Bug 2000112 - SELinux prevents libmbim/ModemManager from using /dev/wwan0p2MBIM port
Summary: SELinux prevents libmbim/ModemManager from using /dev/wwan0p2MBIM port
Keywords:
Status: CLOSED DUPLICATE of bug 1961571
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: All
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2021-09-01 12:19 UTC by Aleksander Morgado
Modified: 2021-09-01 14:54 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-09-01 14:54:51 UTC
Type: Bug
Embargoed:


Attachments (Terms of Use)

Description Aleksander Morgado 2021-09-01 12:19:54 UTC
Description of problem:

Since Linux 5.12 there is a new "wwan" subsystem in the kernel that exports different types of control ports. It's primarily used for new modems using PCIe-only (no USB).

The Thinkpad X1 Carbon Gen9 with e.g. the Foxconn SDX55 module is one of the systems affected by the problem. When ModemManager 1.17.900 runs via systemd in Fedora rawhide, SELinux prevents "getattr" operations on these wwan subsystem control ports, e.g.:


type=AVC msg=audit(1630487952.461:1061): avc:  denied  { getattr } for  pid=414101 comm="ModemManager" path="/dev/wwan0p3AT" dev="devtmpfs" ino=655 scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1630487952.462:1062): avc:  denied  { getattr } for  pid=414101 comm="pool-ModemManag" path="/dev/wwan0p2MBIM" dev="devtmpfs" ino=654 scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1630487952.481:1063): avc:  denied  { getattr } for  pid=414101 comm="ModemManager" path="/dev/wwan0p1QCDM" dev="devtmpfs" ino=653 scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1630487953.462:1064): avc:  denied  { getattr } for  pid=414101 comm="ModemManager" path="/dev/wwan0p3AT" dev="devtmpfs" ino=655 scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1630487953.481:1065): avc:  denied  { getattr } for  pid=414101 comm="ModemManager" path="/dev/wwan0p1QCDM" dev="devtmpfs" ino=653 scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=0


The "getattr" operation is associated to a check in libmbim making sure the device being opened is of "special" type (G_FILE_TYPE_SPECIAL in GLib).

These checks are done either by the ModemManager daemon or by the mbimcli/mbim-proxy (from libmbim) or qmicli/qmi-proxy (from libqmi) processes.

Switching SElinux to permissive mode makes the problem go away, or running the following (for the mbim-proxy+MM case):
ausearch -c 'mbim-proxy' --raw|audit2allow -M my-mbim-proxy
ausearch -c 'ModemManager' --raw|audit2allow -M my-ModemManager
semodule -i my-mbim-proxy.pp
semodule -i my-ModemManager.pp
 

Version-Release number of selected component (if applicable):

Rawhide


How reproducible:

Always


Steps to Reproduce:
1. SElinux in enforcing mode
2. MM 1.17.900 started via systemd

Actual results:

The wwan0p2MBIM port is not used by ModemManager because the file type check in libmbim fails, MM reports a "Wrong file type" error.

The AT and QCDM ports are used even if we have "getattr" denials, but those are not enough.


Expected results:

The wwan0p2MBIM port is used by ModemManager.


Additional info:

It looks like the missing thing is only the "getattr" enablement, because the actual R/W on those control ports seem to work correctly, at least that is what we can see for the wwan0p3AT and wwan0p1QCDM ports (which don't have a strong requirement to use "special" port types).

Upstream MM bugreport: https://gitlab.freedesktop.org/mobile-broadband/ModemManager/-/issues/425

Comment 1 Peter Robinson 2021-09-01 14:54:51 UTC

*** This bug has been marked as a duplicate of bug 1961571 ***


Note You need to log in before you can comment on or make changes to this bug.