Bug 1120152 - SELinux is preventing /usr/sbin/ModemManager from using the 'dac_override' capabilities.
Summary: SELinux is preventing /usr/sbin/ModemManager from using the 'dac_override' ca...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.0
Hardware: x86_64
OS: Linux
Importance: low unspecified
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard: abrt_hash:ed9196a38fb37d04c46692583dc...
Depends On:
Blocks:
Reported: 2014-07-16 10:40 UTC by Matěj Cepl
Modified: 2015-03-05 10:42 UTC (History)

Fixed In Version: selinux-policy-3.13.1-7.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-03-05 10:42:13 UTC

Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2015:0458 normal SHIPPED_LIVE selinux-policy bug fix and enhancement update 2015-03-05 15:17:00 UTC

Description Matěj Cepl 2014-07-16 10:40:19 UTC
Description of problem:
see the SELinux report:
SELinux is preventing /usr/sbin/ModemManager from using the 'dac_override' capabilities.

This happens whenever I plug my Firefox Flame phone into the RHEL-7 system over USB.

*****  Plugin dac_override (91.4 confidence) suggests   **********************

If you want to help identify if domain needs this access or you have a file with the wrong permissions on your system
Then turn on full auditing to get path information about the offending file and generate the error again.
Do

Turn on full auditing
# auditctl -w /etc/shadow -p w
Try to recreate AVC. Then execute
# ausearch -m avc -ts recent
If you see PATH record check ownership/permissions on file, and fix it, 
otherwise report as a bugzilla.

*****  Plugin catchall (9.59 confidence) suggests   **************************

If you believe that ModemManager should have the dac_override capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep ModemManager /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:modemmanager_t:s0
Target Context                system_u:system_r:modemmanager_t:s0
Target Objects                 [ capability ]
Source                        ModemManager
Source Path                   /usr/sbin/ModemManager
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           ModemManager-1.1.0-6.git20130913.el7.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-153.el7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 3.10.0-123.el7.x86_64 #1 SMP Mon
                              May 5 11:16:57 EDT 2014 x86_64 x86_64
Alert Count                   24
First Seen                    2014-07-13 23:48:33 CEST
Last Seen                     2014-07-16 00:41:08 CEST
Local ID                      6bdcc0e7-ff47-4870-8e8f-eea96906e26e

Raw Audit Messages
type=AVC msg=audit(1405464068.129:9438): avc:  denied  { dac_override } for  pid=5785 comm="ModemManager" capability=1  scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:system_r:modemmanager_t:s0 tclass=capability


type=SYSCALL msg=audit(1405464068.129:9438): arch=x86_64 syscall=open success=yes exit=ECHILD a0=7f083ff3e0e0 a1=982 a2=1 a3=1 items=0 ppid=1 pid=5785 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=ModemManager exe=/usr/sbin/ModemManager subj=system_u:system_r:modemmanager_t:s0 key=(null)

Hash: ModemManager,modemmanager_t,modemmanager_t,capability,dac_override

Additional info:
reporter:       libreport-2.1.11
hashmarkername: setroubleshoot
kernel:         3.10.0-123.el7.x86_64
type:           libreport

Comment 2 Milos Malik 2014-10-23 11:51:22 UTC
Does it happen when selinux-policy >= 3.13 is installed?

Comment 3 Milos Malik 2014-10-23 11:53:10 UTC
Could you add the following line to /etc/audit/rules.d/audit.rules and restart the audit daemon?

-w /etc/shadow -p w

From now on, the AVCs will contain more information.

Comment 4 Matěj Cepl 2014-10-23 16:30:19 UTC
(In reply to Milos Malik from comment #2)
> Does it happen when selinux-policy >= 3.13 is installed?

That's bad ... I don't have RHEL-7 on my computer anymore, but I probably will have it sometime later this month (with a new computer). Keeping the needinfo alive.

Comment 5 Matěj Cepl 2014-10-24 11:58:02 UTC
Actually, I can reproduce it even with Fedora 21:

SELinux is preventing /usr/sbin/ModemManager from connectto access on the unix_stream_socket @qmi-proxy.

*****  Plugin catchall_boolean (89.3 confidence) suggests   ******************

If you want to enable cluster mode for daemons.
Then you must tell SELinux about this by enabling the 'daemons_enable_cluster_mode' boolean.
You can read 'modemmanager_selinux' man page for more details.
Do
setsebool -P daemons_enable_cluster_mode 1

*****  Plugin catchall (11.6 confidence) suggests   **************************

If you believe that ModemManager should be allowed connectto access on the @qmi-proxy unix_stream_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep ModemManager /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:modemmanager_t:s0
Target Context                system_u:system_r:modemmanager_t:s0
Target Objects                @qmi-proxy [ unix_stream_socket ]
Source                        ModemManager
Source Path                   /usr/sbin/ModemManager
Port                          <Unknown>
Host                          wycliff
Source RPM Packages           ModemManager-1.4.0-1.fc21.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-90.fc21.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     wycliff
Platform                      Linux wycliff 3.17.1-302.fc21.x86_64 #1 SMP Fri
                              Oct 17 20:05:46 UTC 2014 x86_64 x86_64
Alert Count                   1153
First Seen                    2014-10-06 20:53:09 CEST
Last Seen                     2014-10-24 13:56:39 CEST
Local ID                      bad6634e-2940-4e4c-b342-fca770e8e3f1

Raw Audit Messages
type=AVC msg=audit(1414151799.918:3443): avc:  denied  { connectto } for  pid=1020 comm="ModemManager" path=00716D692D70726F7879 scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:system_r:modemmanager_t:s0 tclass=unix_stream_socket permissive=1


type=SYSCALL msg=audit(1414151799.918:3443): arch=x86_64 syscall=connect success=yes exit=0 a0=9 a1=7ffff0bc5e90 a2=c a3=10 items=0 ppid=1 pid=1020 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=ModemManager exe=/usr/sbin/ModemManager subj=system_u:system_r:modemmanager_t:s0 key=(null)

Hash: ModemManager,modemmanager_t,modemmanager_t,unix_stream_socket,connectto
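
The two raw AVC records quoted in this report (the dac_override capability denial in the description, for which comment 3 asks for a watch rule so that PATH records appear, and the connectto denial on the @qmi-proxy socket in the comment above) can be triaged mechanically. The Python script below is an added illustration; it is not part of the bug report, of ModemManager or of selinux-policy. The field names come from the audit records themselves; the function names and the triage labels are the example's own. It also decodes the hex-encoded path value, which auditd emits when a path contains non-printable bytes: a leading NUL byte marks an abstract unix socket, which is why setroubleshoot displays the target as @qmi-proxy.

```python
import re
from typing import Dict, List, Optional, Tuple

# The two raw AVC records quoted in this bug report (description and comment 5),
# embedded as sample input so the parser runs offline.
AVC_LINES: List[str] = [
    'type=AVC msg=audit(1405464068.129:9438): avc:  denied  { dac_override } for  '
    'pid=5785 comm="ModemManager" capability=1  scontext=system_u:system_r:modemmanager_t:s0 '
    'tcontext=system_u:system_r:modemmanager_t:s0 tclass=capability',
    'type=AVC msg=audit(1414151799.918:3443): avc:  denied  { connectto } for  '
    'pid=1020 comm="ModemManager" path=00716D692D70726F7879 scontext=system_u:system_r:modemmanager_t:s0 '
    'tcontext=system_u:system_r:modemmanager_t:s0 tclass=unix_stream_socket permissive=1',
]

# key=value pairs: the value is either double-quoted or a run of non-space characters
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# the permission set, e.g.  avc:  denied  { connectto }
PERMS_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}')
# event serial from msg=audit(<seconds>.<millis>:<serial>)
EVENT_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')


def decode_audit_path(value: str) -> str:
    """Turn an audit 'path=' value into printable text.

    auditd quotes a path when it is plain printable text and hex-encodes it
    otherwise.  A leading NUL byte means an abstract unix socket, shown with
    an '@' prefix, so 00716D692D70726F7879 becomes '@qmi-proxy'.
    """
    if value.startswith('"') and value.endswith('"'):
        return value[1:-1]
    try:
        raw = bytes.fromhex(value)
    except ValueError:
        return value  # not hex-encoded, return unchanged
    if raw.startswith(b'\0'):
        return '@' + raw[1:].decode('utf-8', 'replace')
    return raw.decode('utf-8', 'replace')


def selinux_type(context: str) -> str:
    """user:role:type:level -> type, the part a policy allow rule names."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else context


def parse_avc(line: str) -> Optional[Dict[str, object]]:
    """Parse one type=AVC record into a flat dict; None for any other record."""
    perms = PERMS_RE.search(line)
    if not line.startswith('type=AVC') or perms is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    serial = EVENT_RE.search(line)
    return {
        'serial': int(serial.group(2)) if serial else None,
        'result': perms.group(1),
        'perms': perms.group(2).split(),
        'pid': int(fields['pid']) if 'pid' in fields else None,
        'comm': fields.get('comm'),
        'source_type': selinux_type(fields.get('scontext', '')),
        'target_type': selinux_type(fields.get('tcontext', '')),
        'tclass': fields.get('tclass'),
        'path': decode_audit_path(fields['path']) if 'path' in fields else None,
        # permissive=1 means the access was logged but not blocked
        'permissive': fields.get('permissive') == '1',
    }


def needs_path_audit(event: Dict[str, object]) -> bool:
    """dac_override is consulted when a uid-0 process fails an ordinary
    owner/mode check, so the usual root cause is a file with the wrong owner
    or mode.  Without a PATH record the AVC cannot say which file; this is
    the case where setroubleshoot asks for a watch rule (-w /etc/shadow -p w)
    so that later denials carry path information."""
    return (event['tclass'] == 'capability'
            and 'dac_override' in event['perms']
            and event['path'] is None)


def is_self_connect(event: Dict[str, object]) -> bool:
    """connectto on a unix stream socket whose target type equals the source
    type: the daemon is connecting to a socket it created itself (here the
    @qmi-proxy helper), which needs an allow rule in the domain's policy."""
    return (event['tclass'] == 'unix_stream_socket'
            and 'connectto' in event['perms']
            and event['source_type'] == event['target_type'])


def triage(lines: List[str]) -> List[Tuple[Optional[int], str, Optional[str]]]:
    """Label every AVC line; returns (serial, label, decoded path) per event."""
    out = []
    for line in lines:
        ev = parse_avc(line)
        if ev is None:
            continue
        if needs_path_audit(ev):
            label = 'dac_override without path: enable path auditing, then check file owner/mode'
        elif is_self_connect(ev):
            label = 'self connectto: domain needs an allow rule for its own socket'
        else:
            label = 'other'
        out.append((ev['serial'], label, ev['path']))
    return out


if __name__ == '__main__':
    for serial, label, path in triage(AVC_LINES):
        print(serial, label, path)
```

Feeding the output of `ausearch -m avc -ts recent` to `triage()` line by line separates the two situations this bug went through: a capability denial that cannot be diagnosed until PATH records are available, and a denial the daemon triggers against its own socket, which only a policy change can resolve.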

Comment 6 Miroslav Grepl 2014-11-03 10:29:42 UTC
commit 5ba54f3dd852dea537fb6c64fa63af7e2629fb12
Author: Dan Walsh <dwalsh@redhat.com>
Date:   Sat Oct 25 06:52:23 2014 -0400

    Allow modemmanger to connectto itself

Comment 10 errata-xmlrpc 2015-03-05 10:42:13 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0458.html
