RL9 with SELinux blocks kernel module loading

Hey all, thanks for reading.

Having selected a workstation install with a security profile the system boots with SELinux enabled and “SELinux boolean secure_mod_insmod 1” implying no kernel modules can be loaded.

Despite efforts to read more about how this impacts the OS i can observe some kernel modules do get loaded such as modules loaded thru udev.

Now i’m trying to also have vfat and other modules load but that’s not obviously documented anywhere. I’ve tried adding a file to /usr/lib/modules-load.d/mymodules.conf to no avail, also tried the obvious route such as for /etc/modprobe.d

Is there a document explaining how to load kernel-modules before this boolean is enforced ? That in a manner of speaking since i don’t know if it is actually possible or adequately defined what i’m asking.

I’ve not dealt with that boolean directly. My guess is that you should unset that boolean, load your modules as you normally would, and rebuild the initramfs. That way the module will be available while that boolean is active. But that is simply an educated guess on how to work with it.

1 Like

Thanks, that’s what i had in mind yet tried to avoid doing. For now it looks like the only way to actually load modules before selinux prohibits module loading.

SOLVED, here I share my own clumsy appraoch,

starting from a system with secure_mod_insmod = 0

lsmod | cut -d' ' -f1 | sort > insmod0.list
setsebool -P secure_mod_insmod 1

{ login as root in rescue mode }

lsmod | cut -d' ' -f1 | sort > insmod1.list
diff insmod0.list insmod1.lst --left-column | grep \< | cut -d' ' -f2 > krnlmods
echo "\" "$( cat krnlmods )" \"" > krnlmods

{ this assumes there is an empty /etc/dracut.conf }

echo "add_drivers+=$( cat krnlmods )" >> /etc/dracut.conf
dracut -f initramfs-`uname -r`.img

This worked well for me and solved the problem of dracut not adding modules from the command-line (which may be due to my inexperience)

Personally I’d expected there to be another way but adding kernel modules to initramfs, I was unable to find an economical approach in short time.

an update here, the mention of SOLVED is a false positive, somehow things worked out for a while

i’ve tried doing so to no avail, so i had to learn more about dracut imho

dracut loads modules from /usr/lib/dracut/modules.d/
to my understanding when running with secure_mode_insmod=1 a dracut module is required to load the kernel modules before the sebool is enforced

trying to do so today has not resulted in success
i had hoped all this could be documented don the rocky wiki pages
willing to help in writing this doc