Summary:

SELinux is preventing /usr/sbin/modem-manager "sys_admin" access.

Detailed Description:

SELinux denied access requested by modem-manager. It is not expected that this
access is required by modem-manager and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                system_u:system_r:modemmanager_t:s0-s0:c0.c1023
Target Context                system_u:system_r:modemmanager_t:s0-s0:c0.c1023
Target Objects                None [ capability ]
Source                        modem-manager
Source Path                   /usr/sbin/modem-manager
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           ModemManager-0.2-3.20090826.fc12
Target RPM Packages
Policy RPM                    selinux-policy-3.6.32-46.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.31.5-127.fc12.i686 #1 SMP Sat Nov 7 21:41:45 EST 2009 i686 i686
Alert Count                   6
First Seen                    Tue 24 Nov 2009 08:06:57 PM IST
Last Seen                     Wed 25 Nov 2009 02:57:09 PM IST
Local ID                      c94f656c-1635-49b1-8823-aae2d2c0c985
Line Numbers

Raw Audit Messages

node=(removed) type=AVC msg=audit(1259141229.68:8): avc: denied { sys_admin } for pid=1422 comm="modem-manager" capability=21 scontext=system_u:system_r:modemmanager_t:s0-s0:c0.c1023 tcontext=system_u:system_r:modemmanager_t:s0-s0:c0.c1023 tclass=capability

node=(removed) type=SYSCALL msg=audit(1259141229.68:8): arch=40000003 syscall=5 success=no exit=-19 a0=91b30c0 a1=982 a2=80633e0 a3=91b5198 items=0 ppid=1 pid=1422 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="modem-manager" exe="/usr/sbin/modem-manager" subj=system_u:system_r:modemmanager_t:s0-s0:c0.c1023 key=(null)

Hash String generated from
selinux-policy-3.6.32-46.fc12,catchall,modem-manager,modemmanager_t,modemmanager_t,capability,sys_admin

audit2allow suggests:

#============= modemmanager_t ==============
allow modemmanager_t self:capability sys_admin;
You can add these rules for now using

# grep avc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Fixed in selinux-policy-3.6.32-50.fc12.noarch
What is sys_admin? Seems a bit coarse as a context.
sys_admin is the catchall capability. Not really an SELinux thing.

* Allow configuration of the secure attention key
* Allow administration of the random device
* Allow examination and configuration of disk quotas
* Allow configuring the kernel's syslog (printk behaviour)
* Allow setting the domainname
* Allow setting the hostname
* Allow calling bdflush()
* Allow mount() and umount(), setting up new smb connection
* Allow some autofs root ioctls
* Allow nfsservctl
* Allow VM86_REQUEST_IRQ
* Allow to read/write pci config on alpha
* Allow irix_prctl on mips (setstacksize)
* Allow flushing all cache on m68k (sys_cacheflush)
* Allow removing semaphores (Used instead of CAP_CHOWN to "chown" IPC message queues, semaphores and shared memory)
* Allow locking/unlocking of shared memory segment
* Allow turning swap on/off
* Allow forged pids on socket credentials passing
* Allow setting readahead and flushing buffers on block devices
* Allow setting geometry in floppy driver
* Allow turning DMA on/off in xd driver
* Allow administration of md devices (mostly the above, but some extra ioctls)
* Allow tuning the ide driver
* Allow access to the nvram device
* Allow administration of apm_bios, serial and bttv (TV) device
* Allow manufacturer commands in isdn CAPI support driver
* Allow reading non-standardized portions of pci configuration space
* Allow DDI debug ioctl on sbpcd driver
* Allow setting up serial ports
* Allow sending raw qic-117 commands
* Allow enabling/disabling tagged queuing on SCSI controllers and sending arbitrary SCSI commands
* Allow setting encryption key on loopback filesystem
* Allow setting zone reclaim policy
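A triage sketch for the denial discussed above, added here and not part of the original report or of any Fedora tool: it joins the AVC record to its SYSCALL record by audit event ID, names the numeric capability, and flags coarse capabilities before a rule like the audit2allow suggestion is loaded. The BROAD set is this example's assumption; the sample records are abridged from the report.

```python
import errno
import re

# Capability numbers from linux/capability.h (subset).
CAP_NAMES = {1: "dac_override", 12: "net_admin", 16: "sys_module",
             17: "sys_rawio", 19: "sys_ptrace", 21: "sys_admin"}
# Assumption: capabilities this reviewer treats as too coarse to allow blindly.
BROAD = {"sys_admin", "sys_module", "sys_rawio", "dac_override"}
EVENT_RE = re.compile(r"type=(\w+) msg=audit\(([\d.]+:\d+)\):\s*(.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERM_RE = re.compile(r"denied\s+\{\s*([^}]*?)\s*\}")

# The two audit records from this report (SYSCALL record abridged).
CTX = "system_u:system_r:modemmanager_t:s0-s0:c0.c1023"
SAMPLE = [
    'node=(removed) type=AVC msg=audit(1259141229.68:8): avc: denied { sys_admin } '
    'for pid=1422 comm="modem-manager" capability=21 '
    f'scontext={CTX} tcontext={CTX} tclass=capability',
    'node=(removed) type=SYSCALL msg=audit(1259141229.68:8): arch=40000003 syscall=5 '
    'success=no exit=-19 ppid=1 pid=1422 uid=0 comm="modem-manager" '
    f'exe="/usr/sbin/modem-manager" subj={CTX} key=(null)',
]

def review_capability_denials(lines):
    """Return one finding per capability denial, joined to its SYSCALL record."""
    avcs, syscalls = [], {}
    for m in filter(None, map(EVENT_RE.search, lines)):
        rtype, event_id, body = m.groups()
        fields = {k: v.strip('"') for k, v in KV_RE.findall(body)}
        if rtype == "SYSCALL":
            syscalls[event_id] = fields
        elif rtype == "AVC" and fields.get("tclass") == "capability":
            perm = PERM_RE.search(body)
            avcs.append((event_id, perm.group(1).split() if perm else [], fields))
    findings = []
    for event_id, perms, f in avcs:
        sc = syscalls.get(event_id, {})  # same timestamp:serial means same event
        exit_code = int(sc.get("exit", "0"))
        findings.append({
            "domain": f["scontext"].split(":")[2],
            "comm": f.get("comm"),
            "capability": CAP_NAMES.get(int(f["capability"]), f["capability"]),
            "perms": perms,
            "syscall": sc.get("syscall"),
            "errno": errno.errorcode.get(-exit_code) if exit_code < 0 else None,
            "needs_review": bool(BROAD & set(perms)),
        })
    return findings
```
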
selinux-policy-3.6.32-52.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-52.fc12
selinux-policy-3.6.32-52.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2009-12549
selinux-policy-3.6.32-55.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-55.fc12
selinux-policy-3.6.32-55.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2009-12650
selinux-policy-3.6.32-55.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
selinux-policy-3.6.32-120.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-120.fc12
selinux-policy-3.6.32-120.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.