Bug 1996903 - SELinux is preventing ModemManager from create access on the qipcrtr_socket labeled modemmanager_t.
Summary: SELinux is preventing ModemManager from create access on the qipcrtr_socket l...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 35
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
: 2001141 2001143 2001144 2001145 2002580 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2021-08-23 23:43 UTC by Adam Williamson
Modified: 2021-09-24 20:20 UTC (History)
10 users (show)

Fixed In Version: selinux-policy-34.19-2.fc35
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-09-24 20:20:53 UTC
Type: Bug


Attachments (Terms of Use)

Description Adam Williamson 2021-08-23 23:43:13 UTC
Additional Information:
Source Context                system_u:system_r:modemmanager_t:s0
Target Context                system_u:system_r:modemmanager_t:s0
Target Objects                Unknown [ qipcrtr_socket ]
Source                        ModemManager
Source Path                   ModemManager
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-34.16-1.fc35.noarch
Local Policy RPM              selinux-policy-targeted-34.16-1.fc35.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     fedora
Platform                      Linux fedora 5.14.0-0.rc6.46.fc35.x86_64 #1 SMP
                              Mon Aug 16 20:02:52 UTC 2021 x86_64 x86_64
Alert Count                   2
First Seen                    2021-08-23 16:03:55 PDT
Last Seen                     2021-08-23 16:05:50 PDT
Local ID                      da9e859d-2b6f-4546-a2d7-c224c0810954

Raw Audit Messages
type=AVC msg=audit(1629759950.322:163): avc:  denied  { create } for  pid=769 comm="ModemManager" scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:system_r:modemmanager_t:s0 tclass=qipcrtr_socket permissive=1


Hash: ModemManager,modemmanager_t,modemmanager_t,qipcrtr_socket,create

Appears on first boot of a freshly installed Fedora 35 Workstation VM. Reporting manually as sealert/setroubleshoot seem to be broken and show no alerts. Booted with permissive to get system to boot and show all alerts (without permissive, it doesn't make it to gnome-initial-setup).

Comment 1 Adam Williamson 2021-08-23 23:54:14 UTC
There's also a denial for `getopt` which is otherwise similar:

Additional Information:
Source Context                system_u:system_r:modemmanager_t:s0
Target Context                system_u:system_r:modemmanager_t:s0
Target Objects                Unknown [ qipcrtr_socket ]
Source                        ModemManager
Source Path                   ModemManager
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-34.16-1.fc35.noarch
Local Policy RPM              selinux-policy-targeted-34.16-1.fc35.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     fedora
Platform                      Linux fedora 5.14.0-0.rc6.46.fc35.x86_64 #1 SMP
                              Mon Aug 16 20:02:52 UTC 2021 x86_64 x86_64
Alert Count                   1
First Seen                    2021-08-23 16:05:50 PDT
Last Seen                     2021-08-23 16:05:50 PDT
Local ID                      bd3abac2-db79-4f77-972d-fdb342ec173a

Raw Audit Messages
type=AVC msg=audit(1629759950.336:165): avc:  denied  { getopt } for  pid=769 comm="ModemManager" scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:system_r:modemmanager_t:s0 tclass=qipcrtr_socket permissive=1


Hash: ModemManager,modemmanager_t,modemmanager_t,qipcrtr_socket,getopt

Comment 2 Adam Williamson 2021-08-23 23:54:29 UTC
...and `getattr`.

Comment 3 Milos Malik 2021-09-07 13:36:04 UTC
Following SELinux denials appear in permissive mode:
----
type=PROCTITLE msg=audit(09/07/2021 15:34:20.937:355) : proctitle=/usr/sbin/ModemManager 
type=SYSCALL msg=audit(09/07/2021 15:34:20.937:355) : arch=x86_64 syscall=socket success=yes exit=9 a0=qipcrtr a1=SOCK_DGRAM a2=ip a3=0x10 items=0 ppid=1 pid=3067 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ModemManager exe=/usr/sbin/ModemManager subj=system_u:system_r:modemmanager_t:s0 key=(null) 
type=AVC msg=audit(09/07/2021 15:34:20.937:355) : avc:  denied  { module_request } for  pid=3067 comm=ModemManager kmod="net-pf-42" scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=1 
type=AVC msg=audit(09/07/2021 15:34:20.937:355) : avc:  denied  { create } for  pid=3067 comm=ModemManager scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:system_r:modemmanager_t:s0 tclass=qipcrtr_socket permissive=1 
----
type=PROCTITLE msg=audit(09/07/2021 15:34:20.956:356) : proctitle=/usr/sbin/ModemManager 
type=SYSCALL msg=audit(09/07/2021 15:34:20.956:356) : arch=x86_64 syscall=getsockopt success=yes exit=0 a0=0x9 a1=SOL_SOCKET a2=SO_TYPE a3=0x7fff32a58a64 items=0 ppid=1 pid=3067 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ModemManager exe=/usr/sbin/ModemManager subj=system_u:system_r:modemmanager_t:s0 key=(null) 
type=AVC msg=audit(09/07/2021 15:34:20.956:356) : avc:  denied  { getopt } for  pid=3067 comm=ModemManager scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:system_r:modemmanager_t:s0 tclass=qipcrtr_socket permissive=1 
----
type=PROCTITLE msg=audit(09/07/2021 15:34:20.956:357) : proctitle=/usr/sbin/ModemManager 
type=SOCKADDR msg=audit(09/07/2021 15:34:20.956:357) : saddr={ saddr_fam=qipcrtr (unsupported) } 
type=SYSCALL msg=audit(09/07/2021 15:34:20.956:357) : arch=x86_64 syscall=getsockname success=yes exit=0 a0=0x9 a1=0x7fff32a58a70 a2=0x7fff32a58a60 a3=0x7fff32a58a64 items=0 ppid=1 pid=3067 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ModemManager exe=/usr/sbin/ModemManager subj=system_u:system_r:modemmanager_t:s0 key=(null) 
type=AVC msg=audit(09/07/2021 15:34:20.956:357) : avc:  denied  { getattr } for  pid=3067 comm=ModemManager scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:system_r:modemmanager_t:s0 tclass=qipcrtr_socket permissive=1 
----

# rpm -qa selinux\* Modem\* | sort
ModemManager-1.17.900-1.fc35.x86_64
ModemManager-glib-1.17.900-1.fc35.x86_64
selinux-policy-34.16-1.fc35.noarch
selinux-policy-targeted-34.16-1.fc35.noarch
#

Comment 4 Zdenek Pytela 2021-09-07 15:50:40 UTC
*** Bug 2001141 has been marked as a duplicate of this bug. ***

Comment 5 Zdenek Pytela 2021-09-07 15:51:16 UTC
*** Bug 2001143 has been marked as a duplicate of this bug. ***

Comment 6 Zdenek Pytela 2021-09-07 15:51:28 UTC
*** Bug 2001144 has been marked as a duplicate of this bug. ***

Comment 7 Zdenek Pytela 2021-09-07 15:51:58 UTC
*** Bug 2001145 has been marked as a duplicate of this bug. ***

Comment 8 Zdenek Pytela 2021-09-09 11:09:24 UTC
*** Bug 2002580 has been marked as a duplicate of this bug. ***

Comment 9 Davide Repetto 2021-09-10 09:50:00 UTC
Similar problem has been detected:

First boot - Immediately after a clean install.

hashmarkername: setroubleshoot
kernel:         5.14.0-60.fc35.x86_64
package:        selinux-policy-targeted-34.16-1.fc35.noarch
reason:         SELinux is preventing ModemManager from 'create' accesses on the qipcrtr_socket Sconosciuto.
type:           libreport

Comment 10 Fedora Update System 2021-09-10 14:35:18 UTC
FEDORA-2021-bcef06e629 has been submitted as an update to Fedora 35. https://bodhi.fedoraproject.org/updates/FEDORA-2021-bcef06e629

Comment 11 Fedora Update System 2021-09-10 22:12:13 UTC
FEDORA-2021-bcef06e629 has been pushed to the Fedora 35 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-bcef06e629`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-bcef06e629

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 12 Fedora Update System 2021-09-24 20:20:53 UTC
FEDORA-2021-bcef06e629 has been pushed to the Fedora 35 stable repository.
If problem still persists, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.