
Bug 1961571

Summary: SELinux prevents WWAN ports being accessed (Qualcomm SDX55)
Product: Fedora
Component: selinux-policy
Version: 34
Hardware: x86_64
OS: Linux
Type: Bug
Status: NEW
Severity: medium
Priority: medium
Keywords: Triaged
Reporter: Rhys Oxenham <roxenham>
Assignee: Zdenek Pytela <zpytela>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: dwalsh, grepl.miroslav, lvrabec, mmalik, omosnace, pbrobinson, vmojzis, zpytela
Target Milestone: ---
Target Release: ---

Description Rhys Oxenham 2021-05-18 10:04:44 UTC
Description of problem:

The default SELinux policy on Fedora 34 prevents the enumerated Qualcomm SDX55-based MBIM devices from being accessed by ModemManager (and likely other resources, or other devices that utilise MBIM).

Version-Release number of selected component (if applicable):

# rpm -qa | egrep '(kernel-5.13|ModemManager|mbim|qmi|selinux-policy)'
kernel-5.13.0-0.rc1.13.rdo.fc35.x86_64
libmbim-1.25.4-1.fc34.x86_64
libmbim-devel-1.25.4-1.fc34.x86_64
libmbim-utils-1.25.4-1.fc34.x86_64
ModemManager-glib-1.17.1-1.fc34.x86_64
ModemManager-1.17.1-1.fc34.x86_64
ModemManager-devel-1.17.1-1.fc34.x86_64
selinux-policy-34.7-1.fc34.noarch
selinux-policy-targeted-34.7-1.fc34.noarch
libqmi-1.29.5-2.fc34.x86_64
libqmi-utils-1.29.5-2.fc34.x86_64
libqmi-devel-1.29.5-2.fc34.x86_64

How reproducible:

Every time. I've got to disable SELinux to get it to work as expected.

Actual results:

Under SELinux permissive mode I've captured the audit logs to show which were denied:

type=AVC msg=audit(1621331844.977:1196): avc:  denied  { read write } for  pid=27570 comm="ModemManager" name="wwan0p1QCDM" dev="devtmpfs" ino=692 scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1621331844.977:1197): avc:  denied  { open } for  pid=27570 comm="ModemManager" path="/dev/wwan0p1QCDM" dev="devtmpfs" ino=692 scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1621331844.977:1198): avc:  denied  { getattr } for  pid=27570 comm="pool-ModemManag" path="/dev/wwan0p2MBIM" dev="devtmpfs" ino=694 scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1621331845.255:1199): avc:  denied  { ioctl } for  pid=27570 comm="ModemManager" path="/dev/wwan0p1QCDM" dev="devtmpfs" ino=692 ioctlcmd=0x5401 scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1621331845.273:1200): avc:  denied  { connectto } for  pid=27570 comm="ModemManager" path=006D62696D2D70726F7879 scontext=system_u:system_r:modemmanager_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1


Expected results:

SELinux policy allows ModemManager to access the MBIM/QCDM devices.

Comment 1 Zdenek Pytela 2021-05-18 13:24:15 UTC
(In reply to Rhys Oxenham from comment #0)
> type=AVC msg=audit(1621331844.977:1196): avc:  denied  { read write } for 
> pid=27570 comm="ModemManager" name="wwan0p1QCDM" dev="devtmpfs" ino=692
> scontext=system_u:system_r:modemmanager_t:s0
> tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=1
These denials will be addressed by assigning a proper label to the device, which as a result allows the access to all services that already have the permissions. The most tricky part is to understand how the filename is constructed. Will the filenames wwan0p1QCDM and wwan0p2MBIM always be the same or can they change?

The problem is that while we can assign a default label in selinux-policy to filenames with regular expressions, file transitions need to be enumerated unless the device label is handled by the driver itself.

> type=AVC msg=audit(1621331845.273:1200): avc:  denied  { connectto } for 
> pid=27570 comm="ModemManager" path=006D62696D2D70726F7879
> scontext=system_u:system_r:modemmanager_t:s0
> tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> tclass=unix_stream_socket permissive=1
To understand this denial, we need to find out which service ModemManager communicates with: do you happen to know which service it is and how it was started? If it is still running, we can find it with this command:

ps -eo pid,ppid,command,context | grep -e CONTEXT -e unconfined_t

> 
> 
> Expected results:
> 
> SELinux policy allows ModemManager to access the MBIM/QCDM devices.

Comment 2 Rhys Oxenham 2021-05-19 13:58:38 UTC
(In reply to Zdenek Pytela from comment #1)

> > type=AVC msg=audit(1621331844.977:1196): avc:  denied  { read write } for 
> > pid=27570 comm="ModemManager" name="wwan0p1QCDM" dev="devtmpfs" ino=692
> > scontext=system_u:system_r:modemmanager_t:s0
> > tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=1
> These denials will be addressed by assigning proper label to the device, as
> a result allowing the access to all services which already had the
> permissions. The most tricky part is to understand how the filename is
> constructed. Will the filenames wwan0p1QCDM and wwan0p2MBIM always be the
> same or can they change?

That's a good question, unfortunately I can only answer it from my perspective and with my modem.

From what I can see, the kernel mhi subsystem adds in the wwan0pX ports, and the subports refer to different ways of interrogating the ports, e.g. p1 is QCDM format, and p2 is MBIM.

Whilst I don't have it listed, it's also possible to enable standard "AT" serial interrogation of a device, so this would likely get listed as "wwan0p3AT".

Every reboot, *my* devices get enumerated in the same way, but I suspect it's entirely possible that other devices (or a setup with more than one device) would get enumerated in different ways.

> 
> The problem is that while we can assign a default label in selinux-policy to
> filename with regular expressions, file transitions need to be enumerated
> unless the device label is handled by the driver itself.
> 
> > type=AVC msg=audit(1621331845.273:1200): avc:  denied  { connectto } for 
> > pid=27570 comm="ModemManager" path=006D62696D2D70726F7879
> > scontext=system_u:system_r:modemmanager_t:s0
> > tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> > tclass=unix_stream_socket permissive=1
> To understand this denial, we need to find out which service ModemManager
> communicates with: do you happen to know which service it is and how it was
> started? If it is still running, with this command we can find it?
> 
> ps -eo pid,ppid,command,context | grep -e CONTEXT -e unconfined_t
> 

I *believe* that it's actually `mbim-proxy` in my case that interrogates the wwan0p2MBIM port from ModemManager.

Results from the command above, although I don't think they're particularly useful for you; note that I'm currently in permissive mode, not sure whether it matters:

% ps -eo pid,ppid,command,context | grep -e CONTEXT -e unconfined_t
    PID    PPID COMMAND                     CONTEXT
   1872       1 /usr/lib/systemd/systemd -- unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
   1888    1863 sshd: rdo@pts/0             unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
   1896    1888 -zsh                        unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
   1953    1924 /usr/libexec/gdm-wayland-se unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
   1962    1953 /usr/libexec/gnome-session- unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
   2009    1872 /usr/libexec/gnome-session- unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
   2010    1872 /usr/libexec/uresourced --u unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
   2012    1872 /usr/libexec/gnome-session- unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
   2035    1872 /usr/bin/gnome-keyring-daem unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
   2053    1872 /usr/bin/gnome-shell        unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
   2119    1872 /usr/libexec/at-spi-bus-lau unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
   2139    2053 ibus-daemon --panel disable unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
   2142    1872 /usr/libexec/gvfsd          unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
   2147    1872 /usr/libexec/gvfsd-fuse /ru unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
   2149    2139 /usr/libexec/ibus-dconf     unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
   2150    2139 /usr/libexec/ibus-extension unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
   2155    1872 /usr/libexec/ibus-portal    unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
   2169    1872 /usr/libexec/xdg-permission unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
   2173    1872 /usr/libexec/gnome-shell-ca unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
   2179    1872 /usr/libexec/evolution-sour unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
   2183    1872 /usr/bin/pipewire           unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
   2184    1872 /usr/bin/pipewire-pulse     unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
   2190    2183 /usr/bin/pipewire-media-ses unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
   2194    1872 /usr/libexec/goa-daemon     unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
   2200    1872 /usr/libexec/evolution-cale unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
   2206    1872 /usr/libexec/gvfs-udisks2-v unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
   2215    1872 /usr/libexec/gvfs-mtp-volum unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
   2221    1872 /usr/libexec/gvfs-gphoto2-v unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
   2232    1872 /usr/libexec/gvfs-goa-volum unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
   2234    1872 /usr/libexec/dconf-service  unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
   2243    1872 /usr/libexec/evolution-addr unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
   2253    1872 /usr/libexec/goa-identity-s unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
   2258    1872 /usr/libexec/gvfs-afc-volum unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
   2279    1872 /usr/bin/gjs /usr/share/gno unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
   2280    1872 /usr/libexec/at-spi2-regist unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
   2298    1872 /usr/libexec/gsd-a11y-setti unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
   2299    1872 /usr/libexec/gsd-color      unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
   2303    1872 /usr/libexec/gsd-datetime   unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
   2307    1872 /usr/libexec/gsd-housekeepi unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
   2308    1872 /usr/libexec/gsd-keyboard   unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
   2310    1872 /usr/libexec/gsd-media-keys unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
   2315    1872 /usr/libexec/gsd-power      unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
   2319    1872 /usr/libexec/gsd-print-noti unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
   2320    1872 /usr/libexec/gsd-rfkill     unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
   2324    1872 /usr/libexec/gsd-screensave unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
   2328    1872 /usr/libexec/gsd-sharing    unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
   2329    1872 /usr/libexec/gsd-smartcard  unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
   2332    1872 /usr/libexec/gsd-sound      unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
   2336    1872 /usr/libexec/gsd-usb-protec unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
   2341    1872 /usr/libexec/gsd-wacom      unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
   2367    2012 /usr/libexec/evolution-data unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
   2371    2012 /usr/libexec/gsd-disk-utili unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
   2398    2012 /usr/bin/gnome-software --g unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
   2425    1872 /usr/bin/abrt-applet --gapp unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
   2426    1872 /usr/bin/gjs /usr/share/gno unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
   2473    2139 /usr/libexec/ibus-engine-si unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
   2518    1872 /usr/libexec/gsd-printer    unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
   3112    1896 ps -eo pid,ppid,command,con unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
   3113    1896 grep --color=auto -e CONTEX unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

Comment 3 Peter Robinson 2021-05-19 14:15:09 UTC
> > constructed. Will the filenames wwan0p1QCDM and wwan0p2MBIM always be the
> > same or can they change?
> From what I can see, the kernel mhi subsystem adds in the wwan0pX ports, and
> the subports refer to different ways of interrogating the ports, e.g. p1 is
> QCDM format, and p2 is MBIM.

I suspect it's the new WWAN kernel interface that adds these:
https://cateee.net/lkddb/web-lkddb/WWAN.html

It will be wwanXpY where X is the device, and most of the devices have a bunch of ports for things like control, IP, location etc.

> > ps -eo pid,ppid,command,context | grep -e CONTEXT -e unconfined_t
> > 
> 
> I *believe* that it's actually `mbim-proxy` in my case that interrogates the
> wwan0p2MBIM port from ModemManager.

Could also be qmi-proxy.
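
A file-context spec for the wwanXpY naming Peter Robinson describes above, as an added example (shell; not selinux-policy's own .fc entry and not the fix eventually applied to this bug). It follows the route Zdenek Pytela outlined in comment 1: label the nodes by regular expression so the existing rules apply, rather than allowing modemmanager_t on device_t. The port-type alternation covers QCDM and MBIM from the report plus AT and QMI, the two other types named in this thread; the choice of modem_device_t as the target type is an assumption, which is why the apply step checks it with sesearch; the function names are mine and the sample paths are constructed.

```shell
#!/bin/sh
# Added example, not part of selinux-policy or of this bug's eventual fix: a file
# context for the kernel WWAN control ports, following the wwanXpY<TYPE> naming
# described in this bug, plus the commands to install and verify it.

# Port types: QCDM and MBIM are the two seen in comment 0; AT and QMI are the other
# two named in the thread. Extend the alternation if your kernel exposes more.
WWAN_PORT_TYPES='QCDM|MBIM|AT|QMI'

# One pattern serves both as the file_contexts regular expression and as an ERE for
# grep -E below: libselinux compiles specs with PCRE and anchors them, and this
# subset reads the same in both dialects. Device (X) and port index (Y) both vary.
WWAN_PORT_RE="/dev/wwan[0-9]+p[0-9]+(${WWAN_PORT_TYPES})"

# Assumption: modem_device_t, the policy's existing type for modem devices, is the
# label to reuse. apply_wwan_fcontext confirms modemmanager_t may use it before relying on it.
WWAN_PORT_TYPE=modem_device_t

# is_wwan_port PATH: succeeds when PATH would be matched by the spec.
is_wwan_port() {
    printf '%s\n' "$1" | grep -Eq "^${WWAN_PORT_RE}\$"
}

# wwan_fcontext_spec: the line as it would appear in a policy module's .fc file.
wwan_fcontext_spec() {
    printf '%s -c gen_context(system_u:object_r:%s,s0)\n' "$WWAN_PORT_RE" "$WWAN_PORT_TYPE"
}

# apply_wwan_fcontext: install the spec as a local customisation, relabel any nodes
# that already exist, and confirm the domain is allowed on the new type. Needs root,
# policycoreutils-python-utils (semanage) and setools-console (sesearch). Nodes that
# appear later are labelled by udev from the same spec, so a re-plug is enough.
apply_wwan_fcontext() {
    semanage fcontext -a -f c -t "$WWAN_PORT_TYPE" "$WWAN_PORT_RE" || return 1
    restorecon -v /dev/wwan[0-9]*p[0-9]* 2>/dev/null || :   # nothing to do if no port exists yet
    matchpathcon /dev/wwan0p2MBIM                              # should now report the new type
    # No output here means the label alone will not clear the denials: either the
    # type is wrong or the policy needs a rule for modemmanager_t on it.
    sesearch -A -s modemmanager_t -t "$WWAN_PORT_TYPE" -c chr_file -p read,write,ioctl
}

# Constructed sample paths: the two from the report, the AT and QMI ports named in
# the thread, a second device, and two paths the spec must not claim.
for dev in /dev/wwan0p1QCDM /dev/wwan0p2MBIM /dev/wwan0p3AT /dev/wwan1p0QMI /dev/wwan0 /dev/ttyUSB0; do
    if is_wwan_port "$dev"; then echo "match    $dev"; else echo "no match $dev"; fi
done
wwan_fcontext_spec
if [ "${1:-}" = apply ]; then apply_wwan_fcontext; fi
```

Running it with no argument only exercises the pattern and prints the .fc line; `sh script.sh apply` as root performs the semanage, restorecon, matchpathcon and sesearch steps. The sesearch check matters because a file context is only half of the fix: if the domain has no rule for the chosen type, relabelling just turns device_t denials into modem_device_t denials. The ioctl denial in comment 0 carries ioctlcmd=0x5401, which is TCGETS, so ModemManager is probing the port as a serial line and the type chosen needs ioctl as well as read and write.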