Bug 2149946
| Summary: | SELinux is preventing ModemManager from using the 'execmem' accesses on a process. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Patrice ANDRE <mail> |
| Component: | ModemManager | Assignee: | Davide Cavalca <davide> |
| Status: | NEW --- | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 37 | CC: | ahw609, augenauf, dcbw, dev, dwalsh, fedora, kevinleroy, lkundrak, lvrabec, max, me, michael.scheiffler, michal.vesely, mmalik, mrsam, omosnacek, pkoncity, ramonmoraes8080, sanjay.ankur, sbonazzo, scroolik, strasharo2000, vmojzis, vondruch, winq2008, zpytela |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Unspecified | ||
| Whiteboard: | abrt_hash:cc05a8e954c212f834ad04b3e80b872022ce61e9091212242b3941ba56fbaa0d; | ||
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Switching the component for ModemManager maintainers to assess. The execmem permission is required for mapping a memory region as executable which is not common and is possibly insecure so it is disabled by default. coredumpctl dump output from a crashed ModemManager instance after the SELinux deny:
Stack trace of thread 6775:
#0 0x00007f4710cace7c __pthread_kill_implementation (libc.so.6 + 0x8ce7c)
#1 0x00007f4710c5caa6 raise (libc.so.6 + 0x3caa6)
#2 0x00007f4710c467fc abort (libc.so.6 + 0x267fc)
#3 0x00007f4710ca10ae __libc_message (libc.so.6 + 0x810ae)
#4 0x00007f4710cb6bbc malloc_printerr (libc.so.6 + 0x96bbc)
#5 0x00007f4710cb7674 unlink_chunk.constprop.0 (libc.so.6 + 0x97674)
#6 0x00007f4710cba2ad _int_malloc (libc.so.6 + 0x9a2ad)
#7 0x00007f4710cbbbb6 __libc_calloc (libc.so.6 + 0x9bbb6)
#8 0x00007f4710f3f5f1 g_malloc0 (libglib-2.0.so.0 + 0x5f5f1)
#9 0x00007f4710f32ee3 g_source_new (libglib-2.0.so.0 + 0x52ee3)
#10 0x00007f4710f375ad g_timeout_source_new_seconds (libglib-2.0.so.0 + 0x575ad)
#11 0x00007f4710f37604 g_timeout_add_seconds_full (libglib-2.0.so.0 + 0x57604)
#12 0x0000562bcd1dfe60 port_serial_queue_process (ModemManager + 0x136e60)
#13 0x00007f4710f374c8 g_timeout_dispatch (libglib-2.0.so.0 + 0x574c8)
#14 0x00007f4710f36cbf g_main_context_dispatch (libglib-2.0.so.0 + 0x56cbf)
#15 0x00007f4710f8c598 g_main_context_iterate.constprop.0 (libglib-2.0.so.0 + 0xac598)
#16 0x00007f4710f3628f g_main_loop_run (libglib-2.0.so.0 + 0x5628f)
#17 0x0000562bcd1106af main (ModemManager + 0x676af)
#18 0x00007f4710c47510 __libc_start_call_main (libc.so.6 + 0x27510)
#19 0x00007f4710c475c9 __libc_start_main@@GLIBC_2.34 (libc.so.6 + 0x275c9)
#20 0x0000562bcd1108d5 _start (ModemManager + 0x678d5)
Stack trace of thread 6779:
#0 0x00007f4710d2476d syscall (libc.so.6 + 0x10476d)
#1 0x00007f4710f884c4 g_cond_wait_until (libglib-2.0.so.0 + 0xa84c4)
#2 0x00007f4710f06451 g_async_queue_pop_intern_unlocked (libglib-2.0.so.0 + 0x26451)
#3 0x00007f4710f65b4a g_thread_pool_thread_proxy.lto_priv.0 (libglib-2.0.so.0 + 0x85b4a)
#4 0x00007f4710f609c2 g_thread_proxy (libglib-2.0.so.0 + 0x809c2)
#5 0x00007f4710cab14d start_thread (libc.so.6 + 0x8b14d)
#6 0x00007f4710d2ca00 __clone3 (libc.so.6 + 0x10ca00)
Stack trace of thread 6780:
#0 0x00007f4710d1f05f __poll (libc.so.6 + 0xff05f)
#1 0x00007f4710f8c50d g_main_context_iterate.constprop.0 (libglib-2.0.so.0 + 0xac50d)
#2 0x00007f4710f3628f g_main_loop_run (libglib-2.0.so.0 + 0x5628f)
#3 0x00007f471113688a gdbus_shared_thread_func.lto_priv.0 (libgio-2.0.so.0 + 0x11688a)
#4 0x00007f4710f609c2 g_thread_proxy (libglib-2.0.so.0 + 0x809c2)
#5 0x00007f4710cab14d start_thread (libc.so.6 + 0x8b14d)
#6 0x00007f4710d2ca00 __clone3 (libc.so.6 + 0x10ca00)
Stack trace of thread 6776:
#0 0x00007f4710d1f05f __poll (libc.so.6 + 0xff05f)
#1 0x00007f4710f8c50d g_main_context_iterate.constprop.0 (libglib-2.0.so.0 + 0xac50d)
#2 0x00007f4710f33f40 g_main_context_iteration (libglib-2.0.so.0 + 0x53f40)
#3 0x00007f4710f35bd1 glib_worker_main (libglib-2.0.so.0 + 0x55bd1)
#4 0x00007f4710f609c2 g_thread_proxy (libglib-2.0.so.0 + 0x809c2)
#5 0x00007f4710cab14d start_thread (libc.so.6 + 0x8b14d)
#6 0x00007f4710d2ca00 __clone3 (libc.so.6 + 0x10ca00)
Stack trace of thread 6777:
#0 0x00007f4710d2476d syscall (libc.so.6 + 0x10476d)
#1 0x00007f4710f87e83 g_cond_wait (libglib-2.0.so.0 + 0xa7e83)
#2 0x00007f4710f0647b g_async_queue_pop_intern_unlocked (libglib-2.0.so.0 + 0x2647b)
#3 0x00007f4710f6454a g_thread_pool_spawn_thread (libglib-2.0.so.0 + 0x8454a)
#4 0x00007f4710f609c2 g_thread_proxy (libglib-2.0.so.0 + 0x809c2)
#5 0x00007f4710cab14d start_thread (libc.so.6 + 0x8b14d)
#6 0x00007f4710d2ca00 __clone3 (libc.so.6 + 0x10ca00)
ELF object binary architecture: AMD x86-64
That does not look intentional, but more like a corruption issue.
This package has changed maintainer in Fedora. Reassigning to the new maintainer of this component.

This package has changed maintainer in Fedora. Reassigning to the new maintainer of this component.

SELinux is preventing ModemManager from using the 'execmem' accesses on a process.
***** Plugin allow_execmem (91.4 confidence) suggests *********************
If this issue occurred during normal system operation.
Then this alert could be a serious issue and your system could be compromised.
Do
contact your security administrator and report this issue
Additional Information:
Source Context system_u:system_r:modemmanager_t:s0
Target Context system_u:system_r:modemmanager_t:s0
Target Objects Unknown [ process ]
Source ModemManager
Source Path ModemManager
Port <Unbekannt>
Host (removed)
Source RPM Packages
Target RPM Packages
SELinux Policy RPM selinux-policy-targeted-37.19-1.fc37.noarch
Local Policy RPM selinux-policy-targeted-37.19-1.fc37.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name (removed)
Platform Linux (removed) 6.2.2-300.fc37.x86_64 #1 SMP
PREEMPT_DYNAMIC Fri Mar 3 16:25:21 UTC 2023 x86_64
x86_64
Last Seen 2023-03-15 14:27:20 CET
Raw Audit Messages
type=AVC msg=audit(1678886840.661:228): avc: denied { execmem } for pid=1667 comm="ModemManager" scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:system_r:modemmanager_t:s0 tclass=process permissive=0
Hash: ModemManager,modemmanager_t,modemmanager_t,process,execmem
*** Bug 2183550 has been marked as a duplicate of this bug. ***
*** Bug 2179635 has been marked as a duplicate of this bug. ***
*** Bug 2184734 has been marked as a duplicate of this bug. ***
*** Bug 2186965 has been marked as a duplicate of this bug. ***
*** Bug 2187199 has been marked as a duplicate of this bug. ***
*** Bug 2188486 has been marked as a duplicate of this bug. ***
*** Bug 2188614 has been marked as a duplicate of this bug. ***
*** Bug 2189347 has been marked as a duplicate of this bug. ***
*** Bug 2188859 has been marked as a duplicate of this bug. ***
*** Bug 2195846 has been marked as a duplicate of this bug. ***
*** Bug 2196114 has been marked as a duplicate of this bug. ***
*** Bug 2196331 has been marked as a duplicate of this bug. ***
*** Bug 2208208 has been marked as a duplicate of this bug. ***
*** Bug 2210328 has been marked as a duplicate of this bug. ***
*** Bug 2210523 has been marked as a duplicate of this bug. ***
*** Bug 2211646 has been marked as a duplicate of this bug. ***
*** Bug 2225082 has been marked as a duplicate of this bug. ***
*** Bug 2228059 has been marked as a duplicate of this bug. ***
Description of problem:
On the KDE Plasma session opening, I get chaining notifications from SELinux:

SELinux is preventing ModemManager from using the execmem access on a process.

***** Plugin allow_execmem (91.4 confidence) suggests *********************
If this issue occurred during normal system operation.
Then this alert could be a serious issue and your system could be compromised.
Do
contact your security administrator and report this issue

***** Plugin catchall (9.59 confidence) suggests **************************
If you believe that ModemManager should be allowed execmem access on processes labeled modemmanager_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'ModemManager' --raw | audit2allow -M my-ModemManager
# semodule -X 300 -i my-ModemManager.pp

Additional Information:
Source Context system_u:system_r:modemmanager_t:s0
Target Context system_u:system_r:modemmanager_t:s0
Target Objects Unknown [ process ]
Source ModemManager
Source Path ModemManager
Port <Unknown>
Host fedora.home
Source RPM Packages
Target RPM Packages
SELinux Policy RPM selinux-policy-targeted-37.15-1.fc37.noarch
Local Policy RPM selinux-policy-targeted-37.15-1.fc37.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name fedora.home
Platform Linux fedora.home 6.0.10-300.fc37.x86_64 #1 SMP
PREEMPT_DYNAMIC Sat Nov 26 16:55:13 UTC 2022 x86_64
x86_64
Alert Count 73
First Seen 2022-12-01 13:16:25 CET
Last Seen 2022-12-01 13:19:17 CET
Local ID 7aa67b49-87b6-4976-a0b2-4510de85885e

Raw Audit Messages
type=AVC msg=audit(1669897157.91:1336): avc: denied { execmem } for pid=10837 comm="ModemManager" scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:system_r:modemmanager_t:s0 tclass=process permissive=0

Hash: ModemManager,modemmanager_t,modemmanager_t,process,execmem

SELinux is preventing ModemManager from using the 'execmem' accesses on a process.

***** Plugin allow_execmem (91.4 confidence) suggests *********************
If this issue occurred during normal system operation.
Then this alert could be a serious issue and your system could be compromised.
Do
contact your security administrator and report this issue

***** Plugin catchall (9.59 confidence) suggests **************************
If you believe that ModemManager should be allowed execmem access on processes labeled modemmanager_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'ModemManager' --raw | audit2allow -M my-ModemManager
# semodule -X 300 -i my-ModemManager.pp

Additional Information:
Source Context system_u:system_r:modemmanager_t:s0
Target Context system_u:system_r:modemmanager_t:s0
Target Objects Unknown [ process ]
Source ModemManager
Source Path ModemManager
Port <Unknown>
Host (removed)
Source RPM Packages
Target RPM Packages
SELinux Policy RPM selinux-policy-targeted-37.15-1.fc37.noarch
Local Policy RPM selinux-policy-targeted-37.15-1.fc37.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name (removed)
Platform Linux (removed) 6.0.10-300.fc37.x86_64 #1 SMP
PREEMPT_DYNAMIC Sat Nov 26 16:55:13 UTC 2022 x86_64
x86_64
Alert Count 39
First Seen 2022-12-01 13:16:25 CET
Last Seen 2022-12-01 13:17:56 CET
Local ID 7aa67b49-87b6-4976-a0b2-4510de85885e

Raw Audit Messages
type=AVC msg=audit(1669897076.570:860): avc: denied { execmem } for pid=8261 comm="ModemManager" scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:system_r:modemmanager_t:s0 tclass=process permissive=0

Hash: ModemManager,modemmanager_t,modemmanager_t,process,execmem

Version-Release number of selected component:
selinux-policy-targeted-37.15-1.fc37.noarch

Additional info:
component: selinux-policy
reporter: libreport-2.17.4
hashmarkername: setroubleshoot
kernel: 6.0.10-300.fc37.x86_64
type: libreport
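The raw AVC records quoted in this bug are what setroubleshoot's plugins and `audit2allow` both consume, and the point made in the thread is that an `execmem` denial deserves triage before anyone runs `audit2allow` on it. The following Python is an added example (not code from this bug, from ModemManager, or from the setroubleshoot/audit2allow projects) that parses AVC lines into their fields, rebuilds the `comm,source_type,target_type,class,permission` hash shown on the `Hash:` lines above, renders the `allow` rule that `audit2allow` would generate (using `self` when source and target types match), and classifies each record. The `EXEC_MEMORY_PERMS` set and the `triage` labels are choices made for this example; the third log line is constructed, the first two are taken from this bug.

```python
"""Parse raw SELinux AVC audit records and triage them before touching audit2allow.

Added example for this bug report; the helper names below are this example's own.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Permissions that grant writable+executable memory. Chosen for this example:
# a denial of one of these is a "look closer" signal, not just a policy gap.
EXEC_MEMORY_PERMS = {"execmem", "execstack", "execheap", "execmod"}

_HEADER = re.compile(
    r"type=AVC\s+msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s+"
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
# key=value pairs after "for": values are either "quoted" or a bare token
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass
class Avc:
    timestamp: float
    serial: int
    verdict: str
    perms: Tuple[str, ...]
    fields: Dict[str, str]

    def ctx_type(self, which: str) -> str:
        # A context is user:role:type[:level]; index 2 is the SELinux type.
        return self.fields[which].split(":")[2]

    def setroubleshoot_hash(self, perm: str) -> str:
        # Same shape as the "Hash:" line in the setroubleshoot reports above.
        return ",".join((self.fields["comm"], self.ctx_type("scontext"),
                         self.ctx_type("tcontext"), self.fields["tclass"], perm))


def parse_avc(line: str) -> Optional[Avc]:
    """Return an Avc for a type=AVC record, or None for any other audit line."""
    m = _HEADER.search(line)
    if not m:
        return None
    fields = {}
    for key, quoted, bare in _KV.findall(m.group("rest")):
        fields[key] = bare if bare else quoted
    return Avc(float(m.group("ts")), int(m.group("serial")),
               m.group("verdict"), tuple(m.group("perms").split()), fields)


def allow_rule(avc: Avc) -> str:
    """Render the TE rule audit2allow would emit for this record."""
    src, tgt = avc.ctx_type("scontext"), avc.ctx_type("tcontext")
    target = "self" if src == tgt else tgt
    perms = avc.perms[0] if len(avc.perms) == 1 else "{ " + " ".join(avc.perms) + " }"
    return f"allow {src} {target}:{avc.fields['tclass']} {perms};"


def triage(avc: Avc) -> str:
    """Classify a record: granted / permissive-only / investigate / policy-gap."""
    if avc.verdict != "denied":
        return "granted"
    if avc.fields.get("permissive") == "1":
        return "permissive-only"          # logged, not enforced
    if EXEC_MEMORY_PERMS & set(avc.perms):
        return "investigate"              # executable memory: inspect the process first
    return "policy-gap"                   # candidate for a local policy module


def summarize(lines: List[str]) -> List[dict]:
    """Run every AVC line through hash, rule and triage; skip non-AVC lines."""
    rows = []
    for line in lines:
        avc = parse_avc(line)
        if avc is None:
            continue
        rows.append({
            "serial": avc.serial,
            "comm": avc.fields.get("comm"),
            "hashes": [avc.setroubleshoot_hash(p) for p in avc.perms],
            "rule": allow_rule(avc),
            "triage": triage(avc),
        })
    return rows


# Sample input: the two AVC records quoted in this bug, one constructed
# file-class denial (non-self target, two permissions, permissive=1), and a
# SYSCALL record that the parser must ignore.
SAMPLE_LOG = [
    'type=AVC msg=audit(1678886840.661:228): avc: denied { execmem } for pid=1667 comm="ModemManager" scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:system_r:modemmanager_t:s0 tclass=process permissive=0',
    'type=AVC msg=audit(1669897157.91:1336): avc: denied { execmem } for pid=10837 comm="ModemManager" scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:system_r:modemmanager_t:s0 tclass=process permissive=0',
    'type=AVC msg=audit(1700000000.000:1): avc: denied { read open } for pid=4242 comm="example" path="/etc/example.conf" scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1',
    'type=SYSCALL msg=audit(1678886840.661:228): arch=c000003e syscall=9 success=no exit=-13',
]

if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row)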