Bug 251858
| Summary: | SELinux is preventing /usr/sbin/wpa_supplicant (NetworkManager_t) "chown" to <Unknown> (NetworkManager_t) | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Dean Mander <knolderpoor> | ||||||
| Component: | selinux-policy-targeted | Assignee: | Daniel Walsh <dwalsh> | ||||||
| Status: | CLOSED WONTFIX | QA Contact: | Ben Levenson <benl> | ||||||
| Severity: | medium | Docs Contact: | |||||||
| Priority: | low | ||||||||
| Version: | 7 | CC: | caillon, dcbw, radford, triage | ||||||
| Target Milestone: | --- | ||||||||
| Target Release: | --- | ||||||||
| Hardware: | i386 | ||||||||
| OS: | Linux | ||||||||
| Whiteboard: | |||||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||||
| Doc Text: | Story Points: | --- | |||||||
| Clone Of: | Environment: | ||||||||
| Last Closed: | 2008-06-17 02:09:01 UTC | Type: | --- | ||||||
| Regression: | --- | Mount Type: | --- | ||||||
| Documentation: | --- | CRM: | |||||||
| Verified Versions: | Category: | --- | |||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||
| Embargoed: | |||||||||
| Attachments: |
|
||||||||
|
Description
Dean Mander
2007-08-12 19:57:27 UTC
Created attachment 161143 [details]
selinux error
Created attachment 161144 [details]
wpa_supplicant config file
YOu can add this rule using audit2allow grep NetworkManager /var/log/audit/audit.log | audit2allow -M mynetworkmanager semodule -i mynetworkmanager.pp I will add it to the next update selinux-policy-2.6.4-36 *** Bug 253567 has been marked as a duplicate of this bug. *** > I will add it to the next update
> selinux-policy-2.6.4-36
This is not fixed for me using: selinux-policy-2.6.4-38.fc7.
> > I will add it to the next update > > selinux-policy-2.6.4-36 > This is not fixed for me using: selinux-policy-2.6.4-38.fc7. avc: denied { chown } for comm="wpa_supplicant" egid=0 euid=0 exe="/usr/sbin/wpa_supplicant" exit=-1 fsgid=0 fsuid=0 gid=0 items=0 pid=18557 scontext=user_u:system_r:NetworkManager_t:s0 sgid=0 subj=user_u:system_r:NetworkManager_t:s0 suid=0 tclass=capability tcontext=user_u:system_r:NetworkManager_t:s0 tty=(none) uid=0 That is strange because that rule is in the 38 policy. If you grep chown /var/log/audit/audit.log | audit2why What does it say? (In reply to comment #7) > grep chown /var/log/audit/audit.log | audit2why > What does it say? My mistake. After upgrading I no longer get that message anymore. Still it doesn't work, and I get these: type=AVC msg=audit(1187642119.572:111): avc: denied { search } for pid=5293 comm="wpa_supplicant" name="tmp" dev=sda4 ino=22478849 scontext=user_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir Was caused by: Unknown - would be allowed by active policy Possible mismatch between this policy and the one under which the audit message was generated. Possible mismatch between current in-memory boolean settings vs. permanent ones. type=AVC msg=audit(1187642247.376:131): avc: denied { sendto } for pid=5396 comm="wpa_supplicant" name="wpa_ctrl_5398-4" scontext=user_u:system_r:NetworkManager_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=unix_dgram_socket Was caused by: Unknown - would be allowed by active policy Possible mismatch between this policy and the one under which the audit message was generated. Possible mismatch between current in-memory boolean settings vs. permanent ones. I am finally able to use wpa_cli / wpa_supplicant after installing these rules on top of selinux-policy-2.6.4-38.fc7. allow NetworkManager_t tmp_t:dir search; allow NetworkManager_t tmp_t:sock_file write; allow NetworkManager_t unconfined_t:unix_dgram_socket sendto; (In reply to comment #8) > (In reply to comment #7) > > grep chown /var/log/audit/audit.log | audit2why > > > What does it say? > > My mistake. After upgrading I no longer get that message anymore. Still it > doesn't work, and I get these: and this: type=AVC msg=audit(1187641614.592:65): avc: denied { write } for pid=4849 comm="wpa_supplicant" name="wpa_ctrl_4851-20" dev=sda4 ino=22478976 scontext=user_u:system_r:NetworkManager_t:s0 tcontext=user_u:object_r:tmp_t:s0 tclass=sock_file Was caused by: Unknown - would be allowed by active policy Possible mismatch between this policy and the one under which the audit message was generated. Possible mismatch between current in-memory boolean settings vs. permanent ones. If you setenforce 0 does network manager work? If not then this is not an SELinux problem. Never mind the previus response. I am finally able to use wpa_cli / wpa_supplicant after installing these rules on top of selinux-policy-2.6.4-38.fc7. allow NetworkManager_t tmp_t:dir search; allow NetworkManager_t tmp_t:sock_file write; allow NetworkManager_t unconfined_t:unix_dgram_socket sendto; Who/what is creating this sock_file? I don't know how wpa_supplicant works, but if wpa_supplicant communicates with wpa_cli over a socket created in /tmp. then this is probably not a good idea. They should be doing this via /var/run/NetworkManager. (In reply to comment #13) > Who/what is creating this sock_file? I don't know how wpa_supplicant works, but > if wpa_supplicant communicates with wpa_cli over a socket created in /tmp. Yes, wpa_gui and wpa_cli talk to the wpa_supplicant daemon over a unix domain socket created in /tmp. > then this is probably not a good idea. For whom? Security wise? > They should be doing this via /var/run/NetworkManager. I'm not sure what you mean by "via" here. Do you mean the socket should be created in that directory? Or that wpa_supplicant should be using some service provided by NetworkManager? Yes security wise, Apps running as root or with privs communicating on /tmp, have been susceptible to mischief. This also prevents tools like pam_namespace from working. I just blogged on this http://danwalsh.livejournal.com/11467.html Yes if a daemon wants to communicate with userspace, they should open a socket in /var/run/DAEMON and have DAC permissions that would allow the user to rw the sock_file. I talked to Dan Williams on this and he told me Network Manager is moving towards using dbus, which is the best solution. (In reply to comment #15) > Yes security wise, Apps running as root or with privs communicating on /tmp, > have been susceptible to mischief. > > This also prevents tools like pam_namespace from working. I just blogged on > this http://danwalsh.livejournal.com/11467.html > > Yes if a daemon wants to communicate with userspace, they should open a socket > in /var/run/DAEMON and have DAC permissions that would allow the user to rw the > sock_file. The daemon creates sockets like the following: /var/run/wpa_supplicant/wlan0 then users in a group spelled out in the config file can run wpa_cli/wpa_gui which then bind to a socket /tmp/wpa_gui-$$-$n and connect to the one in /var/run. How *specifically* is this unsafe? I am not saying it is unsafe, I am saying that things like this in the past have been unsafe. Who is creating the socket? Does this would in a pam_namespace environment? Why are we using multiple methods to communicate with Network Manager applications? DBUS Communications is currently allowed. Now I need to allow unix domain communications between NetworkManager and any unconfined socket. This message is a reminder that Fedora 7 is nearing the end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 7. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '7'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 7's end of life. Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 7 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora please change the 'version' of this bug. If you are unable to change the version, please add a comment here and someone will do it for you. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. If possible, it is recommended that you try the newest available Fedora distribution to see if your bug still exists. Please read the Release Notes for the newest Fedora distribution to make sure it will meet your needs: http://docs.fedoraproject.org/release-notes/ The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping Fedora 7 changed to end-of-life (EOL) status on June 13, 2008. Fedora 7 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. Thank you for reporting this bug and we are sorry it could not be fixed. |