Bug 693149
| Summary: | wpa_cli fails to connect to running wpa_supplicant due to selinux | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 5 | Reporter: | Aleksey Nogin <aleksey> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 5.6 | CC: | dwalsh, mmalik |
| Target Milestone: | rc | Keywords: | Reopened |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | selinux-policy-2.4.6-320.el5 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2012-02-21 05:46:46 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |

Description
Aleksey Nogin
2011-04-03 04:43:49 UTC
Could you test it with the latest RHEL5 policy?

http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch/

```
Summary:

SELinux is preventing the wpa_supplicant from using potentially mislabeled files
(wpa_ctrl_7782-0).

Detailed Description:

SELinux has denied wpa_supplicant access to potentially mislabeled file(s)
(wpa_ctrl_7782-0). This means that SELinux will not allow wpa_supplicant to use
these files. It is common for users to edit files in their home directory or tmp
directories and then move (mv) them to system directories. The problem is that
the files end up with the wrong file context which confined applications are not
allowed to access.

Allowing Access:

If you want wpa_supplicant to access this files, you need to relabel them using
restorecon -v 'wpa_ctrl_7782-0'. You might want to relabel the entire directory
using restorecon -R -v '<Неизвестно>'.

Additional Information:

Source Context                user_u:system_r:NetworkManager_t
Target Context                user_u:object_r:tmp_t
Target Objects                wpa_ctrl_7782-0 [ sock_file ]
Source                        wpa_supplicant
Source Path                   /usr/sbin/wpa_supplicant
Port                          <Unknown>
Host                          hostname
Source RPM Packages           wpa_supplicant-0.5.10-9.el5
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-300.el5_6.1
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   home_tmp_bad_labels
Host Name                     hostname
Platform                      Linux hostname 2.6.18-238.9.1.el5 #1 SMP Tue Apr 12 18:10:56 EDT 2011 i686 i686
Alert Count                   1
First Seen                    Wed May 4 09:50:24 2011
Last Seen                     Wed May 4 09:50:24 2011
Local ID                      7c617a99-fccf-4dc4-819f-795c9f449553
Line Numbers

Raw Audit Messages

host=hostname type=AVC msg=audit(1304527824.146:46314): avc: denied { write } for pid=25821 comm="wpa_supplicant" name="wpa_ctrl_7782-0" dev=dm-2 ino=76 scontext=user_u:system_r:NetworkManager_t:s0 tcontext=user_u:object_r:tmp_t:s0 tclass=sock_file

host=hostname type=SYSCALL msg=audit(1304527824.146:46314): arch=40000003 syscall=102 success=no exit=-13 a0=b a1=bffa5680 a2=99fa080 a3=bffa56bb items=0 ppid=1 pid=25821 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=29 comm="wpa_supplicant" exe="/usr/sbin/wpa_supplicant" subj=user_u:system_r:NetworkManager_t:s0 key=(null)
```

This should be fixed in the latest release which is also available on

http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch/

Still there with the -316 policy:

```
Source Context                user_u:system_r:NetworkManager_t
Target Context                user_u:system_r:unconfined_t
Target Objects                /tmp/wpa_ctrl_22848-0 [ unix_dgram_socket ]
Source                        wpa_supplicant
Source Path                   /usr/sbin/wpa_supplicant
Port                          <Unknown>
Host                          hp.nogin.org
Source RPM Packages           wpa_supplicant-0.5.10-9.el5
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-316.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     hostname
Platform                      Linux hostname 2.6.18-274.el5 #1 SMP Fri Jul 22 04:49:12 EDT 2011 i686 i686
Alert Count                   1
First Seen                    Wed Nov 23 14:04:00 2011
Last Seen                     Wed Nov 23 14:04:00 2011
Local ID                      baf7eefc-2aff-4ebb-898a-b18671fe4d13
Line Numbers

Raw Audit Messages

host=hp.nogin.org type=AVC msg=audit(1322085840.219:581702): avc: denied { sendto } for pid=16173 comm="wpa_supplicant" path="/tmp/wpa_ctrl_22848-0" scontext=user_u:system_r:NetworkManager_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=unix_dgram_socket

host=hp.nogin.org type=SYSCALL msg=audit(1322085840.219:581702): arch=40000003 syscall=102 success=no exit=-13 a0=b a1=bfbad0f0 a2=83ca260 a3=bfbad12b items=0 ppid=1 pid=16173 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=229 comm="wpa_supplicant" exe="/usr/sbin/wpa_supplicant" subj=user_u:system_r:NetworkManager_t:s0 key=(null)
```

How did you start wpa?

What does

# ps -eZ | grep wpa

(In reply to comment #5)
> How did you start wpa?

sudo /sbin/service wpa_supplicant restart

(I have wpa_supplicant's init rc script enabled in and NetworkManager one disabled as this is on a desktop with a static IP and static connection).

> # ps -eZ | grep wpa

user_u:system_r:NetworkManager_t 16173 ? 00:00:07 wpa_supplicant

Also, just tried on another machine where wpa_supplicant is running under NetworkManager and got the same audit messages trying to execute wpa_cli.

Ok, I will backport a fix from RHEL6.

Fixed in selinux-policy-2.4.6-320.el5

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0158.html
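
Added example (not part of the bug report or of any Red Hat tooling): a small Python parser run over the two AVC records quoted in this thread, grouping each denial by source type, target type and object class in the same rule shape that audit2allow prints. The function names are hypothetical, and the resulting `allow` lines only summarise what was denied for triage; they are not the policy change shipped in selinux-policy-2.4.6-320.el5.

```python
import re
from collections import defaultdict

# The two AVC records quoted in the report, copied as-is.
AUDIT_LOG = '''\
host=hostname type=AVC msg=audit(1304527824.146:46314): avc: denied { write } for pid=25821 comm="wpa_supplicant" name="wpa_ctrl_7782-0" dev=dm-2 ino=76 scontext=user_u:system_r:NetworkManager_t:s0 tcontext=user_u:object_r:tmp_t:s0 tclass=sock_file
host=hp.nogin.org type=AVC msg=audit(1322085840.219:581702): avc: denied { sendto } for pid=16173 comm="wpa_supplicant" path="/tmp/wpa_ctrl_22848-0" scontext=user_u:system_r:NetworkManager_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=unix_dgram_socket
'''

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial line, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    if not {'scontext', 'tcontext', 'tclass'} <= rec.keys():
        return None  # truncated record: nothing reliable to report
    rec['perms'] = m.group('perms').split()
    # A context is user:role:type[:level]; the type is the third field.
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    return rec


def summarize(log_text):
    """Group denials by (source type, target type, class) -> sorted permissions."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            grouped[(rec['stype'], rec['ttype'], rec['tclass'])].update(rec['perms'])
    return {k: sorted(v) for k, v in grouped.items()}


def as_rules(summary):
    """Render each group in policy 'allow' syntax so denials can be compared."""
    return ['allow %s %s:%s { %s };' % (s, t, c, ' '.join(p))
            for (s, t, c), p in sorted(summary.items())]


if __name__ == '__main__':
    for rule in as_rules(summarize(AUDIT_LOG)):
        print(rule)
```

The two lines it prints differ in target type and class: the first denial is a `write` on a `tmp_t` socket file, the second a `sendto` to an `unconfined_t` datagram socket, which is why the report did not go away between the -300 and -316 policies even though the first AVC no longer appeared.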