Open dkhachyan opened 2 years ago
Thanks for the report. It looks like SELinux is blocking this, I'm not sure if it is on purpose or just a slip in the policy. Which FCOS version is this? The version string in your report is not really a valid version, so I can't go back and trace the actual policy package version.
Also, we are in the process of rebasing to F35, with our testing and next streams already switched.
Can you please check whether the F35 policy also blocks this? If so, we'll have to forward this report to the policy maintainer and, if they agree, get the fix in F35.
Overall, I'm unsure about this "insmod from container tmpfs" flow versus just placing the build artifacts somewhere under /usr/local/lib/modules and then letting the usual module loading machinery take care of it.
It may also work to chcon --reference=/usr/lib/modules drbd.ko
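Added example (not part of the thread or of any project's code): a triage helper that pulls module_load denials out of SELinux AVC records and shows which process type was refused access to which file type, which is the information the policy maintainer would need. The sample records and the types in them (spc_t, container_file_t, kmod_t, modules_object_t) are constructed for illustration and are not taken from this report.

```shell
#!/bin/sh
# Constructed sample AVC records; contexts, paths and ids are assumptions.
sample_avc() {
cat <<'EOF'
type=AVC msg=audit(1636000000.101:410): avc:  denied  { module_load } for  pid=2101 comm="insmod" path="/tmp/pkg/drbd.ko" dev="tmpfs" ino=77 scontext=system_u:system_r:spc_t:s0 tcontext=system_u:object_r:container_file_t:s0:c12,c34 tclass=system permissive=0
type=AVC msg=audit(1636000000.202:411): avc:  denied  { read } for  pid=2150 comm="cat" name="shadow" dev="vda4" ino=901 scontext=system_u:system_r:container_t:s0:c1,c2 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=AVC msg=audit(1636000000.303:412): avc:  granted  { module_load } for  pid=2203 comm="modprobe" path="/usr/lib/modules/x/loop.ko" dev="vda4" ino=55 scontext=system_u:system_r:kmod_t:s0 tcontext=system_u:object_r:modules_object_t:s0 tclass=system
EOF
}

# Read audit text on stdin; print one line per *denied* module_load check:
#   <comm> <path> <source type> -> <target type>
# The target type is the label of the .ko file, i.e. what a relabel
# (chcon --reference=...) would change.
module_load_denials() {
  awk '
    / avc: +denied / && /[{][^}]* module_load [^}]*[}]/ && / tclass=system( |$)/ {
      comm = path = src = tgt = "?"
      for (i = 1; i <= NF; i++) {
        eq = index($i, "=")
        if (eq == 0) continue            # not a key=value token
        key = substr($i, 1, eq - 1)
        val = substr($i, eq + 1)
        gsub(/"/, "", val)               # strip audit quoting
        if (key == "comm") comm = val
        else if (key == "path") path = val
        # Context is user:role:type:level; the type is field 3.
        else if (key == "scontext") { split(val, c, ":"); src = c[3] }
        else if (key == "tcontext") { split(val, c, ":"); tgt = c[3] }
      }
      printf "%s %s %s -> %s\n", comm, path, src, tgt
    }'
}

# Demo on the constructed records above.
sample_avc | module_load_denials
```

On a host, the same function can be fed `ausearch -m avc -ts boot` output or kernel messages from the journal. Comparing the reported target type with `ls -Z` on the module file before and after a relabel shows whether the relabel actually took effect.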
We did additional research:
34.20210808.3.0 - has problems with SELinux
34.20210919.3.0 - module injection works fine
Unfortunately we could not check F35 because it seems DRBD module does not support linux kernel 5.14.14
Copying or changing SELinux has no effect
Here's the list of everything that changed from 34.20210808.3.0 to 34.20210919.3.0:
$ rpm-ostree --repo=./ db diff 6b7e18634c32d15efd59b18c0fdc5c26d2e00dbd3afc16965509ba6f1c42c274 6334e11901fba7403600522286d817b520eeb15b66b341b392e0c08ed2576b74
ostree diff commit from: 6b7e18634c32d15efd59b18c0fdc5c26d2e00dbd3afc16965509ba6f1c42c274
ostree diff commit to: 6334e11901fba7403600522286d817b520eeb15b66b341b392e0c08ed2576b74
Upgraded:
audit-libs 3.0.3-1.fc34 -> 3.0.5-1.fc34
bind-libs 32:9.16.19-1.fc34 -> 32:9.16.20-3.fc34
bind-license 32:9.16.19-1.fc34 -> 32:9.16.20-3.fc34
bind-utils 32:9.16.19-1.fc34 -> 32:9.16.20-3.fc34
bsdtar 3.5.1-2.fc34 -> 3.5.2-2.fc34
btrfs-progs 5.13.1-1.fc34 -> 5.14-2.fc34
c-ares 1.17.1-2.fc34 -> 1.17.2-1.fc34
container-selinux 2:2.164.1-1.git563ba3f.fc34 -> 2:2.167.0-1.fc34
containerd 1.5.3-1.fc34 -> 1.5.5-1.fc34
containernetworking-plugins 1.0.0-0.2.rc1.fc34 -> 1.0.0-1.fc34
coreos-installer 0.10.0-1.fc34 -> 0.10.0-2.fc34
coreos-installer-bootinfra 0.10.0-1.fc34 -> 0.10.0-2.fc34
cracklib 2.9.6-25.fc34 -> 2.9.6-27.fc34
crun 0.20.1-1.fc34 -> 1.0-1.fc34
dnsmasq 2.85-3.fc34 -> 2.86-1.fc34
efi-filesystem 5-2.fc34 -> 5-4.fc34
ethtool 2:5.13-1.fc34 -> 2:5.14-1.fc34
fedora-release-common 34-1 -> 34-37
fedora-release-coreos 34-1 -> 34-37
fedora-release-identity-coreos 34-1 -> 34-37
fuse-overlayfs 1.7.0-1.fc34 -> 1.7.1-2.fc34
glib2 2.68.3-1.fc34 -> 2.68.4-1.fc34
json-glib 1.6.2-1.fc34 -> 1.6.6-1.fc34
kernel 5.13.7-200.fc34 -> 5.13.16-200.fc34
kernel-core 5.13.7-200.fc34 -> 5.13.16-200.fc34
kernel-modules 5.13.7-200.fc34 -> 5.13.16-200.fc34
krb5-libs 1.19.1-14.fc34 -> 1.19.2-2.fc34
libarchive 3.5.1-2.fc34 -> 3.5.2-2.fc34
libipa_hbac 2.5.2-1.fc34 -> 2.5.2-2.fc34
libmodulemd 2.13.0-1.fc34 -> 2.13.0-2.fc34
libpwquality 1.4.4-2.fc34 -> 1.4.4-6.fc34
libsmbclient 2:4.14.6-0.fc34 -> 2:4.14.7-0.fc34
libsss_certmap 2.5.2-1.fc34 -> 2.5.2-2.fc34
libsss_idmap 2.5.2-1.fc34 -> 2.5.2-2.fc34
libsss_nss_idmap 2.5.2-1.fc34 -> 2.5.2-2.fc34
libsss_sudo 2.5.2-1.fc34 -> 2.5.2-2.fc34
libuv 1:1.41.0-1.fc34 -> 1:1.42.0-2.fc34
libwbclient 2:4.14.6-0.fc34 -> 2:4.14.7-0.fc34
libxcrypt 4.4.24-1.fc34 -> 4.4.25-1.fc34
linux-firmware 20210716-121.fc34 -> 20210818-122.fc34
linux-firmware-whence 20210716-121.fc34 -> 20210818-122.fc34
moby-engine 20.10.7-1.fc34 -> 20.10.8-1.fc34
mozjs78 78.12.0-1.fc34 -> 78.13.0-1.fc34
nftables 1:0.9.8-2.fc34 -> 1:0.9.8-3.fc34
openssl 1:1.1.1k-1.fc34 -> 1:1.1.1l-1.fc34
openssl-libs 1:1.1.1k-1.fc34 -> 1:1.1.1l-1.fc34
ostree 2021.3-1.fc34 -> 2021.4-2.fc34
ostree-libs 2021.3-1.fc34 -> 2021.4-2.fc34
podman 3:3.2.3-2.fc34 -> 3:3.3.1-1.fc34
podman-plugins 3:3.2.3-2.fc34 -> 3:3.3.1-1.fc34
rpm-ostree 2021.7-1.fc34 -> 2021.10-2.fc34
rpm-ostree-libs 2021.7-1.fc34 -> 2021.10-2.fc34
samba-client-libs 2:4.14.6-0.fc34 -> 2:4.14.7-0.fc34
samba-common 2:4.14.6-0.fc34 -> 2:4.14.7-0.fc34
samba-common-libs 2:4.14.6-0.fc34 -> 2:4.14.7-0.fc34
selinux-policy 34.14-1.fc34 -> 34.19-1.fc34
selinux-policy-targeted 34.14-1.fc34 -> 34.19-1.fc34
shadow-utils 2:4.8.1-8.fc34 -> 2:4.8.1-9.fc34
skopeo 1:1.3.1-1.fc34 -> 1:1.4.1-1.fc34
slirp4netns 1.1.9-1.fc34 -> 1.1.12-2.fc34
sssd-ad 2.5.2-1.fc34 -> 2.5.2-2.fc34
sssd-client 2.5.2-1.fc34 -> 2.5.2-2.fc34
sssd-common 2.5.2-1.fc34 -> 2.5.2-2.fc34
sssd-common-pac 2.5.2-1.fc34 -> 2.5.2-2.fc34
sssd-ipa 2.5.2-1.fc34 -> 2.5.2-2.fc34
sssd-krb5 2.5.2-1.fc34 -> 2.5.2-2.fc34
sssd-krb5-common 2.5.2-1.fc34 -> 2.5.2-2.fc34
sssd-ldap 2.5.2-1.fc34 -> 2.5.2-2.fc34
toolbox 0.0.99.2-1.fc34 -> 0.0.99.2-7.fc34
vim-minimal 2:8.2.3290-1.fc34 -> 2:8.2.3404-1.fc34
Removed:
firewalld-filesystem-0.9.4-1.fc34.noarch
Added:
cracklib-dicts-2.9.6-27.fc34.x86_64
If you want to narrow it down further you can test with some of the builds in between 34.20210808.3.0 and 34.20210919.3.0.
I've got the same problem.
CoreOS 34.20210919.3.0, kernel 5.13.16-200.fc34.x86_64 - drbd module loaded successfully
CoreOS 35.20211029.3.0, kernel 5.14.14-300.fc35.x86_64 - drbd module injection error (SELinux related)
@servsav Have you tried the suggestion from https://github.com/coreos/fedora-coreos-tracker/issues/1018#issuecomment-965665248?
Describe the bug: Permission denied when trying to use insmod from a privileged container
Reproduction steps: Steps to reproduce the behavior:
Expected behavior: Kernel module successfully inserted
Actual behavior:
insmod drbd.ko
insmod: ERROR: could not insert module drbd.ko: Permission denied
System details:
Additional information: Kernel module injection worked in Fedora Core 33, but we have this issue after the upgrade to Fedora Core 34
Build log:
Systemd log: