Bug 1743758 - Failed to insert module 'ip_tables': Operation not permitted
Summary: Failed to insert module 'ip_tables': Operation not permitted
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: systemd
Version: 8.0
Hardware: x86_64
OS: Linux
Target Milestone: rc
: 8.0
Assignee: systemd-maint
QA Contact: Frantisek Sumsal
Depends On:
Reported: 2019-08-20 15:49 UTC by Orion Poplawski
Modified: 2019-09-05 07:01 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2019-09-05 07:01:55 UTC
Type: Bug
Target Upstream Version:


Description Orion Poplawski 2019-08-20 15:49:44 UTC
Description of problem:

During early boot:

Aug 20 09:11:14 localhost.localdomain systemd[1]: Successfully loaded SELinux policy in 544.018ms.
Aug 20 09:11:14 localhost.localdomain systemd[1]: Failed to insert module 'ip_tables': Operation not permitted
Aug 20 09:11:14 localhost.localdomain systemd[1]: Relabelled /dev, /run and /sys/fs/cgroup in 49.266ms.
Aug 20 09:11:14 localhost.localdomain systemd[1]: systemd 239 running in system mode. (+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN2 -IDN +PCRE2 default-hierarchy=legacy)

Version-Release number of selected component (if applicable):

How reproducible:
Every boot on this VM.

Expected results:
No error messages on successful and normal boot.

Comment 1 Jan Synacek 2019-09-04 09:43:43 UTC
This looks like some kind of race condition, but I'm not able to pinpoint the exact cause. It's definitely caused by selinux either not being in a proper state yet, or a wrongly labelled file system.


We call several selinux initializing functions first and then we call kmod_setup(), which tries to insert the module and fails. I don't see any problem with the call sequence. @lvrabec, could you please check if we do everything correctly?

This problem can be worked around by putting selinux into permissive mode or simply modprobing the module after boot. Also, there are no AVCs. At least I can't see any when using ausearch -m avc, which is further indicative of selinux being in an improper state.

Comment 2 Jan Synacek 2019-09-04 13:53:41 UTC
This actually looks like a duplicate of #1743758, which contains a fix for selinux-policy. I'll keep this one open for now.

Comment 3 Milos Malik 2019-09-04 14:19:08 UTC
You meant BZ#1644805, right?

Comment 4 Lukas Vrabec 2019-09-04 15:47:09 UTC
Hi Jan,

We have this issue covered here:

Some fixes still need to be added to RHEL-8.2 but the workaround is easy:

# cat extra.cil
( allow init_t init_t ( capability ( sys_module )))
# semodule -i extra.cil

This could be closed, it's a selinux-policy issue.

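The pattern the thread describes (PID 1 gets EPERM from the kernel right after it has loaded the SELinux policy, with no AVC recorded) can be picked out of a journal before anyone decides to install the CIL workaround from comment 4. The script below is an added example, not code from the bug report, from systemd or from selinux-policy. It scans journal text for systemd's "Failed to insert module" message, records whether the SELinux policy had already been loaded when the failure happened, and distinguishes the permission denial reported here from an ordinary missing module. The sample journal is constructed: the first three lines are copied from the report, the fourth (module 'nosuchmod', ENOENT) is invented to show the classifier telling the two cases apart. The regexes match systemd's message text as quoted in the report and are an assumption beyond that.

```python
"""Detect the early-boot 'Failed to insert module' symptom from this report.

Added example, not code from the bug report, systemd or selinux-policy.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: three lines copied from the report plus one invented
# ENOENT failure so the classifier has a non-SELinux case to reject.
SAMPLE_JOURNAL = """\
Aug 20 09:11:14 localhost.localdomain systemd[1]: Successfully loaded SELinux policy in 544.018ms.
Aug 20 09:11:14 localhost.localdomain systemd[1]: Failed to insert module 'ip_tables': Operation not permitted
Aug 20 09:11:14 localhost.localdomain systemd[1]: Relabelled /dev, /run and /sys/fs/cgroup in 49.266ms.
Aug 20 09:11:14 localhost.localdomain systemd[1]: Failed to insert module 'nosuchmod': No such file or directory
"""

# Message shapes assumed from the journal lines quoted in the report.
POLICY_LOADED = re.compile(r"systemd\[1\]: Successfully loaded SELinux policy")
MODULE_FAILED = re.compile(
    r"systemd\[1\]: Failed to insert module '(?P<module>[^']+)': (?P<error>.+)$"
)


@dataclass
class ModuleFailure:
    module: str
    error: str
    after_policy_load: bool  # had PID 1 already loaded the SELinux policy?

    @property
    def looks_like_selinux_denial(self) -> bool:
        # EPERM from init_module() once the policy is active is what the
        # report shows; ENOENT and friends mean a missing module, not policy.
        return self.after_policy_load and self.error == "Operation not permitted"


def scan_journal(text: str) -> List[ModuleFailure]:
    """Walk journal lines in order and collect module-insertion failures."""
    policy_loaded = False
    failures: List[ModuleFailure] = []
    for line in text.splitlines():
        if POLICY_LOADED.search(line):
            policy_loaded = True
            continue
        m = MODULE_FAILED.search(line)
        if m:
            failures.append(ModuleFailure(m["module"], m["error"], policy_loaded))
    return failures


def cil_workaround(source: str = "init_t", target: str = "init_t",
                   cap: str = "sys_module") -> str:
    """The allow rule from comment 4 as a CIL module body (install with semodule -i)."""
    return f"(allow {source} {target} (capability ({cap})))"


def suggest(text: str) -> Optional[str]:
    """Return the CIL rule if the journal shows the reported pattern, else None."""
    if any(f.looks_like_selinux_denial for f in scan_journal(text)):
        return cil_workaround()
    return None


if __name__ == "__main__":
    for f in scan_journal(SAMPLE_JOURNAL):
        print(f)
    print(suggest(SAMPLE_JOURNAL))
```

On a live RHEL 8 host feed it `journalctl -b 0 _PID=1` and, before installing anything, confirm the rule is really absent with `sesearch -A -s init_t -t init_t -c capability -p sys_module`; an empty result matches comment 4's diagnosis. The CIL text the script emits is the same rule as in comment 4 (CIL ignores the extra spacing there), and once the fixed selinux-policy is installed the extra module can be dropped again with `semodule -r extra`.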

Comment 5 Jan Synacek 2019-09-05 07:01:55 UTC
Yes, I meant #1644805, sorry. Thank you!
