# Capabilities module fails to load

## SAngeli

Hi,

I run Gentoo 2.6.12-gentoo-r6 on amd64. 

I have the following settings in the kernel:

```
#
# Security options
#
# CONFIG_KEYS is not set
CONFIG_SECURITY=y
# CONFIG_SECURITY_NETWORK is not set
CONFIG_SECURITY_CAPABILITIES=m
# CONFIG_SECURITY_ROOTPLUG is not set
# CONFIG_SECURITY_SECLVL is not set
CONFIG_SECURITY_SELINUX=y
# CONFIG_SECURITY_SELINUX_BOOTPARAM is not set
# CONFIG_SECURITY_SELINUX_DISABLE is not set
CONFIG_SECURITY_SELINUX_DEVELOP=y
CONFIG_SECURITY_SELINUX_AVC_STATS=y
CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE=1
```

/etc/modules.autoload.d/kernel-2.6

```
nvidia
capability
realtime
```

lsmod

```
Module                  Size  Used by
visor                  19788  0
usbserial              28656  1 visor
it87                   27232  0
i2c_sensor              3136  1 it87
i2c_isa                 2432  0
i2c_core               19928  3 it87,i2c_sensor,i2c_isa
snd_seq_midi            7488  0
snd_emu10k1_synth       7232  0
snd_emux_synth         34240  1 snd_emu10k1_synth
snd_seq_virmidi         6656  1 snd_emux_synth
snd_seq_midi_event      7232  2 snd_seq_midi,snd_seq_virmidi
snd_seq_midi_emul       7808  1 snd_emux_synth
snd_seq                54656  5 snd_seq_midi,snd_emux_synth,snd_seq_virmidi,snd_seq_midi_event,snd_seq_midi_emul
skge                   34256  0
snd_emu10k1           113060  4 snd_emu10k1_synth
snd_rawmidi            22080  3 snd_seq_midi,snd_seq_virmidi,snd_emu10k1
snd_seq_device          7952  5 snd_seq_midi,snd_emu10k1_synth,snd_seq,snd_emu10k1,snd_rawmidi
snd_ac97_codec         87640  1 snd_emu10k1
snd_pcm                87884  4 snd_emu10k1,snd_ac97_codec
snd_timer              22472  3 snd_seq,snd_emu10k1,snd_pcm
snd_page_alloc          8584  2 snd_emu10k1,snd_pcm
snd_util_mem            3968  2 snd_emux_synth,snd_emu10k1
snd_hwdep               8480  2 snd_emux_synth,snd_emu10k1
snd                    47928  14 snd_emux_synth,snd_seq_virmidi,snd_seq,snd_emu10k1,snd_rawmidi,snd_seq_device,snd_ac97_codec,snd_pcm,snd_timer,snd_hwdep
evdev                   8448  0
realtime                9608  0
nvidia               4049468  12
```

This is the error I get when Gentoo boots up:

```
dmesg | grep capabilities
Failure registering capabilities with primary security module.
```

If I try to manually load this module, I get this error:

```
# modprobe capability
FATAL: Error inserting capability (/lib/modules/2.6.12-gentoo-r6/kernel/security/capability.ko): Invalid argument
```

How come this module used to work before I upgraded from kernel 2.6.11 to 2.6.12 and now it fails to start?

Please let me know if you have any advice.

Thank you,

Spiro

----------

## kybber

I am getting the exact same error:

```
root>modprobe capability
insmod /lib/modules/2.6.12-gentoo-r6/kernel/security/capability.ko
FATAL: Error inserting capability (/lib/modules/2.6.12-gentoo-r6/kernel/security/capability.ko): Invalid argument
root>grep SECURITY .config
# CONFIG_EXT3_FS_SECURITY is not set
CONFIG_SECURITY=y
# CONFIG_SECURITY_NETWORK is not set
CONFIG_SECURITY_CAPABILITIES=m
# CONFIG_SECURITY_ROOTPLUG is not set
# CONFIG_SECURITY_SECLVL is not set
# CONFIG_SECURITY_SELINUX is not set
```

Compiling capability into the kernel seems to work, but then I can't use rlocate. 

Does anyone have a clue as to how this can be solved?

----------

## Palhoto

I've been getting the same error for quite some time, at least from 2.6.7, if I'm not mistaken. I'm using 2.6.12-gentoo-r10 at the moment.

To get Jack to work with capabilities I have been patching 2.6 kernels as if they were 2.4 in the include/linux/capability.h file.

----------

## tecknojunky

 *Palhoto wrote:*   

> I'm using 2.6.12-gentoo-r10 at the moment.

 

Same kernel, same error.

----------

## bandreabis

 *kybber wrote:*   

> I am getting the exact same error:
> 
> ```
> root>modprobe capability
> ...
> ```

 

Same error with me:

rlocate fails to load (and also fbsplash) if building (built-in!) CONFIG_SECURITY_CAPABILITIES

Immediately unbuilt it and restored fbsplash. I'd need it to use klamav's auto-scan (needing dazuko and being unable to use or even emerge it).

I'll watch this topic waiting for help.

Bye bye

Andrea

----------

## ocZer

I was able to emerge dazuko 2.10 on kernel 2.6.13-r3, but I get the same error when I modprobe both dazuko and capabilities. If anybody finds a solution to this, please post here.

----------

## Boohbah

Same problem here.

----------

## [clu]

Has anyone found a solution?

----------

## bandreabis

Not me.   :Sad: 

----------

## bushvin

modprobe capability does work for me

```
maul ~ # lsmod |grep capability
capability              3208  0
commoncap               5120  1 capability
```

but modprobe dazuko results in this:

```
maul ~ # modprobe dazuko
FATAL: Error inserting dazuko (/lib/modules/2.6.13-gentoo-r5/misc/dazuko.ko): Invalid argument
```

dmesg only registers: "dazuko: failed to register"

My kernel version is 2.6.13-gentoo-r5

Will.

----------

## kybber

```
root>uname -r
2.6.14-gentoo-r4
root>modprobe rlocate
root>modprobe capability
FATAL: Error inserting capability (/lib/modules/2.6.14-gentoo-r4/kernel/security/capability.ko): Invalid argument
root>rmmod rlocate
root>modprobe capability
root>modprobe rlocate
FATAL: Error inserting rlocate (/lib/modules/2.6.14-gentoo-r4/misc/rlocate.ko): Invalid argument
```

capability works, but capability and rlocate are co-exclusive. 

I prefer using rlocate, but would really really like to use capability too so that ntpd would start working again.

----------

## Draconite

Bump, same error. If I unload dazuko I can load capability, and if I unload capability, I can load dazuko, but in no combination can I have both loaded at the same time. I've heard you're supposed to load dazuko first then capabilities, and I've tried that, but it still won't inject capability.

----------

## Braempje

I'm experiencing the same problem and it does not seem very nice. I'm trying to use rlocate and dropping ownership in ntp. 

Well, it turns out you can't use multiple first "level" security modules together. Most probably what you are getting are also multiple first security modules. More information can be found here. I guess this is unsolvable for us, unless someone is a really good kernel hacker...

----------

## Kelofander

I've the same problem...

...if anybody ever solves that problem, please post here

Thanks a lot...

It seems that the newest version has some problems:

https://forums.gentoo.org//viewtopic-p-3371367.html#3371367

----------

## sageman

The solution right now is basically don't use rlocate if you want the default linux capabilities, they are completely incompatible. As it says on the rlocate page, http://rlocate.sourceforge.net/, rlocate doesn't yet support it (that's why it's a beta and why it's masked), or rather the linux kernel does not yet support stacking of "security" modules.

Of course, if you need the capabilities module, you could always rmmod rlocate and stop the rlocate daemon while using it. Or just use slocate and not get up-to-the-second filesystem search databases, which may not be necessary for you. If you do need to find a recent file, you can always use find, and go get a coffee or something  :Smile: . That way, you still have the "capabilities" loaded.

Personally, I like rlocate. This should be fixed in the (far?) future, but it's really a kernel issue, because rlocate acts as a "security" module and the current rev of the kernel does not (supposedly) allow for easy stacking of different security modules.

----------
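The single-primary registration behaviour described in the posts above, as an added example that is not part of the original thread and is not kernel source: a simplified user-space C model in which one module holds the primary slot and a second loads only if the primary agrees to stack it. All struct and function names are hypothetical; the load order in `main` replays the rlocate/capability session posted earlier.

```c
#include <errno.h>
#include <stdio.h>

/* Simplified user-space model; every name here is hypothetical. */
struct lsm_ops {
    const char *name;
    /* Set only by a primary that is willing to stack a second module. */
    int (*accept_secondary)(const struct lsm_ops *secondary);
};

static int refuse(const struct lsm_ops *s) { (void)s; return -EINVAL; }

static struct lsm_ops dummy = { "dummy", refuse };
static struct lsm_ops *primary = &dummy;   /* the single primary slot */

struct lsm_ops capability = { "capability", NULL };
struct lsm_ops rlocate    = { "rlocate",    NULL };

/* Module init: claim the primary slot, else ask the primary to stack us. */
int module_load(struct lsm_ops *ops)
{
    if (primary == &dummy) {
        if (!ops->accept_secondary)
            ops->accept_secondary = refuse;   /* default: no stacking */
        primary = ops;
        return 0;
    }
    if (ops == primary)
        return -EINVAL;
    /* modprobe reports this -EINVAL as "Invalid argument". */
    return primary->accept_secondary(ops);
}

void module_unload(struct lsm_ops *ops) { if (primary == ops) primary = &dummy; }

int main(void)
{
    /* Load order replayed from the rlocate/capability session above. */
    printf("rlocate:    %d\n", module_load(&rlocate));     /* 0 */
    printf("capability: %d\n", module_load(&capability));  /* -EINVAL */
    module_unload(&rlocate);
    printf("capability: %d\n", module_load(&capability));  /* 0 */
    printf("rlocate:    %d\n", module_load(&rlocate));     /* -EINVAL */
    return 0;
}
```

Whichever module loads first wins the slot, which is why changing the order in the autoload file only changes which module fails.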

## Xanadu

I can't get the capability modules to load (2.6.17-suspend2-r6 kernel).  I'm trying to get avahi to run and it needs that running.  That runs fine if I compile compatibility into the kernel.  I also use rlocate which, as everyone here has found, needs it as a module.  

A catch-22...  :Sad: 

If anyone runs across a solution, please bump this up again.  The last post was in July, and here it is half-way through September and still the issue exists.

Thanx,

M.

P.S.

I'd much rather have rlocate working than avahi as avahi is more of a test than "production" need.  So if bagging the use of avahi is the temporary solution, then that is no big deal since that's what I've pretty much done anyway.

----------

## brahm

Well, I tried upgrading to kernel 2.6.18-gentoo-r1. rlocate installed successfully   :Laughing: 

----------

## unaos

Is anybody able to load capability as a module?

----------

## Xanadu

(WOW!  I can't believe I'm gonna do this...)

Over a year later and this is still an issue.  I was trying to load the capability module today only to get the usual "Failure registering capabilities with primary security module" error.  It really stinks that this isn't solved yet (or I wish I was a code-ist...).  Last year I had said above that I was trying to use avahi.  I've since bagged that route, but I do still use rlocate.  

P.S.

It's funny when you run across your own post when looking for help!  I had totally forgotten that I had posted about this last year. :Laughing: 

----------

## cyberpatrol

 *sageman wrote:*   

> Or just use slocate and not get up-to-the-second filesystem search databases, which may not be necessary for you.

 

Well, this thread and this posting is pretty old but you can get an up-to-the-second filesystem search database also with slocate.

Just add this line to .bashrc:

```
alias locate='updatedb && locate'
```

Ok, it's only a workaround and much slower than rlocate but it's still much faster than find. At least I'm quite happy with it and don't miss rlocate anymore. And another side effect is that you have saved a few system resources.

But I have another problem. I compiled capability as a module and installed realtime-lsm.

In /etc/modules.autoload.d/kernel-2.6 I've inserted capability and realtime at the first and the second line.

At boot time the module realtime is loaded but I'm getting the message "failed to load capability".

Is the module capability really necessary for realtime-lsm or must capability be compiled into the kernel?

----------

