Bug 1996903
| Summary: | SELinux is preventing ModemManager from create access on the qipcrtr_socket labeled modemmanager_t. | |||
|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Adam Williamson <awilliam> | |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> | |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | |
| Severity: | medium | Docs Contact: | ||
| Priority: | medium | |||
| Version: | 35 | CC: | dwalsh, grepl.miroslav, kparal, lvrabec, mikhail.v.gavrilov, mmalik, omosnace, red, vmojzis, zpytela | |
| Target Milestone: | --- | Keywords: | Triaged | |
| Target Release: | --- | |||
| Hardware: | All | |||
| OS: | Linux | |||
| Whiteboard: | ||||
| Fixed In Version: | selinux-policy-34.19-2.fc35 | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 2036582 (view as bug list) | Environment: | ||
| Last Closed: | 2021-09-24 20:20:53 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
There's also a denial for `getopt` which is otherwise similar:
Additional Information:
Source Context system_u:system_r:modemmanager_t:s0
Target Context system_u:system_r:modemmanager_t:s0
Target Objects Unknown [ qipcrtr_socket ]
Source ModemManager
Source Path ModemManager
Port <Unknown>
Host <Unknown>
Source RPM Packages
Target RPM Packages
SELinux Policy RPM selinux-policy-targeted-34.16-1.fc35.noarch
Local Policy RPM selinux-policy-targeted-34.16-1.fc35.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name fedora
Platform Linux fedora 5.14.0-0.rc6.46.fc35.x86_64 #1 SMP
Mon Aug 16 20:02:52 UTC 2021 x86_64 x86_64
Alert Count 1
First Seen 2021-08-23 16:05:50 PDT
Last Seen 2021-08-23 16:05:50 PDT
Local ID bd3abac2-db79-4f77-972d-fdb342ec173a
Raw Audit Messages
type=AVC msg=audit(1629759950.336:165): avc: denied { getopt } for pid=769 comm="ModemManager" scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:system_r:modemmanager_t:s0 tclass=qipcrtr_socket permissive=1
Hash: ModemManager,modemmanager_t,modemmanager_t,qipcrtr_socket,getopt
...and `getattr`. Following SELinux denials appear in permissive mode:
----
type=PROCTITLE msg=audit(09/07/2021 15:34:20.937:355) : proctitle=/usr/sbin/ModemManager
type=SYSCALL msg=audit(09/07/2021 15:34:20.937:355) : arch=x86_64 syscall=socket success=yes exit=9 a0=qipcrtr a1=SOCK_DGRAM a2=ip a3=0x10 items=0 ppid=1 pid=3067 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ModemManager exe=/usr/sbin/ModemManager subj=system_u:system_r:modemmanager_t:s0 key=(null)
type=AVC msg=audit(09/07/2021 15:34:20.937:355) : avc: denied { module_request } for pid=3067 comm=ModemManager kmod="net-pf-42" scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=1
type=AVC msg=audit(09/07/2021 15:34:20.937:355) : avc: denied { create } for pid=3067 comm=ModemManager scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:system_r:modemmanager_t:s0 tclass=qipcrtr_socket permissive=1
----
type=PROCTITLE msg=audit(09/07/2021 15:34:20.956:356) : proctitle=/usr/sbin/ModemManager
type=SYSCALL msg=audit(09/07/2021 15:34:20.956:356) : arch=x86_64 syscall=getsockopt success=yes exit=0 a0=0x9 a1=SOL_SOCKET a2=SO_TYPE a3=0x7fff32a58a64 items=0 ppid=1 pid=3067 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ModemManager exe=/usr/sbin/ModemManager subj=system_u:system_r:modemmanager_t:s0 key=(null)
type=AVC msg=audit(09/07/2021 15:34:20.956:356) : avc: denied { getopt } for pid=3067 comm=ModemManager scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:system_r:modemmanager_t:s0 tclass=qipcrtr_socket permissive=1
----
type=PROCTITLE msg=audit(09/07/2021 15:34:20.956:357) : proctitle=/usr/sbin/ModemManager
type=SOCKADDR msg=audit(09/07/2021 15:34:20.956:357) : saddr={ saddr_fam=qipcrtr (unsupported) }
type=SYSCALL msg=audit(09/07/2021 15:34:20.956:357) : arch=x86_64 syscall=getsockname success=yes exit=0 a0=0x9 a1=0x7fff32a58a70 a2=0x7fff32a58a60 a3=0x7fff32a58a64 items=0 ppid=1 pid=3067 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ModemManager exe=/usr/sbin/ModemManager subj=system_u:system_r:modemmanager_t:s0 key=(null)
type=AVC msg=audit(09/07/2021 15:34:20.956:357) : avc: denied { getattr } for pid=3067 comm=ModemManager scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:system_r:modemmanager_t:s0 tclass=qipcrtr_socket permissive=1
----
# rpm -qa selinux\* Modem\* | sort
ModemManager-1.17.900-1.fc35.x86_64
ModemManager-glib-1.17.900-1.fc35.x86_64
selinux-policy-34.16-1.fc35.noarch
selinux-policy-targeted-34.16-1.fc35.noarch
#
*** Bug 2001141 has been marked as a duplicate of this bug. *** *** Bug 2001143 has been marked as a duplicate of this bug. *** *** Bug 2001144 has been marked as a duplicate of this bug. *** *** Bug 2001145 has been marked as a duplicate of this bug. *** *** Bug 2002580 has been marked as a duplicate of this bug. *** Similar problem has been detected: First boot - Immediately after a clean install. hashmarkername: setroubleshoot kernel: 5.14.0-60.fc35.x86_64 package: selinux-policy-targeted-34.16-1.fc35.noarch reason: SELinux is preventing ModemManager from 'create' accesses on the qipcrtr_socket Sconosciuto. type: libreport FEDORA-2021-bcef06e629 has been submitted as an update to Fedora 35. https://bodhi.fedoraproject.org/updates/FEDORA-2021-bcef06e629 FEDORA-2021-bcef06e629 has been pushed to the Fedora 35 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-bcef06e629` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-bcef06e629 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. FEDORA-2021-bcef06e629 has been pushed to the Fedora 35 stable repository. If problem still persists, please make note of it in this bug report. |
Additional Information: Source Context system_u:system_r:modemmanager_t:s0 Target Context system_u:system_r:modemmanager_t:s0 Target Objects Unknown [ qipcrtr_socket ] Source ModemManager Source Path ModemManager Port <Unknown> Host <Unknown> Source RPM Packages Target RPM Packages SELinux Policy RPM selinux-policy-targeted-34.16-1.fc35.noarch Local Policy RPM selinux-policy-targeted-34.16-1.fc35.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name fedora Platform Linux fedora 5.14.0-0.rc6.46.fc35.x86_64 #1 SMP Mon Aug 16 20:02:52 UTC 2021 x86_64 x86_64 Alert Count 2 First Seen 2021-08-23 16:03:55 PDT Last Seen 2021-08-23 16:05:50 PDT Local ID da9e859d-2b6f-4546-a2d7-c224c0810954 Raw Audit Messages type=AVC msg=audit(1629759950.322:163): avc: denied { create } for pid=769 comm="ModemManager" scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:system_r:modemmanager_t:s0 tclass=qipcrtr_socket permissive=1 Hash: ModemManager,modemmanager_t,modemmanager_t,qipcrtr_socket,create Appears on first boot of a freshly installed Fedora 35 Workstation VM. Reporting manually as sealert/setroubleshoot seem to be broken and show no alerts. Booted with permissive to get system to boot and show all alerts (without permissive, it doesn't make it to gnome-initial-setup).