User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
Build Identifier:

hostapd_cli fails to attach to hostapd. SELinux AVC denied messages are found in the log. The problem is observed both when hostapd_cli is run from a usercode in the ctrl_interface_group defined in hostapd.conf and from root. If SELinux is changed to permissive, the connection works.

Reproducible: Always

Steps to Reproduce:
1. Install and configure hostapd.
2. Ensure /etc/hostapd/hostapd.conf includes the lines:
   ctrl_interface=/var/run/hostapd
   ctrl_interface_group=wheel
3. From a terminal with a usercode in group wheel, run hostapd_cli

Actual Results:
[test1@pi31 ~]$ hostapd_cli
hostapd_cli v2.9
Copyright (c) 2004-2019, Jouni Malinen <j> and contributors
This software may be distributed under the terms of the BSD license.
See README for more details.

Selected interface 'wlan0'
Warning: Failed to attach to hostapd.

Interactive mode

> 'PING' command timed out.

Expected Results:
[test1@pi31 ~]$ hostapd_cli
hostapd_cli v2.9
Copyright (c) 2004-2019, Jouni Malinen <j> and contributors
This software may be distributed under the terms of the BSD license.
See README for more details.

Selected interface 'wlan0'

Interactive mode

>

The audit log shows three types of AVC messages:

type=AVC msg=audit(1575967994.090:235): avc: denied { dac_override } for pid=982 comm="hostapd" capability=1 scontext=system_u:system_r:hostapd_t:s0 tcontext=system_u:system_r:hostapd_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1575971326.248:522): avc: denied { write } for pid=982 comm="hostapd" name="wpa_ctrl_2266-2" dev="mmcblk0p3" ino=20589 scontext=system_u:system_r:hostapd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1575989024.475:145): avc: denied { sendto } for pid=981 comm="hostapd" path="/tmp/wpa_ctrl_1092-1" scontext=system_u:system_r:hostapd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0

Using audit2allow suggested the following three policies:

module hapd1 1.0;

require {
	type hostapd_t;
	class capability dac_override;
}

#============= hostapd_t ==============
allow hostapd_t self:capability dac_override;

module hapd2 1.0;

require {
	type hostapd_t;
	type user_tmp_t;
	class sock_file write;
}

#============= hostapd_t ==============
allow hostapd_t user_tmp_t:sock_file write;

module hapd3 1.0;

require {
	type hostapd_t;
	type unconfined_t;
	class unix_dgram_socket sendto;
}

#============= hostapd_t ==============
allow hostapd_t unconfined_t:unix_dgram_socket sendto;

After installing these three policies, hostapd_cli functioned successfully. (With only the "write" and "sendto" rules installed and without "dac_override", hostapd_cli worked if run from root or sudo, but not from a regular usercode belonging to the ctrl_interface_group defined in hostapd.conf.)
Checking an "strace", it seems hostapd_cli creates a socket which it binds to /tmp/wpa_ctrl_<pid>-1 and then connects to hostapd's socket /var/run/hostapd/<interface>. The client can send a message to the server, but the server cannot return the reply.

hostapd_cli:
2335848 socket(AF_LOCAL, SOCK_DGRAM, 0) = 3
2335848 getpid() = 2335848
2335848 bind(3, {sa_family=AF_LOCAL, sun_path="/tmp/wpa_ctrl_2335848-1"}, 110) = 0
2335848 connect(3, {sa_family=AF_LOCAL, sun_path="/var/run/hostapd/wlo1"}, 110) = 0
2335848 fcntl(3, F_GETFL) = 0x2 (flags O_RDWR)
2335848 fcntl(3, F_SETFL, O_RDWR|O_NONBLOCK) = 0
2335848 sendto(3, "ATTACH", 6, 0, NULL, 0) = 6
2335848 select(4, [3], NULL, NULL, {10, 0}) = 0 (Timeout)
2335848 write(1, "Warning: Failed to attach to hos"..., 38) = 38

hostapd:
2287864 select(16, [4 6 8 9 10 11 12 13 14 15], [], [], {6, 40357}) = 1 (in [13], left {0, 977347})
2287864 recvfrom(13, "ATTACH", 4095, 0, {sa_family=AF_LOCAL, sun_path="/tmp/wpa_ctrl_2335848-1"}, [26]) = 6
2287864 sendto(13, "OK\n", 3, 0, {sa_family=AF_LOCAL, sun_path="/tmp/wpa_ctrl_2335848-1"}, 26) = -1 EACCES (Permission denied)
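The exchange in the strace above, re-enacted as an added example that is not part of this bug report or of hostapd's code. Both sides are simulated with AF_UNIX datagram sockets: the "daemon" binds where hostapd would bind /var/run/hostapd/<ifname>, the "client" binds its own socket the way wpa_ctrl_open() binds /tmp/wpa_ctrl_<pid>-N, and the daemon's answer is a sendto() back to that client path. Assumptions: a temporary directory stands in for /var/run/hostapd and /tmp so the script runs offline as any user, and the PING/ATTACH reply table is constructed for the demo. The point it makes concrete is the one in the report: because the protocol is connectionless, the daemon must be allowed to write to the client's socket file and send to the client's socket, otherwise the client only ever sees a select() timeout.

```python
"""Unix-datagram control-interface exchange: a minimal stand-in for hostapd
(server) and hostapd_cli (client). Added example, not hostapd's own code."""
import os
import select
import socket
import tempfile
import threading
import time

# Constructed reply table standing in for hostapd's command handler.
REPLIES = {b"PING": b"PONG\n", b"ATTACH": b"OK\n", b"DETACH": b"OK\n"}


def run_daemon(server_path, stop_event):
    """Server side. hostapd binds a SOCK_DGRAM socket at <ctrl_interface>/<ifname>
    and answers every request with sendto() to the address recvfrom() reported,
    i.e. the client's own bound socket file. That reply is the step SELinux
    denied in the report (sock_file write and unix_dgram_socket sendto on
    /tmp/wpa_ctrl_<pid>-N)."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    srv.bind(server_path)
    srv.settimeout(0.1)
    try:
        while not stop_event.is_set():
            try:
                data, client_path = srv.recvfrom(4095)
            except socket.timeout:
                continue
            reply = REPLIES.get(data, b"UNKNOWN COMMAND\n")
            try:
                srv.sendto(reply, client_path)
            except PermissionError:
                # EACCES here is what hostapd's strace showed; the client then
                # sees nothing but a select() timeout.
                pass
    finally:
        srv.close()
        os.unlink(server_path)


def ctrl_request(server_path, command, client_dir, timeout=2.0):
    """Client side, mirroring wpa_ctrl_open()/wpa_ctrl_request(): bind a datagram
    socket of our own (the real client uses /tmp/wpa_ctrl_<pid>-N), connect() it
    to the daemon's path, send the command and wait with select(). Returns the
    reply, or None when no reply arrives (hostapd_cli's "'PING' command timed out")."""
    client_path = os.path.join(client_dir, "wpa_ctrl_%d-1" % os.getpid())
    cli = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    try:
        # Without this bind() the daemon would have no address to reply to.
        cli.bind(client_path)
        cli.connect(server_path)
        cli.setblocking(False)
        cli.send(command)
        readable, _, _ = select.select([cli], [], [], timeout)
        if not readable:
            return None
        return cli.recv(4095)
    finally:
        cli.close()
        if os.path.exists(client_path):
            os.unlink(client_path)


def demo():
    """Run the daemon in a thread and issue PING and ATTACH against it."""
    work = tempfile.mkdtemp(prefix="ctrl_iface_demo_")
    server_path = os.path.join(work, "wlan0")  # stands in for /var/run/hostapd/wlan0
    stop = threading.Event()
    worker = threading.Thread(target=run_daemon, args=(server_path, stop))
    worker.start()
    while not os.path.exists(server_path):
        time.sleep(0.01)
    try:
        return {
            "PING": ctrl_request(server_path, b"PING", work),
            "ATTACH": ctrl_request(server_path, b"ATTACH", work),
        }
    finally:
        stop.set()
        worker.join()
        os.rmdir(work)


def demo_timeout(timeout=0.3):
    """A daemon that is bound but never answers: the client-side view of the
    EACCES above. ctrl_request() returns None instead of a reply."""
    work = tempfile.mkdtemp(prefix="ctrl_iface_demo_")
    server_path = os.path.join(work, "wlan0")
    mute = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    mute.bind(server_path)
    try:
        return ctrl_request(server_path, b"PING", work, timeout=timeout)
    finally:
        mute.close()
        os.unlink(server_path)
        os.rmdir(work)


if __name__ == "__main__":
    print(demo())          # {'PING': b'PONG\n', 'ATTACH': b'OK\n'}
    print(demo_timeout())  # None
```

The client bind() is what creates the sock_file that the "write" denial names, and the reply sendto() is what the "sendto" denial names; both are needed because a datagram socket has no connection for the daemon to answer on. The SELinux rules in the report therefore target the client's socket (user_tmp_t, unconfined_t), not hostapd's own.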
This package has changed maintainer in Fedora. Reassigning to the new maintainer of this component.
This message is a reminder that Fedora 31 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora 31 on 2020-11-24. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '31'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 31 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version prior to this bug being closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
I have verified the problem still exists in Fedora 33.
This message is a reminder that Fedora 33 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora 33 on 2021-11-30. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '33'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 33 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version prior to this bug being closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
hostapd_cli still doesn't work in F35. I was able to remove the dac_override allow rule from my local policy module; it appears to be allowed now. But the other two rules still need to be there for hostapd_cli to work.

selinux-policy-targeted-35.5-1.fc35.noarch
*** This bug has been marked as a duplicate of bug 2032277 ***