Bug 753707

Summary: SELinux is preventing /usr/sbin/wpa_supplicant from open/read/getattr access on the file .kde/share/apps/networkmanagement/certificates/
Product: [Fedora] Fedora
Reporter: Daniel Black <daniel.black>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 15
CC: dcbw, dominick.grift, dwalsh, jklimes, mgrepl
Fixed In Version: selinux-policy-3.9.16-50.fc15
Doc Type: Bug Fix
Last Closed: 2012-01-17 20:25:40 UTC

Description Daniel Black 2011-11-14 09:00:03 UTC
Description of problem:

Fails to connect to AP with the following SELinux errors in the log:

Nov 14 15:50:10 spaceman setroubleshoot: SELinux is preventing /usr/sbin/wpa_supplicant from read access on the file /home/dan/.kde/share/apps/networkmanagement/certificates/{5d5d81f2-9c7f-4fd4-90f6-c7ceb6ae49ec}. For complete SELinux messages. run sealert -l 9da65e4e-6ebb-41b1-8016-d6b985d5c488
..
Nov 14 16:04:00 spaceman setroubleshoot: SELinux is preventing /usr/sbin/wpa_supplicant from open access on the file /home/dan/.kde/share/apps/networkmanagement/certificates/{5d5d81f2-9c7f-4fd4-90f6-c7ceb6ae49ec}. For complete SELinux messages. run sealert -l 19b78781-dcd4-4f35-9997-7abec57d93c7
..
Nov 14 16:09:44 spaceman setroubleshoot: SELinux is preventing /usr/sbin/wpa_supplicant from getattr access on the file /home/dan/.kde/share/apps/networkmanagement/certificates/{5d5d81f2-9c7f-4fd4-90f6-c7ceb6ae49ec}. For complete SELinux messages. run sealert -l ff41f4a1-a84c-4963-b169-dbc33b1443ee


Version-Release number of selected component (if applicable):
Name        : NetworkManager
Arch        : x86_64
Epoch       : 1
Version     : 0.8.5.92
Release     : 1.git20110927.fc14

Name        : selinux-policy-targeted
Arch        : noarch
Version     : 3.9.7
Release     : 46.fc14

How reproducible:

Always

Steps to Reproduce:
1. Open NetworkManager
2. Create Wireless WPA Enterprise PEAP connection
3. Add custom certificate
  
Actual results:

Disconnection and disassociation

Expected results:

Connection made.

Additional info:

SELinux Network manager module of the form:

module nm 1.0;

require {
        type NetworkManager_t;
        type home_cert_t;
        type cert_t;
        class file { read getattr open };
}

allow NetworkManager_t cert_t:file { read getattr open };
allow NetworkManager_t home_cert_t:file { read getattr open };

With the following added to /etc/selinux/targeted/contexts/files/file_contexts.homedirs
and /etc/selinux/targeted/contexts/files/file_contexts

/home/[^/]*/\.kde/share/apps/networkmanagement/certificates(/.*)? unconfined_u:object_r:home_cert_t:s0

policy/modules/system/userdomain.fc
HOME_DIR/\.kde/share/apps/networkmanagement/certificates(/.*)? gen_context(system_u:object_r:home_cert_t,s0)

Allowing cert_t should allow the user to specify an already installed cert.

Comment 1 Miroslav Grepl 2011-11-14 11:25:11 UTC
Is this a default location?



# chcon -R -t home_cert_t /home/dan/.kde/share/apps/networkmanagement/certificates

should fix the issue. The module should not be needed. 

# sesearch -A -s NetworkManager_t -t home_cert_t -c file -p read
Found 1 semantic av rules:
   allow NetworkManager_t home_cert_t : file { ioctl read getattr lock open }
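
Added example (not part of the bug thread or of any comment in it): a triage sketch that collapses the three setroubleshoot alerts from the description into one finding per binary and file, then prints the semanage fcontext and restorecon commands that make the home_cert_t label persistent. The function names summarize_denials and persistent_label_cmds are hypothetical, and the sample log is constructed from the lines quoted in the report.

```shell
#!/bin/sh
# Added example, not from the bug report. SAMPLE_LOG is constructed from the
# three setroubleshoot lines quoted in the report (sealert ids replaced by <id>).
CERT_DIR='/home/dan/.kde/share/apps/networkmanagement/certificates'
CERT="$CERT_DIR/{5d5d81f2-9c7f-4fd4-90f6-c7ceb6ae49ec}"
PRE='spaceman setroubleshoot: SELinux is preventing /usr/sbin/wpa_supplicant from'
POST="access on the file $CERT. For complete SELinux messages. run sealert -l <id>"
SAMPLE_LOG="Nov 14 15:50:10 $PRE read $POST
Nov 14 16:04:00 $PRE open $POST
Nov 14 16:09:44 $PRE getattr $POST"

# stdin: syslog lines. stdout: one "binary<TAB>path<TAB>perm,perm,..." line
# per (binary, path) pair, so repeated alerts collapse into one finding.
summarize_denials() {
    awk '
    function after(s, m,   i)  { i = index(s, m); return i ? substr(s, i + length(m)) : "" }
    function before(s, m,   i) { i = index(s, m); return i ? substr(s, 1, i - 1) : s }
    {
        r = after($0, "SELinux is preventing "); if (r == "") next
        bin  = before(r, " from ")
        r    = after(r, " from ");          perm = before(r, " access on the ")
        r    = after(r, " access on the "); r = after(r, " ")  # skip class word
        path = before(r, ". For complete")
        key  = bin "\t" path
        if (!(key in perms)) { order[++n] = key; perms[key] = perm }
        else if (!index("," perms[key] ",", "," perm ",")) perms[key] = perms[key] "," perm
    }
    END { for (i = 1; i <= n; i++) print order[i] "\t" perms[order[i]] }'
}

# Print (do not run) the commands that record a local file-context rule and
# relabel the tree; unlike chcon, this label survives restorecon or a relabel.
persistent_label_cmds() {
    dir=$1; ctype=$2
    spec=$(printf '%s' "$dir" | sed 's/\./\\./g')'(/.*)?'   # escape regex dots
    printf "semanage fcontext -a -t %s '%s'\n" "$ctype" "$spec"
    printf 'restorecon -Rv %s\n' "$dir"
}

printf '%s\n' "$SAMPLE_LOG" | summarize_denials
persistent_label_cmds "$CERT_DIR" home_cert_t
```

The single summary line (read,open,getattr on one path) shows the alerts share one cause, a file label, rather than three missing allow rules.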

Comment 2 Daniel Black 2011-11-15 06:16:31 UTC
> Is this a default location?
yes

When it has been imported from kcm_networkmanagement it was copied from where the certificate was (Desktop) to this default location.

Comment 3 Daniel Walsh 2011-11-15 14:38:56 UTC
Fixed in Rawhide with 

14c739f003d9bb11e9b31e2826fb930d5a7d775a


Should be backported to F15, F16, RHEL6.

Too late for F14, since it can be worked around.

Comment 4 Miroslav Grepl 2011-11-21 12:48:20 UTC
It was fixed in selinux-policy-3.10.0-57.fc16

Comment 5 Daniel Black 2011-11-22 10:20:46 UTC
Thanks. Was going to move on from F14 very soon.

Comment 6 Fedora Update System 2011-12-14 13:40:08 UTC
selinux-policy-3.9.16-50.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-50.fc15

Comment 7 Fedora Update System 2011-12-14 23:30:05 UTC
Package selinux-policy-3.9.16-50.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-50.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2011-17089/selinux-policy-3.9.16-50.fc15
then log in and leave karma (feedback).

Comment 8 Fedora Update System 2012-01-17 20:25:40 UTC
selinux-policy-3.9.16-50.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.