
Bug 710292

Summary: setroubleshoot: Your system may be seriously compromised! /usr/sbin/wpa_supplicant (deleted) tried to load a kernel module
Product: Red Hat Enterprise Linux 6
Reporter: Natxo Asenjo <natxo>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Karel Srot <ksrot>
Severity: high
Priority: high
Version: 6.0
CC: dwalsh, jhunt, ksrot, mmalik, syeghiay
Target Milestone: rc
Hardware: x86_64
OS: Linux
Fixed In Version: selinux-policy-3.7.19-96.el6
Doc Type: Bug Fix
Last Closed: 2011-12-06 10:08:17 UTC

Description Natxo Asenjo 2011-06-02 22:18:14 UTC
Description of problem:

selinux 'panics' (and made me panic) when the laptop resumes from suspended mode.

I read this log: 
Jun  2 19:57:31 host setroubleshoot: Your system may be seriously compromised! /usr/sbin/wpa_supplicant (deleted) tried to load a kernel module. For complete SELinux messages. run sealert -l abe18b46-f4f7-46b4-bcd4-be8ed703073e

If you run the sealert command, you get a very nasty looking warning that the system has been compromised.

In fact, this is what has happened: this system is a laptop with a builtin broadband modem. I closed the laptop lid, so it suspended. When I reopened its lid, it reactivated and the network devices (wifi, 3g modem, etc) woke up. This is a piece of the log:

Jun  2 19:57:31 host NetworkManager[1529]: <info> Activation (wlan0) Stage 5 of 5 (IP Configure Commit) scheduled...
Jun  2 19:57:31 host NetworkManager[1529]: <info> Activation (wlan0) Stage 4 of 5 (IP4 Configure Get) complete.
Jun  2 19:57:31 host NetworkManager[1529]: <info> Activation (wlan0) Stage 5 of 5 (IP Configure Commit) started...
Jun  2 19:57:31 host dhclient: bound to 192.168.0.10 -- renewal in 34580 seconds.
Jun  2 19:57:31 host kernel: cdc_acm 2-6:1.1: ttyACM0: USB ACM device
Jun  2 19:57:31 host kernel: cdc_acm 2-6:1.3: ttyACM1: USB ACM device
Jun  2 19:57:31 host kernel: cdc_wdm 2-6:1.5: cdc-wdm0: USB WDM device
Jun  2 19:57:31 host kernel: cdc_wdm 2-6:1.6: cdc-wdm1: USB WDM device
Jun  2 19:57:31 host kernel: usb0: register 'cdc_ether' at usb-0000:00:1d.7-6, CDC Ethernet Device, 02:80:37:ec:02:00
Jun  2 19:57:31 host kernel: cdc_acm 2-6:1.9: ttyACM2: USB ACM device
Jun  2 19:57:31 host modem-manager: (Ericsson MBM): GSM modem /sys/devices/pci0000:00/0000:00:1d.7/usb2/2-6 claimed port usb0
Jun  2 19:57:31 host modem-manager: (ttyACM1) opening serial device...
Jun  2 19:57:31 host modem-manager: (ttyACM2) opening serial device...
Jun  2 19:57:31 host modem-manager: (ttyACM0) opening serial device...
Jun  2 19:57:31 host setroubleshoot: Your system may be seriously compromised! /usr/sbin/wpa_supplicant (deleted) tried to load a kernel module. For complete SELinux messages. run sealert -l abe18b46-f4f7-46b4-bcd4-be8ed703073e

As you see the message comes right after the wifi nic gets an ip
address. Then the modem driver gets loaded.

I am quite confident the system has not been compromised, although
everything is possible. The firewall is on, no services are running.

How reproducible:

I have not seen this behaviour before, grepping the messages log files
shows only this one message


Comment 2 Natxo Asenjo 2011-06-02 22:29:47 UTC
I had the laptop suspend again, and again I got the message. So it looks reproducible:

Jun  3 00:23:28 host dhclient: bound to 192.168.0.10 -- renewal in 35854 seconds.
Jun  3 00:23:29 host kernel: usb 2-6: New USB device found, idVendor=413c, idProduct=8147
Jun  3 00:23:29 host kernel: usb 2-6: New USB device strings: Mfr=1, Product=2, SerialNumber=3
Jun  3 00:23:29 host kernel: usb 2-6: Product: Dell Wireless 5530 HSPA Mobile Broadband Minicard Device
Jun  3 00:23:29 host kernel: usb 2-6: Manufacturer: Dell
Jun  3 00:23:29 host kernel: usb 2-6: SerialNumber: 3558620253014030
Jun  3 00:23:29 host kernel: usb 2-6: configuration #1 chosen from 2 choices
Jun  3 00:23:29 host kernel: cdc_acm 2-6:1.1: ttyACM0: USB ACM device
Jun  3 00:23:29 host kernel: cdc_acm 2-6:1.3: ttyACM1: USB ACM device
Jun  3 00:23:29 host kernel: cdc_wdm 2-6:1.5: cdc-wdm0: USB WDM device
Jun  3 00:23:29 host kernel: cdc_wdm 2-6:1.6: cdc-wdm1: USB WDM device
Jun  3 00:23:29 host kernel: usb0: register 'cdc_ether' at usb-0000:00:1d.7-6, CDC Ethernet Device, 02:80:37:ec:02:00
Jun  3 00:23:29 host kernel: cdc_acm 2-6:1.9: ttyACM2: USB ACM device
Jun  3 00:23:29 host modem-manager: (ttyACM1) opening serial device...
Jun  3 00:23:29 host modem-manager: (ttyACM2) opening serial device...
Jun  3 00:23:29 host modem-manager: (ttyACM0) opening serial device...
Jun  3 00:23:29 host modem-manager: (Ericsson MBM): GSM modem /sys/devices/pci0000:00/0000:00:1d.7/usb2/2-6 claimed port usb0
Jun  3 00:23:29 host NetworkManager[1529]: <info> (wlan0): device state change: 7 -> 8 (reason 0)
Jun  3 00:23:29 host NetworkManager[1529]: <info> Policy set 'Auto default' (wlan0) as default for IPv4 routing and DNS.
Jun  3 00:23:29 host NetworkManager[1529]: <info> Activation (wlan0) successful, device activated.
Jun  3 00:23:29 host NetworkManager[1529]: <info> Activation (wlan0) Stage 5 of 5 (IP Configure Commit) complete.
Jun  3 00:23:29 host NetworkManager[1529]: <error> [1307053409.968902] [nm-device-ethernet.c:729] real_update_permanent_hw_address(): (usb0): unable to read permanent MAC address (error 0)
Jun  3 00:23:29 host NetworkManager[1529]: <info> (usb0): carrier is OFF
Jun  3 00:23:29 host NetworkManager[1529]: <info> (usb0): new Ethernet device (driver: 'cdc_ether' ifindex: 7)
Jun  3 00:23:29 host NetworkManager[1529]: <info> (usb0): exported as /org/freedesktop/NetworkManager/Devices/6
Jun  3 00:23:29 host NetworkManager[1529]: <info> (usb0): now managed
Jun  3 00:23:29 host NetworkManager[1529]: <info> (usb0): device state change: 1 -> 2 (reason 2)
Jun  3 00:23:29 host NetworkManager[1529]: <info> (usb0): bringing up device.
Jun  3 00:23:29 host NetworkManager[1529]: <info> (usb0): preparing device.
Jun  3 00:23:29 host NetworkManager[1529]: <info> (usb0): deactivating device (reason: 2).
Jun  3 00:23:29 host NetworkManager[1529]: <info> Added default wired connection 'Auto usb0' for /sys/devices/pci0000:00/0000:00:1d.7/usb2/2-6/2-6:1.7/net/usb0
Jun  3 00:23:29 host NetworkManager[1529]: <info> (usb0): carrier now ON (device state 2)
Jun  3 00:23:29 host NetworkManager[1529]: <info> (usb0): device state change: 2 -> 3 (reason 40)
Jun  3 00:23:29 host NetworkManager[1529]: <info> (usb0): carrier now OFF (device state 3)
Jun  3 00:23:29 host NetworkManager[1529]: <info> (usb0): device state change: 3 -> 2 (reason 40)
Jun  3 00:23:29 host NetworkManager[1529]: <info> (usb0): deactivating device (reason: 40).
Jun  3 00:23:30 host NetworkManager[1529]: <info> Policy set 'Auto default' (wlan0) as default for IPv4 routing and DNS.
Jun  3 00:23:30 host NetworkManager[1529]: <info> Policy set 'Auto default' (wlan0) as default for IPv4 routing and DNS.
Jun  3 00:23:30 host NetworkManager[1529]: <info> Connection 'Auto usb0' auto-activation failed: (2) Device not managed by NetworkManager
Jun  3 00:23:30 host ntpd[21394]: ntpd exiting on signal 15
Jun  3 00:23:30 host ntpd_initres[21397]: parent died before we finished, exiting
Jun  3 00:23:30 host ntpd[21608]: ntpd 4.2.4p8 Wed Nov 24 19:02:17 UTC 2010 (1)
Jun  3 00:23:30 host ntpd[21609]: precision = 1.117 usec
Jun  3 00:23:30 host ntpd[21609]: Listening on interface #0 wildcard, 0.0.0.0#123 Disabled
Jun  3 00:23:30 host ntpd[21609]: Listening on interface #1 wildcard, ::#123 Disabled
Jun  3 00:23:30 host ntpd[21609]: Listening on interface #2 lo, ::1#123 Enabled
Jun  3 00:23:30 host ntpd[21609]: Listening on interface #3 wlan0, fe80::224:d6ff:fe83:bbc2#123 Enabled
Jun  3 00:23:30 host ntpd[21609]: Listening on interface #4 lo, 127.0.0.1#123 Enabled
Jun  3 00:23:30 host ntpd[21609]: Listening on interface #5 wlan0, 192.168.0.10#123 Enabled
Jun  3 00:23:30 host ntpd[21609]: Listening on routing socket on fd #22 for interface updates
Jun  3 00:23:30 host ntpd[21609]: kernel time sync status 2040
Jun  3 00:23:30 host ntpd[21609]: frequency initialized 0.711 PPM from /var/lib/ntp/drift
Jun  3 00:23:31 host setroubleshoot: Your system may be seriously compromised! /usr/sbin/wpa_supplicant (deleted) tried to load a kernel module. For complete SELinux messages. run sealert -l abe18b46-f4f7-46b4-bcd4-be8ed703073e
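
The correlation done by eye in the two comments above (the setroubleshoot alert arriving within seconds of the modem's USB drivers registering after resume) can be scripted; this is an added example, not part of the original report or of setroubleshoot. It gives triage context for the alert, not a verdict. The function names, the 5-second window, the assumed year 2011 (syslog lines carry no year) and the final sample line are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Syslog lines taken from the report; the final line is constructed to show
# an alert with no device activity around it.
SAMPLE = """\
Jun  2 19:57:31 host dhclient: bound to 192.168.0.10 -- renewal in 34580 seconds.
Jun  2 19:57:31 host kernel: cdc_acm 2-6:1.1: ttyACM0: USB ACM device
Jun  2 19:57:31 host kernel: usb0: register 'cdc_ether' at usb-0000:00:1d.7-6, CDC Ethernet Device, 02:80:37:ec:02:00
Jun  2 19:57:31 host setroubleshoot: Your system may be seriously compromised! /usr/sbin/wpa_supplicant (deleted) tried to load a kernel module. For complete SELinux messages. run sealert -l abe18b46-f4f7-46b4-bcd4-be8ed703073e
Jun  2 21:10:02 host setroubleshoot: Your system may be seriously compromised! /usr/local/bin/example tried to load a kernel module. For complete SELinux messages. run sealert -l 00000000-0000-0000-0000-000000000000
"""

LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ ([^:\[\s]+)(?:\[\d+\])?: (.*)$")
ALERT = re.compile(r"(/\S+)( \(deleted\))? tried to load a kernel module"
                   r".*sealert -l ([0-9a-f-]{36})")
DRIVER = re.compile(r"^(cdc_\w+) |register '(\w+)'")  # drivers seen in the report

def parse(text, year=2011):
    """Yield (timestamp, program, message); syslog omits the year, so it is assumed."""
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), m.group(3)

def triage(text, window=timedelta(seconds=5)):
    """Pair each module-load alert with kernel driver events in the preceding window."""
    events = list(parse(text))
    findings = []
    for ts, prog, msg in events:
        alert = ALERT.search(msg) if prog == "setroubleshoot" else None
        if not alert:
            continue
        drivers = set()
        for ets, eprog, emsg in events:
            hit = DRIVER.search(emsg) if eprog == "kernel" else None
            if hit and timedelta(0) <= ts - ets <= window:
                drivers.add(hit.group(1) or hit.group(2))
        findings.append({
            "time": ts, "binary": alert.group(1),
            # "(deleted)": the running binary's file was unlinked or replaced on disk
            "deleted": bool(alert.group(2)),
            "sealert_id": alert.group(3), "drivers_before": sorted(drivers)})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

An alert with an empty `drivers_before` list, like the constructed last line, has no hardware event nearby to explain it and is the one to look at first with `sealert -l`.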

Comment 3 Jacob Hunt 2011-06-03 17:50:25 UTC
This issue happens with this kernel:
kernel-2.6.32-71.29.1.el6.x86_64
If you revert back to the following kernel, the issue disappears:
kernel-2.6.32-71.18.2.el6.x86_64

Comment 4 Daniel Walsh 2011-06-03 20:37:54 UTC
Yes we have to hack in some dontaudits because the kernel/userspace has never been fixed.

This looks like the latest policy has the fix.

selinux-policy-3.7.19-96.el6

Comment 10 errata-xmlrpc 2011-12-06 10:08:17 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1511.html