Bug 2032277
| Field | Value |
|---|---|
| Summary | SELinux is preventing hostapd from 'sendto' accesses on the unix_dgram_socket /tmp/wpa_ctrl_439937-1. |
| Product | Fedora |
| Component | selinux-policy |
| Status | CLOSED ERRATA |
| Severity | medium |
| Priority | medium |
| Version | 35 |
| Target Milestone | --- |
| Target Release | --- |
| Hardware | x86_64 |
| OS | Linux |
| Whiteboard | abrt_hash:cf3791fa6666e8f75bed00cfa1af5172163f1acaf3c9e30ed0a24410fb97308e; |
| Fixed In Version | selinux-policy-35.13-1.fc35 |
| Reporter | Thomas Köller <thomas> |
| Assignee | Zdenek Pytela <zpytela> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | bz.list, dwalsh, goeran, grepl.miroslav, lvrabec, mmalik, omosnace, pkoncity, ppisar, tsobczynski, vmojzis, zpytela |
| Keywords | Triaged |
| Doc Type | If docs needed, set a value |
| Story Points | --- |
| Clone Of | |
| | 2064284 (view as bug list) |
| Last Closed | 2022-02-04 01:22:55 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
| Bug Blocks | 2064284, 2064688 |
Description
Thomas Köller
2021-12-14 10:13:07 UTC
Following SELinux denial appeared in enforcing mode:

----
type=PROCTITLE msg=audit(01/12/2022 08:56:38.224:553) : proctitle=/usr/sbin/hostapd /etc/hostapd/hostapd.conf -P /run/hostapd.pid -B
type=PATH msg=audit(01/12/2022 08:56:38.224:553) : item=0 name=/tmp/wpa_ctrl_7902-1 inode=87 dev=00:24 mode=socket,755 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(01/12/2022 08:56:38.224:553) : cwd=/
type=SOCKADDR msg=audit(01/12/2022 08:56:38.224:553) : saddr={ saddr_fam=local path=/tmp/wpa_ctrl_7902-1 }
type=SYSCALL msg=audit(01/12/2022 08:56:38.224:553) : arch=x86_64 syscall=sendto success=no exit=EACCES(Permission denied) a0=0xd a1=0x229f260 a2=0x0 a3=0x0 items=1 ppid=1 pid=7753 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=hostapd exe=/usr/sbin/hostapd subj=system_u:system_r:hostapd_t:s0 key=(null)
type=AVC msg=audit(01/12/2022 08:56:38.224:553) : avc: denied { write } for pid=7753 comm=hostapd name=wpa_ctrl_7902-1 dev="tmpfs" ino=87 scontext=system_u:system_r:hostapd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=sock_file permissive=0
----

Following SELinux denials appeared in permissive mode:

----
type=PROCTITLE msg=audit(01/12/2022 08:59:50.604:563) : proctitle=/usr/sbin/hostapd /etc/hostapd/hostapd.conf -P /run/hostapd.pid -B
type=PATH msg=audit(01/12/2022 08:59:50.604:563) : item=0 name=/tmp/wpa_ctrl_10619-1 inode=96 dev=00:24 mode=socket,755 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(01/12/2022 08:59:50.604:563) : cwd=/
type=SOCKADDR msg=audit(01/12/2022 08:59:50.604:563) : saddr={ saddr_fam=local path=/tmp/wpa_ctrl_10619-1 }
type=SYSCALL msg=audit(01/12/2022 08:59:50.604:563) : arch=x86_64 syscall=sendto success=yes exit=0 a0=0xd a1=0x715260 a2=0x0 a3=0x0 items=1 ppid=1 pid=10470 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=hostapd exe=/usr/sbin/hostapd subj=system_u:system_r:hostapd_t:s0 key=(null)
type=AVC msg=audit(01/12/2022 08:59:50.604:563) : avc: denied { sendto } for pid=10470 comm=hostapd path=/tmp/wpa_ctrl_10619-1 scontext=system_u:system_r:hostapd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=1
type=AVC msg=audit(01/12/2022 08:59:50.604:563) : avc: denied { write } for pid=10470 comm=hostapd name=wpa_ctrl_10619-1 dev="tmpfs" ino=96 scontext=system_u:system_r:hostapd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=sock_file permissive=1
----

*** Bug 2021107 has been marked as a duplicate of this bug. ***

*** Bug 1784253 has been marked as a duplicate of this bug. ***

I've submitted a Fedora PR to address the issue:
https://github.com/fedora-selinux/selinux-policy/pull/1027

FEDORA-2022-20f36a8b0e has been submitted as an update to Fedora 35.
https://bodhi.fedoraproject.org/updates/FEDORA-2022-20f36a8b0e

FEDORA-2022-20f36a8b0e has been pushed to the Fedora 35 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2022-20f36a8b0e`
You can provide feedback for this update here:
https://bodhi.fedoraproject.org/updates/FEDORA-2022-20f36a8b0e
See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

FEDORA-2022-20f36a8b0e has been pushed to the Fedora 35 stable repository.
If problem still persists, please make note of it in this bug report.

On Fedora 38, this issue (and a second, similar one) is appearing in my environment:

"SELinux is preventing hostapd from write access on the sock_file wpa_ctrl_1004-1."
"SELinux is preventing hostapd from sendto access on the unix_dgram_socket /tmp/wpa_ctrl_1468-1."
RedHat publishes a guide for configuring IEEE 802.1X network access control using FreeRADIUS and hostapd:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_and_managing_networking/assembly_setting-up-an-802-1x-network-authentication-service-for-lan-clients-using-hostapd-with-freeradius-backend_configuring-and-managing-networking

Following this guide, I set up a systemd service that invokes hostapd_cli to drive nftables configuration based on authentication events. Testing by hand at the command prompt, the commands involved worked. But once they were being driven by the systemd service, they stopped working. I found notes in the syslog about SELinux blocking hostapd's access to certain resources. Applying the workaround contained therein was effective (but was needed twice to account for two different SELinux restrictions on hostapd), but as suggested by the same text, it seems like a bug that the out-of-box hostapd service can't deliver events to the CLI per RedHat's documented setup guide.

[root@AuthServer ~]# sealert -l 70860418-d097-4652-b2ac-66a6ad1b7c73
SELinux is preventing hostapd from write access on the sock_file wpa_ctrl_1004-1.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that hostapd should be allowed write access on the wpa_ctrl_1004-1 sock_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'hostapd' --raw | audit2allow -M my-hostapd
# semodule -X 300 -i my-hostapd.pp

Additional Information:
Source Context                system_u:system_r:hostapd_t:s0
Target Context                system_u:object_r:tmp_t:s0
Target Objects                wpa_ctrl_1004-1 [ sock_file ]
Source                        hostapd
Source Path                   hostapd
Port                          <Unknown>
Host                          AuthServer.local
Source RPM Packages
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-38.12-1.fc38.noarch
Local Policy RPM              selinux-policy-targeted-38.12-1.fc38.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     AuthServer.local
Platform                      Linux AuthServer.local 6.2.15-300.fc38.x86_64 #1 SMP PREEMPT_DYNAMIC Thu May 11 17:37:39 UTC 2023 x86_64
Alert Count                   221
First Seen                    2023-05-22 14:56:22 UTC
Last Seen                     2023-05-22 16:59:33 UTC
Local ID                      70860418-d097-4652-b2ac-66a6ad1b7c73

Raw Audit Messages
type=AVC msg=audit(1684774773.629:101): avc: denied { write } for pid=976 comm="hostapd" name="wpa_ctrl_1004-1" dev="tmpfs" ino=31 scontext=system_u:system_r:hostapd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file permissive=0

Hash: hostapd,hostapd_t,tmp_t,sock_file,write

======================================================================
Next-time-around error from syslog:
======================================================================
failed to retrieve rpm info for path '/tmp/wpa_ctrl_1468-1':
Started dbus-:1.3-org.fedoraproject.SetroubleshootPrivileged.
SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=dbus-:1.3-org.fedoraproject.SetroubleshootPrivileged@2 comm="systemd" exe="/usr/lib/syste>
SELinux is preventing hostapd from sendto access on the unix_dgram_socket /tmp/wpa_ctrl_1468-1. For complete SELinux messages run: sealert -l 07855075-7215-4b35-a32a-52e19d35634f
SELinux is preventing hostapd from sendto access on the unix_dgram_socket /tmp/wpa_ctrl_1468-1.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that hostapd should be allowed sendto access on the wpa_ctrl_1468-1 unix_dgram_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'hostapd' --raw | audit2allow -M my-hostapd
# semodule -X 300 -i my-hostapd.pp
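The AVC records quoted in this report show the pattern worth recognising when triaging this class of denial: in enforcing mode the sendto() syscall is aborted at the first failed check (write on the sock_file), so only that denial is logged; permissive mode records the whole chain (sendto on the unix_dgram_socket plus write on the sock_file), which is why the audit2allow workaround had to be applied twice. The Python script below is an added example, not part of this bug report or of the selinux-policy project. It embeds the four AVC records from this page as constructed sample input (in both the ausearch -i interpreted format and the raw audit.log format sealert prints), separates enforced from permissive denials, merges them into allow rules, and renders a policy source approximating what the `ausearch -c 'hostapd' --raw | audit2allow -M my-hostapd` workaround produces. The rendering is an approximation of audit2allow's output, and the rules it emits are a local workaround only; the proper fix is the policy update shipped as selinux-policy-35.13-1.fc35.

```python
import re
from collections import defaultdict

# Constructed sample input: the four AVC records quoted in this bug report,
# in both formats seen on the page (ausearch -i interpreted output and raw
# audit.log lines as printed by sealert).
SAMPLE_AUDIT = """\
type=AVC msg=audit(01/12/2022 08:56:38.224:553) : avc: denied { write } for pid=7753 comm=hostapd name=wpa_ctrl_7902-1 dev="tmpfs" ino=87 scontext=system_u:system_r:hostapd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(01/12/2022 08:59:50.604:563) : avc: denied { sendto } for pid=10470 comm=hostapd path=/tmp/wpa_ctrl_10619-1 scontext=system_u:system_r:hostapd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=1
type=AVC msg=audit(01/12/2022 08:59:50.604:563) : avc: denied { write } for pid=10470 comm=hostapd name=wpa_ctrl_10619-1 dev="tmpfs" ino=96 scontext=system_u:system_r:hostapd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1684774773.629:101): avc:  denied  { write } for  pid=976 comm="hostapd" name="wpa_ctrl_1004-1" dev="tmpfs" ino=31 scontext=system_u:system_r:hostapd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file permissive=0
"""

# Matches: avc: denied { perm perm } for key=value key="quoted value" ...
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Type component of a user:role:type[:range] security context."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one AVC record into a dict, or return None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
    return {
        "perms": set(m.group("perms").split()),
        "comm": fields.get("comm"),
        # sock_file denials carry name=, socket denials carry path=
        "target": fields.get("path") or fields.get("name"),
        "stype": context_type(fields["scontext"]),
        "ttype": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        # permissive=0 means the access was actually blocked
        "enforced": fields.get("permissive") == "0",
    }


def parse_audit(text):
    """All AVC records in a block of audit output, in order."""
    return [r for r in (parse_avc(line) for line in text.splitlines()) if r]


def enforced_denials(records):
    """Denials that blocked an operation, as opposed to permissive-mode audits."""
    return [r for r in records if r["enforced"]]


def allow_rules(records):
    """Merge denials per (source type, target type, class) into allow rules
    in the style audit2allow prints them."""
    merged = defaultdict(set)
    for r in records:
        merged[(r["stype"], r["ttype"], r["tclass"])] |= r["perms"]
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        text = " ".join(sorted(perms))
        if len(perms) > 1:
            text = "{ %s }" % text
        rules.append("allow %s %s:%s %s;" % (stype, ttype, tclass, text))
    return rules


def local_module_te(records, name="my-hostapd"):
    """Render a policy source (.te) approximating what `audit2allow -M name`
    would write: module header, require block, allow rules."""
    types = sorted({r["stype"] for r in records} | {r["ttype"] for r in records})
    classes = defaultdict(set)
    for r in records:
        classes[r["tclass"]] |= r["perms"]
    lines = ["module %s 1.0;" % name, "", "require {"]
    lines += ["\ttype %s;" % t for t in types]
    for tclass, perms in sorted(classes.items()):
        text = " ".join(sorted(perms))
        lines.append("\tclass %s %s;" % (tclass, text if len(perms) == 1 else "{ %s }" % text))
    lines += ["}", ""] + allow_rules(records)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    recs = parse_audit(SAMPLE_AUDIT)
    for r in recs:
        mode = "blocked" if r["enforced"] else "permissive"
        print("%-10s %s -> %s:%s %s (%s)" % (mode, r["stype"], r["ttype"],
                                            r["tclass"], sorted(r["perms"]), r["target"]))
    print()
    print(local_module_te(recs))
```

Run against the embedded records it reports two blocked denials (the enforcing-mode write denials against user_tmp_t and tmp_t sock_files) and two permissive-mode audits, and renders three allow rules: write on sock_file for tmp_t and user_tmp_t, and sendto on unix_dgram_socket for unconfined_t. Feeding a real `ausearch -m avc` dump through `parse_audit` instead of the sample works the same way; comparing the enforced set against the full set is a quick way to tell whether a single local module will cover the whole chain or whether, as in this report, a second round in permissive mode is needed to surface the sendto denial.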