Bug 1266068
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | hostapd won't start via Systemd, selinux errors | | |
| Product: | [Fedora] Fedora | Reporter: | Michael <bugs> |
| Component: | selinux-policy | Assignee: | Vit Mojzis <vmojzis> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 23 | CC: | atiqsbu, codonell, dominick.grift, dwalsh, fedora, goeran, ivan.afonichev, jokatzer, linville, lvrabec, mgrepl, negativo17, plautrba, thomas, zimon |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | selinux-policy-3.13.1-157.fc23 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2015-12-13 04:22:20 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Michael
2015-09-24 12:15:29 UTC
This seems like expected hostapd behavior. I'm not sure why selinux would suddenly care...?

After having had hostapd disabled for a while, I also see this when I reenabled it. (There have probably been updates in between. I'm using the same policy as Michael.) Switching to Permissive mode, I see four AVC types, listed below. Could there have been something that went wrong in some selinux update?

```
time->Mon Oct 12 20:05:31 2015
type=PROCTITLE msg=audit(1444673131.752:2131): proctitle=2F7573722F7362696E2F686F7374617064002F6574632F686F73746170642F686F73746170642E636F6E66002D50002F72756E2F686F73746170642E706964002D42
type=SYSCALL msg=audit(1444673131.752:2131): arch=c000003e syscall=41 success=yes exit=5 a0=10 a1=80003 a2=10 a3=57 items=0 ppid=1 pid=22701 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="hostapd" exe="/usr/sbin/hostapd" subj=system_u:system_r:hostapd_t:s0 key=(null)
type=AVC msg=audit(1444673131.752:2131): avc: denied { create } for pid=22701 comm="hostapd" scontext=system_u:system_r:hostapd_t:s0 tcontext=system_u:system_r:hostapd_t:s0 tclass=netlink_generic_socket permissive=1
----
time->Mon Oct 12 20:05:31 2015
type=PROCTITLE msg=audit(1444673131.752:2132): proctitle=2F7573722F7362696E2F686F7374617064002F6574632F686F73746170642F686F73746170642E636F6E66002D50002F72756E2F686F73746170642E706964002D42
type=SYSCALL msg=audit(1444673131.752:2132): arch=c000003e syscall=54 success=yes exit=0 a0=5 a1=1 a2=7 a3=7ffc8d74d6c8 items=0 ppid=1 pid=22701 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="hostapd" exe="/usr/sbin/hostapd" subj=system_u:system_r:hostapd_t:s0 key=(null)
type=AVC msg=audit(1444673131.752:2132): avc: denied { setopt } for pid=22701 comm="hostapd" scontext=system_u:system_r:hostapd_t:s0 tcontext=system_u:system_r:hostapd_t:s0 tclass=netlink_generic_socket permissive=1
----
time->Mon Oct 12 20:05:31 2015
type=PROCTITLE msg=audit(1444673131.752:2133): proctitle=2F7573722F7362696E2F686F7374617064002F6574632F686F73746170642F686F73746170642E636F6E66002D50002F72756E2F686F73746170642E706964002D42
type=SYSCALL msg=audit(1444673131.752:2133): arch=c000003e syscall=49 success=yes exit=0 a0=5 a1=20b8010 a2=c a3=0 items=0 ppid=1 pid=22701 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="hostapd" exe="/usr/sbin/hostapd" subj=system_u:system_r:hostapd_t:s0 key=(null)
type=AVC msg=audit(1444673131.752:2133): avc: denied { bind } for pid=22701 comm="hostapd" scontext=system_u:system_r:hostapd_t:s0 tcontext=system_u:system_r:hostapd_t:s0 tclass=netlink_generic_socket permissive=1
----
time->Mon Oct 12 20:05:31 2015
type=PROCTITLE msg=audit(1444673131.752:2134): proctitle=2F7573722F7362696E2F686F7374617064002F6574632F686F73746170642F686F73746170642E636F6E66002D50002F72756E2F686F73746170642E706964002D42
type=SYSCALL msg=audit(1444673131.752:2134): arch=c000003e syscall=51 success=yes exit=0 a0=5 a1=7ffc8d74d750 a2=7ffc8d74d74c a3=0 items=0 ppid=1 pid=22701 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="hostapd" exe="/usr/sbin/hostapd" subj=system_u:system_r:hostapd_t:s0 key=(null)
type=AVC msg=audit(1444673131.752:2134): avc: denied { getattr } for pid=22701 comm="hostapd" scontext=system_u:system_r:hostapd_t:s0 tcontext=system_u:system_r:hostapd_t:s0 tclass=netlink_generic_socket permissive=1
```

After moving back to enforcing mode again, I found that hostapd actually reads and writes the socket too (surprise!). Those calls were apparently "dontaudited", but the denials still prevented hostapd from working properly in an enforcing environment.

But after having made a little module with this rule

```
allow hostapd_t hostapd_t:netlink_generic_socket { create setopt bind getattr read write };
```

I'm again able to connect and use the net.

I have the same problem on Fedora 22.
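The manual module above, and the `semodule -i` workaround mentioned later in this bug, are what `audit2allow` automates. The following script is an added example (not code from this bug or from the selinux-policy project) that parses AVC records into a minimal .te module, and shows why the rule built from the four logged denials alone is incomplete: the read/write denials were dontaudited, so they never reach the log until dontaudit rules are switched off. The sample log is constructed from the records quoted here; the fifth record (id 2135), the `hostapd_local` module name and the use of `self` for the target are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: the four AVC records quoted in this bug (permissive mode), plus one
# assumed record (id 2135) standing in for the read/write denials the comment says were
# dontaudited, i.e. absent from the audit log until dontaudit rules were disabled.
AVC_LOG = """\
type=AVC msg=audit(1444673131.752:2131): avc: denied { create } for pid=22701 comm="hostapd" scontext=system_u:system_r:hostapd_t:s0 tcontext=system_u:system_r:hostapd_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(1444673131.752:2132): avc: denied { setopt } for pid=22701 comm="hostapd" scontext=system_u:system_r:hostapd_t:s0 tcontext=system_u:system_r:hostapd_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(1444673131.752:2133): avc: denied { bind } for pid=22701 comm="hostapd" scontext=system_u:system_r:hostapd_t:s0 tcontext=system_u:system_r:hostapd_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(1444673131.752:2134): avc: denied { getattr } for pid=22701 comm="hostapd" scontext=system_u:system_r:hostapd_t:s0 tcontext=system_u:system_r:hostapd_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(1444673131.752:2135): avc: denied { read write } for pid=22701 comm="hostapd" scontext=system_u:system_r:hostapd_t:s0 tcontext=system_u:system_r:hostapd_t:s0 tclass=netlink_generic_socket permissive=1
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def ctx_type(context):
    """system_u:system_r:hostapd_t:s0 -> hostapd_t (the type is the third field)."""
    return context.split(":")[2]

def parse_avcs(text):
    """Map (source type, target type, object class) -> set of denied permissions."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            key = (ctx_type(m["scon"]), ctx_type(m["tcon"]), m["tclass"])
            rules[key].update(m["perms"].split())
    return dict(rules)

def to_te(rules, module="hostapd_local"):
    """Render .te source for a loadable module; 'self' is used when source == target."""
    types = sorted({t for key in rules for t in key[:2]})
    per_class = defaultdict(set)  # the require{} block needs the union of perms per class
    for (_, _, cls), perms in rules.items():
        per_class[cls] |= perms
    out = [f"module {module} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(per_class.items())]
    out += ["}", ""]
    for (src, tgt, cls), perms in sorted(rules.items()):
        target = "self" if src == tgt else tgt
        out.append(f"allow {src} {target}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(to_te(parse_avcs(AVC_LOG)))
```

Feeding only the first four records produces a rule without `read` and `write`, which is the trap described above; on a Fedora box `semodule -DB` disables dontaudit rules so those denials become visible, and `semodule -B` restores them afterwards.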
Also seeing this problem on Fedora 22 after the latest kernel update. Problem manifests when using 4.2.3, but not 4.1.10. I've made no modifications to the SELinux policies in:

```
selinux-policy-3.13.1-128.13.fc22.noarch
selinux-policy-targeted-3.13.1-128.13.fc22.noarch
```

(In reply to Göran Uddeborg from comment #3)
> After moving back to enforcing mode again, I found that hostapd actually
> read and write the socket too (surprise!). Those calls were apparently
> "dontaudited", but the denials still prevented hostapd from working properly
> in an enforcing environment.
>
> But after having made a little module with this rule
>
> allow hostapd_t hostapd_t:netlink_generic_socket
> { create setopt bind getattr read write };
>
> I'm again able to connect and use the net.

Same problem on F22, and I also fixed it with a similar *.te file.

*** Bug 1282179 has been marked as a duplicate of this bug. ***

*** Bug 1278569 has been marked as a duplicate of this bug. ***

Thank you for testing.

I am having a similar problem with Fedora 22 x86, kernel-4.2.6-200. I have added all those permissions to selinux using semodule -i, which solved the problem. However, still now,

```
# hostapd ./hostapd.conf
```

still works, but this fails:

```
# systemctl start hostapd
# journalctl -xe
hostapd[6313]: Configuration file: /etc/hostapd/hostapd.conf
hostapd[6313]: nl80211: 'nl80211' generic netlink not found
hostapd[6313]: Failed to initialize driver 'nl80211'
hostapd[6313]: wlp2s0: interface state UNINITIALIZED->DISABLED
hostapd[6313]: wlp2s0: AP-DISABLED
hostapd[6313]: hostapd_free_hapd_data: Interface wlp2s0 wasn't started
systemd[1]: hostapd.service: control process exited, code=exited status=1
systemd[1]: Failed to start Hostapd IEEE 802.11 AP, IEEE 802.1X/WPA/WPA2/EAP/RADIUS Authenticator.
```

That is weird. More documentation: http://tech.saoslab.com/post/2015/11/20/fedora-22-setting-up-hostapd-to-create-hotspot

*** Bug 1273570 has been marked as a duplicate of this bug. ***

https://github.com/fedora-selinux/selinux-policy/pull/72

```
commit 4f53dcad5aff19e8b8857ae46e6f9279d43ef50c
Author: Vit Mojzis <vmojzis>
Date:   Wed Nov 25 18:21:03 2015 +0100

    Allow hostapd to create netlink_generic_socket.
    New AVC after kernel update.
    #1266068
```

selinux-policy-3.13.1-157.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-b4167d5fd0

selinux-policy-3.13.1-157.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with

```
$ su -c 'dnf --enablerepo=updates-testing update selinux-policy'
```

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-b4167d5fd0

selinux-policy-3.13.1-157.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.