RL9 with SELinux blocks kernel module loading

commandline · November 26, 2022, 8:14pm

Hey all, thanks for reading.

Having selected a workstation install with a security profile the system boots with SELinux enabled and “SELinux boolean secure_mod_insmod 1” implying no kernel modules can be loaded.

Despite efforts to read more about how this impacts the OS i can observe some kernel modules do get loaded such as modules loaded thru udev.

Now i’m trying to also have vfat and other modules load but that’s not obviously documented anywhere. I’ve tried adding a file to /usr/lib/modules-load.d/mymodules.conf to no avail, also tried the obvious route such as for /etc/modprobe.d

Is there a document explaining how to load kernel-modules before this boolean is enforced ? That in a manner of speaking since i don’t know if it is actually possible or adequately defined what i’m asking.

label · November 27, 2022, 1:11am

I’ve not dealt with that boolean directly. My guess is that you should unset that boolean, load your modules as you normally would, and rebuild the initramfs. That way the module will be available while that boolean is active. But that is simply an educated guess on how to work with it.

commandline · November 28, 2022, 10:42am

Thanks, that’s what i had in mind yet tried to avoid doing. For now it looks like the only way to actually load modules before selinux prohibits module loading.

commandline · November 28, 2022, 5:04pm

SOLVED, here I share my own clumsy appraoch,

starting from a system with secure_mod_insmod = 0

lsmod | cut -d' ' -f1 | sort > insmod0.list
setsebool -P secure_mod_insmod 1
reboot

{ login as root in rescue mode }

lsmod | cut -d' ' -f1 | sort > insmod1.list
diff insmod0.list insmod1.lst --left-column | grep \< | cut -d' ' -f2 > krnlmods
echo "\" "$( cat krnlmods )" \"" > krnlmods

{ this assumes there is an empty /etc/dracut.conf }

echo "add_drivers+=$( cat krnlmods )" >> /etc/dracut.conf
dracut -f initramfs-`uname -r`.img
reboot

This worked well for me and solved the problem of dracut not adding modules from the command-line (which may be due to my inexperience)

Personally I’d expected there to be another way but adding kernel modules to initramfs, I was unable to find an economical approach in short time.

commandline · April 22, 2023, 3:45pm

an update here, the mention of SOLVED is a false positive, somehow things worked out for a while

commandline · April 22, 2023, 6:26pm

i’ve tried doing so to no avail, so i had to learn more about dracut imho

dracut loads modules from /usr/lib/dracut/modules.d/
to my understanding when running with secure_mode_insmod=1 a dracut module is required to load the kernel modules before the sebool is enforced

trying to do so today has not resulted in success
i had hoped all this could be documented don the rocky wiki pages
willing to help in writing this doc

Topic		Replies	Views
Unable to modprobe irqbypass , kvm, & kvm_amd modules Rocky Linux Help & Support	13	4570	August 25, 2023
Display non-default SELinux booleans? Rocky Linux Help & Support	4	295	August 25, 2023
Can't install zfs on Rocky Linux 9 Rocky Linux Help & Support	5	3396	August 25, 2023
SELinux message Rocky Linux Help & Support	3	683	August 25, 2023
How to install ZFS inside Rockylinux Docker container? Rocky Linux Help & Support	8	1151	August 25, 2023

RL9 with SELinux blocks kernel module loading

starting from a system with secure_mod_insmod = 0

Related topics