Bug 1676810

Summary: Selinux prevents ModemManager when writing /sys
Product: Red Hat Enterprise Linux 7
Reporter: Akhil John <ajohn>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: urgent
Docs Contact:
Priority: urgent
Version: 7.6
CC: bgalvani, fkrska, lcervako, lrintel, lvrabec, mmalik, plautrba, ssekidde, sukulkar, thaller, vmojzis, zpytela
Target Milestone: rc
Keywords: AutoVerified, Bugfix, SELinux, ZStream
Target Release: 7.6
Flags: lcervako: mirror+
Hardware: All
OS: Linux
Clone Of:
: 1697868 (view as bug list) Environment:
Last Closed: 2019-08-06 12:52:54 UTC Type: Bug
Bug Blocks: 1697868    

Description Akhil John 2019-02-13 09:48:50 UTC
SELinux is preventing /usr/sbin/ModemManager from write access on the file raw_ip.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that ModemManager should be allowed write access on the raw_ip file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'ModemManager' --raw | audit2allow -M my-ModemManager
# semodule -i my-ModemManager.pp


Additional Information:
Source Context                system_u:system_r:modemmanager_t:s0
Target Context                system_u:object_r:sysfs_t:s0
Target Objects                raw_ip [ file ]
Source                        ModemManager
Source Path                   /usr/sbin/ModemManager
Port                          <Unknown>
Host                          Ajohn.pnq.csb
Source RPM Packages           ModemManager-1.6.10-1.2.el7_6.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-229.el7_6.6.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     Ajohn.pnq.csb
Platform                      Linux Ajohn.pnq.csb 3.10.0-1002.el7.bz1630402.10.x86_64 #1 SMP Tue Feb 12 13:48:41 UTC 2019 x86_64 x86_64
Alert Count                   14
First Seen                    2019-02-12 20:17:16 IST
Last Seen                     2019-02-13 12:57:49 IST
Local ID                      b4ce7555-f3dd-47bf-99ab-6677b6073c0d

Raw Audit Messages
type=AVC msg=audit(1550042869.23:7403): avc:  denied  { write } for  pid=3806 comm="ModemManager" name="raw_ip" dev="sysfs" ino=24577 scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1

type=SYSCALL msg=audit(1550042869.23:7403): arch=x86_64 syscall=open success=yes exit=EAGAIN a0=5624b89fd130 a1=241 a2=1b6 a3=24 items=0 ppid=1 pid=3806 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=ModemManager exe=/usr/sbin/ModemManager subj=system_u:system_r:modemmanager_t:s0 key=(null)

Hash: ModemManager,modemmanager_t,sysfs_t,file,write

This is the patch to backport:
https://github.com/fedora-selinux/selinux-policy-contrib/commit/3ffb29c57d3b9496f46cd18f6843a7078f36e1d1
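
An added example, not part of the original report, setroubleshoot or the linked patch: it parses raw AVC records like the one in the description, groups them by the same fields as the report's "Hash:" line, and shows the allow rule a local module would need for each group. The second and third log lines, the function names and the comma-joined key for multi-permission denials are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample: the AVC record from this report on one line, a repeat of it
# with a made-up timestamp, and a made-up enforced denial for an unrelated domain.
SAMPLE_LOG = """\
type=AVC msg=audit(1550042869.23:7403): avc:  denied  { write } for  pid=3806 comm="ModemManager" name="raw_ip" dev="sysfs" ino=24577 scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1550042870.11:7410): avc:  denied  { write } for  pid=3806 comm="ModemManager" name="raw_ip" dev="sysfs" ino=24577 scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1550042871.40:7412): avc:  denied  { read open } for  pid=4100 comm="example" name="conf" dev="dm-0" ino=99 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one AVC denial record, or None for any other record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    fields["perms"] = m.group("perms").split()
    # A context is user:role:type:level; the type is always the third field.
    fields["stype"] = fields["scontext"].split(":")[2]
    fields["ttype"] = fields["tcontext"].split(":")[2]
    # permissive=1 means the access was logged but still allowed.
    fields["enforced"] = fields.get("permissive", "0") == "0"
    return fields

def denial_key(f):
    # Same shape as the report's "Hash:" line: comm, source type, target type, class, perms.
    return ",".join([f["comm"], f["stype"], f["ttype"], f["tclass"], ",".join(f["perms"])])

def summarize(log):
    """Return (key, count, allow rule, enforced) per distinct denial, in first-seen order."""
    counts, rules, enforced = Counter(), {}, {}
    for line in log.splitlines():
        f = parse_avc(line)
        if f is None:
            continue
        key = denial_key(f)
        counts[key] += 1
        perms = f["perms"][0] if len(f["perms"]) == 1 else "{ " + " ".join(f["perms"]) + " }"
        rules[key] = f"allow {f['stype']} {f['ttype']}:{f['tclass']} {perms};"
        enforced[key] = f["enforced"]
    return [(k, counts[k], rules[k], enforced[k]) for k in counts]

if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row)
```

The rule derived for this report is keyed on the target type, so it covers write access to every file labeled sysfs_t, not only raw_ip; that scope is worth reviewing before loading a locally generated module.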

Comment 2 Milos Malik 2019-03-22 16:27:16 UTC
Based on comment#0, the SELinux denial appeared on RHEL-7.6, but the bug is reported against RHEL-8. Is the mismatch intentional?

Comment 3 Akhil John 2019-03-22 19:56:46 UTC
Hi Milos,

That was not intentional. RHEL 8 was added by mistake.

Comment 29 errata-xmlrpc 2019-08-06 12:52:54 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2127