openQA tests actually caught this: https://openqa.fedoraproject.org/tests/378325 but I did not notice in time to stop the update going stable, sorry :(.

That update - selinux-policy-3.14.3-27.fc30 - seems to have broken systemd-modules-load.service. It shows up as 'failed' on boot after the update is installed. The journal shows several AVCs and then the service fails:

Apr 05 11:00:15 localhost.localdomain audit[623]: AVC avc: denied { read } for pid=623 comm="systemd-modules" name="modules.softdep" dev="dm-0" ino=674728 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=unconfined_u:object_r:modules_dep_t:s0 tclass=file permissive=0
Apr 05 11:00:15 localhost.localdomain audit[623]: AVC avc: denied { read } for pid=623 comm="systemd-modules" name="modules.dep.bin" dev="dm-0" ino=674687 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=unconfined_u:object_r:modules_dep_t:s0 tclass=file permissive=0
Apr 05 11:00:15 localhost.localdomain kernel: audit: type=1400 audit(1554487215.446:67): avc: denied { read } for pid=623 comm="systemd-modules" name="modules.softdep" dev="dm-0" ino=674728 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=unconfined_u:object_r:modules_dep_t:s0 tclass=file permissive=0
Apr 05 11:00:15 localhost.localdomain kernel: audit: type=1400 audit(1554487215.446:68): avc: denied { read } for pid=623 comm="systemd-modules" name="modules.dep.bin" dev="dm-0" ino=674687 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=unconfined_u:object_r:modules_dep_t:s0 tclass=file permissive=0
Apr 05 11:00:15 localhost.localdomain kernel: audit: type=1400 audit(1554487215.446:69): avc: denied { read } for pid=623 comm="systemd-modules" name="modules.dep.bin" dev="dm-0" ino=674687 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=unconfined_u:object_r:modules_dep_t:s0 tclass=file permissive=0
Apr 05 11:00:15 localhost.localdomain audit[623]: AVC avc: denied { read } for pid=623 comm="systemd-modules" name="modules.dep.bin" dev="dm-0" ino=674687 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=unconfined_u:object_r:modules_dep_t:s0 tclass=file permissive=0
Apr 05 11:00:15 localhost.localdomain audit[623]: AVC avc: denied { read } for pid=623 comm="systemd-modules" name="modules.alias.bin" dev="dm-0" ino=674714 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=unconfined_u:object_r:modules_dep_t:s0 tclass=file permissive=0
Apr 05 11:00:15 localhost.localdomain systemd-modules-load[623]: Failed to lookup module alias 'fuse': Function not implemented
Apr 05 11:00:15 localhost.localdomain systemd[1]: systemd-modules-load.service: Main process exited, code=exited, status=1/FAILURE

Proposing as a Final blocker, as this violates "All system services present after installation with one of the release-blocking package sets must start properly, unless they require hardware which is not present." - https://fedoraproject.org/wiki/Fedora_30_Final_Release_Criteria#System_services
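Added example, not part of the original report: a small Python parser that collapses the journal's duplicated AVC records (the audit[pid] line and the kernel's type=1400 echo of the same event) into one entry per source type, target type, class and permission, which is the shape of the allow rule being denied. The sample lines are copied from the excerpt above; the function names are this example's own.

```python
import re
from collections import defaultdict

# Four lines copied from the journal excerpt in the report above:
# two audit[623] records, one kernel type=1400 echo, and one non-AVC line.
SAMPLE = '''
Apr 05 11:00:15 localhost.localdomain audit[623]: AVC avc: denied { read } for pid=623 comm="systemd-modules" name="modules.softdep" dev="dm-0" ino=674728 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=unconfined_u:object_r:modules_dep_t:s0 tclass=file permissive=0
Apr 05 11:00:15 localhost.localdomain kernel: audit: type=1400 audit(1554487215.446:68): avc: denied { read } for pid=623 comm="systemd-modules" name="modules.dep.bin" dev="dm-0" ino=674687 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=unconfined_u:object_r:modules_dep_t:s0 tclass=file permissive=0
Apr 05 11:00:15 localhost.localdomain audit[623]: AVC avc: denied { read } for pid=623 comm="systemd-modules" name="modules.alias.bin" dev="dm-0" ino=674714 scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=unconfined_u:object_r:modules_dep_t:s0 tclass=file permissive=0
Apr 05 11:00:15 localhost.localdomain systemd-modules-load[623]: Failed to lookup module alias 'fuse': Function not implemented
'''

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec['perms'] = m.group('perms').split()
    # A context is user:role:type[:level]; type enforcement keys on field 3.
    for key in ('scontext', 'tcontext'):
        rec[key + '_type'] = rec[key].split(':')[2]
    return rec


def summarize(text):
    """Map (source type, target type, class, permission) -> sorted file names."""
    groups = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue  # service messages and blank lines are skipped
        for perm in rec['perms']:
            key = (rec['scontext_type'], rec['tcontext_type'], rec['tclass'], perm)
            groups[key].add(rec.get('name', '?'))
    return {k: sorted(v) for k, v in groups.items()}


if __name__ == '__main__':
    for (src, tgt, cls, perm), names in summarize(SAMPLE).items():
        print(f'{src} -> {tgt}:{cls} {{ {perm} }}  files: {", ".join(names)}')
```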
Hmm. tcontext=unconfined_u:object_r:modules_dep_t:s0 looks a bit fishy. On my machine I have:

$ ls -Z /usr/lib/modules/5.0.6-300.fc30.x86_64/
    system_u:object_r:modules_object_t:s0 bls.conf
    system_u:object_r:modules_object_t:s0 build@
    system_u:object_r:modules_object_t:s0 config
    system_u:object_r:modules_object_t:s0 extra/
    system_u:object_r:modules_object_t:s0 kernel/
unconfined_u:object_r:modules_object_t:s0 modules.alias
unconfined_u:object_r:modules_object_t:s0 modules.alias.bin
    system_u:object_r:modules_object_t:s0 modules.block
    system_u:object_r:modules_object_t:s0 modules.builtin
unconfined_u:object_r:modules_object_t:s0 modules.builtin.bin
unconfined_u:object_r:modules_object_t:s0 modules.dep
unconfined_u:object_r:modules_object_t:s0 modules.dep.bin
unconfined_u:object_r:modules_object_t:s0 modules.devname
    system_u:object_r:modules_object_t:s0 modules.drm
    system_u:object_r:modules_object_t:s0 modules.modesetting
    system_u:object_r:modules_object_t:s0 modules.networking
    system_u:object_r:modules_object_t:s0 modules.order
unconfined_u:object_r:modules_object_t:s0 modules.softdep
unconfined_u:object_r:modules_object_t:s0 modules.symbols
unconfined_u:object_r:modules_object_t:s0 modules.symbols.bin
    system_u:object_r:modules_object_t:s0 source@
    system_u:object_r:modules_object_t:s0 System.map
    system_u:object_r:modules_object_t:s0 updates/
    system_u:object_r:modules_object_t:s0 vdso/
    system_u:object_r:usr_t:s0 vmlinuz*

The ones with unconfined_u appear to be stuff created by kernel-install when called from kernel.rpm's %post. The other files are installed directly by rpm.

So maybe it's a question of wrong contexts, not missing permissions.
commit 021823926ae7bff86e92ea8d119d5150c0d89a63
Author: Lukas Vrabec <lvrabec>
Date:   Tue Apr 9 10:27:54 2019 +0200

    Allow systemd_modules_load to read modules_dep_t files
selinux-policy-3.14.3-29.fc30 has been submitted as an update to Fedora 30. https://bodhi.fedoraproject.org/updates/FEDORA-2019-7cb094d99a
selinux-policy-3.14.3-29.fc30 has been pushed to the Fedora 30 stable repository. If problems still persist, please make note of it in this bug report.
*** Bug 1699559 has been marked as a duplicate of this bug. ***