SELinux prevents ModemManager from writing to /sys
Environment
- Red Hat Enterprise Linux (RHEL) 7.6
- ModemManager-1.6.10-1.2.el7_6.x86_64
- selinux-policy-3.13.1-229.el7_6.6.noarch
Issue
We experience frequent ModemManager disconnections. Corresponding AVCs are:
type=AVC msg=audit(1550042869.23:7403): avc: denied { write }
for pid=3806 comm="ModemManager" name="raw_ip" dev="sysfs" ino=24577
scontext=system_u:system_r:modemmanager_t:s0
tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1550042869.23:7403): arch=x86_64 syscall=open
success=yes exit=EAGAIN a0=5624b89fd130 a1=241 a2=1b6 a3=24 items=0
ppid=1 pid=3806 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=ModemManager
exe=/usr/sbin/ModemManager subj=system_u:system_r:modemmanager_t:s0
key=(null)
Resolution
Update to selinux-policy-3.13.1-229.el7_6.12 shipped with Advisory RHBA-2019:0811 or newer.
Root Cause
Before the fix, ModemManager was allowed only to read from sysfs. Now ModemManager has the correct rw permissions.
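To confirm that denials on a host match this root cause, the AVC record can be reduced to the source type, target type, class and permission the policy lacked. The following is an added example, not part of the original article or of any Red Hat tooling; the function names are hypothetical and the sample line is the AVC from the Issue section joined onto one line.

```python
import re

# AVC record from the Issue section of this article, joined onto one line.
SAMPLE_AVC = (
    'type=AVC msg=audit(1550042869.23:7403): avc: denied { write } '
    'for pid=3806 comm="ModemManager" name="raw_ip" dev="sysfs" ino=24577 '
    'scontext=system_u:system_r:modemmanager_t:s0 '
    'tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1'
)

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict describing one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    if not {'scontext', 'tcontext', 'tclass'} <= fields.keys():
        return None
    # SELinux contexts are user:role:type:level; the type is the third field.
    return {
        'perms': m.group('perms').split(),
        'comm': fields.get('comm'),
        'name': fields.get('name'),
        'source_type': fields['scontext'].split(':')[2],
        'target_type': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
        # permissive=1: the access was logged by SELinux but not blocked.
        'permissive': fields.get('permissive') == '1',
    }


def missing_rule(avc):
    """Render the access the policy lacked in allow-rule syntax, for triage only."""
    return 'allow {source_type} {target_type}:{tclass} {{ {p} }};'.format(
        p=' '.join(avc['perms']), **avc)


def summarize(lines):
    """Collect the distinct missing accesses seen in an iterable of audit lines."""
    rules = {missing_rule(a) for a in map(parse_avc, lines) if a}
    return sorted(rules)


if __name__ == '__main__':
    print(summarize([SAMPLE_AVC]))
```

A result of `allow modemmanager_t sysfs_t:file { write };` identifies the denial this article describes; the fix remains the policy update in the Resolution section.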