2036582 – SELinux prevents ModemManager from creating the qipcrtr socket

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 2036582 - SELinux prevents ModemManager from creating the qipcrtr socket

Summary: SELinux prevents ModemManager from creating the qipcrtr socket

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 9
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	9.0
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	rc
Target Release:	9.0
Assignee:	Zdenek Pytela
QA Contact:	Milos Malik
Docs Contact:
URL:
Whiteboard:
Duplicates (1):	2036614 (view as bug list)
Depends On:
Blocks:	1898842
TreeView+	depends on / blocked

Reported:	2022-01-03 09:44 UTC by Milos Malik
Modified:	2022-05-17 16:12 UTC (History)
CC List:	5 users (show)
Fixed In Version:	selinux-policy-34.1.21-1.el9
Doc Type:	No Doc Update
Doc Text:
Clone Of:	1996903
Environment:
Last Closed:	2022-05-17 15:50:02 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	RHELPLAN-106741	0	None	None	None	2022-01-03 09:49:04 UTC
Red Hat Product Errata	RHBA-2022:3918	0	None	None	None	2022-05-17 15:50:11 UTC

Description Milos Malik 2022-01-03 09:44:08 UTC

+++ This bug was initially created as a clone of Bug #1996903 +++

Problem description:
The ModemManager starts and runs successfully, but it triggers an SELinux denial.

Reproducible with the following packages installed:
ModemManager-1.18.2-3.el9.x86_64
ModemManager-glib-1.18.2-3.el9.x86_64
selinux-policy-34.1.20-1.el9.noarch
selinux-policy-devel-34.1.20-1.el9.noarch
selinux-policy-doc-34.1.20-1.el9.noarch
selinux-policy-mls-34.1.20-1.el9.noarch
selinux-policy-targeted-34.1.20-1.el9.noarch

Reproducible:
 * always

Steps to Reproduce:
1) get a RHEL-9.0 machine
2) (re)start the ModemManager service
3) search for SELinux denials

Actual results (enforcing mode):
----
type=PROCTITLE msg=audit(01/03/2022 10:40:04.355:379) : proctitle=/usr/sbin/ModemManager 
type=SYSCALL msg=audit(01/03/2022 10:40:04.355:379) : arch=x86_64 syscall=socket success=no exit=EACCES(Permission denied) a0=qipcrtr a1=SOCK_DGRAM a2=ip a3=0x10 items=0 ppid=1 pid=5901 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ModemManager exe=/usr/sbin/ModemManager subj=system_u:system_r:modemmanager_t:s0 key=(null) 
type=AVC msg=audit(01/03/2022 10:40:04.355:379) : avc:  denied  { create } for  pid=5901 comm=ModemManager scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:system_r:modemmanager_t:s0 tclass=qipcrtr_socket permissive=0 
----

Expected results:
 * no SELinux denials

Comment 1 Milos Malik 2022-01-03 09:45:39 UTC

Actual results (permissive mode):
----
type=PROCTITLE msg=audit(01/03/2022 10:44:39.503:389) : proctitle=/usr/sbin/ModemManager 
type=SYSCALL msg=audit(01/03/2022 10:44:39.503:389) : arch=x86_64 syscall=socket success=yes exit=9 a0=qipcrtr a1=SOCK_DGRAM a2=ip a3=0x10 items=0 ppid=1 pid=5973 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ModemManager exe=/usr/sbin/ModemManager subj=system_u:system_r:modemmanager_t:s0 key=(null) 
type=AVC msg=audit(01/03/2022 10:44:39.503:389) : avc:  denied  { module_request } for  pid=5973 comm=ModemManager kmod="net-pf-42" scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=1 
type=AVC msg=audit(01/03/2022 10:44:39.503:389) : avc:  denied  { create } for  pid=5973 comm=ModemManager scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:system_r:modemmanager_t:s0 tclass=qipcrtr_socket permissive=1 
----
type=PROCTITLE msg=audit(01/03/2022 10:44:39.513:390) : proctitle=/usr/sbin/ModemManager 
type=SYSCALL msg=audit(01/03/2022 10:44:39.513:390) : arch=x86_64 syscall=getsockopt success=yes exit=0 a0=0x9 a1=SOL_SOCKET a2=SO_TYPE a3=0x7fff9da26054 items=0 ppid=1 pid=5973 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ModemManager exe=/usr/sbin/ModemManager subj=system_u:system_r:modemmanager_t:s0 key=(null) 
type=AVC msg=audit(01/03/2022 10:44:39.513:390) : avc:  denied  { getopt } for  pid=5973 comm=ModemManager scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:system_r:modemmanager_t:s0 tclass=qipcrtr_socket permissive=1 
----
type=PROCTITLE msg=audit(01/03/2022 10:44:39.514:391) : proctitle=/usr/sbin/ModemManager 
type=SOCKADDR msg=audit(01/03/2022 10:44:39.514:391) : saddr={ saddr_fam=qipcrtr (unsupported) } 
type=SYSCALL msg=audit(01/03/2022 10:44:39.514:391) : arch=x86_64 syscall=getsockname success=yes exit=0 a0=0x9 a1=0x7fff9da26060 a2=0x7fff9da26050 a3=0x7fff9da26054 items=0 ppid=1 pid=5973 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ModemManager exe=/usr/sbin/ModemManager subj=system_u:system_r:modemmanager_t:s0 key=(null) 
type=AVC msg=audit(01/03/2022 10:44:39.514:391) : avc:  denied  { getattr } for  pid=5973 comm=ModemManager scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:system_r:modemmanager_t:s0 tclass=qipcrtr_socket permissive=1 
----

Comment 3 Zdenek Pytela 2022-01-03 10:33:04 UTC

Commit to backport:

commit e372b3af701100cab13ef556225ec7d69839e1a3
Author: Zdenek Pytela <zpytela>
Date:   Mon Sep 6 18:05:14 2021 +0200

    Allow ModemManager create a qipcrtr socket

Comment 4 Petr Zatko 2022-01-03 12:06:13 UTC

*** Bug 2036614 has been marked as a duplicate of this bug. ***

Comment 6 Zdenek Pytela 2022-01-03 12:37:34 UTC

One more commit needs to be backported:
commit 921c24735f045dc45ea492de8a49c61e385c6ee4
Author: Zdenek Pytela <zpytela>
Date:   Mon Sep 6 17:55:00 2021 +0200

    Allow ModemManager request to load a kernel module

Comment 14 errata-xmlrpc 2022-05-17 15:50:02 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (new packages: selinux-policy), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:3918

Note You need to log in before you can comment on or make changes to this bug.