Description of problem:
I configured hostapd. It starts fine in a terminal (hostapd /etc/hostapd/hostapd.conf). However, it won't start with systemctl start hostapd.

Version-Release number of selected component (if applicable):
Fedora 23 Beta with all updates as of Sep. 24th 2015

---
cat /etc/hostapd/hostapd.conf
ctrl_interface=/var/run/hostapd
ctrl_interface_group=wheel
interface=wlp0s29u1u7
driver=nl80211
ssid=mywlan
wpa=2
wpa_passphrase=geheim1234
wpa_key_mgmt=WPA-PSK
hw_mode=g
channel=6
country_code=DE
---
wlp0s29u1u7 = device for USB WLAN adaptor
---
sealert -l 342463bf-a962-45ce-9f77-18e04fccb3fd
SELinux is preventing hostapd from bind access on the netlink_generic_socket Unknown.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that hostapd should be allowed bind access on the Unknown netlink_generic_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep hostapd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:hostapd_t:s0
Target Context                system_u:system_r:hostapd_t:s0
Target Objects                Unknown [ netlink_generic_socket ]
Source                        hostapd
Source Path                   hostapd
Port                          <Unknown>
Host                          fedora23
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-147.fc23.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     fedora23
Platform                      Linux fedora23 4.2.1-300.fc23.x86_64 #1 SMP Mon Sep 21 22:13:13 UTC 2015 x86_64 x86_64
Alert Count                   1
First Seen                    2015-09-24 14:09:14 CEST
Last Seen                     2015-09-24 14:09:14 CEST
Local ID                      342463bf-a962-45ce-9f77-18e04fccb3fd

Raw Audit Messages
type=AVC msg=audit(1443096554.422:712): avc: denied { bind } for pid=2553 comm="hostapd" scontext=system_u:system_r:hostapd_t:s0 tcontext=system_u:system_r:hostapd_t:s0 tclass=netlink_generic_socket permissive=1

Hash: hostapd,hostapd_t,hostapd_t,netlink_generic_socket,bind
This seems like expected hostapd behavior. I'm not sure why selinux would suddenly care...?
After having had hostapd disabled for a while, I also see this when I re-enabled it. (There have probably been updates in between. I'm using the same policy as Michael.) Switching to Permissive mode, I see four AVC types, listed below. Could there have been something that went wrong in some selinux update?

time->Mon Oct 12 20:05:31 2015
type=PROCTITLE msg=audit(1444673131.752:2131): proctitle=2F7573722F7362696E2F686F7374617064002F6574632F686F73746170642F686F73746170642E636F6E66002D50002F72756E2F686F73746170642E706964002D42
type=SYSCALL msg=audit(1444673131.752:2131): arch=c000003e syscall=41 success=yes exit=5 a0=10 a1=80003 a2=10 a3=57 items=0 ppid=1 pid=22701 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="hostapd" exe="/usr/sbin/hostapd" subj=system_u:system_r:hostapd_t:s0 key=(null)
type=AVC msg=audit(1444673131.752:2131): avc: denied { create } for pid=22701 comm="hostapd" scontext=system_u:system_r:hostapd_t:s0 tcontext=system_u:system_r:hostapd_t:s0 tclass=netlink_generic_socket permissive=1
----
time->Mon Oct 12 20:05:31 2015
type=PROCTITLE msg=audit(1444673131.752:2132): proctitle=2F7573722F7362696E2F686F7374617064002F6574632F686F73746170642F686F73746170642E636F6E66002D50002F72756E2F686F73746170642E706964002D42
type=SYSCALL msg=audit(1444673131.752:2132): arch=c000003e syscall=54 success=yes exit=0 a0=5 a1=1 a2=7 a3=7ffc8d74d6c8 items=0 ppid=1 pid=22701 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="hostapd" exe="/usr/sbin/hostapd" subj=system_u:system_r:hostapd_t:s0 key=(null)
type=AVC msg=audit(1444673131.752:2132): avc: denied { setopt } for pid=22701 comm="hostapd" scontext=system_u:system_r:hostapd_t:s0 tcontext=system_u:system_r:hostapd_t:s0 tclass=netlink_generic_socket permissive=1
----
time->Mon Oct 12 20:05:31 2015
type=PROCTITLE msg=audit(1444673131.752:2133): proctitle=2F7573722F7362696E2F686F7374617064002F6574632F686F73746170642F686F73746170642E636F6E66002D50002F72756E2F686F73746170642E706964002D42
type=SYSCALL msg=audit(1444673131.752:2133): arch=c000003e syscall=49 success=yes exit=0 a0=5 a1=20b8010 a2=c a3=0 items=0 ppid=1 pid=22701 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="hostapd" exe="/usr/sbin/hostapd" subj=system_u:system_r:hostapd_t:s0 key=(null)
type=AVC msg=audit(1444673131.752:2133): avc: denied { bind } for pid=22701 comm="hostapd" scontext=system_u:system_r:hostapd_t:s0 tcontext=system_u:system_r:hostapd_t:s0 tclass=netlink_generic_socket permissive=1
----
time->Mon Oct 12 20:05:31 2015
type=PROCTITLE msg=audit(1444673131.752:2134): proctitle=2F7573722F7362696E2F686F7374617064002F6574632F686F73746170642F686F73746170642E636F6E66002D50002F72756E2F686F73746170642E706964002D42
type=SYSCALL msg=audit(1444673131.752:2134): arch=c000003e syscall=51 success=yes exit=0 a0=5 a1=7ffc8d74d750 a2=7ffc8d74d74c a3=0 items=0 ppid=1 pid=22701 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="hostapd" exe="/usr/sbin/hostapd" subj=system_u:system_r:hostapd_t:s0 key=(null)
type=AVC msg=audit(1444673131.752:2134): avc: denied { getattr } for pid=22701 comm="hostapd" scontext=system_u:system_r:hostapd_t:s0 tcontext=system_u:system_r:hostapd_t:s0 tclass=netlink_generic_socket permissive=1
After moving back to enforcing mode again, I found that hostapd actually reads and writes the socket too (surprise!). Those calls were apparently "dontaudited", but the denials still prevented hostapd from working properly in an enforcing environment.

But after having made a little module with this rule

allow hostapd_t hostapd_t:netlink_generic_socket { create setopt bind getattr read write };

I'm again able to connect and use the net.
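As an added example (not from this bug or from the selinux-policy project), a small Python stand-in for the audit2allow step suggested by sealert above: it parses AVC records like the ones posted in this bug, groups the denied permissions per (source type, target type, object class) and renders a .te module with the allow rule Göran used. SAMPLE_AUDIT and the module name myhostapd are constructed; the read/write additions mirror the dontaudit finding above.

```python
import re
from collections import defaultdict

# Constructed sample input: the four AVC records quoted in this bug, reduced
# to their avc: line, as `grep hostapd /var/log/audit/audit.log` returns them.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1444673131.752:2131): avc: denied { create } for pid=22701 comm="hostapd" scontext=system_u:system_r:hostapd_t:s0 tcontext=system_u:system_r:hostapd_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(1444673131.752:2132): avc: denied { setopt } for pid=22701 comm="hostapd" scontext=system_u:system_r:hostapd_t:s0 tcontext=system_u:system_r:hostapd_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(1444673131.752:2133): avc: denied { bind } for pid=22701 comm="hostapd" scontext=system_u:system_r:hostapd_t:s0 tcontext=system_u:system_r:hostapd_t:s0 tclass=netlink_generic_socket permissive=1
type=AVC msg=audit(1444673131.752:2134): avc: denied { getattr } for pid=22701 comm="hostapd" scontext=system_u:system_r:hostapd_t:s0 tcontext=system_u:system_r:hostapd_t:s0 tclass=netlink_generic_socket permissive=1
"""

DENIED_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
FIELD_RE = re.compile(r"(\w+)=(\S+)")

def collect_denials(audit_text):
    """Group denied permissions by (source type, target type, object class).
    The type is the third field of an SELinux context (user:role:type:level)."""
    denials = defaultdict(set)
    for line in audit_text.splitlines():
        m = DENIED_RE.search(line)
        if not m:
            continue  # not an AVC denial record
        fields = dict(FIELD_RE.findall(line))
        key = (fields["scontext"].split(":")[2],
               fields["tcontext"].split(":")[2],
               fields["tclass"])
        denials[key].update(m.group(1).split())
    return denials

def render_te(denials, module_name, version="1.0"):
    """Render module source (.te) in the form checkmodule -M -m accepts:
    a require block listing every type and class used, then the allow rules."""
    types, classes = set(), defaultdict(set)
    for (stype, ttype, tclass), perms in denials.items():
        types.update((stype, ttype))
        classes[tclass].update(perms)
    out = [f"module {module_name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in sorted(types)]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (stype, ttype, tclass), perms in sorted(denials.items()):
        out.append(f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    denials = collect_denials(SAMPLE_AUDIT)
    # read/write were dontaudit'ed, so they never reach the log: add them by
    # hand, or run `semodule -DB` first so the denials become visible.
    denials[("hostapd_t", "hostapd_t", "netlink_generic_socket")].update({"read", "write"})
    print(render_te(denials, "myhostapd"), end="")
```

Compile and load the output with checkmodule -M -m -o myhostapd.mod myhostapd.te, semodule_package -o myhostapd.pp -m myhostapd.mod and semodule -i myhostapd.pp; the rule is as broad as the denials you fed in, so review it before loading.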
I have the same problem on Fedora 22.
Also seeing this problem on Fedora 22 after the latest kernel update. Problem manifests when using 4.2.3, but not 4.1.10.

I've made no modifications to the SELinux policies in:
selinux-policy-3.13.1-128.13.fc22.noarch
selinux-policy-targeted-3.13.1-128.13.fc22.noarch
(In reply to Göran Uddeborg from comment #3)
> After moving back to enforcing mode again, I found that hostapd actually
> read and write the socket too (surprise!). Those calls were apparently
> "dontaudited", but the denials still prevented hostapd from working properly
> in an enforcing environment.
>
> But after having made a little module with this rule
>
> allow hostapd_t hostapd_t:netlink_generic_socket
> { create setopt bind getattr read write };
>
> I'm again able to connect and use the net.

Same problem on F22, and I also fixed it with a similar *.te file.
*** Bug 1282179 has been marked as a duplicate of this bug. ***
*** Bug 1278569 has been marked as a duplicate of this bug. ***
Thank you for testing.
I am having a similar problem with fedora 22 x86, kernel-4.2.6-200

I have added all those permissions to selinux using semodule -i which solved the problem. However, still now,

# hostapd ./hostapd.conf

still works, but this fails:

# systemctl start hostapd
# journalctl -xe
hostapd[6313]: Configuration file: /etc/hostapd/hostapd.conf
hostapd[6313]: nl80211: 'nl80211' generic netlink not found
hostapd[6313]: Failed to initialize driver 'nl80211'
hostapd[6313]: wlp2s0: interface state UNINITIALIZED->DISABLED
hostapd[6313]: wlp2s0: AP-DISABLED
hostapd[6313]: hostapd_free_hapd_data: Interface wlp2s0 wasn't started
systemd[1]: hostapd.service: control process exited, code=exited status=1
systemd[1]: Failed to start Hostapd IEEE 802.11 AP, IEEE 802.1X/WPA/WPA2/EAP/RADIUS Authenticator.

That is weird.

More documentation: http://tech.saoslab.com/post/2015/11/20/fedora-22-setting-up-hostapd-to-create-hotspot
*** Bug 1273570 has been marked as a duplicate of this bug. ***
https://github.com/fedora-selinux/selinux-policy/pull/72

commit 4f53dcad5aff19e8b8857ae46e6f9279d43ef50c
Author: Vit Mojzis <vmojzis>
Date:   Wed Nov 25 18:21:03 2015 +0100

    Allow hostapd to create netlink_generic_socket. New AVC after kernel update.
    #1266068
selinux-policy-3.13.1-157.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-b4167d5fd0
selinux-policy-3.13.1-157.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.

If you want to test the update, you can install it with
$ su -c 'dnf --enablerepo=updates-testing update selinux-policy'

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-b4167d5fd0
selinux-policy-3.13.1-157.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.