Bug 1977676
Summary: | SELinux prevents the hostapd from binding to DHCP port | |||
---|---|---|---|---|
Product: | Red Hat Enterprise Linux 8 | Reporter: | Filip Pokryvka <fpokryvk> | |
Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> | |
Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> | |
Severity: | medium | Docs Contact: | ||
Priority: | medium | |||
Version: | 8.5 | CC: | brdeoliv, lvrabec, mmalik, plautrba, ssekidde | |
Target Milestone: | beta | Keywords: | Triaged | |
Target Release: | 8.5 | |||
Hardware: | All | |||
OS: | Linux | |||
Whiteboard: | ||||
Fixed In Version: | selinux-policy-3.14.3-75.el8 | Doc Type: | No Doc Update | |
Doc Text: | Story Points: | --- | ||
Clone Of: | ||||
: | 1979968 (view as bug list) | Environment: | ||
Last Closed: | 2021-11-09 19:43:34 UTC | Type: | Bug | |
Regression: | --- | Mount Type: | --- | |
Documentation: | --- | CRM: | ||
Verified Versions: | Category: | --- | ||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
Cloudforms Team: | --- | Target Upstream Version: | ||
Embargoed: | ||||
Bug Depends On: | ||||
Bug Blocks: | 1979968 |
Description
Filip Pokryvka
2021-06-30 09:14:50 UTC
There is only 1 SELinux denial in enforcing mode: ---- type=PROCTITLE msg=audit(06/30/2021 13:52:15.468:343) : proctitle=/usr/sbin/hostapd -ddd /etc/hostapd/wired.conf type=SOCKADDR msg=audit(06/30/2021 13:52:15.468:343) : saddr={ saddr_fam=inet laddr=0.0.0.0 lport=67 } type=SYSCALL msg=audit(06/30/2021 13:52:15.468:343) : arch=x86_64 syscall=bind success=no exit=EACCES(Permission denied) a0=0x5 a1=0x7fffba09d9c0 a2=0x10 a3=0x7fffba09d9f0 items=0 ppid=1 pid=6343 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=hostapd exe=/usr/sbin/hostapd subj=system_u:system_r:hostapd_t:s0 key=(null) type=AVC msg=audit(06/30/2021 13:52:15.468:343) : avc: denied { name_bind } for pid=6343 comm=hostapd src=67 scontext=system_u:system_r:hostapd_t:s0 tcontext=system_u:object_r:dhcpd_port_t:s0 tclass=udp_socket permissive=0 ---- Here are SELinux denials caught in permissive mode: ---- type=PROCTITLE msg=audit(06/30/2021 13:52:56.525:356) : proctitle=/usr/sbin/hostapd -ddd /etc/hostapd/wired.conf type=SOCKADDR msg=audit(06/30/2021 13:52:56.525:356) : saddr={ saddr_fam=inet laddr=0.0.0.0 lport=67 } type=SYSCALL msg=audit(06/30/2021 13:52:56.525:356) : arch=x86_64 syscall=bind success=yes exit=0 a0=0x5 a1=0x7fffde3a3090 a2=0x10 a3=0x7fffde3a30c0 items=0 ppid=1 pid=6516 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=hostapd exe=/usr/sbin/hostapd subj=system_u:system_r:hostapd_t:s0 key=(null) type=AVC msg=audit(06/30/2021 13:52:56.525:356) : avc: denied { net_bind_service } for pid=6516 comm=hostapd capability=net_bind_service scontext=system_u:system_r:hostapd_t:s0 tcontext=system_u:system_r:hostapd_t:s0 tclass=capability permissive=1 type=AVC msg=audit(06/30/2021 13:52:56.525:356) : avc: denied { name_bind } for pid=6516 comm=hostapd src=67 scontext=system_u:system_r:hostapd_t:s0 tcontext=system_u:object_r:dhcpd_port_t:s0 tclass=udp_socket permissive=1 ---- # rpm -qa hostapd\* hostapd-2.9-5.el8.x86_64 # *** Bug 1976910 has been marked as a duplicate of this bug. *** I've submitted a Fedora PR to address the issue: https://github.com/fedora-selinux/selinux-policy/pull/812 Commit to backport: commit 636f4944a991a6d1de6b929b57049058cd6746c5 (HEAD -> rawhide, upstream/rawhide) Author: Zdenek Pytela <zpytela> Date: Wed Jul 28 17:45:07 2021 +0200 Allow hostapd bind UDP sockets to the dhcpd port Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2021:4420 |