1794958 – SELinux is preventing ModemManager from using the 'setsched' accesses on a process.

Bug 1794958 - SELinux is preventing ModemManager from using the 'setsched' accesses on a process.

Summary: SELinux is preventing ModemManager from using the 'setsched' accesses on a pr...

Keywords:
Status:	CLOSED DUPLICATE of bug 1795524
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	rawhide
Hardware:	x86_64
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Zdenek Pytela
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:	abrt_hash:d51ee0da79cf256f3eda3ca8449...
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2020-01-25 20:22 UTC by Matt Fagnani
Modified:	2020-02-01 17:49 UTC (History)
CC List:	8 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2020-01-28 08:53:33 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Matt Fagnani 2020-01-25 20:22:34 UTC

Description of problem:
I ran sudo dnf upgrade --refresh on the Rawhide KDE Plasma spin on 2020-1-25. The upgrade included about ~300 rpms including glib2-2.63.4-1.fc32.x86_64, gcc-10.0.1-0.5.fc32.x86_64, sssd-2.2.2-5.fc32.x86_64, annobin-9.01-2.fc32.x86_64, binutils-2.33.1-12.fc32.x86_64, colord-1.4.4-3.fc32.x86_64, elfutils-0.178-8.fc32.x86_64. I rebooted. The plymouth output showed lines like
Failed to start ModemManager
Failed to start Accounts Service

The journal and audit logs had denials of ModemManager using setsched on a process with modemmanager_t possibly itself repeated many times. ModemManager restarted and was sent the trap signal. ModemManager crashed 9 times in total.

There were also denials of accounts-daemon using setsched and sysnice followed by accounts-daemon getting the trap signal and crashing once.
colord was denied setsched and crashed with the trap signal also. So the denials might be due to a change in a package that ModemManager, accounts-daemon, and colord were all using. glib2-2.63.4-1.fc32.x86_64 is in the traces of the crashing threads of each of them so glib might be involved. I'll submit the other denials and crashes separately and put the links here. The same denials and crashes happened on 2 consecutive boots.
SELinux is preventing ModemManager from using the 'setsched' accesses on a process.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that ModemManager should be allowed setsched access on processes labeled modemmanager_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'ModemManager' --raw | audit2allow -M my-ModemManager
# semodule -X 300 -i my-ModemManager.pp

Additional Information:
Source Context system_u:system_r:modemmanager_t:s0
Target Context system_u:system_r:modemmanager_t:s0
Target Objects Unknown [ process ]
Source ModemManager
Source Path ModemManager
Port <Unknown>
Host (removed)
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.14.5-20.fc32.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name (removed)
Platform Linux (removed) 5.5.0-0.rc6.git3.1.fc32.x86_64 #1
SMP Fri Jan 17 18:29:51 UTC 2020 x86_64 x86_64
Alert Count 28
First Seen 2020-01-25 14:29:52 EST
Last Seen 2020-01-25 14:59:42 EST
Local ID 7d4d2cff-d364-47e3-8e6c-546d603bd988

Raw Audit Messages
type=AVC msg=audit(1579982382.0:371): avc: denied { setsched } for pid=2193 comm="ModemManager" scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:system_r:modemmanager_t:s0 tclass=process permissive=0

Hash: ModemManager,modemmanager_t,modemmanager_t,process,setsched

Version-Release number of selected component:
selinux-policy-3.14.5-20.fc32.noarch

Additional info:
component: selinux-policy
reporter: libreport-2.11.3
hashmarkername: setroubleshoot
kernel: 5.5.0-0.rc6.git3.1.fc32.x86_64
type: libreport

Comment 1 Matt Fagnani 2020-01-25 21:16:02 UTC

sudo coredumpctl gdb showed that the ModemManager crashes involved errors like "Failed to set scheduler settings: Permission denied"  in frame 1 at ../glib/gmessages.c:3123 in glib2-2.63.4-1.fc32.x86_64 and in frame 3. Those errors might be due to the setsched denials

Core was generated by `/usr/sbin/ModemManager'.
 ModemManager-1.10.8-1.fc32.x86_64

Program terminated with signal SIGTRAP, Trace/breakpoint trap.
#0  _g_log_abort (breakpoint=1) at ../glib/gmessages.c:554
554         G_BREAKPOINT ();
[Current thread is 1 (Thread 0x7f7affb0f700 (LWP 944))]
(gdb) bt
#0  _g_log_abort (breakpoint=1) at ../glib/gmessages.c:554
#1  0x00007f7b009b1e89 in g_log_default_handler
    (log_domain=log_domain@entry=0x7f7b009f900e "GLib", log_level=log_level@entry=6, message=message@entry=0x7f7af0001b90 "Failed to set scheduler settings: Permission denied", unused_data=unused_data@entry=0x0) at ../glib/gmessages.c:3123
#2  0x00007f7b009b20bb in g_logv
    (log_domain=0x7f7b009f900e "GLib", log_level=G_LOG_LEVEL_ERROR, format=<optimized out>, args=args@entry=0x7f7affb0ec90) at ../glib/gmessages.c:1350
#3  0x00007f7b009b22a3 in g_log
    (log_domain=log_domain@entry=0x7f7b009f900e "GLib", log_level=log_level@entry=G_LOG_LEVEL_ERROR, format=format@entry=0x7f7b00a5ee70 "Failed to set scheduler settings: %s") at ../glib/gmessages.c:1415
#4  0x00007f7b009f752b in linux_pthread_proxy (data=0x55e6a392c060) at ../glib/gthread-posix.c:1238
#5  0x00007f7b0093a432 in start_thread (arg=<optimized out>) at pthread_create.c:477
#6  0x00007f7b00862873 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

I reported the ModemManager crashes with abrt at https://bugzilla.redhat.com/show_bug.cgi?id=1794964

Comment 2 Matt Fagnani 2020-01-26 01:18:10 UTC

I downgraded to glib2-2.63.3-1.fc32 from koji. No denials or crashes involving ModemManager, accounts-daemon, colord happened on the next 2 boots with glib2-2.63.3-1. I upgraded to glib2-2.63.4-1.fc32, and the denials and crashes started again on the next boot.

The accounts-daemon and colord crashes also had the error "Failed to set scheduler settings: Permission denied" in g_logv at ../glib/gmessages.c:1350 in glib2-2.63.4-1. The error message seems to start from frame 4 in linux_pthread_proxy at ../glib/gthread-posix.c:1238 in all the crashes which I reported in more detail at https://bugzilla.redhat.com/show_bug.cgi?id=1794964 This section appears to have been added in the commit 8aeca4fa "GThreadPool - Don't inherit thread priorities when creating new threads" included in glib 2.63.4 at https://gitlab.gnome.org/GNOME/glib/commit/8aeca4fa647bfd0f35c4a86b1e6ca6e955519ca5#note_686823

I ran setroubleshoot GUI's suggestions to allow the accesses
sudo ausearch -c 'ModemManager' --raw | audit2allow -M my-ModemManager
sudo semodule -X 300 -i my-ModemManager.pp
sudo ausearch -c 'accounts-daemon' --raw | audit2allow -M my-accountsdaemon
sudo semodule -X 300 -i my-accountsdaemon.pp
sudo ausearch -c 'colord' --raw | audit2allow -M my-colord
sudo semodule -X 300 -i my-colord.pp

No denials or crashes happened when booting after running those commands which added the following rules in the local policy modules.
allow modemmanager_t self:process setsched;
allow accountsd_t self:capability sys_nice;
allow accountsd_t self:process setsched;
allow colord_t self:process setsched;

I reported the accounts-daemon and colord denials in more detail at https://bugzilla.redhat.com/show_bug.cgi?id=1794959 and https://bugzilla.redhat.com/show_bug.cgi?id=1794961

Comment 3 Dale Turner 2020-01-27 23:48:55 UTC

I'm getting this as well.

dmesg shows:

traps: ModemManager[101330] trap int3 ip:7fe08f63fe05 sp:7fe08e7e5b40 error:0 in libglib-2.0.so.0.6304.0[7fe08f604000+84000]

Comment 4 Lukas Vrabec 2020-01-28 08:53:33 UTC


*** This bug has been marked as a duplicate of bug 1795524 ***

Note You need to log in before you can comment on or make changes to this bug.