Bug 693149

Summary: wpa_cli fails to connect to running wpa_supplicant due to selinux
Product: Red Hat Enterprise Linux 5
Reporter: Aleksey Nogin <aleksey>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: medium
Docs Contact:
Priority: medium
Version: 5.6
CC: dwalsh, mmalik
Target Milestone: rc
Keywords: Reopened
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: selinux-policy-2.4.6-320.el5
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-02-21 05:46:46 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Aleksey Nogin 2011-04-03 04:43:49 UTC
When wpa_supplicant is running, attempts to use wpa_cli fail (whether as root or as a regular user):

---------------------------------------------------
% wpa_cli scan
Selected interface 'ra0'
'SCAN' command timed out.
% sealert -l 8bfd6100-a375-4eec-9f50-1c85d0b9233f
[...]
SELinux is preventing the wpa_supplicant from using potentially mislabeled files
(wpa_ctrl_18934-0).
[...]
Source Context                system_u:system_r:NetworkManager_t
Target Context                user_u:object_r:tmp_t
Target Objects                wpa_ctrl_18934-0 [ sock_file ]
Source                        wpa_supplicant
Source Path                   /usr/sbin/wpa_supplicant
Port                          <Unknown>
Host                          hp.nogin.org
Source RPM Packages           wpa_supplicant-0.5.10-9.el5
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-279.el5_5.2
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   home_tmp_bad_labels
Host Name                     hostname
Platform                      Linux hostname 2.6.18-194.32.1.el5 #1 SMP Wed
                              Jan 5 17:53:09 EST 2011 i686 i686
Alert Count                   1
First Seen                    Sat Apr  2 21:39:21 2011
Last Seen                     Sat Apr  2 21:39:21 2011
Local ID                      8bfd6100-a375-4eec-9f50-1c85d0b9233f
Line Numbers

Raw Audit Messages

host=hostname type=AVC msg=audit(1301805561.772:370): avc:  denied  { write } for  pid=2534 comm="wpa_supplicant" name="wpa_ctrl_18934-0" dev=dm-2 ino=119 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=user_u:object_r:tmp_t:s0 tclass=sock_file

host=hostname type=SYSCALL msg=audit(1301805561.772:370): arch=40000003 syscall=102 success=no exit=-13 a0=b a1=bf816830 a2=9efa4f0 a3=bf81686b items=0 ppid=1 pid=2534 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="wpa_supplicant" exe="/usr/sbin/wpa_supplicant" subj=system_u:system_r:NetworkManager_t:s0 key=(null)

------------------------------------------------------

This is caused by wpa_cli creating a temporary socket file in /tmp to communicate with wpa_supplicant.

This bug was reported against Fedora 9 in bug 424611 - apparently it was fixed in selinux-policy-3.3.1-115.fc9

Comment 1 Miroslav Grepl 2011-04-07 07:19:49 UTC
Could you test it with the latest RHEL5 policy?

http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch/

Comment 2 Aleksey Nogin 2011-05-04 16:55:29 UTC
Summary:

SELinux is preventing the wpa_supplicant from using potentially mislabeled files
(wpa_ctrl_7782-0).

Detailed Description:

SELinux has denied wpa_supplicant access to potentially mislabeled file(s)
(wpa_ctrl_7782-0). This means that SELinux will not allow wpa_supplicant to use
these files. It is common for users to edit files in their home directory or tmp
directories and then move (mv) them to system directories. The problem is that
the files end up with the wrong file context which confined applications are not
allowed to access.

Allowing Access:

If you want wpa_supplicant to access this files, you need to relabel them using
restorecon -v 'wpa_ctrl_7782-0'. You might want to relabel the entire directory
using restorecon -R -v '<Неизвестно>'.

Additional Information:

Source Context                user_u:system_r:NetworkManager_t
Target Context                user_u:object_r:tmp_t
Target Objects                wpa_ctrl_7782-0 [ sock_file ]
Source                        wpa_supplicant
Source Path                   /usr/sbin/wpa_supplicant
Port                          <Unknown>
Host                          hostname
Source RPM Packages           wpa_supplicant-0.5.10-9.el5
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-300.el5_6.1
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   home_tmp_bad_labels
Host Name                     hostname
Platform                      Linux hostname 2.6.18-238.9.1.el5 #1 SMP Tue
                              Apr 12 18:10:56 EDT 2011 i686 i686
Alert Count                   1
First Seen                    Wed May  4 09:50:24 2011
Last Seen                     Wed May  4 09:50:24 2011
Local ID                      7c617a99-fccf-4dc4-819f-795c9f449553
Line Numbers

Raw Audit Messages

host=hostname type=AVC msg=audit(1304527824.146:46314): avc:  denied  { write } for  pid=25821 comm="wpa_supplicant" name="wpa_ctrl_7782-0" dev=dm-2 ino=76 scontext=user_u:system_r:NetworkManager_t:s0 tcontext=user_u:object_r:tmp_t:s0 tclass=sock_file

host=hostname type=SYSCALL msg=audit(1304527824.146:46314): arch=40000003 syscall=102 success=no exit=-13 a0=b a1=bffa5680 a2=99fa080 a3=bffa56bb items=0 ppid=1 pid=25821 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=29 comm="wpa_supplicant" exe="/usr/sbin/wpa_supplicant" subj=user_u:system_r:NetworkManager_t:s0 key=(null)

Comment 3 Miroslav Grepl 2011-06-06 12:40:54 UTC
This should be fixed in the latest release which is also available on

http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch/

Comment 4 Aleksey Nogin 2011-11-23 22:50:15 UTC
Still there with the -316 policy:

Source Context                user_u:system_r:NetworkManager_t
Target Context                user_u:system_r:unconfined_t
Target Objects                /tmp/wpa_ctrl_22848-0 [ unix_dgram_socket ]
Source                        wpa_supplicant
Source Path                   /usr/sbin/wpa_supplicant
Port                          <Unknown>
Host                          hp.nogin.org
Source RPM Packages           wpa_supplicant-0.5.10-9.el5
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-316.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     hostname
Platform                      Linux hostname 2.6.18-274.el5 #1 SMP Fri Jul
                              22 04:49:12 EDT 2011 i686 i686
Alert Count                   1
First Seen                    Wed Nov 23 14:04:00 2011
Last Seen                     Wed Nov 23 14:04:00 2011
Local ID                      baf7eefc-2aff-4ebb-898a-b18671fe4d13
Line Numbers

Raw Audit Messages

host=hp.nogin.org type=AVC msg=audit(1322085840.219:581702): avc:  denied  { sendto } for  pid=16173 comm="wpa_supplicant" path="/tmp/wpa_ctrl_22848-0" scontext=user_u:system_r:NetworkManager_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=unix_dgram_socket

host=hp.nogin.org type=SYSCALL msg=audit(1322085840.219:581702): arch=40000003 syscall=102 success=no exit=-13 a0=b a1=bfbad0f0 a2=83ca260 a3=bfbad12b items=0 ppid=1 pid=16173 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=229 comm="wpa_supplicant" exe="/usr/sbin/wpa_supplicant" subj=user_u:system_r:NetworkManager_t:s0 key=(null)
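
The three AVC records in this report show the denial changing shape as the policy moved from -279 through -316: first a `write` to a `sock_file` labelled `tmp_t`, then a `sendto` to an `unconfined_t` `unix_dgram_socket`. The following is an added example, not code from the bug or from the selinux-policy package, that parses such records, splits the security contexts, emits the minimal `allow` rule each denial describes (the same reading audit2allow performs), and sorts them into "file label" versus "process-to-process IPC" categories. The parser, the `FILE_CLASSES` set and the two triage labels are this example's own choices; the audit lines are copied verbatim from comments 0, 2 and 4 above.

```python
import re
from collections import Counter

# AVC records copied verbatim from this bug report (comments 0, 2 and 4).
AVC_LINES = [
    'host=hostname type=AVC msg=audit(1301805561.772:370): avc:  denied  { write } for  pid=2534 comm="wpa_supplicant" name="wpa_ctrl_18934-0" dev=dm-2 ino=119 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=user_u:object_r:tmp_t:s0 tclass=sock_file',
    'host=hostname type=AVC msg=audit(1304527824.146:46314): avc:  denied  { write } for  pid=25821 comm="wpa_supplicant" name="wpa_ctrl_7782-0" dev=dm-2 ino=76 scontext=user_u:system_r:NetworkManager_t:s0 tcontext=user_u:object_r:tmp_t:s0 tclass=sock_file',
    'host=hp.nogin.org type=AVC msg=audit(1322085840.219:581702): avc:  denied  { sendto } for  pid=16173 comm="wpa_supplicant" path="/tmp/wpa_ctrl_22848-0" scontext=user_u:system_r:NetworkManager_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=unix_dgram_socket',
]

# Header of an AVC record: timestamp, serial, result and the permission set in braces.
AVC_RE = re.compile(
    r'msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+avc:\s+(?P<result>denied|granted)'
    r'\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$'
)
# key=value pairs after "for"; values are either double-quoted or bare tokens.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Object classes whose target label lives on a filesystem object (fixable by relabeling
# if the label is wrong). Chosen for this example; not an exhaustive list.
FILE_CLASSES = {'file', 'dir', 'lnk_file', 'sock_file', 'fifo_file', 'chr_file', 'blk_file'}


def split_context(ctx):
    """Split user:role:type[:range] into parts; an MLS range may itself contain ':'."""
    user, role, typ, *rest = ctx.split(':')
    return {'user': user, 'role': role, 'type': typ, 'range': ':'.join(rest) or None}


def parse_avc(line):
    """Parse one audit AVC record into a dict, or return None for any other record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return {
        'timestamp': float(m.group('ts')),
        'serial': int(m.group('serial')),
        'result': m.group('result'),
        'perms': m.group('perms').split(),
        'comm': fields.get('comm'),
        'pid': int(fields['pid']) if 'pid' in fields else None,
        # sock_file denials carry name=, socket denials carry path=
        'object': fields.get('path') or fields.get('name'),
        'tclass': fields.get('tclass'),
        'scontext': split_context(fields['scontext']),
        'tcontext': split_context(fields['tcontext']),
    }


def to_allow_rule(rec):
    """Render the minimal TE rule that would permit exactly this denied access."""
    return 'allow %s %s:%s { %s };' % (
        rec['scontext']['type'], rec['tcontext']['type'], rec['tclass'], ' '.join(rec['perms']))


def triage(rec):
    """Rough sorting used by this example: is the target a labelled filesystem object
    (check its label with ls -Z / restorecon) or another process's socket, where no
    relabeling helps and only a policy rule can resolve the denial?"""
    tclass = rec['tclass'] or ''
    if tclass in FILE_CLASSES:
        return 'file-label'
    if tclass.endswith('_socket'):
        return 'ipc-policy'
    return 'other'


def summarize(lines):
    """Count distinct (source type, target type, class, perms) combinations as rules."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec is not None and rec['result'] == 'denied':
            counts[to_allow_rule(rec)] += 1
    return counts


if __name__ == '__main__':
    for line in AVC_LINES:
        rec = parse_avc(line)
        print('%-12s %s' % (triage(rec), to_allow_rule(rec)))
    for rule, n in summarize(AVC_LINES).items():
        print('%d x %s' % (n, rule))
```

The point of the summary is that the same `comm` and source domain produce two different rules across the three reports, so the -316 policy had closed the `tmp_t` path but not the datagram reply to the unconfined `wpa_cli` process. Rules rendered this way describe what was denied, not what the maintainer should allow; the resolution on this bug was a backported policy update (comment 7), not a locally generated rule.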

Comment 5 Miroslav Grepl 2011-11-24 09:53:57 UTC
How did you start wpa?

What does

# ps -eZ | grep wpa

Comment 6 Aleksey Nogin 2011-11-25 05:38:27 UTC
(In reply to comment #5)
> How did you start wpa?

sudo /sbin/service wpa_supplicant restart

(I have wpa_supplicant's init rc script enabled and the NetworkManager one disabled, as this is on a desktop with a static IP and static connection).

> # ps -eZ | grep wpa

user_u:system_r:NetworkManager_t 16173 ?       00:00:07 wpa_supplicant

Also, just tried on another machine where wpa_supplicant is running under NetworkManager and got the same audit messages trying to execute wpa_cli.

Comment 7 Miroslav Grepl 2011-11-28 09:21:30 UTC
Ok, I will backport a fix from RHEL6.

Comment 8 Miroslav Grepl 2011-11-29 16:39:23 UTC
Fixed in selinux-policy-2.4.6-320.el5

Comment 12 errata-xmlrpc 2012-02-21 05:46:46 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0158.html