Bug 1145640 - selinux is blocking hostapd.service
Summary: selinux is blocking hostapd.service
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 20
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2014-09-23 12:09 UTC by Alphonse Steiner
Modified: 2015-01-03 14:33 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2015-01-03 14:33:53 UTC
Type: Bug
Embargoed:


Attachments
type enforcement file (1.86 KB, text/plain)
2014-09-26 18:43 UTC, Alphonse Steiner
file contexts (170 bytes, text/plain)
2014-09-26 18:45 UTC, Alphonse Steiner

Description Alphonse Steiner 2014-09-23 12:09:28 UTC
Description of problem:
hostapd can be started without any problem using a direct call:
 hostapd /etc/hostapd/hostapd.conf
but fails to start using the service call:
 systemctl start hostapd
 
SELinux reports some denials. The service can be started in permissive mode; in this case the denials are:

# grep hostapd /var/log/audit/audit.log |grep AVC
type=AVC msg=audit(1411469497.158:430): avc:  denied  { create } for  pid=1264 comm="hostapd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=netlink_socket
type=AVC msg=audit(1411469565.667:444): avc:  denied  { create } for  pid=1374 comm="hostapd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=netlink_socket
type=AVC msg=audit(1411469702.373:449): avc:  denied  { create } for  pid=1401 comm="hostapd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=netlink_socket
type=AVC msg=audit(1411469702.373:450): avc:  denied  { setopt } for  pid=1401 comm="hostapd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=netlink_socket
type=AVC msg=audit(1411469702.374:451): avc:  denied  { bind } for  pid=1401 comm="hostapd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=netlink_socket
type=AVC msg=audit(1411469702.374:452): avc:  denied  { getattr } for  pid=1401 comm="hostapd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=netlink_socket
type=AVC msg=audit(1411469702.376:453): avc:  denied  { read } for  pid=1401 comm="hostapd" name="rfkill" dev="devtmpfs" ino=18272 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:wireless_device_t:s0 tclass=chr_file
type=AVC msg=audit(1411469702.376:453): avc:  denied  { open } for  pid=1401 comm="hostapd" path="/dev/rfkill" dev="devtmpfs" ino=18272 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:wireless_device_t:s0 tclass=chr_file
type=AVC msg=audit(1411469702.376:454): avc:  denied  { create } for  pid=1401 comm="hostapd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=packet_socket
type=AVC msg=audit(1411469702.377:455): avc:  denied  { setopt } for  pid=1401 comm="hostapd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=packet_socket
type=AVC msg=audit(1411469703.371:456): avc:  denied  { module_request } for  pid=1401 comm="hostapd" kmod="ccm(aes)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
type=AVC msg=audit(1411471657.954:476): avc:  denied  { create } for  pid=1189 comm="hostapd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=netlink_socket
type=AVC msg=audit(1411472536.249:406): avc:  denied  { create } for  pid=1022 comm="hostapd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=netlink_socket
type=AVC msg=audit(1411472536.250:407): avc:  denied  { setopt } for  pid=1022 comm="hostapd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=netlink_socket
type=AVC msg=audit(1411472536.250:408): avc:  denied  { bind } for  pid=1022 comm="hostapd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=netlink_socket
type=AVC msg=audit(1411472536.250:409): avc:  denied  { getattr } for  pid=1022 comm="hostapd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=netlink_socket
type=AVC msg=audit(1411472536.252:410): avc:  denied  { read } for  pid=1022 comm="hostapd" name="rfkill" dev="devtmpfs" ino=17498 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:wireless_device_t:s0 tclass=chr_file
type=AVC msg=audit(1411472536.252:410): avc:  denied  { open } for  pid=1022 comm="hostapd" path="/dev/rfkill" dev="devtmpfs" ino=17498 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:wireless_device_t:s0 tclass=chr_file
type=AVC msg=audit(1411472536.252:411): avc:  denied  { create } for  pid=1022 comm="hostapd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=packet_socket
type=AVC msg=audit(1411472536.253:412): avc:  denied  { setopt } for  pid=1022 comm="hostapd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=packet_socket
type=AVC msg=audit(1411472537.285:413): avc:  denied  { module_request } for  pid=1022 comm="hostapd" kmod="ccm(aes)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system

The service can be started by changing the label:
  chcon -t NetworkManager_exec_t /usr/sbin/hostapd

Regards.
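The denials above all share the same shape: a process whose comm is hostapd running in the init_t domain, which means no domain transition happened when systemd executed /usr/sbin/hostapd, so the daemon inherited init's label. The following script is an added example, not part of the bug report or of the attached policy; it parses AVC lines of the format shown above (a constructed sample copied in shape from the report), aggregates them the way audit2allow would into allow rules, and flags any comm that was denied while running in an init-like domain, since in that case the correct fix is a dedicated domain with a file context and transition rather than widening init_t. The function names and the SAMPLE_AUDIT text are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample: a few AVC lines in the same shape as the report above.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1411469702.373:449): avc:  denied  { create } for  pid=1401 comm="hostapd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=netlink_socket
type=AVC msg=audit(1411469702.373:450): avc:  denied  { setopt } for  pid=1401 comm="hostapd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=netlink_socket
type=AVC msg=audit(1411469702.376:453): avc:  denied  { read } for  pid=1401 comm="hostapd" name="rfkill" dev="devtmpfs" ino=18272 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:wireless_device_t:s0 tclass=chr_file
type=AVC msg=audit(1411469702.376:453): avc:  denied  { open } for  pid=1401 comm="hostapd" path="/dev/rfkill" dev="devtmpfs" ino=18272 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:wireless_device_t:s0 tclass=chr_file
type=AVC msg=audit(1411469703.371:456): avc:  denied  { module_request } for  pid=1401 comm="hostapd" kmod="ccm(aes)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
"""

# One regex for the fields every AVC denial carries; extra fields such as
# name=, path=, kmod= are skipped by the lazy ".*?" parts.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?'
    r'comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def parse_avc(text):
    """Yield one dict per AVC denial line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            d = m.groupdict()
            d["perms"] = set(d["perms"].split())
            yield d


def type_of(context):
    """system_u:system_r:init_t:s0 -> init_t (the type is the third field)."""
    return context.split(":")[2]


def aggregate(denials):
    """Group denials by (source type, target type, class), unioning permissions."""
    rules = defaultdict(set)
    for d in denials:
        key = (type_of(d["scontext"]), type_of(d["tcontext"]), d["tclass"])
        rules[key] |= d["perms"]
    return dict(rules)


def to_allow_rules(rules):
    """Render the aggregated denials as TE allow rules (self when types match)."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        target = "self" if src == tgt else tgt
        out.append(f"allow {src} {target}:{cls} {{ {' '.join(sorted(perms))} }};")
    return out


def missing_transition(denials, init_domains=("init_t",)):
    """Return comm names denied while running in an init-like domain.

    A daemon in init_t almost always means its executable carries no
    file context that triggers a domain transition, so the denials should
    be fixed with a dedicated domain, not by granting these rules to init_t.
    """
    return sorted({d["comm"] for d in denials if type_of(d["scontext"]) in init_domains})


if __name__ == "__main__":
    found = list(parse_avc(SAMPLE_AUDIT))
    for rule in to_allow_rules(aggregate(found)):
        print(rule)
    for comm in missing_transition(found):
        print(f"# {comm}: running in an init domain, needs its own domain and file context")
```

The printed allow rules are what a naive audit2allow run would produce; the trailing comment line is the check that tells a reviewer to reject them for init_t and instead write a dedicated domain with a file context for the binary, which is the approach the attached policy module takes.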

Comment 1 Alphonse Steiner 2014-09-26 18:43:56 UTC
Created attachment 941684
type enforcement file

Since I do not see any reason to make hostapd run in the NetworkManager domain, here is a policy module that works on my system.
Regards.

Comment 2 Alphonse Steiner 2014-09-26 18:45:11 UTC
Created attachment 941685
file contexts

Here are the corresponding file contexts.

Comment 3 Daniel Walsh 2015-01-03 14:33:53 UTC
Thanks for the policy


Added policy in selinux-policy-3.13.1-104.fc22

