Description of problem:
Executed command 'hostapd_cli all_sta'.

SELinux is preventing hostapd from 'sendto' accesses on the unix_dgram_socket /tmp/wpa_ctrl_439937-1.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that hostapd should be allowed sendto access on the wpa_ctrl_439937-1 unix_dgram_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'hostapd' --raw | audit2allow -M my-hostapd
# semodule -X 300 -i my-hostapd.pp

Additional Information:
Source Context                system_u:system_r:hostapd_t:s0
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Objects                /tmp/wpa_ctrl_439937-1 [ unix_dgram_socket ]
Source                        hostapd
Source Path                   hostapd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-35.5-1.fc35.noarch
Local Policy RPM              selinux-policy-targeted-35.5-1.fc35.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 5.15.6-200.fc35.x86_64 #1 SMP Wed Dec 1 13:41:10 UTC 2021 x86_64 x86_64
Alert Count                   10
First Seen                    2021-12-10 00:00:01 CET
Last Seen                     2021-12-14 11:06:40 CET
Local ID                      52759378-64c4-47c1-a980-df71d7e0b2ee

Raw Audit Messages
type=AVC msg=audit(1639476400.549:88046): avc: denied { sendto } for pid=1231 comm="hostapd" path="/tmp/wpa_ctrl_439937-1" scontext=system_u:system_r:hostapd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=1

Hash: hostapd,hostapd_t,unconfined_t,unix_dgram_socket,sendto

Version-Release number of selected component:
selinux-policy-targeted-35.5-1.fc35.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.15.2
hashmarkername: setroubleshoot
kernel:         5.15.6-200.fc35.x86_64
type:           libreport
The following SELinux denial appeared in enforcing mode:

----
type=PROCTITLE msg=audit(01/12/2022 08:56:38.224:553) : proctitle=/usr/sbin/hostapd /etc/hostapd/hostapd.conf -P /run/hostapd.pid -B
type=PATH msg=audit(01/12/2022 08:56:38.224:553) : item=0 name=/tmp/wpa_ctrl_7902-1 inode=87 dev=00:24 mode=socket,755 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(01/12/2022 08:56:38.224:553) : cwd=/
type=SOCKADDR msg=audit(01/12/2022 08:56:38.224:553) : saddr={ saddr_fam=local path=/tmp/wpa_ctrl_7902-1 }
type=SYSCALL msg=audit(01/12/2022 08:56:38.224:553) : arch=x86_64 syscall=sendto success=no exit=EACCES(Permission denied) a0=0xd a1=0x229f260 a2=0x0 a3=0x0 items=1 ppid=1 pid=7753 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=hostapd exe=/usr/sbin/hostapd subj=system_u:system_r:hostapd_t:s0 key=(null)
type=AVC msg=audit(01/12/2022 08:56:38.224:553) : avc: denied { write } for pid=7753 comm=hostapd name=wpa_ctrl_7902-1 dev="tmpfs" ino=87 scontext=system_u:system_r:hostapd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=sock_file permissive=0
----
The following SELinux denials appeared in permissive mode:

----
type=PROCTITLE msg=audit(01/12/2022 08:59:50.604:563) : proctitle=/usr/sbin/hostapd /etc/hostapd/hostapd.conf -P /run/hostapd.pid -B
type=PATH msg=audit(01/12/2022 08:59:50.604:563) : item=0 name=/tmp/wpa_ctrl_10619-1 inode=96 dev=00:24 mode=socket,755 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(01/12/2022 08:59:50.604:563) : cwd=/
type=SOCKADDR msg=audit(01/12/2022 08:59:50.604:563) : saddr={ saddr_fam=local path=/tmp/wpa_ctrl_10619-1 }
type=SYSCALL msg=audit(01/12/2022 08:59:50.604:563) : arch=x86_64 syscall=sendto success=yes exit=0 a0=0xd a1=0x715260 a2=0x0 a3=0x0 items=1 ppid=1 pid=10470 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=hostapd exe=/usr/sbin/hostapd subj=system_u:system_r:hostapd_t:s0 key=(null)
type=AVC msg=audit(01/12/2022 08:59:50.604:563) : avc: denied { sendto } for pid=10470 comm=hostapd path=/tmp/wpa_ctrl_10619-1 scontext=system_u:system_r:hostapd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=1
type=AVC msg=audit(01/12/2022 08:59:50.604:563) : avc: denied { write } for pid=10470 comm=hostapd name=wpa_ctrl_10619-1 dev="tmpfs" ino=96 scontext=system_u:system_r:hostapd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=sock_file permissive=1
----
*** Bug 2021107 has been marked as a duplicate of this bug. ***
*** Bug 1784253 has been marked as a duplicate of this bug. ***
I've submitted a Fedora PR to address the issue: https://github.com/fedora-selinux/selinux-policy/pull/1027
FEDORA-2022-20f36a8b0e has been submitted as an update to Fedora 35. https://bodhi.fedoraproject.org/updates/FEDORA-2022-20f36a8b0e
FEDORA-2022-20f36a8b0e has been pushed to the Fedora 35 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2022-20f36a8b0e`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-20f36a8b0e

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2022-20f36a8b0e has been pushed to the Fedora 35 stable repository.
If the problem still persists, please make note of it in this bug report.
On Fedora 38, this issue (and a second, similar one) is appearing in my environment:

"SELinux is preventing hostapd from write access on the sock_file wpa_ctrl_1004-1."
"SELinux is preventing hostapd from sendto access on the unix_dgram_socket /tmp/wpa_ctrl_1468-1."

Red Hat publishes a guide for configuring IEEE 802.1X network access control using FreeRADIUS and hostapd:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_and_managing_networking/assembly_setting-up-an-802-1x-network-authentication-service-for-lan-clients-using-hostapd-with-freeradius-backend_configuring-and-managing-networking

Following this guide, I set up a systemd service that invokes hostapd_cli to drive nftables configuration based on authentication events. Testing by hand at the command prompt, the commands involved worked. But once they were being driven by the systemd service, they stopped working. I found notes in the syslog about SELinux blocking hostapd's access to certain resources. Applying the workaround contained therein was effective (though it was needed twice, to account for two different SELinux restrictions on hostapd), but as suggested by the same text, it seems like a bug that the out-of-box hostapd service can't deliver events to the CLI per Red Hat's documented setup guide.

[root@AuthServer ~]# sealert -l 70860418-d097-4652-b2ac-66a6ad1b7c73
SELinux is preventing hostapd from write access on the sock_file wpa_ctrl_1004-1.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that hostapd should be allowed write access on the wpa_ctrl_1004-1 sock_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'hostapd' --raw | audit2allow -M my-hostapd
# semodule -X 300 -i my-hostapd.pp

Additional Information:
Source Context                system_u:system_r:hostapd_t:s0
Target Context                system_u:object_r:tmp_t:s0
Target Objects                wpa_ctrl_1004-1 [ sock_file ]
Source                        hostapd
Source Path                   hostapd
Port                          <Unknown>
Host                          AuthServer.local
Source RPM Packages
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-38.12-1.fc38.noarch
Local Policy RPM              selinux-policy-targeted-38.12-1.fc38.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     AuthServer.local
Platform                      Linux AuthServer.local 6.2.15-300.fc38.x86_64 #1 SMP PREEMPT_DYNAMIC Thu May 11 17:37:39 UTC 2023 x86_64
Alert Count                   221
First Seen                    2023-05-22 14:56:22 UTC
Last Seen                     2023-05-22 16:59:33 UTC
Local ID                      70860418-d097-4652-b2ac-66a6ad1b7c73

Raw Audit Messages
type=AVC msg=audit(1684774773.629:101): avc: denied { write } for pid=976 comm="hostapd" name="wpa_ctrl_1004-1" dev="tmpfs" ino=31 scontext=system_u:system_r:hostapd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file permissive=0

Hash: hostapd,hostapd_t,tmp_t,sock_file,write

======================================================================
Next-time-around error from syslog:
======================================================================

failed to retrieve rpm info for path '/tmp/wpa_ctrl_1468-1':
Started dbus-:1.3-org.fedoraproject.SetroubleshootPrivileged.
SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=dbus-:1.3-org.fedoraproject.SetroubleshootPrivileged@2 comm="systemd" exe="/usr/lib/syste>
SELinux is preventing hostapd from sendto access on the unix_dgram_socket /tmp/wpa_ctrl_1468-1. For complete SELinux messages run: sealert -l 07855075-7215-4b35-a32a-52e19d35634f
SELinux is preventing hostapd from sendto access on the unix_dgram_socket /tmp/wpa_ctrl_1468-1.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that hostapd should be allowed sendto access on the wpa_ctrl_1468-1 unix_dgram_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'hostapd' --raw | audit2allow -M my-hostapd
# semodule -X 300 -i my-hostapd.pp
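The denials quoted throughout this report (the unix_dgram_socket sendto denial from the original description and the Fedora 38 comment, and the sock_file write denial in both its user_tmp_t and tmp_t forms) all share one record format, and the suggested workaround pipes them through audit2allow. The Python below is an added example, not code from setroubleshoot, audit2allow or the selinux-policy project: it parses raw AVC records into their fields and derives the allow rules and the .te module skeleton that `audit2allow -M` would emit for them. The sample records are copied from the audit messages in this report; the module name my-hostapd comes from the suggested command line, and the function names (parse_avc, derive_allow_rules, render_te_module) are chosen here.

```python
"""Parse raw SELinux AVC denial records into the allow rules and the
type-enforcement (.te) module skeleton that `audit2allow -M` produces.

Added example for the hostapd denials in this report; not code from
setroubleshoot, audit2allow or selinux-policy. Function names are chosen
here; the module name "my-hostapd" is the one in the report's command.
"""
import re
from collections import defaultdict

# Constructed sample input: the AVC records quoted in this report, in both the
# epoch-timestamped raw form and the `ausearch -i` interpreted form, plus one
# SYSCALL record that the parser must skip.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1639476400.549:88046): avc:  denied  { sendto } for  pid=1231 comm="hostapd" path="/tmp/wpa_ctrl_439937-1" scontext=system_u:system_r:hostapd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=1
type=AVC msg=audit(01/12/2022 08:56:38.224:553) : avc:  denied  { write } for  pid=7753 comm=hostapd name=wpa_ctrl_7902-1 dev="tmpfs" ino=87 scontext=system_u:system_r:hostapd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=sock_file permissive=0
type=SYSCALL msg=audit(01/12/2022 08:56:38.224:553) : arch=x86_64 syscall=sendto success=no exit=EACCES(Permission denied) a0=0xd a1=0x229f260 a2=0x0 a3=0x0 items=1 ppid=1 pid=7753 comm=hostapd exe=/usr/sbin/hostapd subj=system_u:system_r:hostapd_t:s0 key=(null)
type=AVC msg=audit(1684774773.629:101): avc:  denied  { write } for  pid=976 comm="hostapd" name="wpa_ctrl_1004-1" dev="tmpfs" ino=31 scontext=system_u:system_r:hostapd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file permissive=0
"""

# The permission set sits in braces right after "denied"; everything else in
# the record is key=value, with values either bare or double-quoted.
_PERMS_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}")
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def selinux_type(context):
    """Third field of a security context: user:role:TYPE:level."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one audit line; return a dict for AVC denials, None otherwise."""
    perms = _PERMS_RE.search(line)
    if not line.startswith("type=AVC") or perms is None:
        return None
    fields = {k: v.strip('"') for k, v in _KV_RE.findall(line)}
    return {
        "perms": perms.group(1).split(),
        "stype": selinux_type(fields["scontext"]),
        "ttype": selinux_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        "comm": fields.get("comm"),
        # permissive=1 means the access was only logged, not blocked
        "enforced": fields.get("permissive") == "0",
    }


def _perm_set(perms):
    """Render permissions in policy syntax: `write` or `{ read write }`."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def derive_allow_rules(audit_text):
    """Collapse denials into one allow rule per (source, target, class),
    as audit2allow does, and return the rules sorted."""
    perms_by_key = defaultdict(set)
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec:
            key = (rec["stype"], rec["ttype"], rec["tclass"])
            perms_by_key[key].update(rec["perms"])
    return [
        f"allow {stype} {ttype}:{tclass} {_perm_set(perms)};"
        for (stype, ttype, tclass), perms in sorted(perms_by_key.items())
    ]


def render_te_module(audit_text, name="my-hostapd"):
    """Render .te source in the layout `audit2allow -M <name>` writes."""
    types, class_perms = set(), defaultdict(set)
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec:
            types.update((rec["stype"], rec["ttype"]))
            class_perms[rec["tclass"]].update(rec["perms"])
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in sorted(types)]
    out += [f"\tclass {c} {_perm_set(p)};" for c, p in sorted(class_perms.items())]
    out += ["}", ""]
    out += derive_allow_rules(audit_text)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(render_te_module(SAMPLE_AUDIT_LOG))
```

Running the script prints a module with three rules. Note what the derived rules say: the sendto rule targets unconfined_t, the domain of whatever interactive shell created the hostapd_cli control socket, so a local module built this way lets hostapd_t send to any unconfined process's datagram socket, not just hostapd_cli's; and the two sock_file rules differ only in the target type (user_tmp_t in the January 2022 records, tmp_t in the Fedora 38 report), consistent with the control socket being created from a login shell in one case and from a systemd unit in the other. Rules this coarse are why the setroubleshoot text itself treats the local module as a stopgap and asks for the denial to be reported upstream, which is what the fedora-selinux PR linked above did.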