Bug 2149560
| Summary: | Cannot start cellular connection when SELinux is in Enforcing | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 9 | Reporter: | Renaud Métrich <rmetrich> |
| Component: | selinux-policy | Assignee: | Nikola Knazekova <nknazeko> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | high | Docs Contact: | |
| Priority: | low | | |
| Version: | 9.1 | CC: | fpokryvk, lrintel, lvrabec, mmalik, sfaye, sukulkar, till, zpytela |
| Target Milestone: | rc | Keywords: | Triaged |
| Target Release: | --- | Flags: | pm-rhel: mirror+ |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | selinux-policy-38.1.6-1.el9 | Doc Type: | No Doc Update |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2023-05-09 08:17:04 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Comment 4 (Lubomir Rintel):

Seems to be already fixed in rhel-9.2.0:

```text
commit fed7d75df41b9c18a60c1d8af21497dcf3878615
Author: Zdenek Pytela <zpytela>
Date:   Thu Sep 30 08:27:12 2021 +0200

    Allow ModemManager create and use netlink route socket

    Resolves: rhbz#2008755
```

Comment 5 (Zdenek Pytela):

(In reply to Lubomir Rintel from comment #4)
> Seems to be already fixed in rhel-9.2.0:

It is not, as it does not cover nlmsg_write; a PR to add it to selinux-policy is on the way, so it will probably be added in the next build.

> Before transferring this to SELinux component, please take the time to run your QA suite in Enforcing mode and collect all related AVCs.

Anyway I'd like you not to miss this request/inquiry: Do you test new features or code changes with SELinux enforcing?

Lubomir Rintel (in reply to comment #5):

(In reply to Zdenek Pytela from comment #5)
> (In reply to Lubomir Rintel from comment #4)
> > Seems to be already fixed in rhel-9.2.0:
> It is not, as it does not cover nlmsg_write; a PR to add it to selinux-policy
> is on the way, so it will probably be added in the next build.

Ah, cool. Thanks!

> > Before transferring this to SELinux component, please take the time to run your QA suite in Enforcing mode and collect all related AVCs.
> Anyway I'd like you not to miss this request/inquiry: Do you test new
> features or code changes with SELinux enforcing?

I *think* so, but I'm NEEDINFO-ing Filip who'll know for sure. I did not see any AVCs with selinux-policy-38.1.3-1.el9, but the tests with USB modems are unstable, so maybe it did not even get to use those functions.

Closing comment:

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2483
Description of problem:

A customer reported that he cannot initiate any cellular connection using his Sierra MC7304 device [1] when SELinux is in Enforcing. It appears that multiple AVCs pop up.

AVCs on the Netlink socket getting created:

```text
type=PROCTITLE ... : proctitle=/usr/sbin/ModemManager
type=SYSCALL ... : arch=x86_64 syscall=socket success=yes exit=11 a0=netlink a1=SOCK_DGRAM a2=ip a3=0x0 items=0 ppid=1 pid=962 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ModemManager exe=/usr/sbin/ModemManager subj=system_u:system_r:modemmanager_t:s0 key=(null)
type=AVC ... : avc: denied { create } for pid=962 comm=ModemManager scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:system_r:modemmanager_t:s0 tclass=netlink_route_socket permissive=1
----
type=PROCTITLE ... : proctitle=/usr/sbin/ModemManager
type=SYSCALL ... : arch=x86_64 syscall=getsockopt success=yes exit=0 a0=0xb a1=SOL_SOCKET a2=SO_TYPE a3=0x7fffa20bcf74 items=0 ppid=1 pid=962 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ModemManager exe=/usr/sbin/ModemManager subj=system_u:system_r:modemmanager_t:s0 key=(null)
type=AVC ... : avc: denied { getopt } for pid=962 comm=ModemManager scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:system_r:modemmanager_t:s0 tclass=netlink_route_socket permissive=1
----
type=PROCTITLE ... : proctitle=/usr/sbin/ModemManager
type=SOCKADDR ... : saddr={ fam=netlink nlnk-fam=16 nlnk-pid=0 }
type=SYSCALL ... : arch=x86_64 syscall=getsockname success=yes exit=0 a0=0xb a1=0x7fffa20bcf80 a2=0x7fffa20bcf70 a3=0x7fffa20bcf74 items=0 ppid=1 pid=962 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ModemManager exe=/usr/sbin/ModemManager subj=system_u:system_r:modemmanager_t:s0 key=(null)
type=AVC ... : avc: denied { getattr } for pid=962 comm=ModemManager scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:system_r:modemmanager_t:s0 tclass=netlink_route_socket permissive=1
----
type=PROCTITLE ... : proctitle=/usr/sbin/ModemManager
type=SYSCALL ... : arch=x86_64 syscall=sendto success=yes exit=40 a0=0xb a1=0x55725ee9df00 a2=0x28 a3=MSG_NOSIGNAL items=0 ppid=1 pid=962 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ModemManager exe=/usr/sbin/ModemManager subj=system_u:system_r:modemmanager_t:s0 key=(null)
type=AVC ... : avc: denied { nlmsg_write } for pid=962 comm=ModemManager scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:system_r:modemmanager_t:s0 tclass=netlink_route_socket permissive=1
```

Related source code (line 380):

```c
374 static gboolean
375 setup_netlink_socket (MMNetlink  *self,
376                       GError    **error)
377 {
378     gint socket_fd;
379
380     socket_fd = socket (AF_NETLINK, SOCK_DGRAM, NETLINK_ROUTE);
381     if (socket_fd < 0) {
382         g_set_error (error, MM_CORE_ERROR, MM_CORE_ERROR_FAILED,
383                      "Failed to create netlink socket");
384         return FALSE;
385     }
    :
```

AVCs when configuring the interface:

```text
type=PROCTITLE ... : proctitle=/usr/sbin/ModemManager
type=PATH ... : item=1 name=/sys/class/net/wwp0s20u3i10/qmi/pass_through inode=23879 dev=00:15 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysfs_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH ... : item=0 name=/sys/class/net/wwp0s20u3i10/qmi/ inode=23875 dev=00:15 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysfs_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD ... : cwd=/
type=SYSCALL ... : arch=x86_64 syscall=openat success=yes exit=12 a0=0xffffff9c a1=0x55725ee9dcb0 a2=O_WRONLY|O_CREAT|O_TRUNC a3=0x1b6 items=2 ppid=1 pid=962 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ModemManager exe=/usr/sbin/ModemManager subj=system_u:system_r:modemmanager_t:s0 key=(null)
type=AVC ... : avc: denied { create } for pid=962 comm=ModemManager name=pass_through scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
type=AVC ... : avc: denied { add_name } for pid=962 comm=ModemManager name=pass_through scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=1
type=AVC ... : avc: denied { write } for pid=962 comm=ModemManager name=qmi dev="sysfs" ino=23875 scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=1
```

Related source code (line 829, line 605), in *libqmi*, not *ModemManager* itself:

```c
792 static gchar *
793 build_pass_through_sysfs_path (QmiDevice *self)
794 {
795     return g_strdup_printf ("/sys/class/net/%s/qmi/pass_through", self->priv->wwan_iface);
796 }

846 static QmiDeviceExpectedDataFormat
847 common_get_set_expected_data_format (QmiDevice                    *self,
848                                      QmiDeviceExpectedDataFormat   requested,
849                                      GError                      **error)
850 {
    :
873     pass_through = build_pass_through_sysfs_path (self);
874
875     /* Set operation? */
876     if (!readonly && !set_expected_data_format (self, raw_ip, pass_through, requested, error))
877         return QMI_DEVICE_EXPECTED_DATA_FORMAT_UNKNOWN;
    :

821 static gboolean
822 set_expected_data_format (QmiDevice                   *self,
823                           const gchar                 *raw_ip_sysfs_path,
824                           const gchar                 *pass_through_sysfs_path,
825                           QmiDeviceExpectedDataFormat  requested,
826                           GError                     **error)
827 {
    :
828     if (requested == QMI_DEVICE_EXPECTED_DATA_FORMAT_802_3) {
829         qmi_helpers_write_sysfs_file (pass_through_sysfs_path, "N", NULL);
830         return qmi_helpers_write_sysfs_file (raw_ip_sysfs_path, "N", error);
831     }
    :

596 gboolean
597 qmi_helpers_write_sysfs_file (const gchar  *sysfs_path,
598                               const gchar  *value,
599                               GError      **error)
600 {
    :
605     if (!(f = fopen (sysfs_path, "w"))) {
    :
```

Before transferring this to SELinux component, please take the time to run your QA suite in Enforcing mode and collect all related AVCs.

[1] https://source.sierrawireless.com/devices/mc-series/mc7304/

Version-Release number of selected component (if applicable):
ModemManager-1.18.2-3.el9.x86_64
libqmi-1.30.2-2.el9.x86_64

How reproducible:
Always on customer system, cannot reproduce internally due to lack of hardware

Steps to Reproduce:
1. Start ModemManager

Actual results:
AVCs, modem not working

Expected results:
No AVCs, modem initiating connection
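The denials quoted in the description, and the follow-up in comment 5 that the 2021 commit still leaves nlmsg_write uncovered, are both the kind of thing a policy maintainer works out by folding AVC lines into (source type, target type, class) tuples and comparing the permissions they need with what the policy grants. The script below is an added example that does exactly that; it is not code from the bug report, from selinux-policy, from ModemManager or from libqmi. Its audit lines are constructed from the denials in the report (the msg=audit timestamps and serials are made up), and the ASSUMED_GRANTED table is an assumption for illustration, not a transcript of any real policy build.

```python
"""Triage SELinux AVC denials from an audit log: parse each denial, fold the
denials into (source type, target type, object class) tuples and render the
allow rules that would cover them (what audit2allow does), then diff that
against what a policy already grants.  Added example; not code from the bug
report, selinux-policy, ModemManager or libqmi."""
import re
from collections import defaultdict

# Constructed sample, built from the denials quoted in the report.  The
# msg=audit(...) timestamps/serials are made up; the first line is a SYSCALL
# record, included to show that non-AVC records are skipped.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1667900000.101:301): arch=c000003e syscall=41 success=yes exit=11 ppid=1 pid=962 comm="ModemManager" exe="/usr/sbin/ModemManager" subj=system_u:system_r:modemmanager_t:s0 key=(null)
type=AVC msg=audit(1667900000.101:301): avc:  denied  { create } for  pid=962 comm="ModemManager" scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:system_r:modemmanager_t:s0 tclass=netlink_route_socket permissive=1
type=AVC msg=audit(1667900000.102:302): avc:  denied  { getopt } for  pid=962 comm="ModemManager" scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:system_r:modemmanager_t:s0 tclass=netlink_route_socket permissive=1
type=AVC msg=audit(1667900000.103:303): avc:  denied  { getattr } for  pid=962 comm="ModemManager" scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:system_r:modemmanager_t:s0 tclass=netlink_route_socket permissive=1
type=AVC msg=audit(1667900000.104:304): avc:  denied  { nlmsg_write } for  pid=962 comm="ModemManager" scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:system_r:modemmanager_t:s0 tclass=netlink_route_socket permissive=1
type=AVC msg=audit(1667900000.105:305): avc:  denied  { create } for  pid=962 comm="ModemManager" name="pass_through" scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1667900000.105:305): avc:  denied  { add_name } for  pid=962 comm="ModemManager" name="pass_through" scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1667900000.105:305): avc:  denied  { write } for  pid=962 comm="ModemManager" name="qmi" dev="sysfs" ino=23875 scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=1
"""

# Fields every denial carries.  Per-class fields such as name=/dev=/ino=
# sit between "for" and "scontext=" and are skipped by the lazy .*? match.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?scontext=(?P<scontext>\S+)"
    r"\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)


def parse_avc(line):
    """Return the denial fields of one audit line, or None for non-AVC records."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {
        "perms": set(m.group("perms").split()),
        "scontext": m.group("scontext"),
        "tcontext": m.group("tcontext"),
        "tclass": m.group("tclass"),
        # permissive=1: the access was logged but still allowed to proceed
        "permissive": m.group("permissive") == "1",
    }


def context_type(ctx):
    """user:role:type[:range] -> type (the MLS range may itself contain ':')."""
    return ctx.split(":")[2]


def summarize(lines):
    """Fold denials into {(source type, target type, class): permissions}."""
    needed = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d is not None:
            key = (context_type(d["scontext"]), context_type(d["tcontext"]), d["tclass"])
            needed[key] |= d["perms"]
    return dict(needed)


def allow_rules(needed):
    """Render the summary as candidate allow rules, audit2allow style."""
    rules = []
    for (src, tgt, cls), perms in sorted(needed.items()):
        target = "self" if src == tgt else tgt
        rules.append(f"allow {src} {target}:{cls} {{ {' '.join(sorted(perms))} }};")
    return rules


def missing_permissions(needed, granted):
    """Permissions the denials need that `granted` (same shape) does not cover."""
    return {k: p - granted.get(k, set()) for k, p in needed.items() if p - granted.get(k, set())}


def captured_in_permissive_mode(lines):
    """True when every denial carries permissive=1.  That matters for triage:
    in enforcing mode the socket() call would fail at the first denial and the
    getopt/getattr/nlmsg_write denials after it would never be reached."""
    parsed = [d for d in map(parse_avc, lines) if d is not None]
    return bool(parsed) and all(d["permissive"] for d in parsed)


# Assumption for illustration only: a policy that allows the netlink socket
# to be created and queried but not written to, the gap comment 5 describes.
ASSUMED_GRANTED = {
    ("modemmanager_t", "modemmanager_t", "netlink_route_socket"): {"create", "getopt", "getattr"},
}

if __name__ == "__main__":
    lines = SAMPLE_AUDIT_LOG.splitlines()
    needed = summarize(lines)
    print("captured in permissive mode:", captured_in_permissive_mode(lines))
    print(*allow_rules(needed), sep="\n")
    for (src, tgt, cls), perms in missing_permissions(needed, ASSUMED_GRANTED).items():
        print(f"still missing for {src} -> {tgt}:{cls}: {' '.join(sorted(perms))}")
```

The rendered rules are candidates for a maintainer to review against the policy's existing interfaces, not something to load as-is: the sysfs denials in particular come from libqmi writing a file under /sys/class/net, and whether that belongs in the ModemManager domain is a policy decision, not a parsing result. The `permissive` check is worth keeping in any such triage script because a denial list captured in enforcing mode is usually truncated at the first failing call.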