This bug has been migrated to another issue tracking site. It has been closed here and may no longer be being monitored.

If you would like to get updates for this issue, or to participate in it, you may do so at Red Hat Issue Tracker.
Bug 2056521 - Critical mounts cannot be performed when "secure_mode_insmod" is enabled
Status: CLOSED MIGRATED
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: selinux-policy
Version: 8.5
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Target Release: 8.10
Assignee: Zdenek Pytela
QA Contact: Milos Malik
Reported: 2022-02-21 12:54 UTC by Renaud Métrich
Modified: 2023-08-17 12:44 UTC
Last Closed: 2023-08-17 12:44:24 UTC
Type: Bug

Links
System ID                              Private  Priority  Status  Summary  Last Updated
Red Hat Issue Tracker RHEL-1461        0        None      None    None     2023-08-17 12:44:24 UTC
Red Hat Issue Tracker RHELPLAN-112917  0        None      None    None     2022-02-21 13:02:01 UTC

Description Renaud Métrich 2022-02-21 12:54:31 UTC
Description of problem:

When "secure_mode_insmod" is enabled, which is the case when applying the ANSSI SCAP profile "xccdf_org.ssgproject.content_profile_anssi_bp28_high", the system fails to boot and enters Emergency mode due to systemd not being able to mount "/boot/efi" ("vfat") and/or "/var/lib/nfs/rpc_pipefs" ("rpc_pipefs"):
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
# journalctl -b -u boot-efi.mount -u var-lib-nfs-rpc_pipefs.moun
-- Logs begin at Mon 2022-02-21 13:37:20 CET, end at Mon 2022-02-21 13:39:16 CET. --
Feb 21 13:37:22 vm-uefi8 systemd[1]: Mounting /boot/efi...
Feb 21 13:37:22 vm-uefi8 mount[784]: mount: /boot/efi: unknown filesystem type 'vfat'.
Feb 21 13:37:22 vm-uefi8 systemd[1]: boot-efi.mount: Mount process exited, code=exited status=32
Feb 21 13:37:22 vm-uefi8 systemd[1]: boot-efi.mount: Failed with result 'exit-code'.
Feb 21 13:37:22 vm-uefi8 systemd[1]: Failed to mount /boot/efi.
Feb 21 13:37:22 vm-uefi8 systemd[1]: Mounting RPC Pipe File System...
Feb 21 13:37:22 vm-uefi8 mount[849]: mount: /var/lib/nfs/rpc_pipefs: unknown filesystem type 'rpc_pipefs'.
Feb 21 13:37:22 vm-uefi8 systemd[1]: var-lib-nfs-rpc_pipefs.mount: Mount process exited, code=exited status=32
Feb 21 13:37:22 vm-uefi8 systemd[1]: var-lib-nfs-rpc_pipefs.mount: Failed with result 'exit-code'.
Feb 21 13:37:22 vm-uefi8 systemd[1]: Failed to mount RPC Pipe File System.
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

The reason for this is that there is no rule allowing **kmod_t** to load modules:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< ----
# sesearch -A -c capability -p sys_module | grep -v "secure_mode_insmod"
allow iscsid_t iscsid_t:capability { dac_read_search ipc_lock net_admin net_raw sys_admin sys_module sys_nice sys_resource };
allow minissdpd_t minissdpd_t:capability { net_admin sys_module };
allow openvswitch_t openvswitch_t:capability { audit_write chown dac_override dac_read_search fowner ipc_lock kill mknod net_admin net_broadcast setgid setpcap setuid sys_module sys_nice sys_rawio sys_resource };
allow vmware_host_t vmware_host_t:capability { audit_control audit_write chown dac_override dac_read_search fowner fsetid ipc_lock ipc_owner kill lease linux_immutable mknod net_admin net_bind_service net_broadcast net_raw setfcap setgid setpcap setuid sys_admin sys_boot sys_chroot sys_module sys_nice sys_pacct sys_ptrace sys_rawio sys_resource sys_time sys_tty_config };
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< ----

IMHO we need an exception for **kmod_t** to load modules, something like this:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< ----
# cat kmod_load_modules.cil 
(allow kmod_t self (capability (sys_module)))
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< ----

If such a solution is not acceptable, then we need some other mechanism to be implemented, in particular for "/boot/efi", which is critical on UEFI systems.


Version-Release number of selected component (if applicable):

selinux-policy on RHEL8

How reproducible:

Always

Steps to Reproduce:
1. On UEFI, nothing special to do; on Legacy, install the "nfs-utils" package

  # yum -y install nfs-utils

2. Enable "secure_mode_insmod"

  # setsebool -P secure_mode_insmod on

3. Reboot

Actual results:

Emergency prompt (on UEFI due to /boot/efi)
Failure starting var-lib-nfs-rpc_pipefs.mount

Expected results:

No issue

Additional info:

A workaround is to have the modules preloaded in the initramfs, by creating a "/etc/modules-load.d/" configuration file and rebuilding all initramfs files:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< ----
# echo "vfat" > /etc/modules-load.d/vfat.conf
# dracut -f --regenerate-all
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< ----
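
An added preflight check (example code, not from the bug report or the selinux-policy project) that generalises the modules-load.d workaround above: it lists the fstab filesystem types whose driver is not yet registered in /proc/filesystems, which are exactly the ones mount(8) would need kmod to load, and maps them to the module to preload. The sample fstab, the sample /proc/filesystems and the rpc_pipefs-to-sunrpc mapping are assumptions.

```shell
# Added preflight check (not from the bug report or selinux-policy): list the
# filesystem types an fstab relies on that are not registered in
# /proc/filesystems. Those are the types mount(8) would ask kmod to load at
# boot, so they fail once secure_mode_insmod denies kmod_t sys_module.
# Defaults target the live host; the sample files below exercise it offline.

# Map a filesystem type to the module registering it; the names differ for
# some types (rpc_pipefs is provided by sunrpc). Assumed table, extend as needed.
module_for_fstype() {
    case "$1" in
        rpc_pipefs) echo sunrpc ;;
        *)          echo "$1" ;;
    esac
}

# Print, sorted and one per line, each fstab type (skipping comments, swap and
# "none") absent from /proc/filesystems. Args: fstab path, filesystems path.
unloadable_fstypes() {
    fstab="${1:-/etc/fstab}"; procfs="${2:-/proc/filesystems}"
    awk 'NF >= 3 && $1 !~ /^#/ && $3 != "swap" && $3 != "none" { print $3 }' "$fstab" |
        sort -u |
        while read -r fstype; do
            # /proc/filesystems lines are "nodev<TAB>name" or "<TAB>name"
            awk -v t="$fstype" '$NF == t { found = 1 } END { exit found ? 0 : 1 }' "$procfs" ||
                printf '%s\n' "$fstype"
        done
}

# Module list for a modules-load.d fragment: the report's
# "echo vfat > /etc/modules-load.d/vfat.conf" workaround for every missing
# type. Run "dracut -f --regenerate-all" afterwards so the initramfs has them.
modules_load_conf() {
    unloadable_fstypes "$@" | while read -r t; do module_for_fstype "$t"; done | sort -u
}

# Constructed sample inputs: an fstab like the reporter's UEFI host with
# nfs-utils installed, and a /proc/filesystems lacking vfat and rpc_pipefs.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/fstab" <<'EOF'
# /etc/fstab (constructed sample)
UUID=0000-0000         /boot/efi                vfat        umask=0077 0 2
/dev/mapper/rhel-root  /                        xfs         defaults   0 0
/dev/mapper/rhel-swap  none                     swap        defaults   0 0
sunrpc                 /var/lib/nfs/rpc_pipefs  rpc_pipefs  defaults   0 0
tmpfs                  /tmp                     tmpfs       defaults   0 0
EOF
printf 'nodev\tsysfs\nnodev\ttmpfs\nnodev\tproc\n\txfs\nnodev\tautofs\n' > "$SAMPLE_DIR/filesystems"

unloadable_fstypes "$SAMPLE_DIR/fstab" "$SAMPLE_DIR/filesystems"   # rpc_pipefs, vfat
```

On a live host, run `unloadable_fstypes` with no arguments before turning on `secure_mode_insmod` (for example via the ANSSI profile) and feed `modules_load_conf` output into a /etc/modules-load.d/ file.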

Comment 1 Renaud Métrich 2022-02-21 13:04:45 UTC
ANSSI recommendations (in French): https://www.ssi.gouv.fr/uploads/2016/01/linux_configuration-fr-v1.2.pdf

