
Bug 2056521

Summary: Critical mounts cannot be performed when "secure_mode_insmod" is enabled
Product: Red Hat Enterprise Linux 8
Reporter: Renaud Métrich <rmetrich>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED MIGRATED
QA Contact: Milos Malik <mmalik>
Severity: high
Priority: high
Version: 8.5
CC: lvrabec, mmalik
Target Milestone: rc
Keywords: MigratedToJIRA, Triaged
Target Release: 8.10
Flags: pm-rhel: mirror+
Hardware: All
OS: Linux
Last Closed: 2023-08-17 12:44:24 UTC
Type: Bug

Description Renaud Métrich 2022-02-21 12:54:31 UTC
Description of problem:

When "secure_mode_insmod" is enabled, which is the case when applying the ANSSI SCAP profile "xccdf_org.ssgproject.content_profile_anssi_bp28_high", the system fails to boot and enters Emergency mode due to systemd not being able to mount "/boot/efi" ("vfat") and/or "/var/lib/nfs/rpc_pipefs" ("rpc_pipefs"):
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
# journalctl -b -u boot-efi.mount -u var-lib-nfs-rpc_pipefs.moun
-- Logs begin at Mon 2022-02-21 13:37:20 CET, end at Mon 2022-02-21 13:39:16 CET. --
Feb 21 13:37:22 vm-uefi8 systemd[1]: Mounting /boot/efi...
Feb 21 13:37:22 vm-uefi8 mount[784]: mount: /boot/efi: unknown filesystem type 'vfat'.
Feb 21 13:37:22 vm-uefi8 systemd[1]: boot-efi.mount: Mount process exited, code=exited status=32
Feb 21 13:37:22 vm-uefi8 systemd[1]: boot-efi.mount: Failed with result 'exit-code'.
Feb 21 13:37:22 vm-uefi8 systemd[1]: Failed to mount /boot/efi.
Feb 21 13:37:22 vm-uefi8 systemd[1]: Mounting RPC Pipe File System...
Feb 21 13:37:22 vm-uefi8 mount[849]: mount: /var/lib/nfs/rpc_pipefs: unknown filesystem type 'rpc_pipefs'.
Feb 21 13:37:22 vm-uefi8 systemd[1]: var-lib-nfs-rpc_pipefs.mount: Mount process exited, code=exited status=32
Feb 21 13:37:22 vm-uefi8 systemd[1]: var-lib-nfs-rpc_pipefs.mount: Failed with result 'exit-code'.
Feb 21 13:37:22 vm-uefi8 systemd[1]: Failed to mount RPC Pipe File System.
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

The reason for this is that there is no rule to allow **kmod_t** to load modules:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< ----
# sesearch -A -c capability -p sys_module | grep -v "secure_mode_insmod"
allow iscsid_t iscsid_t:capability { dac_read_search ipc_lock net_admin net_raw sys_admin sys_module sys_nice sys_resource };
allow minissdpd_t minissdpd_t:capability { net_admin sys_module };
allow openvswitch_t openvswitch_t:capability { audit_write chown dac_override dac_read_search fowner ipc_lock kill mknod net_admin net_broadcast setgid setpcap setuid sys_module sys_nice sys_rawio sys_resource };
allow vmware_host_t vmware_host_t:capability { audit_control audit_write chown dac_override dac_read_search fowner fsetid ipc_lock ipc_owner kill lease linux_immutable mknod net_admin net_bind_service net_broadcast net_raw setfcap setgid setpcap setuid sys_admin sys_boot sys_chroot sys_module sys_nice sys_pacct sys_ptrace sys_rawio sys_resource sys_time sys_tty_config };
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< ----

IMHO we need an exception for **kmod_t** to load modules, something like this:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< ----
# cat kmod_load_modules.cil 
(allow kmod_t self (capability (sys_module)))
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< ----

If such a solution is not acceptable, then we need some other mechanism to be implemented, in particular for "/boot/efi", which is critical on UEFI systems.


Version-Release number of selected component (if applicable):

selinux-policy on RHEL8

How reproducible:

Always

Steps to Reproduce:
1. On UEFI, nothing special to do; on Legacy, install the "nfs-utils" package

  # yum -y install nfs-utils

2. Enable "secure_mode_insmod"

  # setsebool -P secure_mode_insmod on

3. Reboot

Actual results:

Emergency prompt (on UEFI due to /boot/efi)
Failure starting var-lib-nfs-rpc_pipefs.mount

Expected results:

No issue

Additional info:

A workaround is to have the modules preloaded in the initramfs, by creating a "/etc/modules-load.d/" configuration file and rebuilding all initramfs files:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< ----
# echo "vfat" > /etc/modules-load.d/vfat.conf
# dracut -f --regenerate-all
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< ----
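
As an added example (not part of the bug report or of selinux-policy): a small shell script that, before secure_mode_insmod is switched on, lists the fstab filesystem types the running kernel has not registered yet and turns them into the modules-load.d list the workaround above needs. The fstab and /proc/filesystems contents are constructed samples, and the mapping of rpc_pipefs to the sunrpc module is an assumption beyond what the report states.

```shell
#!/bin/sh
# Added example, not from the bug report: before enabling secure_mode_insmod,
# find the fstab filesystem types the running kernel has not registered yet.
# Those are exactly the mounts that fail with "unknown filesystem type" once
# kmod_t is denied sys_module, so they must be preloaded via modules-load.d.
# Inputs are file paths so the functions work on /etc/fstab and
# /proc/filesystems as well as on the constructed samples below.

# Distinct filesystem types of active fstab entries (swap has no module).
fstab_fs_types() {
    awk '!/^[[:space:]]*(#|$)/ && $3 != "swap" { print $3 }' "$1" | sort -u
}

# fstab types absent from /proc/filesystems (last field is the type name,
# for both "nodev<TAB>proc" and "<TAB>xfs" lines).
unregistered_fs_types() {
    awk 'NR == FNR { known[$NF] = 1; next }
         !/^[[:space:]]*(#|$)/ && $3 != "swap" && !($3 in known) { print $3 }' \
        "$2" "$1" | sort -u
}

# Map a filesystem type to the module that registers it. Assumption: the
# name matches except for rpc_pipefs, which lives in the sunrpc module.
module_for_fs_type() {
    case "$1" in
        rpc_pipefs) echo sunrpc ;;
        *)          echo "$1" ;;
    esac
}

# Contents for /etc/modules-load.d/<name>.conf; follow with
# "dracut -f --regenerate-all" so the initramfs carries the modules.
modules_load_conf() {
    unregistered_fs_types "$1" "$2" | while read -r fstype; do
        module_for_fs_type "$fstype"
    done | sort -u
}

# Constructed samples standing in for /etc/fstab and /proc/filesystems.
fstab_sample=$(mktemp); procfs_sample=$(mktemp)
trap 'rm -f "$fstab_sample" "$procfs_sample"' EXIT
cat > "$fstab_sample" <<'EOF'
UUID=0000-0000  /boot/efi                vfat        umask=0077  0 2
/dev/vda1       /                        xfs         defaults    0 0
sunrpc          /var/lib/nfs/rpc_pipefs  rpc_pipefs  defaults    0 0
EOF
printf 'nodev\tproc\nnodev\tsysfs\n\txfs\n' > "$procfs_sample"

modules_load_conf "$fstab_sample" "$procfs_sample"   # prints sunrpc, then vfat
```

On a real host, point the two functions at /etc/fstab and /proc/filesystems and write the output to a file under /etc/modules-load.d/ before regenerating the initramfs.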

Comment 1 Renaud Métrich 2022-02-21 13:04:45 UTC
ANSSI recommendations (in French): https://www.ssi.gouv.fr/uploads/2016/01/linux_configuration-fr-v1.2.pdf