Bug 1120152
Summary: | SELinux is preventing /usr/sbin/ModemManager from using the 'dac_override' capabilities. | |
---|---|---|---
Product: | Red Hat Enterprise Linux 7 | Reporter: | Matěj Cepl <mcepl>
Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl>
Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik>
Severity: | unspecified | Docs Contact: |
Priority: | low | |
Version: | 7.0 | CC: | mcepl, mmalik
Target Milestone: | rc | |
Target Release: | --- | |
Hardware: | x86_64 | |
OS: | Linux | |
Whiteboard: | abrt_hash:ed9196a38fb37d04c46692583dca8aa41f27e63a559d50691d94810542798104 | |
Fixed In Version: | selinux-policy-3.13.1-7.el7 | Doc Type: | Bug Fix
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2015-03-05 10:42:13 UTC | Type: | ---
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Description
Matěj Cepl
2014-07-16 10:40:19 UTC
Does it happen when selinux-policy >= 3.13 is installed? Could you add the following line to /etc/audit/rules.d/audit.rules and restart the audit daemon?

    -w /etc/shadow -p w

From now on, the AVCs will contain more information.

(In reply to Milos Malik from comment #2)
> Does it happen when selinux-policy >= 3.13 is installed?

That's bad ... I don't have RHEL-7 on my computer anymore, but I probably will have it sometime later this month (with a new computer). Keeping the needinfo alive.

Actually, I can reproduce it even with Fedora 21:

SELinux is preventing /usr/sbin/ModemManager from connectto access on the unix_stream_socket @qmi-proxy.

***** Plugin catchall_boolean (89.3 confidence) suggests ******************

If you want to enable cluster mode for daemons.
Then you must tell SELinux about this by enabling the 'daemons_enable_cluster_mode' boolean.
You can read 'modemmanager_selinux' man page for more details.
Do

    setsebool -P daemons_enable_cluster_mode 1

***** Plugin catchall (11.6 confidence) suggests **************************

If you believe that ModemManager should be allowed connectto access on the @qmi-proxy unix_stream_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:

    # grep ModemManager /var/log/audit/audit.log | audit2allow -M mypol
    # semodule -i mypol.pp

Additional Information:

    Source Context                system_u:system_r:modemmanager_t:s0
    Target Context                system_u:system_r:modemmanager_t:s0
    Target Objects                @qmi-proxy [ unix_stream_socket ]
    Source                        ModemManager
    Source Path                   /usr/sbin/ModemManager
    Port                          <Unknown>
    Host                          wycliff
    Source RPM Packages           ModemManager-1.4.0-1.fc21.x86_64
    Target RPM Packages
    Policy RPM                    selinux-policy-3.13.1-90.fc21.noarch
    Selinux Enabled               True
    Policy Type                   targeted
    Enforcing Mode                Permissive
    Host Name                     wycliff
    Platform                      Linux wycliff 3.17.1-302.fc21.x86_64 #1 SMP Fri Oct 17 20:05:46 UTC 2014 x86_64 x86_64
    Alert Count                   1153
    First Seen                    2014-10-06 20:53:09 CEST
    Last Seen                     2014-10-24 13:56:39 CEST
    Local ID                      bad6634e-2940-4e4c-b342-fca770e8e3f1

Raw Audit Messages:

    type=AVC msg=audit(1414151799.918:3443): avc: denied { connectto } for pid=1020 comm="ModemManager" path=00716D692D70726F7879 scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:system_r:modemmanager_t:s0 tclass=unix_stream_socket permissive=1
    type=SYSCALL msg=audit(1414151799.918:3443): arch=x86_64 syscall=connect success=yes exit=0 a0=9 a1=7ffff0bc5e90 a2=c a3=10 items=0 ppid=1 pid=1020 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=ModemManager exe=/usr/sbin/ModemManager subj=system_u:system_r:modemmanager_t:s0 key=(null)

Hash: ModemManager,modemmanager_t,modemmanager_t,unix_stream_socket,connectto

    commit 5ba54f3dd852dea537fb6c64fa63af7e2629fb12
    Author: Dan Walsh <dwalsh>
    Date:   Sat Oct 25 06:52:23 2014 -0400

        Allow modemmanager to connectto itself

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0458.html
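An added example, not code from this bug or from the ModemManager or selinux-policy projects: a small Python parser for the raw AVC record quoted above. It decodes the hex-encoded path field back to the abstract socket name "@qmi-proxy", shows that source and target contexts are the same domain, and derives the self-connect allow rule such a denial asks for. The rule shape is an assumption; only the commit subject "Allow modemmanager to connectto itself" is on the page.

```python
import re

# Constructed copy of the AVC record quoted in this bug. auditd hex-encodes a
# path with non-printable bytes; "@qmi-proxy" (NUL-prefixed) becomes 00716D...
SAMPLE_AVC = (
    'type=AVC msg=audit(1414151799.918:3443): avc: denied { connectto } '
    'for pid=1020 comm="ModemManager" path=00716D692D70726F7879 '
    'scontext=system_u:system_r:modemmanager_t:s0 '
    'tcontext=system_u:system_r:modemmanager_t:s0 '
    'tclass=unix_stream_socket permissive=1'
)

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*)\}')

def decode_audit_path(value):
    """Quoted values are plain; hex values are decoded and a leading NUL
    (abstract socket) is rendered as '@', the way sealert shows it."""
    if value.startswith('"'):
        return value.strip('"')
    raw = bytes.fromhex(value)
    if raw.startswith(b'\x00'):
        return '@' + raw[1:].decode('utf-8', 'replace')
    return raw.decode('utf-8', 'replace')

def parse_avc(line):
    """Split one type=AVC record into the fields a policy writer needs;
    source/target hold the SELinux type (third field of the context)."""
    m = PERMS_RE.search(line)
    if m is None:
        raise ValueError('not an AVC record')
    fields = dict(FIELD_RE.findall(line))
    return {
        'perms': m.group(2).split(),
        'comm': fields['comm'].strip('"'),
        'path': decode_audit_path(fields['path']),
        'source': fields['scontext'].split(':')[2],
        'target': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
        'permissive': fields.get('permissive') == '1',
    }

def suggested_rule(avc):
    """Minimal allow rule the denial asks for; 'self' when the domain talks
    to itself, as here. Assumed rule shape, not the upstream commit's text."""
    target = 'self' if avc['source'] == avc['target'] else avc['target']
    return 'allow %s %s:%s { %s };' % (
        avc['source'], target, avc['tclass'], ' '.join(avc['perms']))
```

Run against the quoted record, `suggested_rule(parse_avc(SAMPLE_AVC))` yields `allow modemmanager_t self:unix_stream_socket { connectto };`, the same shape audit2allow would emit for the workaround in the sealert text.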