Bug 443262

Summary: SELinux denied access requested by kismet_server.
Product: [Fedora] Fedora
Reporter: Need Real Name <kodis>
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low
Priority: low
Version: 8
CC: jkubin, rh-bugzilla
Hardware: All   
OS: Linux   
Doc Type: Bug Fix
Last Closed: 2008-05-02 19:54:57 UTC
Attachments:
Description Flags
/var/log/audit/audit.log none

Description Need Real Name 2008-04-19 20:58:36 UTC
Description of problem:
Kismet triggers an selinux access violation.

Version-Release number of selected component (if applicable):
Kismet 2007.10.R1

How reproducible:
Always.

Steps to Reproduce:
1. Enable selinux.
2. Run kismet.
3. Be disappointed.
  
Actual results:
Source 0 (rtl): Opening rt8180 source interface wlan0...
FATAL: socket: Permission denied
Done.

Expected results:
Cool network display.

Additional info:
Disabling selinux provides an unsatisfying workaround.

Comment 1 Enrico Scholz 2008-04-19 21:32:27 UTC
reassigning from 'kismet' to 'selinux-policy'...

Comment 2 Daniel Walsh 2008-04-20 11:06:11 UTC
Are there any avc messages in /var/log/audit/audit.log?

Comment 3 Need Real Name 2008-04-20 13:18:26 UTC
No audit.log, but messages has:
setroubleshoot: SELinux is preventing kismet_server (kismet_t) "create" to
<Unknown> (kismet_t). For complete SELinux messages. run sealert -l
e85c155b-d5d3-4423-9d44-dc30ddddfa83

The sealert output reports:
# sealert -l e85c155b-d5d3-4423-9d44-dc30ddddfa83

Summary:

SELinux is preventing kismet_server (kismet_t) "create" to <Unknown> (kismet_t).

Detailed Description:

SELinux denied access requested by kismet_server. It is not expected that this
access is required by kismet_server and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:kismet_t:s0
Target Context                system_u:system_r:kismet_t:s0
Target Objects                None [ packet_socket ]
Source                        kismet_server
Source Path                   /usr/bin/kismet_server
Port                          <Unknown>
Host                          papa.home
Source RPM Packages           kismet-0.0.2007.10.R1-0.fc8
Target RPM Packages           
Policy RPM                    selinux-policy-3.0.8-95.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     papa.home
Platform                      Linux papa.home 2.6.24.4-64.fc8 #1 SMP Sat Mar 29
                              09:15:49 EDT 2008 x86_64 x86_64
Alert Count                   5
First Seen                    Sat Apr 19 16:51:39 2008
Last Seen                     Sun Apr 20 09:15:06 2008
Local ID                      e85c155b-d5d3-4423-9d44-dc30ddddfa83
Line Numbers                  

Raw Audit Messages            

host=papa.home type=AVC msg=audit(1208697306.99:1292): avc:  denied  { create }
for  pid=24263 comm="kismet_server" scontext=system_u:system_r:kismet_t:s0
tcontext=system_u:system_r:kismet_t:s0 tclass=packet_socket

host=papa.home type=SYSCALL msg=audit(1208697306.99:1292): arch=c000003e
syscall=41 success=no exit=-13 a0=11 a1=3 a2=300 a3=3df95529f0 items=0
ppid=24262 pid=24263 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=pts0 comm="kismet_server" exe="/usr/bin/kismet_server"
subj=system_u:system_r:kismet_t:s0 key=(null)
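
Added example (not part of the original report or of any SELinux tool): a short Python script that pairs the AVC and SYSCALL records quoted in Comment 3 by event id and decodes them. It shows that the denied call is socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL)), the raw packet socket a wireless sniffer opens, and which type-enforcement rule the denial corresponds to. The lookup tables and function names are assumptions of this example and cover only the values in this record.

```python
import re

# AVC/SYSCALL pair copied from Comment 3, wrapped lines rejoined.
RAW = '''\
host=papa.home type=AVC msg=audit(1208697306.99:1292): avc:  denied  { create } for  pid=24263 comm="kismet_server" scontext=system_u:system_r:kismet_t:s0 tcontext=system_u:system_r:kismet_t:s0 tclass=packet_socket
host=papa.home type=SYSCALL msg=audit(1208697306.99:1292): arch=c000003e syscall=41 success=no exit=-13 a0=11 a1=3 a2=300 a3=3df95529f0 items=0 ppid=24262 pid=24263 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="kismet_server" exe="/usr/bin/kismet_server" subj=system_u:system_r:kismet_t:s0 key=(null)
'''

# Lookup tables cover only the values in this record (x86_64 Linux).
SYSCALLS, FAMILIES = {41: "socket"}, {0x11: "AF_PACKET"}
SOCK_TYPES, ERRNOS = {3: "SOCK_RAW"}, {13: "EACCES"}

def parse(raw):
    """Group audit records by event id (timestamp:serial), then record type."""
    events = {}
    for line in raw.splitlines():
        m = re.search(r"type=(\w+) msg=audit\(([\d.]+:\d+)\): (.*)", line)
        if not m:
            continue
        rtype, event_id, body = m.groups()
        fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', body))
        perms = re.search(r"\{ ([^}]*) \}", body)
        if perms:
            fields["perms"] = perms.group(1).split()
        events.setdefault(event_id, {})[rtype] = fields
    return events

def describe_syscall(sc):
    """Decode a SYSCALL record: a0..a3 are hex, exit is signed decimal."""
    name = SYSCALLS.get(int(sc["syscall"]), "syscall_" + sc["syscall"])
    a0, a1, a2 = (int(sc[k], 16) for k in ("a0", "a1", "a2"))
    if name == "socket":
        # Protocol is passed in network byte order: 0x0300 is htons(0x0003).
        proto = int.from_bytes((a2 & 0xFFFF).to_bytes(2, "little"), "big")
        args = f"{FAMILIES.get(a0, a0)}, {SOCK_TYPES.get(a1, a1)}, htons({proto:#06x})"
    else:
        args = f"{a0:#x}, {a1:#x}, {a2:#x}"
    return f"{name}({args}) -> {ERRNOS.get(-int(sc['exit']), sc['exit'])}"

def allow_rule(avc):
    """Type-enforcement rule matching one denial; 'self' when source == target."""
    src, tgt = (avc[k].split(":")[2] for k in ("scontext", "tcontext"))
    target = "self" if tgt == src else tgt
    return f"allow {src} {target}:{avc['tclass']} {{ {' '.join(avc['perms'])} }};"

if __name__ == "__main__":
    for event_id, recs in parse(RAW).items():
        print(event_id, describe_syscall(recs["SYSCALL"]), allow_rule(recs["AVC"]))
```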


Comment 4 Need Real Name 2008-04-20 13:40:45 UTC
But wait, there's more!  If I set enforcing to 0, kismet starts up, but there
are many more selinux messages in the log:

Apr 20 09:36:38 papa dbus: avc:  received setenforce notice (enforcing=0)
Apr 20 09:36:43 papa setroubleshoot: SELinux is preventing kismet_server
(kismet_t) "ioctl" to socket (kismet_t). For complete SELinux messages. run
sealert -l ff8de3d9-1268-47eb-b6e8-13dc2dc56c5f
Apr 20 09:36:43 papa setroubleshoot: SELinux is preventing kismet_server
(kismet_t) "create" to <Unknown> (kismet_t). For complete SELinux messages. run
sealert -l e85c155b-d5d3-4423-9d44-dc30ddddfa83
Apr 20 09:36:43 papa setroubleshoot: SELinux is preventing kismet_server
(kismet_t) "bind" to <Unknown> (kismet_t). For complete SELinux messages. run
sealert -l 4f644161-601f-41ff-9678-d0587a3607ba
Apr 20 09:36:43 papa setroubleshoot: SELinux is preventing kismet_server
(kismet_t) "create" to <Unknown> (kismet_t). For complete SELinux messages. run
sealert -l 2a70fae6-4e5b-4237-93d2-2e5f8c17c098
Apr 20 09:36:43 papa setroubleshoot: SELinux is preventing kismet_server
(kismet_t) "setopt" to <Unknown> (kismet_t). For complete SELinux messages. run
sealert -l 27f9b21a-bcd2-4b97-9d0b-58467f811b28
Apr 20 09:36:43 papa setroubleshoot: SELinux is preventing kismet_server
(kismet_t) "getopt" to <Unknown> (kismet_t). For complete SELinux messages. run
sealert -l 8fd16776-2e9b-4646-87e9-9b6c46d64790
Apr 20 09:36:43 papa setroubleshoot: SELinux is preventing kismet_server
(kismet_t) "write" to system_bus_socket (system_dbusd_var_run_t). For complete
SELinux messages. run sealert -l c4b9bb16-56a4-4974-968a-eeb4e3b8e50c
Apr 20 09:36:43 papa setroubleshoot: SELinux is preventing the kismet_server
(kismet_t) from binding to port 2501. For complete SELinux messages. run sealert
-l f57f4891-3bac-4d1b-9e7d-9b8e7b9cc267
Apr 20 09:36:43 papa setroubleshoot: SELinux is preventing kismet_server
(kismet_t) "listen" to <Unknown> (kismet_t). For complete SELinux messages. run
sealert -l 6dedd413-9cd4-4f59-8be3-69df233575ab
Apr 20 09:36:43 papa setroubleshoot: SELinux is preventing kismet_server
(kismet_t) "read" to <Unknown> (kismet_t). For complete SELinux messages. run
sealert -l c58dfadd-0584-4109-8834-5f555ad612b6
Apr 20 09:36:43 papa setroubleshoot: SELinux is preventing kismet_server
(kismet_t) "write" to <Unknown> (kismet_t). For complete SELinux messages. run
sealert -l cb57f0df-ef44-44e8-87b1-857411c0c03c
Apr 20 09:36:43 papa setroubleshoot: SELinux is preventing kismet_server
(kismet_t) "read" to <Unknown> (kismet_t). For complete SELinux messages. run
sealert -l fc616aba-b641-464d-91cf-86db38f0efbb
Apr 20 09:36:47 papa setroubleshoot: SELinux is preventing the kismet_client
from using potentially mislabeled files (./group_map). For complete SELinux
messages. run sealert -l 138ac0b4-7ecb-4067-928e-28a8f525d898
Apr 20 09:36:47 papa setroubleshoot: SELinux is preventing kismet_client
(kismet_t) "read" to ./info (proc_t). For complete SELinux messages. run sealert
-l c2625b1d-32b2-4b1f-969f-cc34c02d65d2
Apr 20 09:36:47 papa setroubleshoot: SELinux is preventing the kismet_client
from using potentially mislabeled files (/root/group_map). For complete SELinux
messages. run sealert -l eaad1860-bdc3-4a66-8b79-b352cf9edce6
Apr 20 09:36:47 papa setroubleshoot: SELinux is preventing the kismet_client
(kismet_t) from connecting to port 2501. For complete SELinux messages. run
sealert -l 55af7385-2997-4ec7-999a-70226628e971
Apr 20 09:36:47 papa setroubleshoot: SELinux is preventing kismet_client
(kismet_t) "node_bind" to <Unknown> (inaddr_any_node_t). For complete SELinux
messages. run sealert -l 16f6ba86-5a12-46fa-9943-f23f9d5bc3d6
Apr 20 09:36:47 papa setroubleshoot: SELinux is preventing kismet_server
(kismet_t) "accept" to <Unknown> (kismet_t). For complete SELinux messages. run
sealert -l 87c1623d-aae6-4aa7-9866-d02c36ccf2c8
Apr 20 09:36:47 papa setroubleshoot: SELinux is preventing kismet_client
(kismet_t) "read" to xterm (usr_t). For complete SELinux messages. run sealert
-l 7beeb23f-e2fe-48ae-bb72-e327e7b9841d
Apr 20 09:36:50 papa setroubleshoot: SELinux is preventing play (kismet_t)
"read" to ./traffic.wav (usr_t). For complete SELinux messages. run sealert -l
145b033d-e2eb-42ac-8051-10f76d1c3110
Apr 20 09:36:50 papa setroubleshoot: SELinux is preventing play (kismet_t)
"getattr" to /usr/share/kismet/wav/traffic.wav (usr_t). For complete SELinux
messages. run sealert -l d8f223c1-62ba-4473-a189-7a6fa96df0cb
Apr 20 09:36:50 papa setroubleshoot: SELinux is preventing the play from using
potentially mislabeled files (/root/.pulse-cookie). For complete SELinux
messages. run sealert -l 0fea8eee-a5d9-4edb-a9b5-f057cfcd0397
Apr 20 09:36:50 papa setroubleshoot: SELinux is preventing the play from using
potentially mislabeled files (./.pulse-cookie). For complete SELinux messages.
run sealert -l bae0056b-fd09-4664-a8e5-d9d6616121e3
Apr 20 09:36:50 papa setroubleshoot: SELinux is preventing play (kismet_t)
"read" to / (tmpfs_t). For complete SELinux messages. run sealert -l
6745348d-fe59-4430-bd09-043f51e1e410
Apr 20 09:36:50 papa setroubleshoot: SELinux is preventing play (kismet_t)
"write" to / (tmpfs_t). For complete SELinux messages. run sealert -l
a020d729-0eb3-4b48-97f7-22a323a54e5a
Apr 20 09:36:50 papa setroubleshoot: SELinux is preventing play (kismet_t)
"kill" to <Unknown> (kismet_t). For complete SELinux messages. run sealert -l
70e3d894-d10b-4ac8-b2c2-7193867733ad
Apr 20 09:36:50 papa setroubleshoot: SELinux is preventing play (kismet_t)
"getattr" to / (tmpfs_t). For complete SELinux messages. run sealert -l
a02dbbc0-5b70-4e13-983e-e9ebd529df08
Apr 20 09:36:50 papa setroubleshoot: SELinux is preventing play (kismet_t)
"dac_override" to <Unknown> (kismet_t). For complete SELinux messages. run
sealert -l c216c108-c8ac-457c-906b-ce0e1e8b8c77
Apr 20 09:36:50 papa setroubleshoot: SELinux is preventing play (kismet_t)
"getattr" to /dev/shm/pulse-shm-3394103506 (unconfined_tmpfs_t). For complete
SELinux messages. run sealert -l 8f205aa4-8b96-4744-8522-e665f99de743
Apr 20 09:36:50 papa setroubleshoot: SELinux is preventing play (kismet_t)
"remove_name" to ./pulse-shm-771863178 (tmpfs_t). For complete SELinux messages.
run sealert -l 14811fce-38ff-4970-8883-85d3f7cca477
Apr 20 09:36:56 papa setroubleshoot: SELinux is preventing kismet_client
(kismet_t) "sigkill" to <Unknown> (kismet_t). For complete SELinux messages. run
sealert -l 9250cbe3-0828-4b86-ac9e-6a5069505cd7
Apr 20 09:36:56 papa setroubleshoot: SELinux is preventing kismet (kismet_t)
"signal" to <Unknown> (kismet_t). For complete SELinux messages. run sealert -l
52c45f8a-3bde-46de-8e6e-834008a35044
Apr 20 09:37:24 papa dbus: avc:  received setenforce notice (enforcing=1)


Comment 5 Daniel Walsh 2008-04-21 17:24:40 UTC
Please attach the /var/log/audit/audit.log



Comment 6 Need Real Name 2008-04-29 22:42:32 UTC
Created attachment 304163
/var/log/audit/audit.log

Comment 7 Need Real Name 2008-04-29 22:45:23 UTC
I've recently upgraded to Fedora 9 Preview, and am seeing the same SELinux
denials when running kismet.  Attached is the audit.log file that results from
truncating the log, setting selinux enforcing to 0, and running kismet as root.

Comment 8 Daniel Walsh 2008-05-02 19:39:35 UTC
This looks like kismet is running in an xterm?  Also looks like kismet is
playing pulseaudio?

I think something is wrong.

Comment 9 Daniel Walsh 2008-05-02 19:54:57 UTC
Fixed in selinux-policy-3.0.8-102.fc8

I changed context to only affect kismet_server and added appropriate audit messages.

Fixed in selinux-policy-3.3.1-44.fc9