Bug 2149560 - Cannot start cellular connection when SELinux is in Enforcing
Summary: Cannot start cellular connection when SELinux is in Enforcing
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: selinux-policy
Version: 9.1
Hardware: All
OS: Linux
Priority: low
Severity: high
Target Milestone: rc
Assignee: Nikola Knazekova
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2022-11-30 08:00 UTC by Renaud Métrich
Modified: 2023-05-09 10:21 UTC (History)

Fixed In Version: selinux-policy-38.1.6-1.el9
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-05-09 08:17:04 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Links
System                  | ID                                       | Private | Priority    | Status | Summary                                                                                | Last Updated
Github                  | fedora-selinux selinux-policy pull 1561  | 0       | None        | open   | Allow ModemManager all permissions for netlink route socket                            | 2023-01-24 19:12:18 UTC
Red Hat Bugzilla        | 2149954                                  | 0       | unspecified | CLOSED | SELinux is preventing ModemManager from 'write' accesses on the directory qmi.         | 2023-10-24 13:45:45 UTC
Red Hat Issue Tracker   | NMT-59                                   | 0       | None        | None   | None                                                                                   | 2023-01-22 14:10:11 UTC
Red Hat Issue Tracker   | RHELPLAN-141000                          | 0       | None        | None   | None                                                                                   | 2022-12-01 07:32:18 UTC
Red Hat Product Errata  | RHBA-2023:2483                           | 0       | None        | None   | None                                                                                   | 2023-05-09 08:17:18 UTC

Description Renaud Métrich 2022-11-30 08:00:31 UTC
Description of problem:

A customer reported that he cannot initiate any cellular connection using his Sierra MC7304 device [1] when SELinux is in Enforcing.

It appears that multiple AVCs pop up:

AVCs on the Netlink socket getting created:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
type=PROCTITLE ... : proctitle=/usr/sbin/ModemManager
type=SYSCALL ... : arch=x86_64 syscall=socket success=yes exit=11 a0=netlink a1=SOCK_DGRAM a2=ip a3=0x0 items=0 ppid=1 pid=962 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ModemManager exe=/usr/sbin/ModemManager subj=system_u:system_r:modemmanager_t:s0 key=(null)
type=AVC ... : avc:  denied  { create } for  pid=962 comm=ModemManager scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:system_r:modemmanager_t:s0 tclass=netlink_route_socket permissive=1
----
type=PROCTITLE ... : proctitle=/usr/sbin/ModemManager
type=SYSCALL ... : arch=x86_64 syscall=getsockopt success=yes exit=0 a0=0xb a1=SOL_SOCKET a2=SO_TYPE a3=0x7fffa20bcf74 items=0 ppid=1 pid=962 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ModemManager exe=/usr/sbin/ModemManager subj=system_u:system_r:modemmanager_t:s0 key=(null)
type=AVC ... : avc:  denied  { getopt } for  pid=962 comm=ModemManager scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:system_r:modemmanager_t:s0 tclass=netlink_route_socket permissive=1
----
type=PROCTITLE ... : proctitle=/usr/sbin/ModemManager
type=SOCKADDR ... : saddr={ fam=netlink nlnk-fam=16 nlnk-pid=0 }
type=SYSCALL ... : arch=x86_64 syscall=getsockname success=yes exit=0 a0=0xb a1=0x7fffa20bcf80 a2=0x7fffa20bcf70 a3=0x7fffa20bcf74 items=0 ppid=1 pid=962 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ModemManager exe=/usr/sbin/ModemManager subj=system_u:system_r:modemmanager_t:s0 key=(null)
type=AVC ... : avc:  denied  { getattr } for  pid=962 comm=ModemManager scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:system_r:modemmanager_t:s0 tclass=netlink_route_socket permissive=1
----
type=PROCTITLE ... : proctitle=/usr/sbin/ModemManager
type=SYSCALL ... : arch=x86_64 syscall=sendto success=yes exit=40 a0=0xb a1=0x55725ee9df00 a2=0x28 a3=MSG_NOSIGNAL items=0 ppid=1 pid=962 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ModemManager exe=/usr/sbin/ModemManager subj=system_u:system_r:modemmanager_t:s0 key=(null)
type=AVC ... : avc:  denied  { nlmsg_write } for  pid=962 comm=ModemManager scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:system_r:modemmanager_t:s0 tclass=netlink_route_socket permissive=1
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Related source code (line 380):
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
374 static gboolean
375 setup_netlink_socket (MMNetlink  *self,
376                       GError    **error)
377 {
378     gint socket_fd;
379 
380     socket_fd = socket (AF_NETLINK, SOCK_DGRAM, NETLINK_ROUTE);
381     if (socket_fd < 0) {
382         g_set_error (error, MM_CORE_ERROR, MM_CORE_ERROR_FAILED,
383                      "Failed to create netlink socket");
384         return FALSE;
385     }
 :
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------


AVCs when configuring the interface:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
type=PROCTITLE ... : proctitle=/usr/sbin/ModemManager
type=PATH ... : item=1 name=/sys/class/net/wwp0s20u3i10/qmi/pass_through inode=23879 dev=00:15 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysfs_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH ... : item=0 name=/sys/class/net/wwp0s20u3i10/qmi/ inode=23875 dev=00:15 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysfs_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD ... : cwd=/
type=SYSCALL ... : arch=x86_64 syscall=openat success=yes exit=12 a0=0xffffff9c a1=0x55725ee9dcb0 a2=O_WRONLY|O_CREAT|O_TRUNC a3=0x1b6 items=2 ppid=1 pid=962 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ModemManager exe=/usr/sbin/ModemManager subj=system_u:system_r:modemmanager_t:s0 key=(null)
type=AVC ... : avc:  denied  { create } for  pid=962 comm=ModemManager name=pass_through scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
type=AVC ... : avc:  denied  { add_name } for  pid=962 comm=ModemManager name=pass_through scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=1
type=AVC ... : avc:  denied  { write } for  pid=962 comm=ModemManager name=qmi dev="sysfs" ino=23875 scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=1
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Related source code (line 829, line 605), in *libqmi*, not *ModemManager* itself:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
 792 static gchar *
 793 build_pass_through_sysfs_path (QmiDevice *self)
 794 {
 795     return g_strdup_printf ("/sys/class/net/%s/qmi/pass_through", self->priv->wwan_iface);
 796 }

 846 static QmiDeviceExpectedDataFormat
 847 common_get_set_expected_data_format (QmiDevice                    *self,
 848                                      QmiDeviceExpectedDataFormat   requested,
 849                                      GError                      **error)
 850 {
 :
 873     pass_through = build_pass_through_sysfs_path (self);
 874 
 875     /* Set operation? */
 876     if (!readonly && !set_expected_data_format (self, raw_ip, pass_through, requested, error))
 877         return QMI_DEVICE_EXPECTED_DATA_FORMAT_UNKNOWN;
 :

 821 static gboolean
 822 set_expected_data_format (QmiDevice                    *self,
 823                           const gchar                  *raw_ip_sysfs_path,
 824                           const gchar                  *pass_through_sysfs_path,
 825                           QmiDeviceExpectedDataFormat   requested,
 826                           GError                      **error)
 827 {
 :
 828     if (requested == QMI_DEVICE_EXPECTED_DATA_FORMAT_802_3) {
 829         qmi_helpers_write_sysfs_file (pass_through_sysfs_path, "N", NULL);
 830         return qmi_helpers_write_sysfs_file (raw_ip_sysfs_path, "N", error);
 831     }
 :

 596 gboolean
 597 qmi_helpers_write_sysfs_file (const gchar  *sysfs_path,
 598                               const gchar  *value,
 599                               GError      **error)
 600 {
 :
 605     if (!(f = fopen (sysfs_path, "w"))) {
 :
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Before transferring this to SELinux component, please take the time to run your QA suite in Enforcing mode and collect all related AVCs.


[1] https://source.sierrawireless.com/devices/mc-series/mc7304/



Version-Release number of selected component (if applicable):

ModemManager-1.18.2-3.el9.x86_64
libqmi-1.30.2-2.el9.x86_64

How reproducible:

Always on customer system, cannot reproduce internally due to lack of hardware

Steps to Reproduce:
1. Start ModemManager

Actual results:

AVCs, modem not working

Expected results:

No AVCs, modem initiating connection

Comment 4 Lubomir Rintel 2023-01-23 10:22:07 UTC
Seems to be already fixed in rhel-9.2.0:

commit fed7d75df41b9c18a60c1d8af21497dcf3878615
Author: Zdenek Pytela <zpytela>
Date:   Thu Sep 30 08:27:12 2021 +0200

    Allow ModemManager create and use netlink route socket
    
    Resolves: rhbz#2008755

Comment 5 Zdenek Pytela 2023-01-23 15:58:14 UTC
(In reply to Lubomir Rintel from comment #4)
> Seems to be already fixed in rhel-9.2.0:
It is not, as it does not cover nlmsg_write; a PR to add it to selinux-policy is on the way, so it will probably be added in the next build.


> Before transferring this to SELinux component, please take the time to run your QA suite in Enforcing mode and collect all related AVCs.
Anyway I'd like you not to miss this request/inquiry: Do you test new features or code changes with SELinux enforcing?
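As an added example, not part of this bug report, of ModemManager, or of selinux-policy: the script below parses AVC records like the ones quoted in the description into (source type, target type, object class) groups, renders audit2allow-style allow rules from them, and then diffs those groups against a rule set assumed to be in policy already. The second step is the check behind the point made in comment 5: a rule that grants create/getopt/getattr on netlink_route_socket still leaves nlmsg_write denied. The sample records are trimmed copies of the AVCs in the description (a SYSCALL record is included to show it is skipped), and ASSUMED_EXISTING_RULES is a constructed stand-in, not the contents of commit fed7d75df41b9c18a60c1d8af21497dcf3878615.

```python
import re
from collections import defaultdict

# Constructed sample input: the AVC records quoted in this bug, reduced to the
# fields the parser needs. The trailing SYSCALL record is there to show that
# non-AVC records are ignored.
SAMPLE_AUDIT = """\
type=AVC ... : avc:  denied  { create } for  pid=962 comm=ModemManager scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:system_r:modemmanager_t:s0 tclass=netlink_route_socket permissive=1
type=AVC ... : avc:  denied  { getopt } for  pid=962 comm=ModemManager scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:system_r:modemmanager_t:s0 tclass=netlink_route_socket permissive=1
type=AVC ... : avc:  denied  { getattr } for  pid=962 comm=ModemManager scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:system_r:modemmanager_t:s0 tclass=netlink_route_socket permissive=1
type=AVC ... : avc:  denied  { nlmsg_write } for  pid=962 comm=ModemManager scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:system_r:modemmanager_t:s0 tclass=netlink_route_socket permissive=1
type=AVC ... : avc:  denied  { create } for  pid=962 comm=ModemManager name=pass_through scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
type=AVC ... : avc:  denied  { add_name } for  pid=962 comm=ModemManager name=pass_through scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=1
type=AVC ... : avc:  denied  { write } for  pid=962 comm=ModemManager name=qmi dev="sysfs" ino=23875 scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=1
type=SYSCALL ... : arch=x86_64 syscall=socket success=yes exit=11 comm=ModemManager subj=system_u:system_r:modemmanager_t:s0 key=(null)
"""

# Matches the denial, its permission set and the three fields that determine a policy rule.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)


def parse_avc_records(text):
    """Return one dict per denied AVC record; other audit record types are skipped."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["perms"] = set(rec["perms"].split())
        # permissive=1 means the access was allowed only because the domain was
        # permissive; in enforcing mode the same access fails.
        rec["permissive"] = rec["permissive"] == "1"
        records.append(rec)
    return records


def type_of(context):
    """Extract the type field from user:role:type:level, e.g. modemmanager_t."""
    return context.split(":")[2]


def summarize_by_key(records):
    """Union the denied permissions per (source type, target type, class)."""
    needed = defaultdict(set)
    for rec in records:
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
        needed[key] |= rec["perms"]
    return dict(needed)


def render_allow_rules(needed):
    """Render audit2allow-style rules; 'self' when source and target types match."""
    rules = []
    for (src, tgt, cls), perms in sorted(needed.items()):
        target = "self" if src == tgt else tgt
        rules.append(f"allow {src} {target}:{cls} {{ {' '.join(sorted(perms))} }};")
    return rules


def uncovered_permissions(needed, already_allowed):
    """Permissions the AVCs ask for that the given rule set does not grant."""
    gaps = {}
    for key, perms in needed.items():
        gap = perms - already_allowed.get(key, set())
        if gap:
            gaps[key] = gap
    return gaps


# Hypothetical: a rule set that grants socket creation and attribute access but not
# the nlmsg_write permission. This is a constructed stand-in for illustration, not
# the actual content of any selinux-policy commit.
ASSUMED_EXISTING_RULES = {
    ("modemmanager_t", "modemmanager_t", "netlink_route_socket"): {"create", "getopt", "getattr"},
}

if __name__ == "__main__":
    needed = summarize_by_key(parse_avc_records(SAMPLE_AUDIT))
    for rule in render_allow_rules(needed):
        print(rule)
    for (src, tgt, cls), perms in sorted(uncovered_permissions(needed, ASSUMED_EXISTING_RULES).items()):
        print(f"still missing: {src} -> {tgt}:{cls} {sorted(perms)}")
```

Running the script prints the three rules the denials imply and lists nlmsg_write (plus the sysfs_t dir/file permissions) as not covered by the assumed existing rules. Grouping by the (scontext type, tcontext type, tclass) triple rather than per record is what keeps the output to one rule per class; the permissive flag is parsed because a domain in permissive mode logs the same AVCs without the access failing, which is why comment 8 could see no breakage while the denials still exist.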

Comment 6 Lubomir Rintel 2023-01-25 12:45:37 UTC
(In reply to Zdenek Pytela from comment #5)
> (In reply to Lubomir Rintel from comment #4)
> > Seems to be already fixed in rhel-9.2.0:
> It is not as it does not cover nlmsg_write, a PR to add it to selinux-policy
> is on the way, so will probably added in the next build.

Ah, cool. Thanks!

> > Before transferring this to SELinux component, please take the time to run your QA suite in Enforcing mode and collect all related AVCs.
> Anyway I'd like you not to miss this request/inquiry: Do you test new
> features or code changes with SELinux enforcing?

I *think* so, but I'm NEEDINFO-ing Filip who'll know for sure.

Comment 8 Filip Pokryvka 2023-01-27 11:42:19 UTC
I did not see any AVCs with selinux-policy-38.1.3-1.el9, but the tests with USB modems are unstable, so maybe it did not even get to use those functions.

Comment 25 errata-xmlrpc 2023-05-09 08:17:04 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2483

