Bug 1977676

Summary: SELinux prevents the hostapd from binding to DHCP port
Product: Red Hat Enterprise Linux 8
Reporter: Filip Pokryvka <fpokryvk>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: medium
Priority: medium
Version: 8.5
CC: brdeoliv, lvrabec, mmalik, plautrba, ssekidde
Target Milestone: beta
Keywords: Triaged
Target Release: 8.5
Hardware: All
OS: Linux
Fixed In Version: selinux-policy-3.14.3-75.el8
Doc Type: No Doc Update
Clones: 1979968
Last Closed: 2021-11-09 19:43:34 UTC
Type: Bug
Bug Blocks: 1979968

Description Filip Pokryvka 2021-06-30 09:14:50 UTC
Description of problem:
NetworkManager-ci configures hostapd and the tests started to fail since RHEL8.5 (tests worked before).

Denied audit messages:
type=AVC msg=audit(1625040334.828:154): avc:  denied  { name_bind } for  pid=3772 comm="hostapd" src=67 scontext=system_u:system_r:hostapd_t:s0 tcontext=system_u:object_r:dhcpd_port_t:s0 tclass=udp_socket permissive=0
type=AVC msg=audit(1625040402.016:190): avc:  denied  { name_bind } for  pid=4370 comm="hostapd" src=67 scontext=system_u:system_r:hostapd_t:s0 tcontext=system_u:object_r:dhcpd_port_t:s0 tclass=udp_socket permissive=0
type=AVC msg=audit(1625040575.909:204): avc:  denied  { name_bind } for  pid=4652 comm="hostapd" src=67 scontext=system_u:system_r:hostapd_t:s0 tcontext=system_u:object_r:dhcpd_port_t:s0 tclass=udp_socket permissive=1
type=AVC msg=audit(1625040575.909:204): avc:  denied  { net_bind_service } for  pid=4652 comm="hostapd" capability=10  scontext=system_u:system_r:hostapd_t:s0 tcontext=system_u:system_r:hostapd_t:s0 tclass=capability permissive=1


Version-Release number of selected component (if applicable):
selinux-policy-3.14.3-67.el8.noarch

How reproducible:
always

Steps to Reproduce:
1. clone NetworkManager-ci repo from https://gitlab.freedesktop.org/NetworkManager/NetworkManager-ci/
2. checkout this commit: b7b0f9f1c3ba42f15fd7c6f31cb504ec0dd5347e
3. bash prepare/hostapd_wired.sh tmp/8021x/certs/

Actual results:
hostapd fails to start (selinux)

Expected results:
hostapd should start

Additional info:
Step 2 is required because we compiled a custom SELinux module as a workaround.

Comment 1 Milos Malik 2021-06-30 17:55:12 UTC
There is only 1 SELinux denial in enforcing mode:
----
type=PROCTITLE msg=audit(06/30/2021 13:52:15.468:343) : proctitle=/usr/sbin/hostapd -ddd /etc/hostapd/wired.conf 
type=SOCKADDR msg=audit(06/30/2021 13:52:15.468:343) : saddr={ saddr_fam=inet laddr=0.0.0.0 lport=67 } 
type=SYSCALL msg=audit(06/30/2021 13:52:15.468:343) : arch=x86_64 syscall=bind success=no exit=EACCES(Permission denied) a0=0x5 a1=0x7fffba09d9c0 a2=0x10 a3=0x7fffba09d9f0 items=0 ppid=1 pid=6343 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=hostapd exe=/usr/sbin/hostapd subj=system_u:system_r:hostapd_t:s0 key=(null) 
type=AVC msg=audit(06/30/2021 13:52:15.468:343) : avc:  denied  { name_bind } for  pid=6343 comm=hostapd src=67 scontext=system_u:system_r:hostapd_t:s0 tcontext=system_u:object_r:dhcpd_port_t:s0 tclass=udp_socket permissive=0 
----

Here are SELinux denials caught in permissive mode:
----
type=PROCTITLE msg=audit(06/30/2021 13:52:56.525:356) : proctitle=/usr/sbin/hostapd -ddd /etc/hostapd/wired.conf 
type=SOCKADDR msg=audit(06/30/2021 13:52:56.525:356) : saddr={ saddr_fam=inet laddr=0.0.0.0 lport=67 } 
type=SYSCALL msg=audit(06/30/2021 13:52:56.525:356) : arch=x86_64 syscall=bind success=yes exit=0 a0=0x5 a1=0x7fffde3a3090 a2=0x10 a3=0x7fffde3a30c0 items=0 ppid=1 pid=6516 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=hostapd exe=/usr/sbin/hostapd subj=system_u:system_r:hostapd_t:s0 key=(null) 
type=AVC msg=audit(06/30/2021 13:52:56.525:356) : avc:  denied  { net_bind_service } for  pid=6516 comm=hostapd capability=net_bind_service  scontext=system_u:system_r:hostapd_t:s0 tcontext=system_u:system_r:hostapd_t:s0 tclass=capability permissive=1 
type=AVC msg=audit(06/30/2021 13:52:56.525:356) : avc:  denied  { name_bind } for  pid=6516 comm=hostapd src=67 scontext=system_u:system_r:hostapd_t:s0 tcontext=system_u:object_r:dhcpd_port_t:s0 tclass=udp_socket permissive=1 
----

# rpm -qa hostapd\*
hostapd-2.9-5.el8.x86_64
#

Comment 2 Filip Pokryvka 2021-07-01 07:09:43 UTC
*** Bug 1976910 has been marked as a duplicate of this bug. ***

Comment 6 Zdenek Pytela 2021-07-28 15:46:20 UTC
I've submitted a Fedora PR to address the issue:
https://github.com/fedora-selinux/selinux-policy/pull/812

Comment 7 Zdenek Pytela 2021-07-28 20:12:57 UTC
Commit to backport:

commit 636f4944a991a6d1de6b929b57049058cd6746c5 (HEAD -> rawhide, upstream/rawhide)
Author: Zdenek Pytela <zpytela>
Date:   Wed Jul 28 17:45:07 2021 +0200

    Allow hostapd bind UDP sockets to the dhcpd port
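The denials quoted in the description boil down to two rules: hostapd_t binding a UDP socket to dhcpd_port_t, and (in permissive mode only) the net_bind_service capability. The script below is an added example, not the selinux-policy project's fix: it parses AVC records like the ones in this bug into unique (source type, target type, class, permission) tuples and emits a minimal local Type Enforcement module, the way one would audit a denial before writing a targeted rule rather than a broad one. The module name hostapd_dhcp and the inclusion of the capability rule are assumptions; the upstream commit above only mentions the port binding.

```python
"""Turn AVC denial records into a minimal local SELinux .te module.
Added example (not the selinux-policy fix); module name is assumed."""
import re

# Constructed sample: AVC records copied from the bug description, with
# the name_bind denial repeated to show that duplicates collapse.
AVC_SAMPLE = """\
type=AVC msg=audit(1625040334.828:154): avc:  denied  { name_bind } for  pid=3772 comm="hostapd" src=67 scontext=system_u:system_r:hostapd_t:s0 tcontext=system_u:object_r:dhcpd_port_t:s0 tclass=udp_socket permissive=0
type=AVC msg=audit(1625040575.909:204): avc:  denied  { name_bind } for  pid=4652 comm="hostapd" src=67 scontext=system_u:system_r:hostapd_t:s0 tcontext=system_u:object_r:dhcpd_port_t:s0 tclass=udp_socket permissive=1
type=AVC msg=audit(1625040575.909:204): avc:  denied  { net_bind_service } for  pid=4652 comm="hostapd" capability=10  scontext=system_u:system_r:hostapd_t:s0 tcontext=system_u:system_r:hostapd_t:s0 tclass=capability permissive=1
"""

# Extract the permission set, the source/target *types* (third field of
# the context) and the object class from one AVC line.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\} .*?"
    r"scontext=\w+:\w+:(?P<stype>\w+):\S+ "
    r"tcontext=\w+:\w+:(?P<ttype>\w+):\S+ "
    r"tclass=(?P<tclass>\w+)")


def parse_denials(text):
    """Return sorted unique (stype, ttype, tclass, perm) tuples."""
    found = set()
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        for perm in m["perms"].split():
            found.add((m["stype"], m["ttype"], m["tclass"], perm))
    return sorted(found)


def build_te(denials, module="hostapd_dhcp"):
    """Emit .te source: a require block plus one allow rule per denial.
    A denial whose target type equals its source type (the capability
    check) is written against 'self', as policy convention expects."""
    types = sorted({t for d in denials for t in d[:2]})
    classes = {}
    for _, _, cls, perm in denials:
        classes.setdefault(cls, set()).add(perm)
    out = [f"policy_module({module}, 1.0)", "", "require {"]
    out += [f"    type {t};" for t in types]
    out += [f"    class {c} {{ {' '.join(sorted(p))} }};"
            for c, p in sorted(classes.items())]
    out += ["}", ""]
    for stype, ttype, cls, perm in denials:
        target = "self" if stype == ttype else ttype
        out.append(f"allow {stype} {target}:{cls} {perm};")
    return "\n".join(out) + "\n"
```

In a refpolicy-style tree the port rule is normally expressed through the generated interface for that port type rather than a raw allow; the raw form above is what a local module built from the audit log would contain.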

Comment 18 errata-xmlrpc 2021-11-09 19:43:34 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:4420