Bug 2064688
| Summary: | SELinux is preventing hostapd from 'sendto' accesses on the unix_dgram_socket /tmp/wpa_ctrl_439937-1. | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 9 | Reporter: | David Jaša <djasa> |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | medium | Docs Contact: | Marc Muehlfeld <mmuehlfe> |
| Priority: | medium | ||
| Version: | 9.0 | CC: | bz.list, dwalsh, extras-qa, goeran, grepl.miroslav, lvrabec, mmalik, nknazeko, omosnace, pkoncity, ssekidde, thomas, vmojzis, zpytela |
| Target Milestone: | rc | Keywords: | Triaged |
| Target Release: | 9.1 | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | abrt_hash:cf3791fa6666e8f75bed00cfa1af5172163f1acaf3c9e30ed0a24410fb97308e; | ||
| Fixed In Version: | selinux-policy-34.1.30-2.el9 | Doc Type: | No Doc Update |
| Doc Text: | Story Points: | --- | |
| Clone Of: | 2064284 | Environment: | |
| Last Closed: | 2022-11-15 11:13:17 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2032277, 2064284 | ||
| Bug Blocks: | |||
Following SELinux denial appeared in enforcing mode:
----
type=PROCTITLE msg=audit(03/16/2022 08:54:13.640:332) : proctitle=/usr/sbin/hostapd /etc/hostapd/hostapd.conf -P /run/hostapd.pid -B
type=PATH msg=audit(03/16/2022 08:54:13.640:332) : item=0 name=/tmp/wpa_ctrl_9342-1 inode=148542 dev=fd:01 mode=socket,755 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(03/16/2022 08:54:13.640:332) : cwd=/
type=SOCKADDR msg=audit(03/16/2022 08:54:13.640:332) : saddr={ saddr_fam=local path=/tmp/wpa_ctrl_9342-1 }
type=SYSCALL msg=audit(03/16/2022 08:54:13.640:332) : arch=x86_64 syscall=sendto success=no exit=EACCES(Permission denied) a0=0xb a1=0x56535cd61a70 a2=0x0 a3=0x0 items=1 ppid=1 pid=9022 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=hostapd exe=/usr/sbin/hostapd subj=system_u:system_r:hostapd_t:s0 key=(null)
type=AVC msg=audit(03/16/2022 08:54:13.640:332) : avc: denied { write } for pid=9022 comm=hostapd name=wpa_ctrl_9342-1 dev="vda1" ino=148542 scontext=system_u:system_r:hostapd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=sock_file permissive=0
----
# rpm -qa selinux\* hostapd\* | sort
hostapd-2.10-1.el9.x86_64
selinux-policy-34.1.27-1.el9.noarch
selinux-policy-devel-34.1.27-1.el9.noarch
selinux-policy-targeted-34.1.27-1.el9.noarch
#
Following SELinux denials appeared in permissive mode:
----
type=PROCTITLE msg=audit(03/16/2022 09:26:28.668:343) : proctitle=/usr/sbin/hostapd /etc/hostapd/hostapd.conf -P /run/hostapd.pid -B
type=PATH msg=audit(03/16/2022 09:26:28.668:343) : item=0 name=/tmp/wpa_ctrl_14559-1 inode=148542 dev=fd:01 mode=socket,755 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(03/16/2022 09:26:28.668:343) : cwd=/
type=SOCKADDR msg=audit(03/16/2022 09:26:28.668:343) : saddr={ saddr_fam=local path=/tmp/wpa_ctrl_14559-1 }
type=SYSCALL msg=audit(03/16/2022 09:26:28.668:343) : arch=x86_64 syscall=sendto success=yes exit=0 a0=0xb a1=0x557fa90baa70 a2=0x0 a3=0x0 items=1 ppid=1 pid=14238 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=hostapd exe=/usr/sbin/hostapd subj=system_u:system_r:hostapd_t:s0 key=(null)
type=AVC msg=audit(03/16/2022 09:26:28.668:343) : avc: denied { sendto } for pid=14238 comm=hostapd path=/tmp/wpa_ctrl_14559-1 scontext=system_u:system_r:hostapd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=1
type=AVC msg=audit(03/16/2022 09:26:28.668:343) : avc: denied { write } for pid=14238 comm=hostapd name=wpa_ctrl_14559-1 dev="vda1" ino=148542 scontext=system_u:system_r:hostapd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=sock_file permissive=1
----
*** Bug 2068533 has been marked as a duplicate of this bug. *** *** Bug 2068533 has been marked as a duplicate of this bug. *** Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2022:8283 |
Commits to backport: commit 840881f91be518f6cb9ca294ea0122be6aca6af4 Author: Zdenek Pytela <zpytela> Date: Wed Jan 26 11:31:58 2022 +0100 Allow hostapd talk with unconfined user over unix domain dgram socket commit f0cb46186be7437cd78c96271938b3902cec10b7 Author: Zdenek Pytela <zpytela> Date: Wed Jan 26 10:54:36 2022 +0100 Allow NetworkManager talk with unconfined user over unix domain dgram socket