Bug 710292

Summary: setroubleshoot: Your system may be seriously compromised! /usr/sbin/wpa_supplicant (deleted) tried to load a kernel module
Product: Red Hat Enterprise Linux 6
Component: selinux-policy
Version: 6.0
Hardware: x86_64
OS: Linux
Status: CLOSED ERRATA
Severity: high
Priority: high
Reporter: Natxo Asenjo <natxo>
Assignee: Miroslav Grepl <mgrepl>
QA Contact: Karel Srot <ksrot>
CC: dwalsh, jhunt, ksrot, mmalik, syeghiay
Target Milestone: rc
Fixed In Version: selinux-policy-3.7.19-96.el6
Doc Type: Bug Fix
Last Closed: 2011-12-06 10:08:17 UTC

Description Natxo Asenjo 2011-06-02 22:18:14 UTC
Description of problem:

SELinux 'panics' (and made me panic) when the laptop resumes from suspended mode.

I read this log: 
Jun  2 19:57:31 host setroubleshoot: Your system may be seriously compromised! /usr/sbin/wpa_supplicant (deleted) tried to load a kernel module. For complete SELinux messages. run sealert -l abe18b46-f4f7-46b4-bcd4-be8ed703073e

If you run the sealert command, you get a very nasty-looking warning that the system has been compromised.

In fact, this is what happened: this system is a laptop with a built-in broadband modem. I closed the laptop lid, so it suspended. When I reopened the lid, it reactivated and the network devices (wifi, 3G modem, etc.) woke up. This is a piece of the log:

Jun  2 19:57:31 host NetworkManager[1529]: <info> Activation (wlan0) Stage 5 of 5 (IP Configure Commit) scheduled...
Jun  2 19:57:31 host NetworkManager[1529]: <info> Activation (wlan0) Stage 4 of 5 (IP4 Configure Get) complete.
Jun  2 19:57:31 host NetworkManager[1529]: <info> Activation (wlan0) Stage 5 of 5 (IP Configure Commit) started...
Jun  2 19:57:31 host dhclient: bound to 192.168.0.10 -- renewal in 34580 seconds.
Jun  2 19:57:31 host kernel: cdc_acm 2-6:1.1: ttyACM0: USB ACM device
Jun  2 19:57:31 host kernel: cdc_acm 2-6:1.3: ttyACM1: USB ACM device
Jun  2 19:57:31 host kernel: cdc_wdm 2-6:1.5: cdc-wdm0: USB WDM device
Jun  2 19:57:31 host kernel: cdc_wdm 2-6:1.6: cdc-wdm1: USB WDM device
Jun  2 19:57:31 host kernel: usb0: register 'cdc_ether' at usb-0000:00:1d.7-6, CDC Ethernet Device, 02:80:37:ec:02:00
Jun  2 19:57:31 host kernel: cdc_acm 2-6:1.9: ttyACM2: USB ACM device
Jun  2 19:57:31 host modem-manager: (Ericsson MBM): GSM modem /sys/devices/pci0000:00/0000:00:1d.7/usb2/2-6 claimed port usb0
Jun  2 19:57:31 host modem-manager: (ttyACM1) opening serial device...
Jun  2 19:57:31 host modem-manager: (ttyACM2) opening serial device...
Jun  2 19:57:31 host modem-manager: (ttyACM0) opening serial device...
Jun  2 19:57:31 host setroubleshoot: Your system may be seriously compromised! /usr/sbin/wpa_supplicant (deleted) tried to load a kernel module. For complete SELinux messages. run sealert -l abe18b46-f4f7-46b4-bcd4-be8ed703073e

As you see, the message comes right after the wifi NIC gets an IP address. Then the modem driver gets loaded.

I am quite confident the system has not been compromised, although everything is possible. The firewall is on, no services are running.

How reproducible:

I have not seen this behaviour before; grepping the messages log files shows only this one message.


Comment 2 Natxo Asenjo 2011-06-02 22:29:47 UTC
I had the laptop suspend again, and again I got the message. So it looks reproducible:

Jun  3 00:23:28 host dhclient: bound to 192.168.0.10 -- renewal in 35854 seconds.
Jun  3 00:23:29 host kernel: usb 2-6: New USB device found, idVendor=413c, idProduct=8147
Jun  3 00:23:29 host kernel: usb 2-6: New USB device strings: Mfr=1, Product=2, SerialNumber=3
Jun  3 00:23:29 host kernel: usb 2-6: Product: Dell Wireless 5530 HSPA Mobile Broadband Minicard Device
Jun  3 00:23:29 host kernel: usb 2-6: Manufacturer: Dell
Jun  3 00:23:29 host kernel: usb 2-6: SerialNumber: 3558620253014030
Jun  3 00:23:29 host kernel: usb 2-6: configuration #1 chosen from 2 choices
Jun  3 00:23:29 host kernel: cdc_acm 2-6:1.1: ttyACM0: USB ACM device
Jun  3 00:23:29 host kernel: cdc_acm 2-6:1.3: ttyACM1: USB ACM device
Jun  3 00:23:29 host kernel: cdc_wdm 2-6:1.5: cdc-wdm0: USB WDM device
Jun  3 00:23:29 host kernel: cdc_wdm 2-6:1.6: cdc-wdm1: USB WDM device
Jun  3 00:23:29 host kernel: usb0: register 'cdc_ether' at usb-0000:00:1d.7-6, CDC Ethernet Device, 02:80:37:ec:02:00
Jun  3 00:23:29 host kernel: cdc_acm 2-6:1.9: ttyACM2: USB ACM device
Jun  3 00:23:29 host modem-manager: (ttyACM1) opening serial device...
Jun  3 00:23:29 host modem-manager: (ttyACM2) opening serial device...
Jun  3 00:23:29 host modem-manager: (ttyACM0) opening serial device...
Jun  3 00:23:29 host modem-manager: (Ericsson MBM): GSM modem /sys/devices/pci0000:00/0000:00:1d.7/usb2/2-6 claimed port usb0
Jun  3 00:23:29 host NetworkManager[1529]: <info> (wlan0): device state change: 7 -> 8 (reason 0)
Jun  3 00:23:29 host NetworkManager[1529]: <info> Policy set 'Auto default' (wlan0) as default for IPv4 routing and DNS.
Jun  3 00:23:29 host NetworkManager[1529]: <info> Activation (wlan0) successful, device activated.
Jun  3 00:23:29 host NetworkManager[1529]: <info> Activation (wlan0) Stage 5 of 5 (IP Configure Commit) complete.
Jun  3 00:23:29 host NetworkManager[1529]: <error> [1307053409.968902] [nm-device-ethernet.c:729] real_update_permanent_hw_address(): (usb0): unable to read permanent MAC address (error 0)
Jun  3 00:23:29 host NetworkManager[1529]: <info> (usb0): carrier is OFF
Jun  3 00:23:29 host NetworkManager[1529]: <info> (usb0): new Ethernet device (driver: 'cdc_ether' ifindex: 7)
Jun  3 00:23:29 host NetworkManager[1529]: <info> (usb0): exported as /org/freedesktop/NetworkManager/Devices/6
Jun  3 00:23:29 host NetworkManager[1529]: <info> (usb0): now managed
Jun  3 00:23:29 host NetworkManager[1529]: <info> (usb0): device state change: 1 -> 2 (reason 2)
Jun  3 00:23:29 host NetworkManager[1529]: <info> (usb0): bringing up device.
Jun  3 00:23:29 host NetworkManager[1529]: <info> (usb0): preparing device.
Jun  3 00:23:29 host NetworkManager[1529]: <info> (usb0): deactivating device (reason: 2).
Jun  3 00:23:29 host NetworkManager[1529]: <info> Added default wired connection 'Auto usb0' for /sys/devices/pci0000:00/0000:00:1d.7/usb2/2-6/2-6:1.7/net/usb0
Jun  3 00:23:29 host NetworkManager[1529]: <info> (usb0): carrier now ON (device state 2)
Jun  3 00:23:29 host NetworkManager[1529]: <info> (usb0): device state change: 2 -> 3 (reason 40)
Jun  3 00:23:29 host NetworkManager[1529]: <info> (usb0): carrier now OFF (device state 3)
Jun  3 00:23:29 host NetworkManager[1529]: <info> (usb0): device state change: 3 -> 2 (reason 40)
Jun  3 00:23:29 host NetworkManager[1529]: <info> (usb0): deactivating device (reason: 40).
Jun  3 00:23:30 host NetworkManager[1529]: <info> Policy set 'Auto default' (wlan0) as default for IPv4 routing and DNS.
Jun  3 00:23:30 host NetworkManager[1529]: <info> Policy set 'Auto default' (wlan0) as default for IPv4 routing and DNS.
Jun  3 00:23:30 host NetworkManager[1529]: <info> Connection 'Auto usb0' auto-activation failed: (2) Device not managed by NetworkManager
Jun  3 00:23:30 host ntpd[21394]: ntpd exiting on signal 15
Jun  3 00:23:30 host ntpd_initres[21397]: parent died before we finished, exiting
Jun  3 00:23:30 host ntpd[21608]: ntpd 4.2.4p8 Wed Nov 24 19:02:17 UTC 2010 (1)
Jun  3 00:23:30 host ntpd[21609]: precision = 1.117 usec
Jun  3 00:23:30 host ntpd[21609]: Listening on interface #0 wildcard, 0.0.0.0#123 Disabled
Jun  3 00:23:30 host ntpd[21609]: Listening on interface #1 wildcard, ::#123 Disabled
Jun  3 00:23:30 host ntpd[21609]: Listening on interface #2 lo, ::1#123 Enabled
Jun  3 00:23:30 host ntpd[21609]: Listening on interface #3 wlan0, fe80::224:d6ff:fe83:bbc2#123 Enabled
Jun  3 00:23:30 host ntpd[21609]: Listening on interface #4 lo, 127.0.0.1#123 Enabled
Jun  3 00:23:30 host ntpd[21609]: Listening on interface #5 wlan0, 192.168.0.10#123 Enabled
Jun  3 00:23:30 host ntpd[21609]: Listening on routing socket on fd #22 for interface updates
Jun  3 00:23:30 host ntpd[21609]: kernel time sync status 2040
Jun  3 00:23:30 host ntpd[21609]: frequency initialized 0.711 PPM from /var/lib/ntp/drift
Jun  3 00:23:31 host setroubleshoot: Your system may be seriously compromised! /usr/sbin/wpa_supplicant (deleted) tried to load a kernel module. For complete SELinux messages. run sealert -l abe18b46-f4f7-46b4-bcd4-be8ed703073e

Comment 3 Jacob Hunt 2011-06-03 17:50:25 UTC
This issue happens with this kernel:
kernel-2.6.32-71.29.1.el6.x86_64
If you revert back to the following kernel, the issue disappears:
kernel-2.6.32-71.18.2.el6.x86_64

Comment 4 Daniel Walsh 2011-06-03 20:37:54 UTC
Yes, we have to hack in some dontaudits because the kernel/userspace has never been fixed.

This looks like the latest policy has the fix.

selinux-policy-3.7.19-96.el6
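
The triage a responder does by hand on this report (read the setroubleshoot line, note the "(deleted)" suffix that means the on-disk binary was replaced after the process started, and look at what the network stack was doing in the seconds before the alert) can be scripted. The following is an added example, not code from the bug report or from the selinux-policy project. It parses classic syslog lines in the format quoted above, pulls out each module-load alert with its sealert id, and collects nearby device-activation messages so the alert can be read in context. The sample log is constructed and modelled on the reporter's excerpts; the second alert, with no "(deleted)" suffix, no device activity around it and a placeholder id, is made up to show the contrasting case. The follow-up commands it prints (`sealert -l`, `rpm -Vf`, inspecting `/proc/PID/exe`) are standard host checks, not steps from the report.

```python
"""Triage helper for setroubleshoot "tried to load a kernel module" alerts.

Added example, not code from the bug report or the selinux-policy project.
It parses syslog lines, extracts each setroubleshoot alert (executable path,
whether the on-disk binary was replaced after the process started, which is
what the "(deleted)" suffix means, and the sealert id), and looks back a few
seconds for network-device activity that would explain a module autoload.
"""
import re
from datetime import datetime

# Classic syslog prefix: "Jun  2 19:57:31 host prog[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[^:\[]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
# The alert text as setroubleshoot logs it (format taken from the bug report).
ALERT_RE = re.compile(
    r"Your system may be seriously compromised! (?P<path>\S+)"
    r"(?P<deleted> \(deleted\))? tried to load a kernel module\."
    r".*sealert -l (?P<alert_id>[0-9a-f-]{36})"
)
# Messages that show a network device or driver being (re)activated.
CONTEXT_RE = re.compile(
    r"register '|USB ACM device|USB WDM device|Activation \(|bound to |"
    r"opening serial device"
)

# Constructed sample, modelled on the reporter's excerpts. The second alert
# (no "(deleted)", no device activity nearby, placeholder id) is made up to
# show the contrasting case.
SAMPLE_LOG = """\
Jun  2 19:57:31 host NetworkManager[1529]: <info> Activation (wlan0) Stage 5 of 5 (IP Configure Commit) started...
Jun  2 19:57:31 host dhclient: bound to 192.168.0.10 -- renewal in 34580 seconds.
Jun  2 19:57:31 host kernel: cdc_acm 2-6:1.1: ttyACM0: USB ACM device
Jun  2 19:57:31 host kernel: usb0: register 'cdc_ether' at usb-0000:00:1d.7-6, CDC Ethernet Device, 02:80:37:ec:02:00
Jun  2 19:57:31 host modem-manager: (ttyACM1) opening serial device...
Jun  2 19:57:31 host setroubleshoot: Your system may be seriously compromised! /usr/sbin/wpa_supplicant (deleted) tried to load a kernel module. For complete SELinux messages. run sealert -l abe18b46-f4f7-46b4-bcd4-be8ed703073e
Jun  2 21:10:02 host ntpd[21609]: kernel time sync status 2040
Jun  2 21:10:05 host setroubleshoot: Your system may be seriously compromised! /usr/sbin/wpa_supplicant tried to load a kernel module. For complete SELinux messages. run sealert -l 00000000-0000-4000-8000-000000000000
""".splitlines()


def parse_line(line, year=2011):
    """Split one syslog line into fields; syslog omits the year, so it is supplied."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["prog"] = d["prog"].strip()
    # Collapse the padded day ("Jun  2") before parsing.
    d["time"] = datetime.strptime(f"{year} {' '.join(d['ts'].split())}",
                                  "%Y %b %d %H:%M:%S")
    return d


def triage(lines, window_seconds=5, year=2011):
    """Return one finding per setroubleshoot module-load alert."""
    events = [e for e in (parse_line(l, year) for l in lines) if e]
    findings = []
    for e in events:
        if e["prog"] != "setroubleshoot":
            continue
        a = ALERT_RE.search(e["msg"])
        if not a:
            continue
        lo = e["time"].timestamp() - window_seconds
        # Device/driver activity in the window just before the alert.
        context = [
            f"{c['prog']}: {c['msg']}"
            for c in events
            if c is not e
            and lo <= c["time"].timestamp() <= e["time"].timestamp()
            and CONTEXT_RE.search(c["msg"])
        ]
        name = a["path"].rsplit("/", 1)[-1]
        findings.append({
            "alert_id": a["alert_id"],
            "path": a["path"],
            "binary_replaced": a["deleted"] is not None,
            "network_context": context,
            # Follow-up checks on the host: full AVC text, package integrity
            # of the binary, and whether the running process still maps a
            # deleted executable.
            "checks": [
                f"sealert -l {a['alert_id']}",
                f"rpm -Vf {a['path']}",
                f"ls -l /proc/$(pidof {name})/exe",
            ],
        })
    return findings


def triage_sample():
    """Run the triage over the constructed sample log."""
    return triage(SAMPLE_LOG)


if __name__ == "__main__":
    for f in triage_sample():
        print(f"{f['alert_id']}: {f['path']} replaced={f['binary_replaced']} "
              f"device activity in window: {len(f['network_context'])}")
        for line in f["network_context"]:
            print("   ", line)
        print("    next:", "; ".join(f["checks"]))
```

An alert with `binary_replaced` true and a window full of interface and USB-device activity matches the pattern in this report; the script only attaches that context, and the listed host checks are what confirm whether the binary is the packaged one. Run it against a real `/var/log/messages` by passing the file's lines to `triage()` with the right `year`.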

Comment 10 errata-xmlrpc 2011-12-06 10:08:17 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1511.html