Description of problem:
During early boot:
Aug 20 09:11:14 localhost.localdomain systemd: Successfully loaded SELinux policy in 544.018ms.
Aug 20 09:11:14 localhost.localdomain systemd: Failed to insert module 'ip_tables': Operation not permitted
Aug 20 09:11:14 localhost.localdomain systemd: Relabelled /dev, /run and /sys/fs/cgroup in 49.266ms.
Aug 20 09:11:14 localhost.localdomain systemd: systemd 239 running in system mode. (+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN2 -IDN +PCRE2 default-hierarchy=legacy)
Version-Release number of selected component (if applicable):
Every boot on this VM.
No error messages on successful and normal boot.
This looks like some kind of a race condition, but I'm not able to pinpoint the exact cause. It's definitely caused by either selinux not yet being in a proper state or a wrongly labelled file system.
We call several selinux initializing functions first and then we call kmod_setup(), which tries to insert the module and fails. I don't see any problem with the call sequence. @lvrabec, could you please check if we do everything correctly?
This problem can be worked around by putting selinux to permissive or simply modprobing the module after boot. Also, there are no avcs. At least I can't see any when using ausearch -m avc, which is further indicative of selinux being in an improper state.
This actually looks like a duplicate of #1743758, which contains a fix for selinux-policy. I'll keep this one open for now.
You meant BZ#1644805, right?
We have this issue covered here:
Some fixes still need to be added to RHEL-8.2, but the workaround is easy:
# cat extra.cil
( allow init_t init_t ( capability ( sys_module )))
# semodule -i extra.cil
This could be closed; it's a selinux-policy issue.
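As an added triage helper (not part of the bug report or of systemd/selinux-policy), the script below runs over journal lines like the ones quoted in the description and separates the symptom discussed here from a plain missing-module error: a `Failed to insert module` line that reports `Operation not permitted` and appears after systemd has already loaded the SELinux policy points at a missing allow rule (such as `init_t` lacking the `sys_module` capability, which the CIL workaround above grants), whereas `No such file or directory` would mean the module itself is absent. The sample journal is constructed from the lines in the report; the regexes, the `Finding` type and the `cil_workaround` helper are this example's own.

```python
"""Triage helper: classify systemd 'Failed to insert module' errors under SELinux."""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample, copied from the journal lines quoted in the report
# (the long systemd feature list is abbreviated).
SAMPLE_JOURNAL = """\
Aug 20 09:11:14 localhost.localdomain systemd: Successfully loaded SELinux policy in 544.018ms.
Aug 20 09:11:14 localhost.localdomain systemd: Failed to insert module 'ip_tables': Operation not permitted
Aug 20 09:11:14 localhost.localdomain systemd: Relabelled /dev, /run and /sys/fs/cgroup in 49.266ms.
Aug 20 09:11:14 localhost.localdomain systemd: systemd 239 running in system mode. (+PAM +AUDIT +SELINUX ...)
"""

POLICY_LOADED = re.compile(r"systemd: Successfully loaded SELinux policy")
INSERT_FAILED = re.compile(
    r"systemd: Failed to insert module '(?P<module>[^']+)': (?P<err>.+)$"
)


@dataclass
class Finding:
    module: str
    error: str
    after_policy_load: bool  # True if SELinux policy was already active


def find_module_failures(journal: str) -> List[Finding]:
    """Return one Finding per 'Failed to insert module' line.

    Lines are scanned in order; once systemd reports that the SELinux policy
    was loaded, later failures are marked as happening under that policy.
    """
    policy_loaded = False
    findings: List[Finding] = []
    for line in journal.splitlines():
        if POLICY_LOADED.search(line):
            policy_loaded = True
            continue
        m = INSERT_FAILED.search(line)
        if m:
            findings.append(Finding(m.group("module"), m.group("err"), policy_loaded))
    return findings


def likely_selinux_denial(f: Finding) -> bool:
    """EPERM after policy load is the signature from the report: the kernel
    refused init_t the sys_module capability. ENOENT ('No such file or
    directory') would instead mean the module is missing from /lib/modules."""
    return f.after_policy_load and f.error == "Operation not permitted"


def cil_workaround(source_type: str = "init_t") -> str:
    """The CIL allow rule from the report, parameterised on the domain, so the
    same text can be written to extra.cil and installed with 'semodule -i'."""
    return f"( allow {source_type} {source_type} ( capability ( sys_module )))\n"


if __name__ == "__main__":
    for f in find_module_failures(SAMPLE_JOURNAL):
        verdict = "SELinux denial likely" if likely_selinux_denial(f) else "not SELinux"
        print(f"{f.module}: {f.error} -> {verdict}")
    print(cil_workaround(), end="")
```

When the verdict is "SELinux denial likely" but `ausearch -m avc` shows nothing, as in the report, the denial may be covered by a dontaudit rule; `semodule -DB` rebuilds the policy with dontaudit rules disabled so the AVC becomes visible, and `semodule -B` restores the default afterwards.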
Yes, I meant #1644805, sorry. Thank you!