Description of problem:
SELinux is preventing systemd-modules from 'getattr' accesses on the file /run/modprobe.d/initramfsblacklist.conf.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that systemd-modules should be allowed getattr access on the initramfsblacklist.conf file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'systemd-modules' --raw | audit2allow -M my-systemdmodules
# semodule -X 300 -i my-systemdmodules.pp

Additional Information:
Source Context                system_u:system_r:systemd_modules_load_t:s0
Target Context                system_u:object_r:var_run_t:s0
Target Objects                /run/modprobe.d/initramfsblacklist.conf [ file ]
Source                        systemd-modules
Source Path                   systemd-modules
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-40.24-1.fc40.noarch
Local Policy RPM              selinux-policy-targeted-40.24-1.fc40.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 6.9.9-200.fc40.x86_64 #1 SMP PREEMPT_DYNAMIC Thu Jul 11 19:29:01 UTC 2024 x86_64
Alert Count                   1
First Seen                    2024-07-19 21:37:03 CEST
Last Seen                     2024-07-19 21:37:03 CEST
Local ID                      46e972e8-9adb-4f5e-b1a9-5973340f8041

Raw Audit Messages
type=AVC msg=audit(1721417823.458:352): avc: denied { getattr } for pid=17974 comm="systemd-modules" path="/run/modprobe.d/initramfsblacklist.conf" dev="tmpfs" ino=81 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0

Hash: systemd-modules,systemd_modules_load_t,var_run_t,file,getattr

Version-Release number of selected component:
selinux-policy-targeted-40.24-1.fc40.noarch

Additional info:
reporter:       libreport-2.17.15
kernel:         6.9.9-200.fc40.x86_64
package:        selinux-policy-targeted-40.24-1.fc40.noarch
component:      selinux-policy
hashmarkername: setroubleshoot
reason:         SELinux is preventing systemd-modules from 'getattr' accesses on the file /run/modprobe.d/initramfsblacklist.conf.
type:           libreport
component:      selinux-policy
Created attachment 2040022
File: description

Created attachment 2040023
File: os_info
Hello, Do you happen to know which service created the initramfsblacklist.conf file?
*** Bug 2298924 has been marked as a duplicate of this bug. ***
*** Bug 2298947 has been marked as a duplicate of this bug. ***
(In reply to Zdenek Pytela from comment #3)
> Hello,
>
> Do you happen to know which service created the initramfsblacklist.conf file?

Hello, unfortunately I don't know who creates the file - I am using the default setup of the operating system.
Hello, finally found it by the content of the file - it's created by the Nvidia native driver:

$ cat /run/modprobe.d/initramfsblacklist.conf
blacklist nouveau
Can you try

semanage fcontext -a -t modules_conf_t "/run/modprobe\.d(/.*)?"

and reboot?
Tried, rebooted and it's now not blocked anymore:

$ date; uptime; journalctl | grep initramfsblacklist.conf | grep "čec 23"
Út 23. července 2024, 11:25:04 CEST
 11:25:04 up 10 min,  4 users,  load average: 0,97, 1,05, 0,69
čec 23 06:35:47 anee-pt0 kernel: audit: type=1400 audit(1721709347.812:4): avc: denied { getattr } for pid=1960 comm="systemd-modules" path="/run/modprobe.d/initramfsblacklist.conf" dev="tmpfs" ino=152 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0
čec 23 06:35:47 anee-pt0 kernel: audit: type=1400 audit(1721709347.813:5): avc: denied { read } for pid=1960 comm="systemd-modules" name="initramfsblacklist.conf" dev="tmpfs" ino=152 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0
čec 23 06:35:47 anee-pt0 audit[1960]: AVC avc: denied { getattr } for pid=1960 comm="systemd-modules" path="/run/modprobe.d/initramfsblacklist.conf" dev="tmpfs" ino=152 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0
čec 23 06:35:47 anee-pt0 audit[1960]: AVC avc: denied { read } for pid=1960 comm="systemd-modules" name="initramfsblacklist.conf" dev="tmpfs" ino=152 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0
čec 23 06:40:51 anee-pt0 kernel: audit: type=1400 audit(1721709651.660:4): avc: denied { getattr } for pid=1712 comm="systemd-modules" path="/run/modprobe.d/initramfsblacklist.conf" dev="tmpfs" ino=152 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0
čec 23 06:40:51 anee-pt0 kernel: audit: type=1400 audit(1721709651.660:5): avc: denied { read } for pid=1712 comm="systemd-modules" name="initramfsblacklist.conf" dev="tmpfs" ino=152 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0
čec 23 06:40:51 anee-pt0 audit[1712]: AVC avc: denied { getattr } for pid=1712 comm="systemd-modules" path="/run/modprobe.d/initramfsblacklist.conf" dev="tmpfs" ino=152 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0
čec 23 06:40:51 anee-pt0 audit[1712]: AVC avc: denied { read } for pid=1712 comm="systemd-modules" name="initramfsblacklist.conf" dev="tmpfs" ino=152 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0
čec 23 06:42:04 anee-pt0 kernel: audit: type=1400 audit(1721709724.954:4): avc: denied { getattr } for pid=1602 comm="systemd-modules" path="/run/modprobe.d/initramfsblacklist.conf" dev="tmpfs" ino=152 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0
čec 23 06:42:04 anee-pt0 kernel: audit: type=1400 audit(1721709724.955:5): avc: denied { read } for pid=1602 comm="systemd-modules" name="initramfsblacklist.conf" dev="tmpfs" ino=152 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0
čec 23 06:42:04 anee-pt0 audit[1602]: AVC avc: denied { getattr } for pid=1602 comm="systemd-modules" path="/run/modprobe.d/initramfsblacklist.conf" dev="tmpfs" ino=152 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0
čec 23 06:42:04 anee-pt0 audit[1602]: AVC avc: denied { read } for pid=1602 comm="systemd-modules" name="initramfsblacklist.conf" dev="tmpfs" ino=152 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0
Thank you.

You can remove the entry once the PR is backported to F40:

semanage fcontext -d -t modules_conf_t "/run/modprobe\.d(/.*)?"
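As an added example (not from this report or the selinux-policy project): a small Python parser for AVC records in the shape quoted above. It groups denials by the (source domain, target type, class, permission) tuple that setroubleshoot hashes on, and flags targets whose observed type differs from what the caller expects for their path, which is how the var_run_t label on a file under /run/modprobe.d points to a file-context fix (as in this bug) rather than a new allow rule. The sample log lines and the expected-type map are constructed.

```python
import re
from collections import Counter

# Constructed sample in the shape of the journal AVC records quoted above (not live output); the last line is noise the parser must skip.
SAMPLE_LOG = """\
čec 23 06:35:47 anee-pt0 audit[1960]: AVC avc: denied { getattr } for pid=1960 comm="systemd-modules" path="/run/modprobe.d/initramfsblacklist.conf" dev="tmpfs" ino=152 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0
čec 23 06:35:47 anee-pt0 audit[1960]: AVC avc: denied { read } for pid=1960 comm="systemd-modules" name="initramfsblacklist.conf" dev="tmpfs" ino=152 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0
čec 23 06:40:51 anee-pt0 audit[1712]: AVC avc: denied { getattr } for pid=1712 comm="systemd-modules" path="/run/modprobe.d/initramfsblacklist.conf" dev="tmpfs" ino=152 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0
čec 23 06:40:51 anee-pt0 systemd[1]: Started dbus-broker.service - D-Bus System Message Bus.
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?scontext=(?P<scontext>\S+)'
    r'\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?')
TARGET_RE = re.compile(r'\b(?:path|name)="([^"]*)"')  # path= is absolute, name= is a bare filename


def parse_avc(log_text):
    """Yield one dict per AVC denial line; anything else is skipped."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["perms"] = rec["perms"].split()             # "{ getattr read }" -> list
        rec["sdomain"] = rec["scontext"].split(":")[2]  # e.g. systemd_modules_load_t
        rec["ttype"] = rec["tcontext"].split(":")[2]    # e.g. var_run_t
        t = TARGET_RE.search(line)
        rec["target"] = t.group(1) if t else None
        yield rec


def summarize(log_text):
    """Count denials by (source domain, target type, class, permission), the
    tuple setroubleshoot hashes on and the one a policy author reasons about."""
    counts = Counter()
    for rec in parse_avc(log_text):
        for perm in rec["perms"]:
            counts[(rec["sdomain"], rec["ttype"], rec["tclass"], perm)] += 1
    return counts


def mislabeled_targets(log_text, expected_types):
    """Return {path: (observed, expected)} for denied targets whose label disagrees
    with expected_types ({path prefix: type}, an assumed map supplied by the caller):
    a hit means the fix is a file context (relabel), not an allow rule. Bare names are skipped."""
    bad = {}
    for rec in parse_avc(log_text):
        target = rec["target"] or ""
        for prefix, want in expected_types.items():
            if target.startswith(prefix) and rec["ttype"] != want:
                bad[target] = (rec["ttype"], want)
    return bad
```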
FEDORA-2024-f6d12d5c36 (selinux-policy-40.26-1.fc40) has been submitted as an update to Fedora 40. https://bodhi.fedoraproject.org/updates/FEDORA-2024-f6d12d5c36
FEDORA-2024-f6d12d5c36 has been pushed to the Fedora 40 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-f6d12d5c36`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-f6d12d5c36

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2024-f6d12d5c36 (selinux-policy-40.26-1.fc40) has been pushed to the Fedora 40 stable repository. If problem still persists, please make note of it in this bug report.