Red Hat Bugzilla – Bug 243509
SELinux is preventing /sbin/dhclient (dhcpc_t) "read write" to socket: (unconfined_t).
Last modified: 2008-08-02 19:40:34 EDT
Description of problem:
When connecting to a unencrypted wireless network with wlassistant, I get a
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Open wlassistant
2. Connect to unencrypted network
Selinux warning pops up
Nothing should happen
See attached file
Created attachment 156638 [details]
What is wlassistant? Is this something started in the user session that the
dhclient then communicates with?
Wlassistant is a tool to connection to wireless networks. It is available in the
Fedora 7 archive.
This looks like a leaked file descriptor. When wlassistant opens a
unix_stream_socket connection it is not setting the FD_CLOSEXEC flag on the file
descriptor. Then when it execs ifup, dhclient tries to look at the access
available on all file descriptors handed to it, and generates these AVC messages.
These messages can be safely ignored. But wlassistant should be fixed.
Dan, I'm looking at the wlassistant code, and the only place I can see it
opening a socket is a few calls like this:
iw_socket = iw_sockets_open();//get kernel socket
Would the appropriate fix be to add (beneath the iw_sockets_open call):
flags = fcntl(iw_socket, F_GETFD);
if (flags == -1)
flags |= FD_CLOEXEC;
if (fcntl(iw_socket, F_SETFD, flags) == -1)
If not, please point me to some sample code. Thanks.
Yes that looks correct.
wlassistant-0.5.7-3.fc7 should be pushing to testing very soon now. Could the
original reporter please update and see if the SELinux alerts go away?
wlassistant-0.5.7-3.fc7 has been pushed to the Fedora 7 testing repository. If problems still persist, please make note of it in this bug report.
wlassistant-0.5.7-3.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.