Bug 1266068

Summary: hostapd won't start via Systemd, selinux errors
Product: [Fedora] Fedora Reporter: Michael <bugs>
Component: selinux-policyAssignee: Vit Mojzis <vmojzis>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: medium    
Version: 23CC: atiqsbu, codonell, dominick.grift, dwalsh, fedora, goeran, ivan.afonichev, jokatzer, linville, lvrabec, mgrepl, negativo17, plautrba, thomas, zimon
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: selinux-policy-3.13.1-157.fc23 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-12-13 04:22:20 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Michael 2015-09-24 12:15:29 UTC
Description of problem:

I configured hostapd. It starts fine in a terminal (hostapd /etc/hostapd/hostapd.conf). However, it won't start with systemctl start hostapd.

Version-Release number of selected component (if applicable):

Fedora 23 Beta with all updates as of sep. 24th 2015

---

cat /etc/hostapd/hostapd.conf

ctrl_interface=/var/run/hostapd
ctrl_interface_group=wheel

interface=wlp0s29u1u7
driver=nl80211
ssid=mywlan
wpa=2  
wpa_passphrase=geheim1234
wpa_key_mgmt=WPA-PSK
hw_mode=g
channel=6
country_code=DE  

---

wlp0s29u1u7 = device for USB WLAN adaptor

---

sealert -l 342463bf-a962-45ce-9f77-18e04fccb3fd

SELinux is preventing hostapd from bind access on the netlink_generic_socket Unknown.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that hostapd should be allowed bind access on the Unknown netlink_generic_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep hostapd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:hostapd_t:s0
Target Context                system_u:system_r:hostapd_t:s0
Target Objects                Unknown [ netlink_generic_socket ]
Source                        hostapd
Source Path                   hostapd
Port                          <Unknown>
Host                          fedora23
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-147.fc23.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     fedora23
Platform                      Linux fedora23 4.2.1-300.fc23.x86_64 #1 SMP Mon
                              Sep 21 22:13:13 UTC 2015 x86_64 x86_64
Alert Count                   1
First Seen                    2015-09-24 14:09:14 CEST
Last Seen                     2015-09-24 14:09:14 CEST
Local ID                      342463bf-a962-45ce-9f77-18e04fccb3fd

Raw Audit Messages
type=AVC msg=audit(1443096554.422:712): avc:  denied  { bind } for  pid=2553 comm="hostapd" scontext=system_u:system_r:hostapd_t:s0 tcontext=system_u:system_r:hostapd_t:s0 tclass=netlink_generic_socket permissive=1


Hash: hostapd,hostapd_t,hostapd_t,netlink_generic_socket,bind

Comment 1 John W. Linville 2015-09-24 14:57:29 UTC
This seems like expected hostapd behavior.  I'm not sure why selinux would suddenly care...?

Comment 2 Göran Uddeborg 2015-10-12 18:35:27 UTC
After having had hostapd disabled for a while, I also see this when I reenabled it.  (There have probably been updates in between.  I'm using the same policy as Michael.)  Switching to Permissive mode, I see four AVC types, listed below.

Could there have been something that went wrong in some selinux update?

time->Mon Oct 12 20:05:31 2015
type=PROCTITLE msg=audit(1444673131.752:2131): proctitle=2F7573722F7362696E2F686F7374617064002F6574632F686F73746170642F686F73746170642E636F6E66002D50002F72756E2F686F73746170642E706964002D42
type=SYSCALL msg=audit(1444673131.752:2131): arch=c000003e syscall=41 success=yes exit=5 a0=10 a1=80003 a2=10 a3=57 items=0 ppid=1 pid=22701 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="hostapd" exe="/usr/sbin/hostapd" subj=system_u:system_r:hostapd_t:s0 key=(null)
type=AVC msg=audit(1444673131.752:2131): avc:  denied  { create } for  pid=22701 comm="hostapd" scontext=system_u:system_r:hostapd_t:s0 tcontext=system_u:system_r:hostapd_t:s0 tclass=netlink_generic_socket permissive=1
----
time->Mon Oct 12 20:05:31 2015
type=PROCTITLE msg=audit(1444673131.752:2132): proctitle=2F7573722F7362696E2F686F7374617064002F6574632F686F73746170642F686F73746170642E636F6E66002D50002F72756E2F686F73746170642E706964002D42
type=SYSCALL msg=audit(1444673131.752:2132): arch=c000003e syscall=54 success=yes exit=0 a0=5 a1=1 a2=7 a3=7ffc8d74d6c8 items=0 ppid=1 pid=22701 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="hostapd" exe="/usr/sbin/hostapd" subj=system_u:system_r:hostapd_t:s0 key=(null)
type=AVC msg=audit(1444673131.752:2132): avc:  denied  { setopt } for  pid=22701 comm="hostapd" scontext=system_u:system_r:hostapd_t:s0 tcontext=system_u:system_r:hostapd_t:s0 tclass=netlink_generic_socket permissive=1
----
time->Mon Oct 12 20:05:31 2015
type=PROCTITLE msg=audit(1444673131.752:2133): proctitle=2F7573722F7362696E2F686F7374617064002F6574632F686F73746170642F686F73746170642E636F6E66002D50002F72756E2F686F73746170642E706964002D42
type=SYSCALL msg=audit(1444673131.752:2133): arch=c000003e syscall=49 success=yes exit=0 a0=5 a1=20b8010 a2=c a3=0 items=0 ppid=1 pid=22701 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="hostapd" exe="/usr/sbin/hostapd" subj=system_u:system_r:hostapd_t:s0 key=(null)
type=AVC msg=audit(1444673131.752:2133): avc:  denied  { bind } for  pid=22701 comm="hostapd" scontext=system_u:system_r:hostapd_t:s0 tcontext=system_u:system_r:hostapd_t:s0 tclass=netlink_generic_socket permissive=1
----
time->Mon Oct 12 20:05:31 2015
type=PROCTITLE msg=audit(1444673131.752:2134): proctitle=2F7573722F7362696E2F686F7374617064002F6574632F686F73746170642F686F73746170642E636F6E66002D50002F72756E2F686F73746170642E706964002D42
type=SYSCALL msg=audit(1444673131.752:2134): arch=c000003e syscall=51 success=yes exit=0 a0=5 a1=7ffc8d74d750 a2=7ffc8d74d74c a3=0 items=0 ppid=1 pid=22701 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="hostapd" exe="/usr/sbin/hostapd" subj=system_u:system_r:hostapd_t:s0 key=(null)
type=AVC msg=audit(1444673131.752:2134): avc:  denied  { getattr } for  pid=22701 comm="hostapd" scontext=system_u:system_r:hostapd_t:s0 tcontext=system_u:system_r:hostapd_t:s0 tclass=netlink_generic_socket permissive=1

Comment 3 Göran Uddeborg 2015-10-13 19:00:21 UTC
After moving back to enforcing mode again, I found that hostapd actually read and write the socket too (surprise!).  Those calls were apparently "dontaudited", but the denials still prevented hostapd from working properly in an enforcing environment.

But after having made a little module with this rule

allow hostapd_t hostapd_t:netlink_generic_socket
      { create setopt bind getattr read write };

I'm again able to connect and use the net.

Comment 4 Van de Bugger 2015-10-18 22:09:20 UTC
I have the same problem on Fedora 22.

Comment 5 syncsrc 2015-10-21 17:31:53 UTC
Also seeing this problem on Fedora 22 after the latest kernel update. Problem manifests when using 4.2.3, but not 4.1.10

I've made no modifications to the SELinux policies in:
selinux-policy-3.13.1-128.13.fc22.noarch
selinux-policy-targeted-3.13.1-128.13.fc22.noarch

Comment 6 Carlos O'Donell 2015-11-17 08:17:43 UTC
(In reply to Göran Uddeborg from comment #3)
> After moving back to enforcing mode again, I found that hostapd actually
> read and write the socket too (surprise!).  Those calls were apparently
> "dontaudited", but the denials still prevented hostapd from working properly
> in an enforcing environment.
> 
> But after having made a little module with this rule
> 
> allow hostapd_t hostapd_t:netlink_generic_socket
>       { create setopt bind getattr read write };
> 
> I'm again able to connect and use the net.

Same problem on F22, and I also fixed it with a similar *.te file.

Comment 7 Carlos O'Donell 2015-11-17 08:18:59 UTC
*** Bug 1282179 has been marked as a duplicate of this bug. ***

Comment 8 Carlos O'Donell 2015-11-17 08:20:34 UTC
*** Bug 1278569 has been marked as a duplicate of this bug. ***

Comment 9 Miroslav Grepl 2015-11-20 13:46:00 UTC
Thank you for testing.

Comment 10 Atiq 2015-11-21 20:47:30 UTC
I am having similar problem with fedora 22 x86, kernel-4.2.6-200

I have added all those permissions to selinux using semodule -i which solved the problem. However, still now,
# hostapd ./hostapd.conf

still works,

But, this fails,
# systemctl start hostapd

# journalctl -xe
hostapd[6313]: Configuration file: /etc/hostapd/hostapd.conf
hostapd[6313]: nl80211: 'nl80211' generic netlink not found
hostapd[6313]: Failed to initialize driver 'nl80211'
hostapd[6313]: wlp2s0: interface state UNINITIALIZED->DISABLED
hostapd[6313]: wlp2s0: AP-DISABLED
hostapd[6313]: hostapd_free_hapd_data: Interface wlp2s0 wasn't started
systemd[1]: hostapd.service: control process exited, code=exited status=1
systemd[1]: Failed to start Hostapd IEEE 802.11 AP, IEEE 802.1X/WPA/WPA2/EAP/RADIUS Authenticator.

That is weird. More documentation: http://tech.saoslab.com/post/2015/11/20/fedora-22-setting-up-hostapd-to-create-hotspot

Comment 11 Vit Mojzis 2015-11-25 17:01:43 UTC
*** Bug 1273570 has been marked as a duplicate of this bug. ***

Comment 12 Vit Mojzis 2015-11-25 17:54:08 UTC
https://github.com/fedora-selinux/selinux-policy/pull/72

commit 4f53dcad5aff19e8b8857ae46e6f9279d43ef50c
Author: Vit Mojzis <vmojzis>
Date:   Wed Nov 25 18:21:03 2015 +0100

    Allow hostapd to create netlink_generic_socket.
    New AVC after kernel update. #1266068

Comment 13 Fedora Update System 2015-12-09 13:37:52 UTC
selinux-policy-3.13.1-157.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-b4167d5fd0

Comment 14 Fedora Update System 2015-12-10 04:54:58 UTC
selinux-policy-3.13.1-157.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update selinux-policy'
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-b4167d5fd0

Comment 15 Fedora Update System 2015-12-13 04:22:00 UTC
selinux-policy-3.13.1-157.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.