Bug 243509 - SELinux is preventing /sbin/dhclient (dhcpc_t) "read write" to socket:[19896] (unconfined_t).
SELinux is preventing /sbin/dhclient (dhcpc_t) "read write" to socket:[198...
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: wlassistant (Show other bugs)
7
All Linux
low Severity low
: ---
: ---
Assigned To: Tom "spot" Callaway
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-06-09 05:58 EDT by Martin Jürgens
Modified: 2008-08-02 19:40 EDT (History)
1 user (show)

See Also:
Fixed In Version: 0.5.7-3.fc7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-08-01 23:41:38 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
selinux log (2.10 KB, text/plain)
2007-06-09 05:58 EDT, Martin Jürgens
no flags Details

  None (edit)
Description Martin Jürgens 2007-06-09 05:58:57 EDT
Description of problem:
When connecting to a unencrypted wireless network with wlassistant, I get a
SELINUX altert.

Version-Release number of selected component (if applicable):


How reproducible:
Every time

Steps to Reproduce:
1. Open wlassistant
2. Connect to unencrypted network
3.
  
Actual results:
Selinux warning pops up

Expected results:
Nothing should happen

Additional info:
See attached file
Comment 1 Martin Jürgens 2007-06-09 05:58:58 EDT
Created attachment 156638 [details]
selinux log
Comment 4 Daniel Walsh 2007-07-10 09:57:36 EDT
What is wlassistant?  Is this something started in the user session that the
dhclient then communicates with?
Comment 5 Martin Jürgens 2007-07-13 10:21:46 EDT
Wlassistant is a tool to connection to wireless networks. It is available in the
Fedora 7 archive.
Comment 6 Daniel Walsh 2007-07-14 08:34:25 EDT
This looks like a leaked file descriptor.  When wlassistant opens a
unix_stream_socket connection it is not setting the FD_CLOSEXEC flag on the file
descriptor.  Then when it execs ifup, dhclient tries to look at the access
available on all file descriptors handed to it, and generates these AVC messages.  

These messages can be safely ignored.  But wlassistant should be fixed.
Comment 7 Tom "spot" Callaway 2007-07-22 18:52:10 EDT
Dan, I'm looking at the wlassistant code, and the only place I can see it
opening a socket is a few calls like this:

int iw_socket;
iw_socket = iw_sockets_open();//get kernel socket

Would the appropriate fix be to add (beneath the iw_sockets_open call):

int flags;
flags = fcntl(iw_socket, F_GETFD);
if (flags == -1)
   return 0;
flags |= FD_CLOEXEC;
if (fcntl(iw_socket, F_SETFD, flags) == -1)
   return 0;

If not, please point me to some sample code. Thanks.
Comment 8 Daniel Walsh 2007-07-23 10:07:49 EDT
Yes that looks correct.
Comment 9 Tom "spot" Callaway 2007-07-24 11:31:01 EDT
wlassistant-0.5.7-3.fc7 should be pushing to testing very soon now. Could the
original reporter please update and see if the SELinux alerts go away?
Comment 10 Fedora Update System 2007-07-25 01:10:09 EDT
wlassistant-0.5.7-3.fc7 has been pushed to the Fedora 7 testing repository.  If problems still persist, please make note of it in this bug report.
Comment 11 Fedora Update System 2007-08-01 23:41:31 EDT
wlassistant-0.5.7-3.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.