On 06/27/2018 03:46 AM, Paul Moore wrote: > On Tue, Jun 26, 2018 at 10:40 AM Daniel Jurgens <danielj@xxxxxxxxxxxx> wrote: >> On 6/26/2018 3:04 AM, Vasiliy Tolstov wrote: >>> вт, 26 июн. 2018 г. в 5:26, Jason Gunthorpe <jgg@xxxxxxxxxxxx>: >>>> On Tue, Jun 26, 2018 at 03:24:00AM +0300, Vasiliy Tolstov wrote: >>>>> I'm debug this and i think that this is selinux problem, after i set >>>>> permissive selinux i have: >>>>> type=AVC msg=audit(1529969961.770:111): avc: denied { access } for >>>>> pid=932 comm="systemd-network" pkey=0xffff subnet_prefix=0:0:0:80fe:: >>>>> scontext=system_u:system_r:systemd_modules_load_t:s0 >>>>> tcontext=system_u:object_r:unlabeled_t:s0 tclass=infiniband_pkey >>>>> permissive=0 >> >> The upstream refpolicy doesn't define systemd_modules_load_t, I think this will require an update to the fedora selinux policy to allow access to unlabeled pkeys for that type. I've added Paul Moore, hopefully he knows how to make that happen. > > Hello, > > I've added Lukas Vrabec to the To/CC line on this email, he maintains > the Fedora/RHEL SELinux policy and would be the person who could get > this into Fedora. When in doubt you can always file a BZ against > Fedora: > > * https://bugzilla.redhat.com > >>>> It shouldn't hang, that seems like some other kind of bug.. > > The hang may be due to the fact that the system is running in SELinux > enforcing mode and the policy is setup to deny the access that is > being requested. You can try booting the system in permissive mode, I > expect that will fix your problem. > > You can put your system in permissive mode by ensuring the following > entry is set in /etc/selinux/config and rebooting your system: > > # grep "^SELINUX=" /etc/selinux/config > SELINUX=permissive > Hi All, Please test your scenario with SELinux in PERMISSIVE mode, find for the SELinux denials: # ausearch -m AVC -ts recent And send me please output of the command above. Lukas. >>>> And it shouldn't print the subnet prefx in the wrong endian-ness >>>> (subnet_prefix=0:0:0:80fe::) >> This is a bug. > > Who wants to send me a patch? ;) > -- Lukas Vrabec Software Engineer, Security Technologies Red Hat, Inc.
Attachment:
signature.asc
Description: OpenPGP digital signature