Bug 1784253 - hostapd_cli cannot attach to hostapd.
Keywords:
Status: CLOSED DUPLICATE of bug 2032277
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 35
Hardware: armv7hl
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2019-12-17 05:31 UTC by listsp-bz
Modified: 2022-01-18 08:50 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-01-12 14:05:08 UTC
Type: ---
Embargoed:



Description listsp-bz 2019-12-17 05:31:04 UTC
User-Agent:       Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
Build Identifier: 

hostapd_cli fails to attach to hostapd. SELinux AVC denied messages are found in the log.
The problem is observed both when hostapd_cli is run from a usercode in the ctrl_interface_group defined in hostapd.conf and when it is run from root.
If SELinux is changed to permissive the connection works.


Reproducible: Always

Steps to Reproduce:
1. Install and configure hostapd.
2. Ensure /etc/hostapd/hostapd.conf includes the lines:
   ctrl_interface=/var/run/hostapd
   ctrl_interface_group=wheel
3. From a terminal with usercode in group wheel run hostapd_cli
  
Actual Results:  
[test1@pi31 ~]$ hostapd_cli
hostapd_cli v2.9
Copyright (c) 2004-2019, Jouni Malinen <j> and contributors

This software may be distributed under the terms of the BSD license.
See README for more details.


Selected interface 'wlan0'
Warning: Failed to attach to hostapd.

Interactive mode

> 'PING' command timed out.

Expected Results:  
[test1@pi31 ~]$ hostapd_cli
hostapd_cli v2.9
Copyright (c) 2004-2019, Jouni Malinen <j> and contributors

This software may be distributed under the terms of the BSD license.
See README for more details.


Selected interface 'wlan0'

Interactive mode

>

audit log shows three types of AVC messages:

type=AVC msg=audit(1575967994.090:235): avc:  denied  { dac_override } for  pid=982 comm="hostapd" capability=1  scontext=system_u:system_r:hostapd_t:s0 tcontext=system_u:system_r:hostapd_t:s0 tclass=capability permissive=0

type=AVC msg=audit(1575971326.248:522): avc:  denied  { write } for  pid=982 comm="hostapd" name="wpa_ctrl_2266-2" dev="mmcblk0p3" ino=20589 scontext=system_u:system_r:hostapd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=sock_file permissive=0

type=AVC msg=audit(1575989024.475:145): avc:  denied  { sendto } for  pid=981 comm="hostapd" path="/tmp/wpa_ctrl_1092-1" scontext=system_u:system_r:hostapd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0

Using audit2allow suggested the following three policies:

module hapd1 1.0;
require {
        type hostapd_t;
        class capability dac_override;
}
#============= hostapd_t ==============
allow hostapd_t self:capability dac_override;


module hapd2 1.0;
require {
        type hostapd_t;
        type user_tmp_t;
        class sock_file write;
}
#============= hostapd_t ==============
allow hostapd_t user_tmp_t:sock_file write;

module hapd3 1.0;
require {
        type hostapd_t;
        type unconfined_t;
        class unix_dgram_socket sendto;
}
#============= hostapd_t ==============
allow hostapd_t unconfined_t:unix_dgram_socket sendto;

After installing these three policies hostapd_cli functioned successfully.

(With only the "write" and "sendto" installed and without the "dac_override" hostapd_cli worked if run from root or sudo but not from a regular usercode belonging to the ctrl_interface_group defined in hostapd.conf).
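
The mapping from the three AVC records above to the three allow rules, as an added example (not part of the original report and not audit2allow's own code). The function names are illustrative, and treating an equal source and target type as "self" is a simplification assumed here.

```python
import re
from collections import defaultdict

# The three AVC records quoted in the report, copied verbatim.
AVC_LINES = [
    'type=AVC msg=audit(1575967994.090:235): avc:  denied  { dac_override } for  pid=982 comm="hostapd" capability=1  scontext=system_u:system_r:hostapd_t:s0 tcontext=system_u:system_r:hostapd_t:s0 tclass=capability permissive=0',
    'type=AVC msg=audit(1575971326.248:522): avc:  denied  { write } for  pid=982 comm="hostapd" name="wpa_ctrl_2266-2" dev="mmcblk0p3" ino=20589 scontext=system_u:system_r:hostapd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=sock_file permissive=0',
    'type=AVC msg=audit(1575989024.475:145): avc:  denied  { sendto } for  pid=981 comm="hostapd" path="/tmp/wpa_ctrl_1092-1" scontext=system_u:system_r:hostapd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0',
]

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def context_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]

def parse_avc(line):
    """Parse one denied AVC record into a dict, or return None if it is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    source = context_type(m["scontext"])
    target = context_type(m["tcontext"])
    return {
        "source": source,
        # Assumption: equal source and target type is written as "self".
        "target": "self" if target == source else target,
        "tclass": m["tclass"],
        "perms": m["perms"].split(),
    }

def allow_rules(lines):
    """Merge denials per (source, target, class) and emit one allow rule each."""
    merged = defaultdict(set)
    for rec in filter(None, map(parse_avc, lines)):
        merged[(rec["source"], rec["target"], rec["tclass"])].update(rec["perms"])
    rules = []
    for (source, target, tclass), perms in merged.items():
        perm_text = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_text = "{ " + perm_text + " }"
        rules.append(f"allow {source} {target}:{tclass} {perm_text};")
    return rules

if __name__ == "__main__":
    print("\n".join(allow_rules(AVC_LINES)))
```

The target types in the second and third rules are user_tmp_t and unconfined_t because the client socket was created under /tmp by an unconfined user.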

Comment 1 Göran Uddeborg 2019-12-23 22:34:53 UTC
Checking an "strace", it seems hostapd_cli creates a socket which it binds to /tmp/wpa_ctrl_<pid>-1 and then connects to hostapd's socket /var/run/hostapd/<interface>.  The client can send a message to the server, but the server cannot return the reply.

hostapd_cli:
2335848 socket(AF_LOCAL, SOCK_DGRAM, 0) = 3
2335848 getpid()                        = 2335848
2335848 bind(3, {sa_family=AF_LOCAL, sun_path="/tmp/wpa_ctrl_2335848-1"}, 110) = 0
2335848 connect(3, {sa_family=AF_LOCAL, sun_path="/var/run/hostapd/wlo1"}, 110) = 0
2335848 fcntl(3, F_GETFL)               = 0x2 (flags O_RDWR)
2335848 fcntl(3, F_SETFL, O_RDWR|O_NONBLOCK) = 0
2335848 sendto(3, "ATTACH", 6, 0, NULL, 0) = 6
2335848 select(4, [3], NULL, NULL, {10, 0}) = 0 (Timeout)
2335848 write(1, "Warning: Failed to attach to hos"..., 38) = 38

hostapd:
2287864 select(16, [4 6 8 9 10 11 12 13 14 15], [], [], {6, 40357}) = 1 (in [13], left {0, 977347})
2287864 recvfrom(13, "ATTACH", 4095, 0, {sa_family=AF_LOCAL, sun_path="/tmp/wpa_ctrl_2335848-1"}, [26]) = 6
2287864 sendto(13, "OK\n", 3, 0, {sa_family=AF_LOCAL, sun_path="/tmp/wpa_ctrl_2335848-1"}, 26) = -1 EACCES (Permission denied)
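
The exchange in the strace above, replayed with two datagram sockets as an added example (not part of the comment and not hostapd code). The paths are constructed stand-ins inside a temporary directory, and attach_exchange is an illustrative name. The server's reply is a sendto() to the path the client bound, which is the operation the `sock_file write` and `unix_dgram_socket sendto` denials in the report apply to.

```python
import os
import socket
import tempfile

def attach_exchange(bind_client=True):
    """Replay the ATTACH exchange; return (reply address basename, reply bytes)."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed stand-ins for /var/run/hostapd/<interface>
        # and /tmp/wpa_ctrl_<pid>-1.
        server_path = os.path.join(tmp, "wlan0")
        client_path = os.path.join(tmp, "wpa_ctrl_%d-1" % os.getpid())
        server = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
        client = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
        try:
            server.bind(server_path)
            if bind_client:
                # Creates the socket file that the server later has to write to.
                client.bind(client_path)
            client.connect(server_path)
            client.send(b"ATTACH")
            request, reply_addr = server.recvfrom(4095)
            if request != b"ATTACH":
                raise RuntimeError("unexpected request %r" % request)
            if not reply_addr:
                # An unbound datagram client has no address to reply to.
                return None, None
            # Server side of the strace: this sendto() is the call that
            # returned EACCES when SELinux denied it.
            server.sendto(b"OK\n", reply_addr)
            client.settimeout(1.0)
            return os.path.basename(reply_addr), client.recv(4095)
        finally:
            server.close()
            client.close()

if __name__ == "__main__":
    print(attach_exchange())
    print(attach_exchange(bind_client=False))
```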

Comment 2 Fedora Admin XMLRPC Client 2020-01-23 16:23:57 UTC
This package has changed maintainer in Fedora.
Reassigning to the new maintainer of this component.

Comment 3 Ben Cotton 2020-11-03 17:24:21 UTC
This message is a reminder that Fedora 31 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora 31 on 2020-11-24.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
Fedora 'version' of '31'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 31 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged to change the 'version' to a later Fedora
version before this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 4 listsp-bz 2020-11-06 05:37:26 UTC
I have verified the problem still exists in Fedora 33.

Comment 5 Ben Cotton 2021-11-04 17:22:26 UTC
This message is a reminder that Fedora 33 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora 33 on 2021-11-30.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
Fedora 'version' of '33'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 33 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged to change the 'version' to a later Fedora
version before this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 6 Göran Uddeborg 2021-11-22 14:38:22 UTC
Hostapd_cli still doesn't work in F35. I was able to remove the dac_override allow rule from my local policy module; it appears to be allowed now. But the other two rules still need to be there for hostapd_cli to work.

selinux-policy-targeted-35.5-1.fc35.noarch

Comment 7 Nikola Knazekova 2022-01-12 14:05:08 UTC

*** This bug has been marked as a duplicate of bug 2032277 ***

