I created an integrity device using integritysetup, and put the info in /etc/integritytab. A systemd-integritysetup@<name>.service was auto-generated, but failed on boot (and on restart attempts after boot). The issue is that the dm_integrity module wasn't loaded, either automatically or by a service. I put "dm-integrity" in /etc/modules-load.d/integrity.conf, and the device is opened on boot (as expected). I think the module should be loaded by the integritysetup service.
Fix is waiting in https://github.com/systemd/systemd/pull/25764
If possible, please test the PR. Thank you.
I tried that on top of systemd-251.9-587 (from Fedora 37 updates-testing), but it didn't work. Wouldn't it also need to add a Requires=modprobe?
Yeah, I forgot that. Now it has `Wants=` instead of `Requires=`. Could you try again? BTW, Lennart asks why the module is not loaded automatically. Could you show the relevant journal logs? Maybe booting with the systemd.log_level=debug kernel command line option provides more relevant logs.
https://github.com/systemd/systemd/pull/25764/
Created attachment 1933139: debug log of a boot where integrity service failed

I'm not sure why the systemd path isn't getting the module loaded. If I just run "integritysetup open --allow-discards /dev/vdb storage" after boot, it works (the dm-integrity module is loaded automatically). If I close the device and unload the module, "systemctl restart systemd-integritysetup" still fails. However the systemd service works, it's somehow not the same? I'm attaching a log with debug enabled.
Hmm... "/usr/lib/systemd/systemd-integritysetup attach storage /dev/vdb - allow-discards" (without the module pre-loaded) also works (module auto-loaded and device opened).
It's an SELinux thing I guess? When I set permissive mode AND disable dontaudit, I see this denial when I try to start the service:

type=AVC msg=audit(1671223759.214:266): avc: denied { module_request } for pid=1127 comm="systemd-integri" kmod="dm-integrity" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=1

I'm not sure if that's a case of systemd should do something different or SELinux should allow this - if it's SELinux, feel free to reassign over to selinux-policy.
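Added example (not code from the thread, systemd or selinux-policy): a small Python parser that picks module_request denials like the one quoted above out of audit log lines, so a defender can see which confined domain was refused which kernel module, and whether enforcing mode would have blocked it, before deciding whether a policy change is warranted. The log lines are constructed from the record in this comment plus one unrelated denial.

```python
import re
from dataclasses import dataclass
from typing import Iterator, Optional

# Header of an AVC record: timestamp, serial, verdict and the braced permission list.
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*avc:\s*"
    r"(?P<verdict>denied|granted)\s*\{\s*(?P<perms>[^}]*)\}\s*for\s*(?P<rest>.*)$"
)
# key=value pairs that follow "for"; values may be quoted (comm="...", kmod="...").
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

@dataclass
class ModuleRequestDenial:
    timestamp: float
    pid: int
    comm: str
    kmod: str
    source_type: str   # SELinux type of the requesting process, e.g. init_t
    target_type: str   # SELinux type of the target, e.g. kernel_t
    permissive: bool   # True means the denial was logged but not enforced

def _type_of(context: str) -> str:
    # system_u:system_r:init_t:s0 -> init_t
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context

def parse_avc(line: str) -> Optional[dict]:
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    fields.update(ts=float(m.group("ts")), verdict=m.group("verdict"),
                  perms=set(m.group("perms").split()))
    return fields

def module_request_denials(lines) -> Iterator[ModuleRequestDenial]:
    for line in lines:
        f = parse_avc(line)
        if not f or f["verdict"] != "denied" or "module_request" not in f["perms"]:
            continue
        if f.get("tclass") != "system" or "kmod" not in f:
            continue
        yield ModuleRequestDenial(
            timestamp=f["ts"], pid=int(f["pid"]), comm=f["comm"], kmod=f["kmod"],
            source_type=_type_of(f["scontext"]), target_type=_type_of(f["tcontext"]),
            permissive=f.get("permissive") == "1")

# Constructed sample: the denial quoted in the thread plus an unrelated file denial.
SAMPLE_LOG = """\
type=AVC msg=audit(1671223759.214:266): avc:  denied  { module_request } for  pid=1127 comm="systemd-integri" kmod="dm-integrity" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=1
type=AVC msg=audit(1671223760.001:267): avc:  denied  { read } for  pid=1200 comm="nginx" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
""".splitlines()

if __name__ == "__main__":
    for d in module_request_denials(SAMPLE_LOG):
        print(f"{d.comm} (pid {d.pid}, {d.source_type}) denied loading kmod={d.kmod} "
              f"via {d.target_type}; permissive={d.permissive}")
```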
The systemd upstream PR was "rejected" (the cleanup part was merged, but the patch that would work around the selinux denial was dropped). I'm unsetting "POST". Yeah, this should be fixed in the selinux policy.
Is there anything else needed to get the SELinux policy to allow systemd-integritysetup to get the dm-integrity module loaded? It's kind of useless otherwise.
This message is a reminder that Fedora Linux 37 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora Linux 37 on 2023-12-05. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a 'version' of '37'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, change the 'version' to a later Fedora Linux version. Note that the version field may be hidden. Click the "Show advanced fields" button if you do not see it. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora Linux 37 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora Linux, you are encouraged to change the 'version' to a later version prior to this bug being closed.
Still a problem in rawhide. Can we get the SELinux policy updated to allow systemd-integritysetup.service to work?
(In reply to Chris Adams from comment #11)
> Still a problem in rawhide. Can we get the SELinux policy updated to allow
> systemd-integritysetup.service to work?

It requires confining the service. Do you have any use case which could be used for testing?
To test, you need an unused block device. In a VM, I just attach an additional drive, making it /dev/vdb in the VM. Then you install the tool, create an integrity device, put it in the integritytab, and reboot.

dnf install integritysetup
integritysetup format /dev/vdb
echo itst /dev/vdb - - >> /etc/integritytab

On boot, systemctl will show the systemd-integritysetup service failed. Configure SELINUX=permissive and reboot and it works.
This bug appears to have been reported against 'rawhide' during the Fedora Linux 40 development cycle. Changing version to 40.
This message is a reminder that Fedora Linux 40 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora Linux 40 on 2025-05-13. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a 'version' of '40'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, change the 'version' to a later Fedora Linux version. Note that the version field may be hidden. Click the "Show advanced fields" button if you do not see it. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora Linux 40 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora Linux, you are encouraged to change the 'version' to a later version prior to this bug being closed.