Bug 541217

Summary: SELinux is preventing /usr/sbin/modem-manager "sys_admin" access.
Product: [Fedora] Fedora Reporter: ishan <slishan>
Component: selinux-policyAssignee: Daniel Walsh <dwalsh>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: 12CC: dcbw, dwalsh, mgrepl, mike
Target Milestone: ---   
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard: setroubleshoot_trace_hash:722b6382e0e8a4bc3cce9c98f14c3347347c4d33e42b114ab28258ab7840dc43
Fixed In Version: selinux-policy-3.6.32-120.fc12 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-12-07 22:46:48 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description ishan 2009-11-25 09:33:19 UTC 
Summary:

SELinux is preventing /usr/sbin/modem-manager "sys_admin" access.

Detailed Description:

SELinux denied access requested by modem-manager. It is not expected that this
access is required by modem-manager and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:modemmanager_t:s0-s0:c0.c1023
Target Context                system_u:system_r:modemmanager_t:s0-s0:c0.c1023
Target Objects                None [ capability ]
Source                        modem-manager
Source Path                   /usr/sbin/modem-manager
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           ModemManager-0.2-3.20090826.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-46.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.31.5-127.fc12.i686
                              #1 SMP Sat Nov 7 21:41:45 EST 2009 i686 i686
Alert Count                   6
First Seen                    Tue 24 Nov 2009 08:06:57 PM IST
Last Seen                     Wed 25 Nov 2009 02:57:09 PM IST
Local ID                      c94f656c-1635-49b1-8823-aae2d2c0c985
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1259141229.68:8): avc:  denied  { sys_admin } for  pid=1422 comm="modem-manager" capability=21 scontext=system_u:system_r:modemmanager_t:s0-s0:c0.c1023 tcontext=system_u:system_r:modemmanager_t:s0-s0:c0.c1023 tclass=capability

node=(removed) type=SYSCALL msg=audit(1259141229.68:8): arch=40000003 syscall=5 success=no exit=-19 a0=91b30c0 a1=982 a2=80633e0 a3=91b5198 items=0 ppid=1 pid=1422 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="modem-manager" exe="/usr/sbin/modem-manager" subj=system_u:system_r:modemmanager_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  selinux-policy-3.6.32-46.fc12,catchall,modem-manager,modemmanager_t,modemmanager_t,capability,sys_admin
audit2allow suggests:

#============= modemmanager_t ==============
allow modemmanager_t self:capability sys_admin;
Comment 1 Daniel Walsh 2009-11-25 11:14:45 UTC 
You can add these rules for now using

# grep avc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Fixed in selinux-policy-3.6.32-50.fc12.noarch
Comment 2 Dan Williams 2009-11-30 18:14:10 UTC 
What is sys_admin?  Seems a bit coarse as a context.
Comment 3 Daniel Walsh 2009-11-30 19:46:11 UTC 
sys_admin is the catchall capability.  Not really an SELinux thing.

    * Allow configuration of the secure attention key
    * Allow administration of the random device
    * Allow examination and configuration of disk quotas
    * Allow configuring the kernel's syslog (printk behaviour)
    * Allow setting the domainname
    * Allow setting the hostname
    * Allow calling bdflush()
    * Allow mount() and umount(), setting up new smb connection
    * Allow some autofs root ioctls
    * Allow nfsservctl
    * Allow VM86_REQUEST_IRQ
    * Allow to read/write pci config on alpha
    * Allow irix_prctl on mips (setstacksize)
    * Allow flushing all cache on m68k (sys_cacheflush)
    * Allow removing semaphores (Used instead of CAP_CHOWN to "chown" IPC message queues, semaphores and shared memory)
    * Allow locking/unlocking of shared memory segment
    * Allow turning swap on/off
    * Allow forged pids on socket credentials passing
    * Allow setting readahead and flushing buffers on block devices
    * Allow setting geometry in floppy driver
    * Allow turning DMA on/off in xd driver
    * Allow administration of md devices (mostly the above, but some extra ioctls)
    * Allow tuning the ide driver
    * Allow access to the nvram device
    * Allow administration of apm_bios, serial and bttv (TV) device
    * Allow manufacturer commands in isdn CAPI support driver
    * Allow reading non-standardized portions of pci configuration space
    * Allow DDI debug ioctl on sbpcd driver
    * Allow setting up serial ports
    * Allow sending raw qic-117 commands
    * Allow enabling/disabling tagged queuing on SCSI controllers and sending arbitrary SCSI commands
    * Allow setting encryption key on loopback filesystem
    * Allow setting zone reclaim policy
Comment 4 Fedora Update System 2009-12-01 16:52:11 UTC 
selinux-policy-3.6.32-52.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-52.fc12
Comment 5 Fedora Update System 2009-12-03 04:59:15 UTC 
selinux-policy-3.6.32-52.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2009-12549
Comment 6 Fedora Update System 2009-12-03 20:30:18 UTC 
selinux-policy-3.6.32-55.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-55.fc12
Comment 7 Fedora Update System 2009-12-04 23:48:39 UTC 
selinux-policy-3.6.32-55.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2009-12650
Comment 8 Fedora Update System 2009-12-08 07:55:20 UTC 
selinux-policy-3.6.32-55.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2010-08-05 13:21:05 UTC 
selinux-policy-3.6.32-120.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-120.fc12
Comment 10 Fedora Update System 2010-08-20 01:41:15 UTC 
selinux-policy-3.6.32-120.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.