Bug 243509 - SELinux is preventing /sbin/dhclient (dhcpc_t) "read write" to socket:[19896] (unconfined_t).
Summary: SELinux is preventing /sbin/dhclient (dhcpc_t) "read write" to socket:[198...
Alias: None
Product: Fedora
Classification: Fedora
Component: wlassistant   
(Show other bugs)
Version: 7
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Tom "spot" Callaway
QA Contact: Fedora Extras Quality Assurance
Depends On:
TreeView+ depends on / blocked
Reported: 2007-06-09 09:58 UTC by Martin Jürgens
Modified: 2008-08-02 23:40 UTC (History)
1 user (show)

Fixed In Version: 0.5.7-3.fc7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2007-08-02 03:41:38 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
selinux log (2.10 KB, text/plain)
2007-06-09 09:58 UTC, Martin Jürgens
no flags Details

Description Martin Jürgens 2007-06-09 09:58:57 UTC
Description of problem:
When connecting to a unencrypted wireless network with wlassistant, I get a
SELINUX altert.

Version-Release number of selected component (if applicable):

How reproducible:
Every time

Steps to Reproduce:
1. Open wlassistant
2. Connect to unencrypted network
Actual results:
Selinux warning pops up

Expected results:
Nothing should happen

Additional info:
See attached file

Comment 1 Martin Jürgens 2007-06-09 09:58:58 UTC
Created attachment 156638 [details]
selinux log

Comment 4 Daniel Walsh 2007-07-10 13:57:36 UTC
What is wlassistant?  Is this something started in the user session that the
dhclient then communicates with?

Comment 5 Martin Jürgens 2007-07-13 14:21:46 UTC
Wlassistant is a tool to connection to wireless networks. It is available in the
Fedora 7 archive.

Comment 6 Daniel Walsh 2007-07-14 12:34:25 UTC
This looks like a leaked file descriptor.  When wlassistant opens a
unix_stream_socket connection it is not setting the FD_CLOSEXEC flag on the file
descriptor.  Then when it execs ifup, dhclient tries to look at the access
available on all file descriptors handed to it, and generates these AVC messages.  

These messages can be safely ignored.  But wlassistant should be fixed.

Comment 7 Tom "spot" Callaway 2007-07-22 22:52:10 UTC
Dan, I'm looking at the wlassistant code, and the only place I can see it
opening a socket is a few calls like this:

int iw_socket;
iw_socket = iw_sockets_open();//get kernel socket

Would the appropriate fix be to add (beneath the iw_sockets_open call):

int flags;
flags = fcntl(iw_socket, F_GETFD);
if (flags == -1)
   return 0;
flags |= FD_CLOEXEC;
if (fcntl(iw_socket, F_SETFD, flags) == -1)
   return 0;

If not, please point me to some sample code. Thanks.

Comment 8 Daniel Walsh 2007-07-23 14:07:49 UTC
Yes that looks correct.

Comment 9 Tom "spot" Callaway 2007-07-24 15:31:01 UTC
wlassistant-0.5.7-3.fc7 should be pushing to testing very soon now. Could the
original reporter please update and see if the SELinux alerts go away?

Comment 10 Fedora Update System 2007-07-25 05:10:09 UTC
wlassistant-0.5.7-3.fc7 has been pushed to the Fedora 7 testing repository.  If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2007-08-02 03:41:31 UTC
wlassistant-0.5.7-3.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.