RHEL / RHEL-1461

Critical mounts cannot be performed when "secure_mode_insmod" is enabled

Fields: Important (severity), rhel-security-selinux, ssg_security

      Description of problem:

      When "secure_mode_insmod" is enabled, which is the case when applying the ANSSI SCAP profile "xccdf_org.ssgproject.content_profile_anssi_bp28_high", the system fails to boot and enters Emergency mode due to systemd not being able to mount "/boot/efi" ("vfat") and/or "/var/lib/nfs/rpc_pipefs" ("rpc_pipefs"):
      -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
      # journalctl -b -u boot-efi.mount -u var-lib-nfs-rpc_pipefs.mount
      -- Logs begin at Mon 2022-02-21 13:37:20 CET, end at Mon 2022-02-21 13:39:16 CET. --
      Feb 21 13:37:22 vm-uefi8 systemd[1]: Mounting /boot/efi...
      Feb 21 13:37:22 vm-uefi8 mount[784]: mount: /boot/efi: unknown filesystem type 'vfat'.
      Feb 21 13:37:22 vm-uefi8 systemd[1]: boot-efi.mount: Mount process exited, code=exited status=32
      Feb 21 13:37:22 vm-uefi8 systemd[1]: boot-efi.mount: Failed with result 'exit-code'.
      Feb 21 13:37:22 vm-uefi8 systemd[1]: Failed to mount /boot/efi.
      Feb 21 13:37:22 vm-uefi8 systemd[1]: Mounting RPC Pipe File System...
      Feb 21 13:37:22 vm-uefi8 mount[849]: mount: /var/lib/nfs/rpc_pipefs: unknown filesystem type 'rpc_pipefs'.
      Feb 21 13:37:22 vm-uefi8 systemd[1]: var-lib-nfs-rpc_pipefs.mount: Mount process exited, code=exited status=32
      Feb 21 13:37:22 vm-uefi8 systemd[1]: var-lib-nfs-rpc_pipefs.mount: Failed with result 'exit-code'.
      Feb 21 13:37:22 vm-uefi8 systemd[1]: Failed to mount RPC Pipe File System.
      -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

      The reason for this is there is no rule to allow *kmod_t* to load modules:
      -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< ----
      # sesearch -A -c capability -p sys_module | grep -v "secure_mode_insmod"
      allow iscsid_t iscsid_t:capability { dac_read_search ipc_lock net_admin net_raw sys_admin sys_module sys_nice sys_resource };
      allow minissdpd_t minissdpd_t:capability { net_admin sys_module };
      allow openvswitch_t openvswitch_t:capability { audit_write chown dac_override dac_read_search fowner ipc_lock kill mknod net_admin net_broadcast setgid setpcap setuid sys_module sys_nice sys_rawio sys_resource };
      allow vmware_host_t vmware_host_t:capability { audit_control audit_write chown dac_override dac_read_search fowner fsetid ipc_lock ipc_owner kill lease linux_immutable mknod net_admin net_bind_service net_broadcast net_raw setfcap setgid setpcap setuid sys_admin sys_boot sys_chroot sys_module sys_nice sys_pacct sys_ptrace sys_rawio sys_resource sys_time sys_tty_config };
      -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< ----

      IMHO we need an exception for *kmod_t* to load modules, something like this:
      -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< ----
      # cat kmod_load_modules.cil
      (allow kmod_t self (capability (sys_module)))
      -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< ----

      If such solution is not acceptable, then we need some other mechanism to be implemented, in particular for "/boot/efi" which is critical on UEFI systems.

      Version-Release number of selected component (if applicable):

      selinux-policy on RHEL8

      How reproducible:

      Always

      Steps to Reproduce:
      1. On UEFI, nothing special to do; on Legacy BIOS, install the "nfs-utils" package:
         # yum -y install nfs-utils
      2. Enable "secure_mode_insmod":
         # setsebool -P secure_mode_insmod on
      3. Reboot

      Actual results:

      Emergency prompt (on UEFI due to /boot/efi)
      Failure starting var-lib-nfs-rpc_pipefs.mount

      Expected results:

      No issue

      Additional info:

      A workaround is to have the modules preloaded in the initramfs, by creating a "/etc/modules-load.d/" configuration file and rebuilding all initramfs files:
      -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< ----
      # echo "vfat" > /etc/modules-load.d/vfat.conf
      # dracut -f --regenerate-all
      -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< ----

Assignee: Zdenek Pytela (rhn-support-zpytela)
Reporter: Renaud Métrich (rhn-support-rmetrich)
QA Contact: SSG Security QE
Votes: 0
Watchers: 5
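The following shell script is an added example, not part of the bug report or of selinux-policy. It ties together the two remedies the report mentions: it derives the modules-load.d(5) fragment for the initramfs workaround from the mount failures in the journal (covering rpc_pipefs as well as vfat, which the report's one-line workaround does not), and it installs the proposed CIL exception and verifies it with sesearch. The initramfs route works because the SELinux policy is not yet loaded while the initramfs runs, so kmod_t's lack of sys_module does not apply there. The journal lines are a constructed sample modelled on the ones quoted above; the mapping of rpc_pipefs to the sunrpc module, the fallback through the kernel's fs-<type> module alias, and the file name secure-mode-insmod.conf are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the bug report or selinux-policy: derive the
# modules-load.d(5) fragment for the initramfs workaround from the journal,
# or install the proposed CIL exception, depending on the argument given.

# Constructed sample of the journal lines quoted in the report.
sample_journal() {
    cat <<'EOF'
Feb 21 13:37:22 vm-uefi8 systemd[1]: Mounting /boot/efi...
Feb 21 13:37:22 vm-uefi8 mount[784]: mount: /boot/efi: unknown filesystem type 'vfat'.
Feb 21 13:37:22 vm-uefi8 systemd[1]: boot-efi.mount: Failed with result 'exit-code'.
Feb 21 13:37:22 vm-uefi8 mount[849]: mount: /var/lib/nfs/rpc_pipefs: unknown filesystem type 'rpc_pipefs'.
EOF
}

# Filesystem types that mount(8) rejected, read from stdin, one per line,
# deduplicated and sorted.
failed_fs_types() {
    sed -n "s/.*unknown filesystem type '\([^']*\)'\..*/\1/p" | sort -u
}

# Kernel module that registers a filesystem type.  vfat and sunrpc (which
# provides rpc_pipefs) are the two cases from the report (assumed mapping);
# anything else is resolved through the fs-<type> alias the kernel exports.
fs_module_for() {
    case "$1" in
        vfat)       echo vfat ;;
        rpc_pipefs) echo sunrpc ;;
        *)          modprobe --resolve-alias "fs-$1" 2>/dev/null | tail -n1 ;;
    esac
}

# Render the modules-load.d fragment for the filesystem types read from stdin.
modules_load_conf() {
    echo "# preloaded in the initramfs: secure_mode_insmod denies kmod_t sys_module"
    while read -r fstype; do
        mod=$(fs_module_for "$fstype")
        if [ -n "$mod" ]; then
            echo "$mod"
        else
            echo "warning: no module found for filesystem type $fstype" >&2
        fi
    done
}

# The report's workaround, generalised: every mount failure of this boot
# (journalctl -t mount) feeds the fragment, then all initramfs images are
# rebuilt.  Output file name is an assumption of this example.
apply_initramfs_workaround() {
    getsebool secure_mode_insmod | grep -q -- '--> on$' \
        || echo "note: secure_mode_insmod is currently off" >&2
    journalctl -b -t mount | failed_fs_types | modules_load_conf \
        > /etc/modules-load.d/secure-mode-insmod.conf
    dracut -f --regenerate-all
}

# The policy exception proposed in the report, installed as a CIL module and
# then checked: the sesearch output should now list an unconditional rule.
apply_policy_exception() {
    printf '(allow kmod_t self (capability (sys_module)))\n' > kmod_load_modules.cil
    semodule -i kmod_load_modules.cil
    sesearch -A -s kmod_t -t kmod_t -c capability -p sys_module
}

case "${1-}" in
    --initramfs) apply_initramfs_workaround ;;
    --policy)    apply_policy_exception ;;
esac
```

Run it as root with `--initramfs` on an affected host to regenerate the initramfs with every missing filesystem module, or with `--policy` to try the proposed exception; without an argument it only defines the functions, so the parsing can be exercised offline with `sample_journal | failed_fs_types | modules_load_conf`.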