[Bug 1219363] New: [SELinux] AVC denial execmem ModemManager
https://bugzilla.suse.com/show_bug.cgi?id=1219363

            Bug ID: 1219363
           Summary: [SELinux] AVC denial execmem ModemManager
    Classification: openSUSE
           Product: openSUSE Tumbleweed
           Version: Current
          Hardware: Other
                OS: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Security
          Assignee: security-team@suse.de
          Reporter: mcepl@suse.com
        QA Contact: qa-bugs@suse.de
  Target Milestone: ---
          Found By: ---
           Blocker: ---

Just what I found in ausearch -m AVC output:

mitmanek:~ # ausearch -m AVC -ts boot |grep ModemManager
type=AVC msg=audit(1706651142.962:84): avc: denied { execmem } for pid=1618 comm="ModemManager" scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:system_r:modemmanager_t:s0 tclass=process permissive=1
type=AVC msg=audit(1706651143.909:85): avc: denied { execmem } for pid=1618 comm="ModemManager" scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:system_r:modemmanager_t:s0 tclass=process permissive=1

I don't use ModemManager for anything, so I cannot test whether anything actually changed with functionality.

openSUSE/Tumbleweed and

mitmanek:~ # sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33
mitmanek:~ #

-- 
You are receiving this mail because:
You are on the CC list for the bug.
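The records above say permissive=1: the access was granted and only logged. What process:execmem actually gates is an anonymous mapping that is executable (requested at mmap time or added later with mprotect), i.e. the kind of memory a JIT code cache needs. The following is an added example, not code from the bug report, ModemManager or GLib; it probes that check the way a JIT would and shows the fallback decision such a program should make. The backend names ("jit", "interpreter") and the probe length are assumptions for illustration.

```python
"""Added example, not part of the bug report or of ModemManager/GLib:
what SELinux's process:execmem permission gates, and how a program that
JIT-compiles (a regex engine is assumed here) should react when denied.
"""
import mmap
from typing import Callable, Optional

PAGE = mmap.PAGESIZE  # probe length; one page is enough to trigger the check


def selinux_enforcing() -> Optional[bool]:
    """True/False for enforcing/permissive, None when SELinux is not mounted.

    The bug's records carry permissive=1: there the mapping below succeeds
    and only an AVC is logged, so a probe reporting "allowed" on a permissive
    box says nothing about what the policy would do when enforcing.
    """
    try:
        with open("/sys/fs/selinux/enforce") as f:
            return f.read().strip() == "1"
    except OSError:
        return None


def probe_execmem(length: int = PAGE) -> str:
    """Request an anonymous writable+executable mapping, as a JIT code cache does.

    For an anonymous mapping with PROT_EXEC the kernel asks SELinux for
    process:execmem on the caller's own domain (scontext == tcontext, as in
    the AVC records); when the policy denies it in enforcing mode mmap fails
    with EACCES, which Python raises as PermissionError.
    """
    try:
        m = mmap.mmap(-1, length,
                      flags=mmap.MAP_PRIVATE | mmap.MAP_ANONYMOUS,
                      prot=mmap.PROT_READ | mmap.PROT_WRITE | mmap.PROT_EXEC)
    except PermissionError:          # EACCES/EPERM: the execmem denial
        return "denied"
    m.close()                        # never leave RWX memory lying around
    return "allowed"


def select_regex_backend(probe: Callable[[], str] = probe_execmem) -> str:
    """Choose the backend the way a well-behaved JIT user does.

    A denied execmem must degrade to the interpreter, not abort.  The probe is
    injectable so the denied path can be exercised on a box without SELinux.
    """
    return "jit" if probe() == "allowed" else "interpreter"


if __name__ == "__main__":
    mode = {True: "enforcing", False: "permissive", None: "no SELinux"}[selinux_enforcing()]
    print(f"SELinux: {mode}; RWX anonymous mapping: {probe_execmem()}; "
          f"backend: {select_regex_backend()}")
```

Run it as root-less user inside the domain you care about (for a daemon, e.g. via `runcon` with its context, or simply from the service itself) and with `setenforce 1`; on a permissive host like the reporter's the probe always says "allowed" and the only evidence is the AVC record in the audit log.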
https://bugzilla.suse.com/show_bug.cgi?id=1219363#c1

Johannes Segitz <jsegitz@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|security-team@suse.de       |jsegitz@suse.com

--- Comment #1 from Johannes Segitz <jsegitz@suse.com> ---
I'll have a look, thanks for the report
https://bugzilla.suse.com/show_bug.cgi?id=1219363#c2

--- Comment #2 from Johannes Segitz <jsegitz@suse.com> ---
So I played a bit with ModemManager, but I don't see the AVC. Can you please
share details about your network setup? Also: when do you see this AVC? During
startup? When you restart the network?

Thanks
https://bugzilla.suse.com/show_bug.cgi?id=1219363#c3

Johannes Segitz <jsegitz@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |mcepl@suse.com
              Flags|                            |needinfo?(mcepl@suse.com)

--- Comment #3 from Johannes Segitz <jsegitz@suse.com> ---
I need additional information please, otherwise I can't fix this
https://bugzilla.suse.com/show_bug.cgi?id=1219363#c4

Matej Cepl <mcepl@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|needinfo?(mcepl@suse.com)   |

--- Comment #4 from Matej Cepl <mcepl@suse.com> ---
(In reply to Johannes Segitz from comment #2)
> So I played a bit with ModemManager, but I don't see the AVC. Can you please
> share details about your network setup? Also: when do you see this AVC?
> During startup? When you restart the network?

Sorry, I was at FOSDEM, and now I have holidays. My computer is connected to
the network via Ethernet cable and via wifi. I don't think I use anything
which would require ModemManager. I see it after setup when checking AVCs
(because of an otherwise broken system, but I think that is without
relationship to SELinux).
https://bugzilla.suse.com/show_bug.cgi?id=1219363#c5

--- Comment #5 from Matej Cepl <mcepl@suse.com> ---
(In reply to Matej Cepl from comment #4)
> I see it after setup when checking AVCs (because of an otherwise broken
> system, but I think that is without relationship to SELinux).

BTW, yes, I have fixed my system, and it had nothing to do with SELinux
(gh#containers/podman#18514; who thought that this brittle system should be
the foundation of everything is crazy). And yes, I still see this around:

mitmanek:~ # ausearch -m AVC -ts boot
----
time->Sun Feb 18 08:47:43 2024
type=AVC msg=audit(1708242463.365:43): avc: denied { execmem } for pid=1240 comm="ModemManager" scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:system_r:modemmanager_t:s0 tclass=process permissive=1
----
time->Sun Feb 18 14:32:13 2024
type=AVC msg=audit(1708263133.709:117): avc: denied { execmem } for pid=1240 comm="ModemManager" scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:system_r:modemmanager_t:s0 tclass=process permissive=1
----
time->Wed Feb 21 10:01:32 2024
type=AVC msg=audit(1708506092.952:5232): avc: denied { nlmsg_read } for pid=23343 comm="ss" scontext=system_u:system_r:container_t:s0:c307,c487 tcontext=system_u:system_r:container_t:s0:c307,c487 tclass=netlink_tcpdiag_socket permissive=1
mitmanek:~ #
https://bugzilla.suse.com/show_bug.cgi?id=1219363#c6

--- Comment #6 from Johannes Segitz <jsegitz@suse.com> ---
Hm, can you, based on the timestamp, identify when this is happening? E.g. is
this happening when the service starts? Or when you log into your desktop
environment?

In the first case: can you re-trigger the AVC by restarting the service?
In the second case: can you re-trigger the AVC by logging out of your GUI and
then back in?

Without me being able to reproduce it this is unfortunately going to be a bit
tedious.
https://bugzilla.suse.com/show_bug.cgi?id=1219363#c7

--- Comment #7 from Matej Cepl <mcepl@suse.com> ---
(In reply to Johannes Segitz from comment #6)
> Hm, can you, based on the timestamp, identify when this is happening? E.g.
> is this happening when the service starts? Or when you log into your
> desktop environment?

9 seconds after the beginning of the boot, so I guess somewhere during the
boot process. systemctl status says:

● ModemManager.service - Modem Manager
     Loaded: loaded (/usr/lib/systemd/system/ModemManager.service; enabled; preset: enabled)
     Active: active (running) since Wed 2024-02-28 18:47:25 CET; 2 days ago
   Main PID: 1209 (ModemManager)
      Tasks: 4 (limit: 4915)
        CPU: 341ms
     CGroup: /system.slice/ModemManager.service
             └─1209 /usr/sbin/ModemManager

Feb 28 18:47:25 mitmanek.cepl.eu systemd[1]: Started Modem Manager.
Feb 28 18:47:28 mitmanek.cepl.eu ModemManager[1209]: <info> [base-manager] couldn't check support for device '/sys/devices/pci0000:00/0000:00:08.3/0000:34:00.4/usb10/10-1/10-1.1': not >
Feb 28 18:47:28 mitmanek.cepl.eu ModemManager[1209]: <info> [device /sys/devices/pci0000:00/0000:00:08.1/0000:33:00.3/usb1/1-4] creating modem with plugin 'quectel' and '3' ports
Feb 28 18:47:28 mitmanek.cepl.eu ModemManager[1209]: <warn> [plugin/quectel] could not grab port cdc-wdm0: Cannot add port 'usbmisc/cdc-wdm0', unhandled port type
Feb 28 18:47:28 mitmanek.cepl.eu ModemManager[1209]: <info> [base-manager] modem for device '/sys/devices/pci0000:00/0000:00:08.1/0000:33:00.3/usb1/1-4' successfully created
Feb 28 18:47:28 mitmanek.cepl.eu ModemManager[1209]: <info> [modem0] state changed (unknown -> locked)
Feb 28 18:47:28 mitmanek.cepl.eu ModemManager[1209]: <warn> [modem0] modem couldn't be initialized: Couldn't check unlock status: SIM not inserted
Feb 28 18:47:28 mitmanek.cepl.eu ModemManager[1209]: <info> [modem0] state changed (locked -> failed)
Feb 28 18:47:28 mitmanek.cepl.eu ModemManager[1209]: <warn> [modem0] error initializing: Modem in failed state: sim-missing
Feb 28 18:47:29 mitmanek.cepl.eu ModemManager[1209]: <info> [base-manager] couldn't check support for device '/sys/devices/pci0000:00/0000:00:02.2/0000:01:00.0': not supported by any p>

> In the first case: can you re-trigger the AVC by restarting the service?
> In the second case: can you re-trigger the AVC by logging out of your GUI
> and then back in?

Let me check it and write the next comment.
https://bugzilla.suse.com/show_bug.cgi?id=1219363#c8

--- Comment #8 from Matej Cepl <mcepl@suse.com> ---
It is apparently a system-level service; logging out of sway doesn't change
when it was started.
https://bugzilla.suse.com/show_bug.cgi?id=1219363#c9

--- Comment #9 from Matej Cepl <mcepl@suse.com> ---
Logging out of the window manager doesn't change anything, but now that I use
the laptop as a laptop, out of the docking station, it happens on every resume
from the suspended state.
https://bugzilla.suse.com/show_bug.cgi?id=1219363#c10

--- Comment #10 from Johannes Segitz <jsegitz@suse.com> ---
Okay, I think I know why this doesn't happen for me. Your laptop has a modem,
my VM doesn't. I'll try to attach something to the VM to trigger the behavior.
https://bugzilla.suse.com/show_bug.cgi?id=1219363#c11

--- Comment #11 from Johannes Segitz <jsegitz@suse.com> ---
And I can reproduce it :) I'll try to figure out if it's necessary or not.
execmem isn't something I'd like to grant.
https://bugzilla.suse.com/show_bug.cgi?id=1219363#c12

--- Comment #12 from Matej Cepl <mcepl@suse.com> ---
Is https://bugzilla.redhat.com/show_bug.cgi?id=2149946 the same?
https://bugzilla.suse.com/show_bug.cgi?id=1219363#c13

--- Comment #13 from Johannes Segitz <jsegitz@suse.com> ---
Yes, it's the same. Found that also, but it doesn't contain a solution. It's
not easy to debug due to the multithreaded design. If you run it without
udev/auto device discovery this doesn't happen.
https://bugzilla.suse.com/show_bug.cgi?id=1219363#c14

Johannes Segitz <jsegitz@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |CONFIRMED

--- Comment #14 from Johannes Segitz <jsegitz@suse.com> ---
It's the regexp parser in glib. Probably some optimization, I'll dig a bit
deeper.
https://bugzilla.suse.com/show_bug.cgi?id=1219363#c15

--- Comment #15 from Johannes Segitz <jsegitz@suse.com> ---
It's the JIT. If this is disabled performance is a bit worse, but nothing
else. I'll dontaudit this.
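The maintainer's choice of dontaudit rather than allow is the point worth keeping from this thread: a dontaudit rule silences the record but does not grant the access, so in enforcing mode the JIT still gets EACCES and falls back, while W^X for the daemon is preserved. The usual `ausearch ... | audit2allow -M` workflow would have produced an allow rule instead. Below is an added example, not code from the bug, the openSUSE policy or audit2allow, that parses the AVC records quoted in comments #0 and #5 and emits the rule the maintainer picked; the module name `local_modemmanager`, the classification set and the helper names are assumptions made for illustration.

```python
"""Added example, not part of the bug, the openSUSE policy or audit2allow:
turn AVC records into candidate policy statements.  process:execmem is a
memory-protection permission (it weakens W^X), so once the program is known to
cope with the denial the right rule is dontaudit, which silences the record
without granting anything; audit2allow would emit an allow rule here.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

# Permissions whose grant weakens W^X; for a process that falls back gracefully
# these are silenced, not allowed.  (execmod is the file-backed counterpart.)
MEMORY_PROTECTION_PERMS = frozenset({"execmem", "execstack", "execheap", "execmod"})

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+"
    r"tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?"
)

# Constructed sample input: the three records from the ausearch output in this bug.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1708242463.365:43): avc: denied { execmem } for pid=1240 '
    'comm="ModemManager" scontext=system_u:system_r:modemmanager_t:s0 '
    'tcontext=system_u:system_r:modemmanager_t:s0 tclass=process permissive=1',
    'type=AVC msg=audit(1708263133.709:117): avc: denied { execmem } for pid=1240 '
    'comm="ModemManager" scontext=system_u:system_r:modemmanager_t:s0 '
    'tcontext=system_u:system_r:modemmanager_t:s0 tclass=process permissive=1',
    'type=AVC msg=audit(1708506092.952:5232): avc: denied { nlmsg_read } for pid=23343 '
    'comm="ss" scontext=system_u:system_r:container_t:s0:c307,c487 '
    'tcontext=system_u:system_r:container_t:s0:c307,c487 '
    'tclass=netlink_tcpdiag_socket permissive=1',
]

Key = Tuple[str, str, str]  # (source type, target type, object class)


def type_of(context: str) -> str:
    """user:role:type[:level] -> type; the MLS/MCS level may contain more colons."""
    return context.split(":")[2]


def parse_avc(line: str) -> Optional[dict]:
    """Pick the fields a policy rule needs out of one audit record, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": set(m["perms"].split()),
        "source": type_of(m["scontext"]),
        "target": type_of(m["tcontext"]),
        "tclass": m["tclass"],
        "permissive": m["permissive"] == "1",
    }


def collect(lines: List[str]) -> Dict[Key, Set[str]]:
    """Merge records by (source, target, class); dict order keeps first-seen order."""
    merged: Dict[Key, Set[str]] = {}
    for line in lines:
        avc = parse_avc(line)
        if avc:
            key = (avc["source"], avc["target"], avc["tclass"])
            merged.setdefault(key, set()).update(avc["perms"])
    return merged


def candidate_rule(key: Key, perms: Set[str]) -> str:
    """One policy statement.  Memory-protection permissions get dontaudit; anything
    else is emitted as allow only as a starting point for review, never applied blindly."""
    source, target, tclass = key
    verb = "dontaudit" if perms <= MEMORY_PROTECTION_PERMS else "allow"
    target_str = "self" if target == source else target
    perm_str = " ".join(sorted(perms))
    if len(perms) > 1:
        perm_str = "{ " + perm_str + " }"
    return f"{verb} {source} {target_str}:{tclass} {perm_str};"


def candidate_rules(lines: List[str]) -> List[str]:
    return [candidate_rule(k, p) for k, p in collect(lines).items()]


def te_module(lines: List[str], name: str = "local_modemmanager") -> str:
    """Source for a loadable policy module (.te) wrapping the candidate rules."""
    merged = collect(lines)
    types = sorted({t for key in merged for t in key[:2]})
    classes: Dict[str, Set[str]] = {}
    for (_, _, tclass), perms in merged.items():
        classes.setdefault(tclass, set()).update(perms)
    req = [f"    type {t};" for t in types]
    for tclass in sorted(classes):
        perms = sorted(classes[tclass])
        perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        req.append(f"    class {tclass} {perm_str};")
    return "\n".join([f"module {name} 1.0;", "", "require {", *req, "}", "",
                      *candidate_rules(lines), ""])


if __name__ == "__main__":
    print(te_module(SAMPLE_AVCS))
```

The generated `.te` builds and loads with the standard tools (`checkmodule -M -m -o local.mod local.te`, `semodule_package -o local.pp -m local.mod`, `semodule -i local.pp`). The caveat of any dontaudit rule is that it also hides a denial that a later version of the program might really need, so when something in the silenced domain misbehaves, rebuild the policy with dontaudit rules disabled (`semodule -DB`) to see the full picture, and `semodule -B` to restore it.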
https://bugzilla.suse.com/show_bug.cgi?id=1219363#c16

--- Comment #16 from Johannes Segitz <jsegitz@suse.com> ---
I just merged this in our git. As this has no ill effects we'll just take this
with the next policy update.
https://bugzilla.suse.com/show_bug.cgi?id=1219363#c19

Johannes Segitz <jsegitz@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|CONFIRMED                   |RESOLVED

--- Comment #19 from Johannes Segitz <jsegitz@suse.com> ---
Part of the current policy.