Created attachment 1044796 [details]
log file

+++ This bug was initially created as a clone of Bug #1225245 +++

Description of problem:
SELinux prevents hostapd from using the 'net_admin' capabilities. Running hostapd manually works perfectly fine.
The erratum for bug #1225245 correctly allows hostapd to obtain the 'net_admin' capability, but not 'net_raw'.

Version-Release:
hostapd-2.4-2.fc22.x86_64
selinux-policy-3.13.1-128.2.fc22.noarch
selinux-policy-targeted-3.13.1-128.2.fc22.noarch

How reproducible: always

Reproduction steps:
1) Install hostapd
2) Modify /etc/hostapd/hostapd.conf to use an appropriate wlan card
3) Start the service via systemd

Actual results:
Service enters the 'failed' state; SELinux denies access to the 'net_raw' capability for the hostapd process. Audit reports:
<audit-1400> avc: denied { net_raw } for pid=13891 comm="hostapd" capability=13

Expected results:
Service starts correctly; SELinux grants the 'net_raw' capability.

Additional info:
[root@fedora22 ~]# journalctl -xe -l --since 21:43 | grep audit | audit2why
cze 30 21:43:03 fedora22 audit[13891]: <audit-1400> avc: denied { net_raw } for pid=13891 comm="hostapd" capability=13 scontext=system_u:system_r:hostapd_t:s0 tcontext=system_u:system_r:hostapd_t:s0 tclass=capability permissive=0

	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

[root@fedora22 ~]# journalctl -xe -l --since 21:43 | grep audit | audit2allow

#============= hostapd_t ==============
allow hostapd_t self:capability net_raw;

A comment from the previous bug report confirms that this was not fixed.

--- Additional comment from on 2015-06-10 08:36:55 EDT ---

Partially solved this problem, not at all.
selinux-policy-3.13.1-128.1.fc22.noarch
hostapd-2.4-2.fc22.i686
Created attachment 1044807 [details] hostapd-missing.te Missing hostapd type enforcements.
Created attachment 1044808 [details] hostapd-missing.pp Missing hostapd policy module
Unfortunately hostapd was unable to start after allowing the capability in the SELinux policy. I've also found that it requires the 'fsetid' capability, as well as 'write create unlink setattr' permissions on the hostapd_var_run_t:sock_file kernel object class.

==> hostapd-missing.te <==
module hostapd-missing 1.0;

require {
	type hostapd_t;
	type hostapd_var_run_t;
	class capability { net_raw fsetid };
	class sock_file { write create unlink setattr };
}

#============= hostapd_t ==============
allow hostapd_t hostapd_var_run_t:sock_file { write create unlink setattr };
allow hostapd_t self:capability net_raw;
allow hostapd_t self:capability fsetid;
Hi Jakub,

Could you run the reproducer in permissive SELinux mode?

1. # setenforce 0
2. run reproducer
3. Attach AVCs (/var/log/audit/audit.log)
4. # setenforce 1

I need to see the related AVCs to fix this.

Thank you!
I use hostapd too, but I use a live system. How can I turn on logging/auditing on a live system without rebooting?
I'm also hit by this, and since Jakub apparently hasn't had time to reply I thought I could fill in. I'm not quite sure though what you mean with "run reproducer". Do you simply want us to start hostapd? Or is it something more specific?
(In reply to Göran Uddeborg from comment #6)
> I'm also hit by this, and since Jakub apparently hasn't had time to reply I
> thought I could fill in. I'm not quite sure though what you mean with "run
> reproducer". Do you simply want us to start hostapd? Or is it something
> more specific?

With root access: systemctl start hostapd
Created attachment 1054798 [details]
AVCs from starting hostapd in permissive mode

Right, then I'm with you! So I did

setenforce 0
systemctl start hostapd
setenforce 1
ausearch -se hostapd_t -m avc -ts 13:00

(I did the commands just after 13 o'clock.) Please find attached the output from the last command. If you want me to run something else or additional, let me know!

This was done using these package versions:
selinux-policy-targeted-3.13.1-128.6.fc22.noarch
hostapd-2.4-2.fc22.x86_64
Perfect, this is what I need. I'll add a fix soon.
commit a3d4a1d3bb9b9f1e6e144afd890befa42794ae08
Author: Lukas Vrabec <lvrabec>
Date:   Tue Jul 28 11:58:06 2015 +0200

    Allow hostapd to manage sock file in /var/run/hostapd
    Add fsetid cap. for hostapd
    Add net_raw cap. for hostapd
    BZ(#1237343)

Fixed all issues from comment 8.
I just discovered that when I turned hostapd OFF I got one more AVC. But maybe it is already covered by your previous patch?

type=PROCTITLE msg=audit(1438340495.887:55907): proctitle=2F7573722F7362696E2F686F7374617064002F6574632F686F73746170642F686F73746170642E636F6E66002D50002F72756E2F686F73746170642E706964002D42
type=SYSCALL msg=audit(1438340495.887:55907): arch=c000003e syscall=87 success=yes exit=0 a0=23d8010 a1=48e637 a2=43e059 a3=1d1 items=0 ppid=1 pid=10119 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="hostapd" exe="/usr/sbin/hostapd" subj=system_u:system_r:hostapd_t:s0 key=(null)
type=AVC msg=audit(1438340495.887:55907): avc: denied { unlink } for pid=10119 comm="hostapd" name="vap0" dev="tmpfs" ino=38488909 scontext=system_u:system_r:hostapd_t:s0 tcontext=system_u:object_r:hostapd_var_run_t:s0 tclass=sock_file permissive=1
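As an added example (not part of this bug report or of the selinux-policy or hostapd projects), the script below does by hand what `audit2allow` did in comment 1 and what the hostapd-missing.te attachment in comment 4 encodes: it parses AVC denial records like the ones quoted in comments 1 and 12, aggregates them per (source type, target type, object class), cross-checks the numeric `capability=N` field against the permission name, and emits a loadable-module `.te` with the `require` block that `checkmodule` needs. The audit lines are constructed from the denials quoted in this bug (the `create` and `fsetid` records are constructed to match the permissions comment 4 reports as missing) so that the script runs offline; collecting denials in permissive mode, as asked for in comment 5, is what makes the aggregated rule complete in one run, since in enforcing mode the process dies at the first denial.

```python
"""Aggregate SELinux AVC denials into a minimal type-enforcement (.te) module.

Stand-in for the rule-generation step of audit2allow, added as an example for
this bug; the sample audit records below are constructed from the denials
quoted in the report.
"""
import re
from collections import defaultdict

# Constructed sample: the net_raw denial from comment 1, the unlink denial from
# comment 12, and two records built to match the create/fsetid permissions that
# comment 4 reports as missing. A non-AVC record is included to be skipped.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1435693383.000:1): avc:  denied  { net_raw } for  pid=13891 comm="hostapd" capability=13  scontext=system_u:system_r:hostapd_t:s0 tcontext=system_u:system_r:hostapd_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1438340495.887:55907): avc:  denied  { unlink } for  pid=10119 comm="hostapd" name="vap0" dev="tmpfs" ino=38488909 scontext=system_u:system_r:hostapd_t:s0 tcontext=system_u:object_r:hostapd_var_run_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1438340400.000:55900): avc:  denied  { create } for  pid=10119 comm="hostapd" name="vap0" scontext=system_u:system_r:hostapd_t:s0 tcontext=system_u:object_r:hostapd_var_run_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1438340401.000:55901): avc:  denied  { fsetid } for  pid=10119 comm="hostapd" capability=4  scontext=system_u:system_r:hostapd_t:s0 tcontext=system_u:system_r:hostapd_t:s0 tclass=capability permissive=1
type=SYSCALL msg=audit(1438340495.887:55907): arch=c000003e syscall=87 success=yes exit=0 comm="hostapd" exe="/usr/sbin/hostapd"
"""

# Capability numbers as used in the AVC `capability=N` field (linux/capability.h, first 14).
CAP_NAMES = {
    0: "chown", 1: "dac_override", 2: "dac_read_search", 3: "fowner",
    4: "fsetid", 5: "kill", 6: "setgid", 7: "setuid", 8: "setpcap",
    9: "linux_immutable", 10: "net_bind_service", 11: "net_broadcast",
    12: "net_admin", 13: "net_raw",
}

PERMS_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}")
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line):
    """Return (perms, fields) for an AVC denial record, or None for any other record."""
    m = PERMS_RE.search(line)
    if not m:
        return None
    return m.group(1).split(), dict(FIELD_RE.findall(line))


def type_of(context):
    """Extract the type field from a user:role:type:level security context."""
    return context.split(":")[2]


def collect_denials(audit_text):
    """Map (source type, target type or 'self', object class) -> set of denied permissions."""
    grouped = defaultdict(set)
    for line in audit_text.splitlines():
        parsed = parse_avc(line)
        if parsed is None:
            continue
        perms, f = parsed
        stype, ttype = type_of(f["scontext"]), type_of(f["tcontext"])
        if f["tclass"] == "capability" and "capability" in f:
            # The kernel logs both the number and the name; refuse inconsistent records.
            expected = CAP_NAMES.get(int(f["capability"]))
            if expected is not None and perms != [expected]:
                raise ValueError(f"capability={f['capability']} is {expected}, record says {perms}")
        target = "self" if stype == ttype else ttype
        grouped[(stype, target, f["tclass"])].update(perms)
    return grouped


def format_rule(key, perms):
    """Render one TE allow rule; braces only when more than one permission is listed."""
    stype, target, tclass = key
    plist = " ".join(sorted(perms))
    return f"allow {stype} {target}:{tclass} {plist if len(perms) == 1 else '{ ' + plist + ' }'};"


def te_module(name, denials, version="1.0"):
    """Wrap the rules in a module header and the require block checkmodule expects."""
    types, classes = set(), defaultdict(set)
    for (stype, target, tclass), perms in denials.items():
        types.add(stype)
        if target != "self":
            types.add(target)
        classes[tclass].update(perms)
    out = [f"module {name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in sorted(types)]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    out += [format_rule(k, p) for k, p in sorted(denials.items())]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(te_module("hostapd-missing", collect_denials(SAMPLE_AUDIT)), end="")
```

Feeding `/var/log/audit/audit.log` (or the `ausearch -m avc` output from comment 8) into `collect_denials` reproduces the two rules of the hostapd-missing.te attachment in condensed form. The generated `.te` is compiled and loaded with `checkmodule -M -m -o hostapd-missing.mod hostapd-missing.te`, `semodule_package -o hostapd-missing.pp -m hostapd-missing.mod` and `semodule -i hostapd-missing.pp`. This is a local workaround only: a rule generated from denials grants exactly what the process asked for, so every line should be read before loading, and the lasting fix is the distribution policy update in comment 10.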
hostapd.service works, thanks!

systemctl status hostapd
● hostapd.service - Hostapd IEEE 802.11 AP, IEEE 802.1X/WPA/WPA2/EAP/RADIUS Authenticator
   Loaded: loaded (/usr/lib/systemd/system/hostapd.service; disabled; vendor preset: disabled)
   Active: active (running) since p 2015-07-31 14:09:51 CEST; 12min ago
  Process: 1840 ExecStart=/usr/sbin/hostapd /etc/hostapd/hostapd.conf -P /run/hostapd.pid -B (code=exited, status=0/SUCCESS)
 Main PID: 1844 (hostapd)
   CGroup: /system.slice/hostapd.service
           └─1844 /usr/sbin/hostapd /etc/hostapd/hostapd.conf -P /run/hostapd.pid -B

rpm -qa selinux-policy\* | sort
selinux-policy-3.13.1-128.9.fc22.noarch
selinux-policy-targeted-3.13.1-128.9.fc22.noarch
selinux-policy-3.13.1-140.fc23 has been submitted as an update for Fedora 23. https://admin.fedoraproject.org/updates/selinux-policy-3.13.1-140.fc23
selinux-policy-3.13.1-140.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.