Selinux prevents ModemManager from writing to /sys

Solution Verified - Updated -

Environment

  • Red Hat Enterprise Linux (RHEL) 7.6
  • ModemManager-1.6.10-1.2.el7_6.x86_64
  • selinux-policy-3.13.1-229.el7_6.6.noarch

Issue

We experience frequent ModemManager disconnections.

Corresponding AVCs are:

type=AVC msg=audit(1550042869.23:7403): avc:  denied  { write }
for  pid=3806 comm="ModemManager" name="raw_ip" dev="sysfs" ino=24577
scontext=system_u:system_r:modemmanager_t:s0
tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1


type=SYSCALL msg=audit(1550042869.23:7403): arch=x86_64 syscall=open
success=yes exit=EAGAIN a0=5624b89fd130 a1=241 a2=1b6 a3=24 items=0
ppid=1 pid=3806 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=ModemManager
exe=/usr/sbin/ModemManager subj=system_u:system_r:modemmanager_t:s0
key=(null)

Resolution

Update to selinux-policy-3.13.1-229.el7_6.12 shipped with Advisory RHBA-2019:0811 or newer.

Root Cause

Before the fix ModemManager was allowed only to read from sysfs. Now ModemManager has the correct rw permissions.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.