Bug 2149946 - SELinux is preventing ModemManager from using the 'execmem' accesses on a process.
Keywords:
Status: NEW
Alias: None
Product: Fedora
Classification: Fedora
Component: ModemManager
Version: 37
Hardware: x86_64
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: ---
Assignee: Davide Cavalca
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:cc05a8e954c212f834ad04b3e80...
Duplicates: 2179635 2183550 2184734 2186965 2187199 2188486 2188614 2188859 2189347 2195846 2196114 2196331 2208208 2210328 2210523 2211646 2225082 2228059
Depends On:
Blocks:
 
Reported: 2022-12-01 12:22 UTC by Patrice ANDRE
Modified: 2023-08-01 09:37 UTC (History)
CC List: 26 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: ---
Embargoed:


Attachments


Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 2145005 0 medium CLOSED SELinux is preventing ModemManager from write access on the directory qmi. 2023-04-21 01:23:46 UTC
Red Hat Bugzilla 2151240 0 medium CLOSED SELinux is preventing ModemManager from using the 'execmem' accesses on a process. 2023-04-28 17:58:13 UTC

Description Patrice ANDRE 2022-12-01 12:22:24 UTC
Description of problem:
When the KDE Plasma session opens, I get a chain of notifications from SELinux:

SELinux is preventing ModemManager from using the execmem access on a process.

*****  Plugin allow_execmem (91.4 confidence) suggests   *********************

If this issue occurred during normal system operation.
Then this alert could be a serious issue and your system could be compromised.
Do
contact your security administrator and report this issue

*****  Plugin catchall (9.59 confidence) suggests   **************************

If you believe that ModemManager should be allowed execmem access on processes labeled modemmanager_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'ModemManager' --raw | audit2allow -M my-ModemManager
# semodule -X 300 -i my-ModemManager.pp

Additional Information:
Source Context                system_u:system_r:modemmanager_t:s0
Target Context                system_u:system_r:modemmanager_t:s0
Target Objects                Unknown [ process ]
Source                        ModemManager
Source Path                   ModemManager
Port                          <Unknown>
Host                          fedora.home
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-37.15-1.fc37.noarch
Local Policy RPM              selinux-policy-targeted-37.15-1.fc37.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     fedora.home
Platform                      Linux fedora.home 6.0.10-300.fc37.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Sat Nov 26 16:55:13 UTC 2022
                              x86_64 x86_64
Alert Count                   73
First Seen                    2022-12-01 13:16:25 CET
Last Seen                     2022-12-01 13:19:17 CET
Local ID                      7aa67b49-87b6-4976-a0b2-4510de85885e

Raw Audit Messages
type=AVC msg=audit(1669897157.91:1336): avc:  denied  { execmem } for  pid=10837 comm="ModemManager" scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:system_r:modemmanager_t:s0 tclass=process permissive=0


Hash: ModemManager,modemmanager_t,modemmanager_t,process,execmem
SELinux is preventing ModemManager from using the 'execmem' accesses on a process.

*****  Plugin allow_execmem (91.4 confidence) suggests   *********************

If this issue occurred during normal system operation.
Then this alert could be a serious issue and your system could be compromised.
Do
contact your security administrator and report this issue

*****  Plugin catchall (9.59 confidence) suggests   **************************

If you believe that ModemManager should be allowed execmem access on processes labeled modemmanager_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'ModemManager' --raw | audit2allow -M my-ModemManager
# semodule -X 300 -i my-ModemManager.pp

Additional Information:
Source Context                system_u:system_r:modemmanager_t:s0
Target Context                system_u:system_r:modemmanager_t:s0
Target Objects                Unknown [ process ]
Source                        ModemManager
Source Path                   ModemManager
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-37.15-1.fc37.noarch
Local Policy RPM              selinux-policy-targeted-37.15-1.fc37.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 6.0.10-300.fc37.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Sat Nov 26 16:55:13 UTC 2022
                              x86_64 x86_64
Alert Count                   39
First Seen                    2022-12-01 13:16:25 CET
Last Seen                     2022-12-01 13:17:56 CET
Local ID                      7aa67b49-87b6-4976-a0b2-4510de85885e

Raw Audit Messages
type=AVC msg=audit(1669897076.570:860): avc:  denied  { execmem } for  pid=8261 comm="ModemManager" scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:system_r:modemmanager_t:s0 tclass=process permissive=0


Hash: ModemManager,modemmanager_t,modemmanager_t,process,execmem

Version-Release number of selected component:
selinux-policy-targeted-37.15-1.fc37.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.17.4
hashmarkername: setroubleshoot
kernel:         6.0.10-300.fc37.x86_64
type:           libreport

Comment 1 Zdenek Pytela 2022-12-02 11:17:37 UTC
Switching the component for ModemManager maintainers to assess.

The execmem permission is required for mapping a memory region as executable, which is not common and possibly insecure, so it is disabled by default.
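The denial discussed in the description and in Comment 1 can be triaged from the raw AVC record alone, before anything is allowed. The helper below is an added example written for this page; it is not code from the bug report, from setroubleshoot, or from ModemManager. It parses records of the shape pasted in the description, rebuilds setroubleshoot's "Hash:" line (comm, source type, target type, tclass, permission) so denials can be grouped the way the tracker groups duplicates, and separates executable-memory denials on the process class from ordinary policy gaps. The sample record is the first raw audit message from the report; the function names (avc_field, avc_perms, avc_type, avc_hash, avc_severity) and the "high-blocked"/"high-logged"/"review" labels are this example's own.

```sh
#!/bin/sh
# Added example, not part of the bug report: a POSIX-sh triage helper for raw
# AVC records like the ones pasted above. It rebuilds the setroubleshoot
# "Hash:" line (comm,source type,target type,tclass,permission) and flags
# executable-memory denials on the process class, which setroubleshoot's
# allow_execmem plugin treats as a possible compromise rather than a policy gap.

# Constructed sample: the first raw audit message from the report, verbatim.
SAMPLE_AVC='type=AVC msg=audit(1669897157.91:1336): avc:  denied  { execmem } for  pid=10837 comm="ModemManager" scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:system_r:modemmanager_t:s0 tclass=process permissive=0'

# avc_field RECORD KEY: print the value of KEY=value in RECORD, quotes stripped.
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | tr -d '"' | head -n 1
}

# avc_perms RECORD: print the permissions listed between { }, one per line.
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\([^}]*\)}.*/\1/p' | tr ' ' '\n' | sed '/^$/d'
}

# avc_type CONTEXT: the type field of a user:role:type:level context.
avc_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_hash RECORD: one setroubleshoot-style hash line per denied permission.
avc_hash() {
    _rec=$1
    _comm=$(avc_field "$_rec" comm)
    _stype=$(avc_type "$(avc_field "$_rec" scontext)")
    _ttype=$(avc_type "$(avc_field "$_rec" tcontext)")
    _tclass=$(avc_field "$_rec" tclass)
    for _perm in $(avc_perms "$_rec"); do
        printf '%s,%s,%s,%s,%s\n' "$_comm" "$_stype" "$_ttype" "$_tclass" "$_perm"
    done
}

# avc_severity RECORD: "high-blocked" / "high-logged" when the denial is an
# executable-memory permission on the process class (execmem as on this page;
# execstack and execheap are the related ones), "review" for anything else.
# permissive=0 means enforcing mode, i.e. the access was actually refused;
# permissive=1 means the domain is permissive and the access only got logged.
avc_severity() {
    _rec=$1
    _tclass=$(avc_field "$_rec" tclass)
    _mode=$(avc_field "$_rec" permissive)
    for _perm in $(avc_perms "$_rec"); do
        case "$_tclass:$_perm" in
            process:execmem|process:execstack|process:execheap)
                if [ "$_mode" = 0 ]; then echo high-blocked; else echo high-logged; fi
                return 0 ;;
        esac
    done
    echo review
}

# Demo on the constructed sample. On a live system feed real records in with:
#   ausearch -m AVC -c ModemManager --raw | grep '^type=AVC ' \
#     | while IFS= read -r rec; do avc_hash "$rec"; avc_severity "$rec"; done
avc_hash "$SAMPLE_AVC"
echo "severity: $(avc_severity "$SAMPLE_AVC")"
```

Running the catchall plugin's ausearch | audit2allow | semodule recipe on this record would produce a module whose rule is allow modemmanager_t self:process execmem; and grant the permission permanently. For an execmem denial from a daemon with no JIT or similar legitimate need for writable-then-executable anonymous memory, the allow_execmem plugin's advice is the right one: treat it as a fault to diagnose rather than a policy gap to paper over, which is consistent with the heap-corruption crash shown in Comment 2 below.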

Comment 2 Lucas Stach 2022-12-13 09:34:03 UTC
coredumpctl dump output from a crashed ModemManager instance after the SELinux denial:

                Stack trace of thread 6775:
                #0  0x00007f4710cace7c __pthread_kill_implementation (libc.so.6 + 0x8ce7c)
                #1  0x00007f4710c5caa6 raise (libc.so.6 + 0x3caa6)
                #2  0x00007f4710c467fc abort (libc.so.6 + 0x267fc)
                #3  0x00007f4710ca10ae __libc_message (libc.so.6 + 0x810ae)
                #4  0x00007f4710cb6bbc malloc_printerr (libc.so.6 + 0x96bbc)
                #5  0x00007f4710cb7674 unlink_chunk.constprop.0 (libc.so.6 + 0x97674)
                #6  0x00007f4710cba2ad _int_malloc (libc.so.6 + 0x9a2ad)
                #7  0x00007f4710cbbbb6 __libc_calloc (libc.so.6 + 0x9bbb6)
                #8  0x00007f4710f3f5f1 g_malloc0 (libglib-2.0.so.0 + 0x5f5f1)
                #9  0x00007f4710f32ee3 g_source_new (libglib-2.0.so.0 + 0x52ee3)
                #10 0x00007f4710f375ad g_timeout_source_new_seconds (libglib-2.0.so.0 + 0x575ad)
                #11 0x00007f4710f37604 g_timeout_add_seconds_full (libglib-2.0.so.0 + 0x57604)
                #12 0x0000562bcd1dfe60 port_serial_queue_process (ModemManager + 0x136e60)
                #13 0x00007f4710f374c8 g_timeout_dispatch (libglib-2.0.so.0 + 0x574c8)
                #14 0x00007f4710f36cbf g_main_context_dispatch (libglib-2.0.so.0 + 0x56cbf)
                #15 0x00007f4710f8c598 g_main_context_iterate.constprop.0 (libglib-2.0.so.0 + 0xac598)
                #16 0x00007f4710f3628f g_main_loop_run (libglib-2.0.so.0 + 0x5628f)
                #17 0x0000562bcd1106af main (ModemManager + 0x676af)
                #18 0x00007f4710c47510 __libc_start_call_main (libc.so.6 + 0x27510)
                #19 0x00007f4710c475c9 __libc_start_main@@GLIBC_2.34 (libc.so.6 + 0x275c9)
                #20 0x0000562bcd1108d5 _start (ModemManager + 0x678d5)

                Stack trace of thread 6779:
                #0  0x00007f4710d2476d syscall (libc.so.6 + 0x10476d)
                #1  0x00007f4710f884c4 g_cond_wait_until (libglib-2.0.so.0 + 0xa84c4)
                #2  0x00007f4710f06451 g_async_queue_pop_intern_unlocked (libglib-2.0.so.0 + 0x26451)
                #3  0x00007f4710f65b4a g_thread_pool_thread_proxy.lto_priv.0 (libglib-2.0.so.0 + 0x85b4a)
                #4  0x00007f4710f609c2 g_thread_proxy (libglib-2.0.so.0 + 0x809c2)
                #5  0x00007f4710cab14d start_thread (libc.so.6 + 0x8b14d)
                #6  0x00007f4710d2ca00 __clone3 (libc.so.6 + 0x10ca00)

                Stack trace of thread 6780:
                #0  0x00007f4710d1f05f __poll (libc.so.6 + 0xff05f)
                #1  0x00007f4710f8c50d g_main_context_iterate.constprop.0 (libglib-2.0.so.0 + 0xac50d)
                #2  0x00007f4710f3628f g_main_loop_run (libglib-2.0.so.0 + 0x5628f)
                #3  0x00007f471113688a gdbus_shared_thread_func.lto_priv.0 (libgio-2.0.so.0 + 0x11688a)
                #4  0x00007f4710f609c2 g_thread_proxy (libglib-2.0.so.0 + 0x809c2)
                #5  0x00007f4710cab14d start_thread (libc.so.6 + 0x8b14d)
                #6  0x00007f4710d2ca00 __clone3 (libc.so.6 + 0x10ca00)

                Stack trace of thread 6776:
                #0  0x00007f4710d1f05f __poll (libc.so.6 + 0xff05f)
                #1  0x00007f4710f8c50d g_main_context_iterate.constprop.0 (libglib-2.0.so.0 + 0xac50d)
                #2  0x00007f4710f33f40 g_main_context_iteration (libglib-2.0.so.0 + 0x53f40)
                #3  0x00007f4710f35bd1 glib_worker_main (libglib-2.0.so.0 + 0x55bd1)
                #4  0x00007f4710f609c2 g_thread_proxy (libglib-2.0.so.0 + 0x809c2)
                #5  0x00007f4710cab14d start_thread (libc.so.6 + 0x8b14d)
                #6  0x00007f4710d2ca00 __clone3 (libc.so.6 + 0x10ca00)

                Stack trace of thread 6777:
                #0  0x00007f4710d2476d syscall (libc.so.6 + 0x10476d)
                #1  0x00007f4710f87e83 g_cond_wait (libglib-2.0.so.0 + 0xa7e83)
                #2  0x00007f4710f0647b g_async_queue_pop_intern_unlocked (libglib-2.0.so.0 + 0x2647b)
                #3  0x00007f4710f6454a g_thread_pool_spawn_thread (libglib-2.0.so.0 + 0x8454a)
                #4  0x00007f4710f609c2 g_thread_proxy (libglib-2.0.so.0 + 0x809c2)
                #5  0x00007f4710cab14d start_thread (libc.so.6 + 0x8b14d)
                #6  0x00007f4710d2ca00 __clone3 (libc.so.6 + 0x10ca00)
                ELF object binary architecture: AMD x86-64

That does not look intentional, but more like a corruption issue.

Comment 3 Fedora Admin user for bugzilla script actions 2023-02-21 12:04:40 UTC
This package has changed maintainer in Fedora. Reassigning to the new maintainer of this component.

Comment 4 Fedora Admin user for bugzilla script actions 2023-02-22 00:04:11 UTC
This package has changed maintainer in Fedora. Reassigning to the new maintainer of this component.

Comment 5 Flo 2023-03-15 14:04:16 UTC
SELinux is preventing ModemManager from using the 'execmem' accesses on a process.

*****  Plugin allow_execmem (91.4 confidence) suggests   *********************

If this issue occurred during normal system operation.
Then this alert could be a serious issue and your system could be compromised.
Do
contact your security administrator and report this issue


Additional Information:
Source Context                system_u:system_r:modemmanager_t:s0
Target Context                system_u:system_r:modemmanager_t:s0
Target Objects                Unknown [ process ]
Source                        ModemManager
Source Path                   ModemManager
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-37.19-1.fc37.noarch
Local Policy RPM              selinux-policy-targeted-37.19-1.fc37.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 6.2.2-300.fc37.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Fri Mar 3 16:25:21 UTC 2023 x86_64
                              x86_64
Last Seen                     2023-03-15 14:27:20 CET

Raw Audit Messages
type=AVC msg=audit(1678886840.661:228): avc:  denied  { execmem } for  pid=1667 comm="ModemManager" scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:system_r:modemmanager_t:s0 tclass=process permissive=0

Hash: ModemManager,modemmanager_t,modemmanager_t,process,execmem

Comment 6 Zdenek Pytela 2023-04-18 09:31:37 UTC
*** Bug 2183550 has been marked as a duplicate of this bug. ***

Comment 7 Zdenek Pytela 2023-04-18 09:31:59 UTC
*** Bug 2179635 has been marked as a duplicate of this bug. ***

Comment 8 Zdenek Pytela 2023-04-18 09:32:18 UTC
*** Bug 2184734 has been marked as a duplicate of this bug. ***

Comment 9 Zdenek Pytela 2023-04-18 09:32:51 UTC
*** Bug 2186965 has been marked as a duplicate of this bug. ***

Comment 10 Zdenek Pytela 2023-04-18 09:32:59 UTC
*** Bug 2187199 has been marked as a duplicate of this bug. ***

Comment 11 Zdenek Pytela 2023-04-21 06:44:13 UTC
*** Bug 2188486 has been marked as a duplicate of this bug. ***

Comment 12 Zdenek Pytela 2023-04-21 12:41:48 UTC
*** Bug 2188614 has been marked as a duplicate of this bug. ***

Comment 13 Zdenek Pytela 2023-04-25 09:22:02 UTC
*** Bug 2189347 has been marked as a duplicate of this bug. ***

Comment 14 Zdenek Pytela 2023-04-25 09:22:53 UTC
*** Bug 2188859 has been marked as a duplicate of this bug. ***

Comment 15 Zdenek Pytela 2023-05-09 08:01:45 UTC
*** Bug 2195846 has been marked as a duplicate of this bug. ***

Comment 16 Zdenek Pytela 2023-05-09 08:11:29 UTC
*** Bug 2196114 has been marked as a duplicate of this bug. ***

Comment 17 Zdenek Pytela 2023-05-09 08:12:27 UTC
*** Bug 2196331 has been marked as a duplicate of this bug. ***

Comment 18 Zdenek Pytela 2023-05-18 09:27:07 UTC
*** Bug 2208208 has been marked as a duplicate of this bug. ***

Comment 19 Zdenek Pytela 2023-05-26 16:08:58 UTC
*** Bug 2210328 has been marked as a duplicate of this bug. ***

Comment 20 Zdenek Pytela 2023-05-29 07:16:09 UTC
*** Bug 2210523 has been marked as a duplicate of this bug. ***

Comment 21 Zdenek Pytela 2023-06-01 15:36:43 UTC
*** Bug 2211646 has been marked as a duplicate of this bug. ***

Comment 22 Zdenek Pytela 2023-07-24 12:58:45 UTC
*** Bug 2225082 has been marked as a duplicate of this bug. ***

Comment 23 Zdenek Pytela 2023-08-01 09:37:48 UTC
*** Bug 2228059 has been marked as a duplicate of this bug. ***

