Bug 1977676

Summary:	SELinux prevents the hostapd from binding to DHCP port
Product:	Red Hat Enterprise Linux 8	Reporter:	Filip Pokryvka <fpokryvk>
Component:	selinux-policy	Assignee:	Zdenek Pytela <zpytela>
Status:	CLOSED ERRATA	QA Contact:	Milos Malik <mmalik>
Severity:	medium	Docs Contact:
Priority:	medium
Version:	8.5	CC:	brdeoliv, lvrabec, mmalik, plautrba, ssekidde
Target Milestone:	beta	Keywords:	Triaged
Target Release:	8.5	Flags:	pm-rhel: mirror+
Hardware:	All
OS:	Linux
Whiteboard:
Fixed In Version:	selinux-policy-3.14.3-75.el8	Doc Type:	No Doc Update
Doc Text:		Story Points:	---
Clone Of:
Clones:	1979968 (view as bug list)		Environment:
Last Closed:	2021-11-09 19:43:34 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks:	1979968

Description Filip Pokryvka 2021-06-30 09:14:50 UTC

Description of problem:
NetworkManager-ci configures hostapd and the tests started to fail since RHEL8.5 (tests worked before).

Denied audit messages:
type=AVC msg=audit(1625040334.828:154): avc:  denied  { name_bind } for  pid=3772 comm="hostapd" src=67 scontext=system_u:system_r:hostapd_t:s0 tcontext=system_u:object_r:dhcpd_port_t:s0 tclass=udp_socket permissive=0
type=AVC msg=audit(1625040402.016:190): avc:  denied  { name_bind } for  pid=4370 comm="hostapd" src=67 scontext=system_u:system_r:hostapd_t:s0 tcontext=system_u:object_r:dhcpd_port_t:s0 tclass=udp_socket permissive=0
type=AVC msg=audit(1625040575.909:204): avc:  denied  { name_bind } for  pid=4652 comm="hostapd" src=67 scontext=system_u:system_r:hostapd_t:s0 tcontext=system_u:object_r:dhcpd_port_t:s0 tclass=udp_socket permissive=1
type=AVC msg=audit(1625040575.909:204): avc:  denied  { net_bind_service } for  pid=4652 comm="hostapd" capability=10  scontext=system_u:system_r:hostapd_t:s0 tcontext=system_u:system_r:hostapd_t:s0 tclass=capability permissive=1


Version-Release number of selected component (if applicable):
selinux-policy-3.14.3-67.el8.noarch

How reproducible:
always

Steps to Reproduce:
1. clone NetworkManager-ci repo from https://gitlab.freedesktop.org/NetworkManager/NetworkManager-ci/
2. checkout this commit: b7b0f9f1c3ba42f15fd7c6f31cb504ec0dd5347e
3. bash prepare/hostapd_wired.sh tmp/8021x/certs/

Actual results:
hostapd fails to start (selinux)

Expected results:
hostapd should start

Additional info:
step 2 is required because we compiled custom selinux module as workaround.

Comment 1 Milos Malik 2021-06-30 17:55:12 UTC

There is only 1 SELinux denial in enforcing mode:
----
type=PROCTITLE msg=audit(06/30/2021 13:52:15.468:343) : proctitle=/usr/sbin/hostapd -ddd /etc/hostapd/wired.conf 
type=SOCKADDR msg=audit(06/30/2021 13:52:15.468:343) : saddr={ saddr_fam=inet laddr=0.0.0.0 lport=67 } 
type=SYSCALL msg=audit(06/30/2021 13:52:15.468:343) : arch=x86_64 syscall=bind success=no exit=EACCES(Permission denied) a0=0x5 a1=0x7fffba09d9c0 a2=0x10 a3=0x7fffba09d9f0 items=0 ppid=1 pid=6343 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=hostapd exe=/usr/sbin/hostapd subj=system_u:system_r:hostapd_t:s0 key=(null) 
type=AVC msg=audit(06/30/2021 13:52:15.468:343) : avc:  denied  { name_bind } for  pid=6343 comm=hostapd src=67 scontext=system_u:system_r:hostapd_t:s0 tcontext=system_u:object_r:dhcpd_port_t:s0 tclass=udp_socket permissive=0 
----

Here are SELinux denials caught in permissive mode:
----
type=PROCTITLE msg=audit(06/30/2021 13:52:56.525:356) : proctitle=/usr/sbin/hostapd -ddd /etc/hostapd/wired.conf 
type=SOCKADDR msg=audit(06/30/2021 13:52:56.525:356) : saddr={ saddr_fam=inet laddr=0.0.0.0 lport=67 } 
type=SYSCALL msg=audit(06/30/2021 13:52:56.525:356) : arch=x86_64 syscall=bind success=yes exit=0 a0=0x5 a1=0x7fffde3a3090 a2=0x10 a3=0x7fffde3a30c0 items=0 ppid=1 pid=6516 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=hostapd exe=/usr/sbin/hostapd subj=system_u:system_r:hostapd_t:s0 key=(null) 
type=AVC msg=audit(06/30/2021 13:52:56.525:356) : avc:  denied  { net_bind_service } for  pid=6516 comm=hostapd capability=net_bind_service  scontext=system_u:system_r:hostapd_t:s0 tcontext=system_u:system_r:hostapd_t:s0 tclass=capability permissive=1 
type=AVC msg=audit(06/30/2021 13:52:56.525:356) : avc:  denied  { name_bind } for  pid=6516 comm=hostapd src=67 scontext=system_u:system_r:hostapd_t:s0 tcontext=system_u:object_r:dhcpd_port_t:s0 tclass=udp_socket permissive=1 
----

# rpm -qa hostapd\*
hostapd-2.9-5.el8.x86_64
#

Comment 2 Filip Pokryvka 2021-07-01 07:09:43 UTC

*** Bug 1976910 has been marked as a duplicate of this bug. ***

Comment 6 Zdenek Pytela 2021-07-28 15:46:20 UTC

I've submitted a Fedora PR to address the issue:
https://github.com/fedora-selinux/selinux-policy/pull/812

Comment 7 Zdenek Pytela 2021-07-28 20:12:57 UTC

Commit to backport:

commit 636f4944a991a6d1de6b929b57049058cd6746c5 (HEAD -> rawhide, upstream/rawhide)
Author: Zdenek Pytela <zpytela>
Date:   Wed Jul 28 17:45:07 2021 +0200

    Allow hostapd bind UDP sockets to the dhcpd port

Comment 18 errata-xmlrpc 2021-11-09 19:43:34 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:4420