Bug 1794958
| Summary: | SELinux is preventing ModemManager from using the 'setsched' accesses on a process. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Matt Fagnani <matt.fagnani> |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
| Status: | CLOSED DUPLICATE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | rawhide | CC: | dwalsh, grepl.miroslav, lvrabec, plautrba, robatino, rxguy, vmojzis, zpytela |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Unspecified | ||
| Whiteboard: | abrt_hash:d51ee0da79cf256f3eda3ca844987d37649913edd7cfe7d765280c796c0f9560; | ||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2020-01-28 08:53:33 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
sudo coredumpctl gdb showed that the ModemManager crashes involved errors like "Failed to set scheduler settings: Permission denied" in frame 1 at ../glib/gmessages.c:3123 in glib2-2.63.4-1.fc32.x86_64 and in frame 3. Those errors might be due to the setsched denials
Core was generated by `/usr/sbin/ModemManager'.
ModemManager-1.10.8-1.fc32.x86_64
Program terminated with signal SIGTRAP, Trace/breakpoint trap.
#0 _g_log_abort (breakpoint=1) at ../glib/gmessages.c:554
554 G_BREAKPOINT ();
[Current thread is 1 (Thread 0x7f7affb0f700 (LWP 944))]
(gdb) bt
#0 _g_log_abort (breakpoint=1) at ../glib/gmessages.c:554
#1 0x00007f7b009b1e89 in g_log_default_handler
(log_domain=log_domain@entry=0x7f7b009f900e "GLib", log_level=log_level@entry=6, message=message@entry=0x7f7af0001b90 "Failed to set scheduler settings: Permission denied", unused_data=unused_data@entry=0x0) at ../glib/gmessages.c:3123
#2 0x00007f7b009b20bb in g_logv
(log_domain=0x7f7b009f900e "GLib", log_level=G_LOG_LEVEL_ERROR, format=<optimized out>, args=args@entry=0x7f7affb0ec90) at ../glib/gmessages.c:1350
#3 0x00007f7b009b22a3 in g_log
(log_domain=log_domain@entry=0x7f7b009f900e "GLib", log_level=log_level@entry=G_LOG_LEVEL_ERROR, format=format@entry=0x7f7b00a5ee70 "Failed to set scheduler settings: %s") at ../glib/gmessages.c:1415
#4 0x00007f7b009f752b in linux_pthread_proxy (data=0x55e6a392c060) at ../glib/gthread-posix.c:1238
#5 0x00007f7b0093a432 in start_thread (arg=<optimized out>) at pthread_create.c:477
#6 0x00007f7b00862873 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
I reported the ModemManager crashes with abrt at https://bugzilla.redhat.com/show_bug.cgi?id=1794964
I downgraded to glib2-2.63.3-1.fc32 from koji. No denials or crashes involving ModemManager, accounts-daemon, colord happened on the next 2 boots with glib2-2.63.3-1. I upgraded to glib2-2.63.4-1.fc32, and the denials and crashes started again on the next boot. The accounts-daemon and colord crashes also had the error "Failed to set scheduler settings: Permission denied" in g_logv at ../glib/gmessages.c:1350 in glib2-2.63.4-1. The error message seems to start from frame 4 in linux_pthread_proxy at ../glib/gthread-posix.c:1238 in all the crashes which I reported in more detail at https://bugzilla.redhat.com/show_bug.cgi?id=1794964 This section appears to have been added in the commit 8aeca4fa "GThreadPool - Don't inherit thread priorities when creating new threads" included in glib 2.63.4 at https://gitlab.gnome.org/GNOME/glib/commit/8aeca4fa647bfd0f35c4a86b1e6ca6e955519ca5#note_686823 I ran setroubleshoot GUI's suggestions to allow the accesses sudo ausearch -c 'ModemManager' --raw | audit2allow -M my-ModemManager sudo semodule -X 300 -i my-ModemManager.pp sudo ausearch -c 'accounts-daemon' --raw | audit2allow -M my-accountsdaemon sudo semodule -X 300 -i my-accountsdaemon.pp sudo ausearch -c 'colord' --raw | audit2allow -M my-colord sudo semodule -X 300 -i my-colord.pp No denials or crashes happened when booting after running those commands which added the following rules in the local policy modules. allow modemmanager_t self:process setsched; allow accountsd_t self:capability sys_nice; allow accountsd_t self:process setsched; allow colord_t self:process setsched; I reported the accounts-daemon and colord denials in more detail at https://bugzilla.redhat.com/show_bug.cgi?id=1794959 and https://bugzilla.redhat.com/show_bug.cgi?id=1794961 I'm getting this as well. dmesg shows: traps: ModemManager[101330] trap int3 ip:7fe08f63fe05 sp:7fe08e7e5b40 error:0 in libglib-2.0.so.0.6304.0[7fe08f604000+84000] *** This bug has been marked as a duplicate of bug 1795524 *** |
Description of problem: I ran sudo dnf upgrade --refresh on the Rawhide KDE Plasma spin on 2020-1-25. The upgrade included about ~300 rpms including glib2-2.63.4-1.fc32.x86_64, gcc-10.0.1-0.5.fc32.x86_64, sssd-2.2.2-5.fc32.x86_64, annobin-9.01-2.fc32.x86_64, binutils-2.33.1-12.fc32.x86_64, colord-1.4.4-3.fc32.x86_64, elfutils-0.178-8.fc32.x86_64. I rebooted. The plymouth output showed lines like Failed to start ModemManager Failed to start Accounts Service The journal and audit logs had denials of ModemManager using setsched on a process with modemmanager_t possibly itself repeated many times. ModemManager restarted and was sent the trap signal. ModemManager crashed 9 times in total. There were also denials of accounts-daemon using setsched and sysnice followed by accounts-daemon getting the trap signal and crashing once. colord was denied setsched and crashed with the trap signal also. So the denials might be due to a change in a package that ModemManager, accounts-daemon, and colord were all using. glib2-2.63.4-1.fc32.x86_64 is in the traces of the crashing threads of each of them so glib might be involved. I'll submit the other denials and crashes separately and put the links here. The same denials and crashes happened on 2 consecutive boots. SELinux is preventing ModemManager from using the 'setsched' accesses on a process. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that ModemManager should be allowed setsched access on processes labeled modemmanager_t by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'ModemManager' --raw | audit2allow -M my-ModemManager # semodule -X 300 -i my-ModemManager.pp Additional Information: Source Context system_u:system_r:modemmanager_t:s0 Target Context system_u:system_r:modemmanager_t:s0 Target Objects Unknown [ process ] Source ModemManager Source Path ModemManager Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.14.5-20.fc32.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 5.5.0-0.rc6.git3.1.fc32.x86_64 #1 SMP Fri Jan 17 18:29:51 UTC 2020 x86_64 x86_64 Alert Count 28 First Seen 2020-01-25 14:29:52 EST Last Seen 2020-01-25 14:59:42 EST Local ID 7d4d2cff-d364-47e3-8e6c-546d603bd988 Raw Audit Messages type=AVC msg=audit(1579982382.0:371): avc: denied { setsched } for pid=2193 comm="ModemManager" scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:system_r:modemmanager_t:s0 tclass=process permissive=0 Hash: ModemManager,modemmanager_t,modemmanager_t,process,setsched Version-Release number of selected component: selinux-policy-3.14.5-20.fc32.noarch Additional info: component: selinux-policy reporter: libreport-2.11.3 hashmarkername: setroubleshoot kernel: 5.5.0-0.rc6.git3.1.fc32.x86_64 type: libreport