Bug 1961571
| Summary: | SELinux prevents WWAN ports being accessed (Qualcomm SDX55) | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Rhys Oxenham <roxenham> |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
| Status: | NEW --- | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 34 | CC: | dwalsh, grepl.miroslav, lvrabec, mmalik, omosnace, pbrobinson, vmojzis, zpytela |
| Target Milestone: | --- | Keywords: | Triaged |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Rhys Oxenham
2021-05-18 10:04:44 UTC
Comment 1 (Zdenek Pytela)

(In reply to Rhys Oxenham from comment #0)

> type=AVC msg=audit(1621331844.977:1196): avc: denied { read write } for pid=27570 comm="ModemManager" name="wwan0p1QCDM" dev="devtmpfs" ino=692 scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=1

These denials will be addressed by assigning a proper label to the device, as a result allowing the access to all services which already had the permissions. The most tricky part is to understand how the filename is constructed. Will the filenames wwan0p1QCDM and wwan0p2MBIM always be the same, or can they change? The problem is that while we can assign a default label in selinux-policy to a filename with regular expressions, file transitions need to be enumerated unless the device label is handled by the driver itself.

> type=AVC msg=audit(1621331845.273:1200): avc: denied { connectto } for pid=27570 comm="ModemManager" path=006D62696D2D70726F7879 scontext=system_u:system_r:modemmanager_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1

To understand this denial, we need to find out which service ModemManager communicates with: do you happen to know which service it is and how it was started? If it is still running, we can find it with this command:

```
ps -eo pid,ppid,command,context | grep -e CONTEXT -e unconfined_t
```

> Expected results:
> SELinux policy allows ModemManager to access the MBIM/QCDM devices.

Comment 2

(In reply to Zdenek Pytela from comment #1)

> > type=AVC msg=audit(1621331844.977:1196): avc: denied { read write } for pid=27570 comm="ModemManager" name="wwan0p1QCDM" dev="devtmpfs" ino=692 scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=1
>
> These denials will be addressed by assigning a proper label to the device, as a result allowing the access to all services which already had the permissions. The most tricky part is to understand how the filename is constructed. Will the filenames wwan0p1QCDM and wwan0p2MBIM always be the same, or can they change?

That's a good question; unfortunately I can only answer it from my perspective and with my modem. From what I can see, the kernel mhi subsystem adds in the wwan0pX ports, and the subports refer to different ways of interrogating the ports, e.g. p1 is QCDM format, and p2 is MBIM. Whilst I don't have it listed, it's also possible to enable standard "AT" serial interrogation of a device, so this would likely get listed as "wwan0p3AT". Every reboot, *my* devices get enumerated in the same way, but I suspect it's entirely possible that other devices (or if you had >1 device) would get enumerated in different ways.

> The problem is that while we can assign a default label in selinux-policy to a filename with regular expressions, file transitions need to be enumerated unless the device label is handled by the driver itself.
>
> > type=AVC msg=audit(1621331845.273:1200): avc: denied { connectto } for pid=27570 comm="ModemManager" path=006D62696D2D70726F7879 scontext=system_u:system_r:modemmanager_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
>
> To understand this denial, we need to find out which service ModemManager communicates with: do you happen to know which service it is and how it was started? If it is still running, we can find it with this command:
>
> ps -eo pid,ppid,command,context | grep -e CONTEXT -e unconfined_t

I *believe* that it's actually `mbim-proxy` in my case that interrogates the wwan0p2MBIM port from ModemManager.

Results from that command above, although I don't think they're particularly useful for you; note that I'm currently in permissive mode, not sure it matters:

```
% ps -eo pid,ppid,command,context | grep -e CONTEXT -e unconfined_t
 PID  PPID COMMAND                     CONTEXT
1872     1 /usr/lib/systemd/systemd -- unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
1888  1863 sshd: rdo@pts/0             unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
1896  1888 -zsh                        unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
1953  1924 /usr/libexec/gdm-wayland-se unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
1962  1953 /usr/libexec/gnome-session- unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
2009  1872 /usr/libexec/gnome-session- unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
2010  1872 /usr/libexec/uresourced --u unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
2012  1872 /usr/libexec/gnome-session- unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
2035  1872 /usr/bin/gnome-keyring-daem unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
2053  1872 /usr/bin/gnome-shell        unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
2119  1872 /usr/libexec/at-spi-bus-lau unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
2139  2053 ibus-daemon --panel disable unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
2142  1872 /usr/libexec/gvfsd          unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
2147  1872 /usr/libexec/gvfsd-fuse /ru unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
2149  2139 /usr/libexec/ibus-dconf     unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
2150  2139 /usr/libexec/ibus-extension unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
2155  1872 /usr/libexec/ibus-portal    unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
2169  1872 /usr/libexec/xdg-permission unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
2173  1872 /usr/libexec/gnome-shell-ca unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
2179  1872 /usr/libexec/evolution-sour unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
2183  1872 /usr/bin/pipewire           unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
2184  1872 /usr/bin/pipewire-pulse     unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
2190  2183 /usr/bin/pipewire-media-ses unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
2194  1872 /usr/libexec/goa-daemon     unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
2200  1872 /usr/libexec/evolution-cale unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
2206  1872 /usr/libexec/gvfs-udisks2-v unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
2215  1872 /usr/libexec/gvfs-mtp-volum unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
2221  1872 /usr/libexec/gvfs-gphoto2-v unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
2232  1872 /usr/libexec/gvfs-goa-volum unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
2234  1872 /usr/libexec/dconf-service  unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
2243  1872 /usr/libexec/evolution-addr unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
2253  1872 /usr/libexec/goa-identity-s unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
2258  1872 /usr/libexec/gvfs-afc-volum unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
2279  1872 /usr/bin/gjs /usr/share/gno unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
2280  1872 /usr/libexec/at-spi2-regist unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
2298  1872 /usr/libexec/gsd-a11y-setti unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
2299  1872 /usr/libexec/gsd-color      unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
2303  1872 /usr/libexec/gsd-datetime   unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
2307  1872 /usr/libexec/gsd-housekeepi unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
2308  1872 /usr/libexec/gsd-keyboard   unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
2310  1872 /usr/libexec/gsd-media-keys unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
2315  1872 /usr/libexec/gsd-power      unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
2319  1872 /usr/libexec/gsd-print-noti unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
2320  1872 /usr/libexec/gsd-rfkill     unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
2324  1872 /usr/libexec/gsd-screensave unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
2328  1872 /usr/libexec/gsd-sharing    unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
2329  1872 /usr/libexec/gsd-smartcard  unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
2332  1872 /usr/libexec/gsd-sound      unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
2336  1872 /usr/libexec/gsd-usb-protec unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
2341  1872 /usr/libexec/gsd-wacom      unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
2367  2012 /usr/libexec/evolution-data unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
2371  2012 /usr/libexec/gsd-disk-utili unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
2398  2012 /usr/bin/gnome-software --g unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
2425  1872 /usr/bin/abrt-applet --gapp unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
2426  1872 /usr/bin/gjs /usr/share/gno unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
2473  2139 /usr/libexec/ibus-engine-si unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
2518  1872 /usr/libexec/gsd-printer    unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
3112  1896 ps -eo pid,ppid,command,con unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
3113  1896 grep --color=auto -e CONTEX unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
```

Comment 3

> > constructed. Will the filenames wwan0p1QCDM and wwan0p2MBIM always be the same, or can they change?
>
> From what I can see, the kernel mhi subsystem adds in the wwan0pX ports, and the subports refer to different ways of interrogating the ports, e.g. p1 is QCDM format, and p2 is MBIM.

I suspect it's the new WWAN kernel interface that adds these: https://cateee.net/lkddb/web-lkddb/WWAN.html. It will be wwanXpY where X is the device, and most of the devices have a bunch of ports for things like control, IP, location etc.

> > ps -eo pid,ppid,command,context | grep -e CONTEXT -e unconfined_t
>
> I *believe* that it's actually `mbim-proxy` in my case that interrogates the wwan0p2MBIM port from ModemManager.

Could also be qmi-proxy.
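The two denials quoted in comment 1 point at two different kinds of policy change (a missing device label versus a socket connection to another service), and the `path=` field of the second one is hex-encoded, which hides the name of the socket that comments 2 and 3 are guessing at. The following triage script is an added example, not code from this bug report or from selinux-policy: it parses the two AVC records copied from comment 1, decodes the hex path, and reports which kind of fix each denial calls for. The `WWAN_PORT_RE` file-context pattern is a hypothetical one, written only to illustrate comment 1's point that one regex can give a default label to every `wwanXpY<PROTO>` node whereas a name-based file transition has to enumerate each exact filename; the `@` prefix for abstract sockets follows the convention used by ss(8) and lsof(8).

```python
"""Triage helper for the two AVC records quoted in comment 1.

Added example, not part of this bug report or of selinux-policy. The two
audit lines are copied from the bug (wrapped for readability); the file
context pattern is hypothetical and exists only to show the regex-vs-
enumerated-transition point made in comment 1.
"""
import re

# Copied from the AVC lines quoted in comment 1 (constructed sample input).
SAMPLE_AVCS = [
    'type=AVC msg=audit(1621331844.977:1196): avc: denied { read write } for '
    'pid=27570 comm="ModemManager" name="wwan0p1QCDM" dev="devtmpfs" ino=692 '
    'scontext=system_u:system_r:modemmanager_t:s0 '
    'tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=1',
    'type=AVC msg=audit(1621331845.273:1200): avc: denied { connectto } for '
    'pid=27570 comm="ModemManager" path=006D62696D2D70726F7879 '
    'scontext=system_u:system_r:modemmanager_t:s0 '
    'tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
    'tclass=unix_stream_socket permissive=1',
]

# Hypothetical file_contexts-style pattern for the WWAN port nodes
# (wwan<device>p<port><PROTO>, the naming described in comments 2 and 3).
WWAN_PORT_RE = re.compile(r"^wwan[0-9]+p[0-9]+(QCDM|MBIM|AT)$")

_PERMS_RE = re.compile(r"avc: +denied +\{ ([^}]*)\} for")
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_avc(line: str) -> dict:
    """Split an AVC record into its permission list and key=value fields."""
    m = _PERMS_RE.search(line)
    if m is None:
        raise ValueError(f"not an AVC denial: {line!r}")
    rec = {"perms": m.group(1).split()}
    for key, val in _KV_RE.findall(line[m.end():]):
        rec[key] = val[1:-1] if val.startswith('"') else val
    return rec


def decode_avc_path(path: str) -> str:
    """Decode a hex-encoded AVC path field.

    The audit subsystem hex-encodes a path containing non-printable bytes.
    A leading NUL marks an abstract unix socket, shown here with the '@'
    prefix ss(8) and lsof(8) use; 006D62696D2D70726F7879 is "@mbim-proxy".
    """
    if not re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", path):
        return path  # already plain text
    raw = bytes.fromhex(path)
    if raw.startswith(b"\0"):
        return "@" + raw[1:].decode("utf-8", "replace")
    return raw.decode("utf-8", "replace")


def target_type(rec: dict) -> str:
    """The type component of tcontext, e.g. device_t or unconfined_t."""
    parts = rec.get("tcontext", "").split(":")
    return parts[2] if len(parts) > 2 else ""


def classify(rec: dict) -> tuple:
    """Map one denial to the kind of policy change it points at."""
    tclass = rec.get("tclass")
    ttype = target_type(rec)
    if tclass == "chr_file" and ttype == "device_t":
        name = rec.get("name", "")
        hint = ("matches" if WWAN_PORT_RE.match(name) else "does not match")
        return ("label", f"{name} is a generic device_t node ({hint} the WWAN "
                         f"port pattern); it needs a dedicated label")
    if tclass == "unix_stream_socket" and "connectto" in rec["perms"]:
        peer = decode_avc_path(rec.get("path", ""))
        return ("socket", f"{rec.get('comm')} connects to socket {peer}, "
                          f"which is owned by a {ttype} process")
    return ("other", f"no rule of thumb for class {tclass}")


def triage(lines) -> list:
    """Classify every AVC line; returns (kind, explanation) pairs."""
    return [classify(parse_avc(line)) for line in lines]


if __name__ == "__main__":
    for kind, why in triage(SAMPLE_AVCS):
        print(f"{kind}: {why}")
```

Run stand-alone, it reports the first denial as a labeling problem on `wwan0p1QCDM` and decodes the second denial's path to `@mbim-proxy`, which is consistent with comment 2's belief that `mbim-proxy` is the peer; the same decoding step applies to any hex-encoded `path=`, `name=` or `proctitle=` field in an audit record.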