Description of problem:

Since Linux 5.12 there is a new "wwan" subsystem in the kernel that exports different types of control ports. It's primarily used for new modems using PCIe-only (no USB).

The Thinkpad X1 Carbon Gen9 with e.g. the Foxconn SDX55 module is one of the systems affected by the problem. When ModemManager 1.17.900 runs via systemd in Fedora rawhide, SELinux prevents "getattr" operations on these wwan subsystem control ports, e.g.:


type=AVC msg=audit(1630487952.461:1061): avc:  denied  { getattr } for  pid=414101 comm="ModemManager" path="/dev/wwan0p3AT" dev="devtmpfs" ino=655 scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1630487952.462:1062): avc:  denied  { getattr } for  pid=414101 comm="pool-ModemManag" path="/dev/wwan0p2MBIM" dev="devtmpfs" ino=654 scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1630487952.481:1063): avc:  denied  { getattr } for  pid=414101 comm="ModemManager" path="/dev/wwan0p1QCDM" dev="devtmpfs" ino=653 scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1630487953.462:1064): avc:  denied  { getattr } for  pid=414101 comm="ModemManager" path="/dev/wwan0p3AT" dev="devtmpfs" ino=655 scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1630487953.481:1065): avc:  denied  { getattr } for  pid=414101 comm="ModemManager" path="/dev/wwan0p1QCDM" dev="devtmpfs" ino=653 scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=0


The "getattr" operation is associated to a check in libmbim making sure the device being opened is of "special" type (G_FILE_TYPE_SPECIAL in GLib).

These checks are done either by the ModemManager daemon or by the mbimcli/mbim-proxy (from libmbim) or qmicli/qmi-proxy (from libqmi) processes.

Switching SElinux to permissive mode makes the problem go away, or running the following (for the mbim-proxy+MM case):
ausearch -c 'mbim-proxy' --raw|audit2allow -M my-mbim-proxy
ausearch -c 'ModemManager' --raw|audit2allow -M my-ModemManager
semodule -i my-mbim-proxy.pp
semodule -i my-ModemManager.pp
 

Version-Release number of selected component (if applicable):

Rawhide


How reproducible:

Always


Steps to Reproduce:
1. SElinux in enforcing mode
2. MM 1.17.900 started via systemd

Actual results:

The wwan0p2MBIM port is not used by ModemManager because the file type check in libmbim fails, MM reports a "Wrong file type" error.

The AT and QCDM ports are used even if we have "getattr" denials, but those are not enough.


Expected results:

The wwan0p2MBIM port is used by ModemManager.


Additional info:

It looks like the missing thing is only the "getattr" enablement, because the actual R/W on those control ports seem to work correctly, at least that is what we can see for the wwan0p3AT and wwan0p1QCDM ports (which don't have a strong requirement to use "special" port types).

Upstream MM bugreport: https://gitlab.freedesktop.org/mobile-broadband/ModemManager/-/issues/425