Bug 2064284
| Summary: | SELinux is preventing hostapd from 'sendto' accesses on the unix_dgram_socket /tmp/wpa_ctrl_439937-1. | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | David Jaša <djasa> | |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> | |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> | |
| Severity: | medium | Docs Contact: | Marc Muehlfeld <mmuehlfe> | |
| Priority: | medium | |||
| Version: | 8.5 | CC: | bz.list, dcaratti, dwalsh, extras-qa, goeran, grepl.miroslav, lmiksik, lvrabec, mmalik, mmuehlfe, omosnace, pkoncity, ssekidde, thomas, vmojzis, zpytela | |
| Target Milestone: | rc | Keywords: | Triaged | |
| Target Release: | 8.6 | Flags: | pm-rhel:
mirror+
|
|
| Hardware: | x86_64 | |||
| OS: | Linux | |||
| Whiteboard: | abrt_hash:cf3791fa6666e8f75bed00cfa1af5172163f1acaf3c9e30ed0a24410fb97308e; | |||
| Fixed In Version: | selinux-policy-3.14.3-95.el8 | Doc Type: | No Doc Update | |
| Doc Text: | Story Points: | --- | ||
| Clone Of: | 2032277 | |||
| : | 2064688 2068007 (view as bug list) | Environment: | ||
| Last Closed: | 2022-05-10 15:16:23 UTC | Type: | --- | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | 2032277 | |||
| Bug Blocks: | 2064688, 2068007 | |||
Following SELinux denial appeared in enforcing mode:
----
type=PROCTITLE msg=audit(03/16/2022 04:25:11.951:319) : proctitle=/usr/sbin/hostapd /etc/hostapd/hostapd.conf -P /run/hostapd.pid -B
type=PATH msg=audit(03/16/2022 04:25:11.951:319) : item=0 name=/tmp/wpa_ctrl_14365-1 inode=6849851 dev=fd:01 mode=socket,755 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(03/16/2022 04:25:11.951:319) : cwd=/
type=SOCKADDR msg=audit(03/16/2022 04:25:11.951:319) : saddr={ saddr_fam=local path=/tmp/wpa_ctrl_14365-1 }
type=SYSCALL msg=audit(03/16/2022 04:25:11.951:319) : arch=x86_64 syscall=sendto success=no exit=EACCES(Permission denied) a0=0xd a1=0x55b976925e10 a2=0x0 a3=0x0 items=1 ppid=1 pid=13805 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=hostapd exe=/usr/sbin/hostapd subj=system_u:system_r:hostapd_t:s0 key=(null)
type=AVC msg=audit(03/16/2022 04:25:11.951:319) : avc: denied { write } for pid=13805 comm=hostapd name=wpa_ctrl_14365-1 dev="vda1" ino=6849851 scontext=system_u:system_r:hostapd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=sock_file permissive=0
----
# rpm -qa selinux\* hostapd\* | sort
hostapd-2.10-1.el8.x86_64
selinux-policy-3.14.3-94.el8.noarch
selinux-policy-devel-3.14.3-94.el8.noarch
selinux-policy-targeted-3.14.3-94.el8.noarch
#
Following SELinux denials appeared in permissive mode:
----
type=PROCTITLE msg=audit(03/16/2022 04:31:03.406:331) : proctitle=/usr/sbin/hostapd /etc/hostapd/hostapd.conf -P /run/hostapd.pid -B
type=PATH msg=audit(03/16/2022 04:31:03.406:331) : item=0 name=/tmp/wpa_ctrl_23340-1 inode=7140085 dev=fd:01 mode=socket,755 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(03/16/2022 04:31:03.406:331) : cwd=/
type=SOCKADDR msg=audit(03/16/2022 04:31:03.406:331) : saddr={ saddr_fam=local path=/tmp/wpa_ctrl_23340-1 }
type=SYSCALL msg=audit(03/16/2022 04:31:03.406:331) : arch=x86_64 syscall=sendto success=yes exit=0 a0=0xd a1=0x55e90727bd10 a2=0x0 a3=0x0 items=1 ppid=1 pid=22786 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=hostapd exe=/usr/sbin/hostapd subj=system_u:system_r:hostapd_t:s0 key=(null)
type=AVC msg=audit(03/16/2022 04:31:03.406:331) : avc: denied { sendto } for pid=22786 comm=hostapd path=/tmp/wpa_ctrl_23340-1 scontext=system_u:system_r:hostapd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=1
type=AVC msg=audit(03/16/2022 04:31:03.406:331) : avc: denied { write } for pid=22786 comm=hostapd name=wpa_ctrl_23340-1 dev="vda1" ino=7140085 scontext=system_u:system_r:hostapd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=sock_file permissive=1
----
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2022:1995 |
Commits to backport: commit 840881f91be518f6cb9ca294ea0122be6aca6af4 Author: Zdenek Pytela <zpytela> Date: Wed Jan 26 11:31:58 2022 +0100 Allow hostapd talk with unconfined user over unix domain dgram socket commit f0cb46186be7437cd78c96271938b3902cec10b7 Author: Zdenek Pytela <zpytela> Date: Wed Jan 26 10:54:36 2022 +0100 Allow NetworkManager talk with unconfined user over unix domain dgram socket