20 silverblue-t580 gdm-password][1834]: pam_unix(gdm-password:session): session opened for user gryan by (uid=0)
Jun 16 13:15:20 silverblue-t580 audit[1854]: AVC avc:  denied  { transition } for  pid=1854 comm="gdm-session-wor" path="/usr/bin/gnome-keyring-daemon" dev="dm-1" ino=2647907 scontext=system_u:system_r:kernel_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=1
Jun 16 13:15:20 silverblue-t580 audit[1854]: AVC avc:  denied  { entrypoint } for  pid=1854 comm="gdm-session-wor" path="/usr/bin/gnome-keyring-daemon" dev="dm-1" ino=2647907 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file permissive=1

Comment 13 Fedora Update System 2019-06-18 11:32:06 UTC
FEDORA-2019-9da5c35472 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-9da5c35472

Comment 14 Fedora Update System 2019-06-19 01:02:58 UTC
selinux-policy-3.14.3-39.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-9da5c35472

Comment 15 Fedora Update System 2019-06-20 02:54:49 UTC
selinux-policy-3.14.3-39.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.

Comment 16 Gerard Ryan 2019-06-20 18:40:06 UTC
Hi Lukas,

Unfortunately that package update doesn't fix this issue on Fedora Silverblue. Sorry I wasn't able to mention that before it went out and caused the issue to be closed. I was having issues because of the restorecon command (it seems to currently be a bad idea to run that on Silverblue: https://discussion.fedoraproject.org/t/i-cant-boot-into-either-my-latest-or-previous-ostree-after-running-restorecon/1906/5?u=grdryn).

I've got the new version of selinux-policy:

$ rpm -q selinux-policy
selinux-policy-3.14.3-39.fc30.noarch

I've manually loaded the nf_conntrack mod:

$ lsmod | egrep -v  "\s0" | grep nf_conntrack
nf_conntrack_netbios_ns    16384  1
nf_conntrack_broadcast    16384  1 nf_conntrack_netbios_ns
nf_conntrack          147456  5 xt_conntrack,nf_nat,nf_conntrack_netbios_ns,nf_conntrack_broadcast,xt_CT
nf_defrag_ipv6         24576  1 nf_conntrack
nf_defrag_ipv4         16384  1 nf_conntrack
libcrc32c              16384  2 nf_conntrack,nf_nat

With selinux enforcing, I get the same issue as before:

$ sudo setenforce 1
$ sudo systemctl reload-or-restart firewalld
$ systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Thu 2019-06-20 19:36:38 IST; 5s ago
     Docs: man:firewalld(1)
  Process: 8184 ExecStart=/usr/sbin/firewalld --nofork --nopid $FIREWALLD_ARGS (code=exited, status=1/FAILURE)
  Process: 8464 ExecReload=/bin/kill -HUP $MAINPID (code=exited, status=0/SUCCESS)
 Main PID: 8184 (code=exited, status=1/FAILURE)

Jun 20 19:28:24 silverblue-t580 systemd[1]: Starting firewalld - dynamic firewall daemon...
Jun 20 19:28:24 silverblue-t580 systemd[1]: Started firewalld - dynamic firewall daemon.
Jun 20 19:36:38 silverblue-t580 systemd[1]: Reloading firewalld - dynamic firewall daemon.
Jun 20 19:36:38 silverblue-t580 systemd[1]: Reloaded firewalld - dynamic firewall daemon.
Jun 20 19:36:38 silverblue-t580 firewalld[8184]: WARNING: modinfo command is missing, not able to detect conntrack helpers.
Jun 20 19:36:38 silverblue-t580 firewalld[8184]: ERROR: Failed to load nf_conntrack module:
Jun 20 19:36:38 silverblue-t580 systemd[1]: firewalld.service: Main process exited, code=exited, status=1/FAILURE
Jun 20 19:36:38 silverblue-t580 systemd[1]: firewalld.service: Failed with result 'exit-code'.

With selinux not enforcing, it starts fine:

$ sudo setenforce 0
$ sudo systemctl reload-or-restart firewalld
$ systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Thu 2019-06-20 19:38:10 IST; 2s ago
     Docs: man:firewalld(1)
 Main PID: 8577 (firewalld)
    Tasks: 2 (limit: 4915)
   Memory: 23.7M
   CGroup: /system.slice/firewalld.service
           └─8577 /usr/bin/python3 /usr/sbin/firewalld --nofork --nopid

Jun 20 19:38:09 silverblue-t580 systemd[1]: Starting firewalld - dynamic firewall daemon...
Jun 20 19:38:10 silverblue-t580 systemd[1]: Started firewalld - dynamic firewall daemon.

Comment 17 Lukas Vrabec 2019-07-25 13:09:05 UTC
Hi, 

I pushed some changes to the selinux-policy sources:

commit f3ce58c3685d95ceb969b841d74af08217adf29e
Author: Lukas Vrabec <lvrabec>
Date:   Mon Jul 22 19:27:58 2019 +0200

    Allow systemd to load kernel modules during boot process.
    
    The netfilter kernel modules can't be autoloaded and must be loaded
    explicitly. Since nspawn and systemd-networkd make use of iptables via
    libiptc we load the module from systemd during the boot. This is a
    commit which introduced the change:
    https://github.com/systemd/systemd/commit/1d3087978a8ee23107cb64aa55ca97aefe9531e2

Fix should be included in the next selinux-policy build. 

Thanks,
Lukas.

Comment 18 Lukas Vrabec 2019-07-25 14:03:19 UTC
*** Bug 1700739 has been marked as a duplicate of this bug. ***

Comment 19 Gerard Ryan 2019-09-04 18:50:16 UTC
Hi Lukas,

Sorry it took me so long to get back to this -- the workaround of just doing things manually after every boot has been sufficient for me up to now.

I've currently got selinux-policy-3.14.3-43.fc30.noarch, which if I'm reading the build changelog correctly, should contain the fix. I still experience this though, and the other issue around libvirtd failing because of the missing "tun" module.

I'm not sure if any of it is useful for you, but in the "journalctl -b" output, I see the following:

Sep 04 19:33:21 localhost systemd[1]: Switching root.
Sep 04 19:33:21 localhost systemd-journald[307]: Journal stopped
Sep 04 19:33:22 silverblue-t580 systemd-journald[307]: Received SIGTERM from PID 1 (systemd).
Sep 04 19:33:22 silverblue-t580 kernel: printk: systemd: 28 output lines suppressed due to ratelimiting
Sep 04 19:33:22 silverblue-t580 kernel: SELinux:  policy capability network_peer_controls=1
Sep 04 19:33:22 silverblue-t580 kernel: SELinux:  policy capability open_perms=1
Sep 04 19:33:22 silverblue-t580 kernel: SELinux:  policy capability extended_socket_class=1
Sep 04 19:33:22 silverblue-t580 kernel: SELinux:  policy capability always_check_network=0
Sep 04 19:33:22 silverblue-t580 kernel: SELinux:  policy capability cgroup_seclabel=1
Sep 04 19:33:22 silverblue-t580 kernel: SELinux:  policy capability nnp_nosuid_transition=1
Sep 04 19:33:22 silverblue-t580 systemd[1]: Successfully loaded SELinux policy in 423.861ms.
Sep 04 19:33:22 silverblue-t580 systemd[1]: Unable to fix SELinux security context of /run/tmpfiles.d/kmod.conf: Invalid argument
Sep 04 19:33:22 silverblue-t580 systemd[1]: Relabelled /dev, /dev/shm, /run, /sys/fs/cgroup in 20.181ms.
Sep 04 19:33:22 silverblue-t580 systemd[1]: systemd v241-10.git511646b.fc30 running in system mode. (+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN2 -IDN +PCRE2 default-hierarchy=hybrid)

then some sections like the following, where it says that it failed to load kernel modules:

Sep 04 19:33:23 silverblue-t580 systemd-modules-load[910]: Failed to lookup module alias 'fuse': Function not implemented
Sep 04 19:33:23 silverblue-t580 audit[910]: AVC avc:  denied  { read } for  pid=910 comm="systemd-modules" name="modules.softdep" dev="dm-1" ino=2405526 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file permissive=0
Sep 04 19:33:23 silverblue-t580 audit[910]: AVC avc:  denied  { read } for  pid=910 comm="systemd-modules" name="modules.dep.bin" dev="dm-1" ino=2510507 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file permissive=0
Sep 04 19:33:23 silverblue-t580 audit[910]: AVC avc:  denied  { read } for  pid=910 comm="systemd-modules" name="modules.dep.bin" dev="dm-1" ino=2510507 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file permissive=0
Sep 04 19:33:23 silverblue-t580 audit[910]: AVC avc:  denied  { read } for  pid=910 comm="systemd-modules" name="modules.alias.bin" dev="dm-1" ino=2393984 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file permissive=0
Sep 04 19:33:23 silverblue-t580 systemd[1]: systemd-modules-load.service: Main process exited, code=exited, status=1/FAILURE
Sep 04 19:33:23 silverblue-t580 systemd[1]: systemd-modules-load.service: Failed with result 'exit-code'.
Sep 04 19:33:23 silverblue-t580 systemd[1]: Failed to start Load Kernel Modules.

then later:

Sep 04 19:33:26 silverblue-t580 audit[1137]: AVC avc:  denied  { execute } for  pid=1137 comm="firewalld" name="kmod" dev="dm-1" ino=2359947 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 trawcon="system_u:object_r:kmod_exec_t:s0"
Sep 04 19:33:26 silverblue-t580 firewalld[1003]: ERROR: Failed to load nf_conntrack module:
Sep 04 19:33:26 silverblue-t580 firewalld[1003]: ERROR: Raising SystemExit in run_server

Comment 20 Lukas Vrabec 2019-09-06 15:54:02 UTC
Hi Gerard,

I tried the latest version of selinux-policy for Fedora 30. 

# rpm -q selinux-policy                                        
selinux-policy-3.14.3-45.fc30.noarch

# audit2allow -i avc    


#============= systemd_modules_load_t ==============

#!!!! This avc is allowed in the current policy
allow systemd_modules_load_t modules_dep_t:file read;


Related to your latest SELinux denial: 


Sep 04 19:33:26 silverblue-t580 audit[1137]: AVC avc:  denied  { execute } for  pid=1137 comm="firewalld" name="kmod" dev="dm-1" ino=2359947 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 trawcon="system_u:object_r:kmod_exec_t:s0"

This looks like a mislabeled system.

Please run:
# restorecon -Rv / 

To fix labels on your system. 

Thanks,
Lukas
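
The denials quoted in this thread come in three shapes that are easy to conflate, and the thread shows the cost of guessing: the blanket `restorecon -Rv /` suggested in comment 9 left the system unbootable under enforcing mode (comment 10), and the denials in comment 12 then show /usr/lib/systemd/systemd carrying default_t. What separates the shapes is the `trawcon=` field. The kernel prints it when the label stored in the file's xattr could not be mapped to a valid context under the loaded policy, so the object is enforced as unlabeled_t even though the disk says kmod_exec_t. That case is neither an audit2allow candidate (both contexts must be valid for a rule to help) nor a relabel candidate (restorecon writes the same label back); the thing to verify first is that the policy actually loaded in the kernel defines the type and matches the installed selinux-policy package. The script below is an added example, not code from this report, from selinux-policy or from any Fedora tool. It parses AVC records in both `ausearch` and `journalctl` form and sorts them into those buckets. The sample records are constructed from the lines quoted in comments 8, 12 and 19, and the `seinfo -t` step that would supply the set of defined types to `types_missing_from_policy` is assumed rather than run.

```python
"""Triage SELinux AVC denials by comparing the enforced target context with
the raw on-disk label.

Added example for this thread; not code from the bug report, from
selinux-policy or from any Fedora tool.  SAMPLE_AUDIT is constructed from the
record format seen in comments 8, 12 and 19.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Body of an AVC record, whether it came from `ausearch` or from `journalctl`.
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
# key=value pairs; values are quoted ("/usr/bin/kmod") or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample: one record per situation the thread shows, plus a
# non-AVC line that the parser must skip.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1560374350.146:135): avc:  denied  { execute } for  pid=1100 comm="iptables" name="kmod" dev="dm-1" ino=2498764 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 trawcon=system_u:object_r:kmod_exec_t:s0
type=AVC msg=audit(1560374350.190:140): avc:  denied  { getattr } for  pid=1021 comm="firewalld" path="/usr/bin/kmod" dev="dm-1" ino=2498764 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 trawcon=system_u:object_r:kmod_exec_t:s0
Sep 04 19:33:23 host audit[910]: AVC avc:  denied  { read } for  pid=910 comm="systemd-modules" name="modules.dep.bin" dev="dm-1" ino=2510507 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:object_r:modules_dep_t:s0 tclass=file permissive=0
Jun 16 13:15:10 host audit[1119]: AVC avc:  denied  { entrypoint } for  pid=1119 comm="(systemd)" path="/usr/lib/systemd/systemd" dev="dm-1" ino=2511540 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file permissive=1
Sep 04 19:33:26 host audit[1137]: AVC avc:  denied  { execute } for  pid=1137 comm="firewalld" name="kmod" dev="dm-1" ino=2359947 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 trawcon="system_u:object_r:kmod_exec_t:s0"
Sep 04 19:33:26 host firewalld[1003]: ERROR: Failed to load nf_conntrack module:
"""


@dataclass
class Denial:
    perms: List[str]
    comm: str
    target: str              # name= or path= of the object
    scontext: str
    tcontext: str
    trawcon: Optional[str]   # raw xattr label; present only when it failed to map
    tclass: str
    permissive: bool


def type_of(context: str) -> str:
    """user:role:type[:range] -> type (range may itself contain ':')."""
    return context.split(':')[2]


def parse_avc(line: str) -> Optional[Denial]:
    """Return a Denial for an AVC record, or None for any other line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    f = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return Denial(
        perms=m.group('perms').split(),
        comm=f.get('comm', ''),
        target=f.get('name') or f.get('path', ''),
        scontext=f['scontext'],
        tcontext=f['tcontext'],
        trawcon=f.get('trawcon'),
        tclass=f['tclass'],
        permissive=f.get('permissive') == '1',
    )


RAW_LABEL_REJECTED = 'raw-label-rejected-by-loaded-policy'
GENERIC_LABEL = 'generic-or-missing-label'
POLICY_GAP = 'policy-gap'


def classify(d: Denial) -> str:
    ttype = type_of(d.tcontext)
    if ttype == 'unlabeled_t' and d.trawcon:
        # The xattr holds a context the loaded policy would not validate.
        # Neither audit2allow nor restorecon fixes this: confirm the loaded
        # policy defines the raw type (seinfo -t <type>) and that it matches
        # the installed selinux-policy package before touching labels.
        return RAW_LABEL_REJECTED
    if ttype in ('unlabeled_t', 'default_t'):
        # No specific file_contexts rule matched, or the file was never
        # labelled; compare with `matchpathcon <path>` and relabel that path.
        return GENERIC_LABEL
    # Both contexts are valid types: a rule is missing, which is the
    # audit2allow / policy-bug case (e.g. comment 19's modules_dep_t read).
    return POLICY_GAP


Entry = Tuple[str, str, str, Optional[str]]   # target, source type, perms, raw type


def triage(audit_text: str) -> Dict[str, Set[Entry]]:
    """Group every AVC record in audit_text by the classification above."""
    report: Dict[str, Set[Entry]] = {}
    for line in audit_text.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        raw = type_of(d.trawcon) if d.trawcon else None
        entry = (d.target, type_of(d.scontext), ' '.join(d.perms), raw)
        report.setdefault(classify(d), set()).add(entry)
    return report


def raw_types_to_verify(report: Dict[str, Set[Entry]]) -> Set[str]:
    """Types named in rejected raw labels; check each with `seinfo -t <type>`."""
    return {e[3] for e in report.get(RAW_LABEL_REJECTED, set()) if e[3]}


def types_missing_from_policy(report: Dict[str, Set[Entry]], defined_types: Set[str]) -> Set[str]:
    """defined_types is the set of type names in the loaded policy; obtaining it
    (for example by parsing `seinfo -t`) is assumed and not done here."""
    return raw_types_to_verify(report) - defined_types


if __name__ == '__main__':
    for category, entries in triage(SAMPLE_AUDIT).items():
        print(category)
        for target, stype, perms, raw in sorted(entries, key=str):
            print(f'  {stype:28} {perms:10} {target}' + (f'  (raw label: {raw})' if raw else ''))
```

`triage()` takes the text of `ausearch -m AVC -m USER_AVC -ts recent` or of `journalctl -b | grep 'avc:'` unchanged. The order of action the buckets imply is the reverse of what happened in this thread: settle the raw-label bucket first, because on the ostree system here a blanket relabel with a policy that did not validate the existing labels produced the default_t entrypoint denials of comment 12; only then act on the generic-label bucket per path, and send the policy-gap bucket to audit2allow or to a bug report.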

Comment 21 Gerard Ryan 2019-09-07 14:02:48 UTC
Hi Lukas,

Thanks for the reply. I apparently can't run `restorecon -Rv /` since I'm on a Silverblue system (see earlier comments in this bug for where that didn't go well).

Given that nobody else seems to see these problems that I do, I presume this is something specific to my system, is it?

I can try doing a clean install, but it'll be a while before I've got time to do that, since this is my work machine.

Thanks,
Gerard.

Comment 22 Fedora Update System 2019-10-23 07:00:29 UTC
FEDORA-2019-d68c9e27f8 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-d68c9e27f8

Comment 23 Fedora Update System 2019-10-25 19:34:03 UTC
selinux-policy-3.14.3-50.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-d68c9e27f8

Comment 24 Fedora Update System 2019-10-26 17:02:52 UTC
FEDORA-2019-f83217e2bf has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-f83217e2bf

Comment 25 Fedora Update System 2019-10-27 03:54:49 UTC
selinux-policy-3.14.3-51.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-f83217e2bf

Comment 26 Gerard Ryan 2019-10-27 22:24:04 UTC
I've moved on to F31 now, so I don't have the ability to check if the new update fixes this on F30. The good news is that on a fresh F31 Silverblue install with selinux-policy-3.14.4-37.fc31.noarch I don't see the issue.

Thanks!
Gerard.

Comment 27 Fedora Update System 2019-11-03 14:10:52 UTC
FEDORA-2019-70d80ad4bc has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-70d80ad4bc

Comment 28 Fedora Update System 2019-11-04 02:10:16 UTC
selinux-policy-3.14.3-52.fc30 has been pushed to the Fedora 30 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-70d80ad4bc

Comment 29 Fedora Update System 2019-11-17 01:13:16 UTC
selinux-policy-3.14.3-52.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.