RHEL-86176

SELinux: ModemManager AVCs on RHEL10


    • Bug
    • Resolution: Done-Errata
    • Normal
    • rhel-10.1
    • rhel-10.0
    • selinux-policy
    • None
    • selinux-policy-40.13.31-1.el10
    • No
    • Low
    • rhel-security-selinux
    • ssg_security
    • 1
    • 13
    • 1
    • False
    • False
    • No
    • SELINUX 250604: 7
    • Release Note Not Required
    • Unspecified
    • Unspecified
    • Unspecified
    • None

      When executing gsm_sim tests from NetworkManager-ci, AVCs below are found on RHEL10.0 (not seen in RHEL9). Doing execmem should be avoided.

      Affected Versions:

      selinux-policy-40.13.26-1.el10.noarch
      ModemManager-1.22.0-7.el10.x86_64

       

      type=PROCTITLE msg=audit(03/24/25 19:46:00.889:33681) : proctitle=/usr/sbin/ModemManager 
      type=SYSCALL msg=audit(03/24/25 19:46:00.889:33681) : arch=x86_64 syscall=mmap success=yes exit=139655055851520 a0=0x0 a1=0x10000 a2=PROT_READ|PROT_WRITE|PROT_EXEC a3=MAP_PRIVATE|MAP_ANONYMOUS items=0 ppid=1 pid=717336 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ModemManager exe=/usr/sbin/ModemManager subj=system_u:system_r:modemmanager_t:s0 key=(null) 
      type=AVC msg=audit(03/24/25 19:46:00.889:33681) : avc: denied { execmem } for pid=717336 comm=ModemManager scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:system_r:modemmanager_t:s0 tclass=process permissive=1
      type=PROCTITLE msg=audit(03/24/25 19:46:23.070:33687) : proctitle=/usr/sbin/ModemManager 
      type=SYSCALL msg=audit(03/24/25 19:46:23.070:33687) : arch=x86_64 syscall=mmap success=yes exit=139655055917056 a0=0x0 a1=0x10000 a2=PROT_READ|PROT_WRITE|PROT_EXEC a3=MAP_PRIVATE|MAP_ANONYMOUS items=0 ppid=1 pid=717336 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=ModemManager exe=/usr/sbin/ModemManager subj=system_u:system_r:modemmanager_t:s0 key=(null) 
      type=AVC msg=audit(03/24/25 19:46:23.070:33687) : avc: denied { execmem } for pid=717336 comm=ModemManager scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:system_r:modemmanager_t:s0 tclass=process permissive=1
       
      

       

      update: this should not happen and should be fixed in ModemManager

              rhn-support-zpytela Zdenek Pytela
              rhn-support-fpokryvk Filip Pokryvka
              Zdenek Pytela
              Milos Malik
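
A triage sketch for audit records in the interpreted format shown above, added here as an example and not part of the original report or of any Red Hat tooling: it groups lines by audit event ID and, for each execmem denial, reports the domain and the mapping flags from the matching SYSCALL record. The function names and the shortened sample lines (including the second, unrelated event) are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: first event shortened from the records in this report, second one invented.
SAMPLE = """\
type=PROCTITLE msg=audit(03/24/25 19:46:00.889:33681) : proctitle=/usr/sbin/ModemManager
type=SYSCALL msg=audit(03/24/25 19:46:00.889:33681) : arch=x86_64 syscall=mmap success=yes a2=PROT_READ|PROT_WRITE|PROT_EXEC a3=MAP_PRIVATE|MAP_ANONYMOUS pid=717336 comm=ModemManager exe=/usr/sbin/ModemManager
type=AVC msg=audit(03/24/25 19:46:00.889:33681) : avc: denied { execmem } for pid=717336 comm=ModemManager scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:system_r:modemmanager_t:s0 tclass=process permissive=1
type=SYSCALL msg=audit(03/24/25 19:50:00.000:40000) : arch=x86_64 syscall=openat success=no a2=O_RDONLY a3=0x0 pid=900 comm=demo exe=/usr/bin/demo
type=AVC msg=audit(03/24/25 19:50:00.000:40000) : avc: denied { read } for pid=900 comm=demo scontext=system_u:system_r:demo_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
"""

# Record type, timestamp, event serial, and the key=value body of one audit line.
HEADER = re.compile(r"^type=(\S+) msg=audit\((.+?):(\d+)\) : (.*)$")
PERMS = re.compile(r"\{ ([^}]*)\}")

def fields(body):
    """Turn 'k1=v1 k2=v2 ...' into a dict; tokens without '=' are ignored."""
    return dict(kv.split("=", 1) for kv in body.split() if "=" in kv)

def execmem_events(text):
    """Return one finding per audit event whose AVC record denies execmem."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            rtype, stamp, serial, body = m.groups()
            # Records sharing (timestamp, serial) belong to one event.
            # Simplification: a repeated record type in one event keeps the last one.
            events[(stamp, serial)][rtype] = body
    findings = []
    for (stamp, serial), recs in events.items():
        avc, sc = recs.get("AVC", ""), fields(recs.get("SYSCALL", ""))
        perms = PERMS.search(avc)
        if not perms or "execmem" not in perms.group(1).split():
            continue
        a = fields(avc)
        prot = set(sc.get("a2", "").split("|"))  # a2 is the prot argument of mmap/mprotect
        findings.append({
            "serial": int(serial),
            "domain": a["scontext"].split(":")[2],
            "exe": sc.get("exe"),
            "syscall": sc.get("syscall"),
            "writable_and_executable": {"PROT_WRITE", "PROT_EXEC"} <= prot,
            "anonymous": "MAP_ANONYMOUS" in sc.get("a3", "").split("|"),  # mmap flags
            "enforced": a.get("permissive") == "0",  # permissive=1: logged, not blocked
        })
    return findings
```
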