Bug 243509

Summary: SELinux is preventing /sbin/dhclient (dhcpc_t) "read write" to socket:[19896] (unconfined_t).
Product: [Fedora] Fedora Reporter: Martin Jürgens <ma>
Component: wlassistantAssignee: Tom "spot" Callaway <tcallawa>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low Docs Contact:
Priority: low    
Version: 7CC: dwalsh
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: 0.5.7-3.fc7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2007-08-02 03:41:38 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
selinux log none

Description Martin Jürgens 2007-06-09 09:58:57 UTC 
Description of problem:
When connecting to a unencrypted wireless network with wlassistant, I get a
SELINUX altert.

Version-Release number of selected component (if applicable):


How reproducible:
Every time

Steps to Reproduce:
1. Open wlassistant
2. Connect to unencrypted network
3.
  
Actual results:
Selinux warning pops up

Expected results:
Nothing should happen

Additional info:
See attached file
Comment 1 Martin Jürgens 2007-06-09 09:58:58 UTC 
Created attachment 156638 [details]
selinux log
Comment 4 Daniel Walsh 2007-07-10 13:57:36 UTC 
What is wlassistant?  Is this something started in the user session that the
dhclient then communicates with?
Comment 5 Martin Jürgens 2007-07-13 14:21:46 UTC 
Wlassistant is a tool to connection to wireless networks. It is available in the
Fedora 7 archive.
Comment 6 Daniel Walsh 2007-07-14 12:34:25 UTC 
This looks like a leaked file descriptor.  When wlassistant opens a
unix_stream_socket connection it is not setting the FD_CLOSEXEC flag on the file
descriptor.  Then when it execs ifup, dhclient tries to look at the access
available on all file descriptors handed to it, and generates these AVC messages.  

These messages can be safely ignored.  But wlassistant should be fixed.
Comment 7 Tom "spot" Callaway 2007-07-22 22:52:10 UTC 
Dan, I'm looking at the wlassistant code, and the only place I can see it
opening a socket is a few calls like this:

int iw_socket;
iw_socket = iw_sockets_open();//get kernel socket

Would the appropriate fix be to add (beneath the iw_sockets_open call):

int flags;
flags = fcntl(iw_socket, F_GETFD);
if (flags == -1)
   return 0;
flags |= FD_CLOEXEC;
if (fcntl(iw_socket, F_SETFD, flags) == -1)
   return 0;

If not, please point me to some sample code. Thanks.
Comment 8 Daniel Walsh 2007-07-23 14:07:49 UTC 
Yes that looks correct.
Comment 9 Tom "spot" Callaway 2007-07-24 15:31:01 UTC 
wlassistant-0.5.7-3.fc7 should be pushing to testing very soon now. Could the
original reporter please update and see if the SELinux alerts go away?
Comment 10 Fedora Update System 2007-07-25 05:10:09 UTC 
wlassistant-0.5.7-3.fc7 has been pushed to the Fedora 7 testing repository.  If problems still persist, please make note of it in this bug report.
Comment 11 Fedora Update System 2007-08-02 03:41:31 UTC 
wlassistant-0.5.7-3.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.