Bug 251858 - SELinux is preventing /usr/sbin/wpa_supplicant (NetworkManager_t) "chown" to <Unknown> (NetworkManager_t)
SELinux is preventing /usr/sbin/wpa_supplicant (NetworkManager_t) "chown" to ...
Status: CLOSED WONTFIX
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
7
i386 Linux
low Severity medium
: ---
: ---
Assigned To: Daniel Walsh
Ben Levenson
:
: 253567 (view as bug list)
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-08-12 15:57 EDT by Dean Mander
Modified: 2008-06-16 22:09 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-06-16 22:09:01 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
selinux error (2.09 KB, text/plain)
2007-08-12 15:58 EDT, Dean Mander
no flags Details
wpa_supplicant config file (155 bytes, application/octet-stream)
2007-08-12 15:59 EDT, Dean Mander
no flags Details

  None (edit)
Description Dean Mander 2007-08-12 15:57:27 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.5) Gecko/20070718 Fedora/2.0.0.5-1.fc7 Firefox/2.0.0.5

Description of problem:
at initlevel 3, wpa_supplicant crashes with segmentation fault due to above error.

It can be started manually by running service wpa_supplicant start without problem (but at initlevel5 )

sealert description added as attachment.

Version-Release number of selected component (if applicable):
selinux-policy-targeted  noarch     2.6.4-30.fc7
wpa_supplicant          i386       1:0.5.7-3.fc7
(NetworkManager          i386       1:0.6.5-7.fc7)

How reproducible:
Always


Steps to Reproduce:
1. start wpa_supplicant at runlevel 3
2.
3.

Actual Results:


Expected Results:


Additional info:
Comment 1 Dean Mander 2007-08-12 15:58:38 EDT
Created attachment 161143 [details]
selinux error
Comment 2 Dean Mander 2007-08-12 15:59:23 EDT
Created attachment 161144 [details]
wpa_supplicant config file
Comment 3 Daniel Walsh 2007-08-13 07:01:47 EDT
YOu can add this rule using audit2allow

grep NetworkManager /var/log/audit/audit.log | audit2allow -M mynetworkmanager
semodule -i mynetworkmanager.pp

I will add it to the next update
selinux-policy-2.6.4-36
Comment 4 Jim Radford 2007-08-20 13:10:13 EDT
*** Bug 253567 has been marked as a duplicate of this bug. ***
Comment 5 Jim Radford 2007-08-20 13:11:07 EDT
> I will add it to the next update
> selinux-policy-2.6.4-36

This is not fixed for me using: selinux-policy-2.6.4-38.fc7.
Comment 6 Jim Radford 2007-08-20 13:12:39 EDT
> > I will add it to the next update
> > selinux-policy-2.6.4-36

> This is not fixed for me using: selinux-policy-2.6.4-38.fc7.

  avc: denied { chown } for comm="wpa_supplicant" egid=0 euid=0
exe="/usr/sbin/wpa_supplicant" exit=-1 fsgid=0 fsuid=0 gid=0 items=0 pid=18557
scontext=user_u:system_r:NetworkManager_t:s0 sgid=0
subj=user_u:system_r:NetworkManager_t:s0 suid=0 tclass=capability
tcontext=user_u:system_r:NetworkManager_t:s0 tty=(none) uid=0 
Comment 7 Daniel Walsh 2007-08-20 14:51:59 EDT
That is strange because that rule is in the 38 policy.

If you 

grep chown /var/log/audit/audit.log | audit2why

What does it say?

Comment 8 Jim Radford 2007-08-20 16:41:37 EDT
(In reply to comment #7)
> grep chown /var/log/audit/audit.log | audit2why

> What does it say?

My mistake.  After upgrading I no longer get that message anymore.  Still it
doesn't work, and I get these:


type=AVC msg=audit(1187642119.572:111): avc:  denied  { search } for  pid=5293
comm="wpa_supplicant" name="tmp" dev=sda4 ino=22478849
scontext=user_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:tmp_t:s0
tclass=dir
        Was caused by:
                Unknown - would be allowed by active policy
                Possible mismatch between this policy and the one under which
the audit message was generated.
                Possible mismatch between current in-memory boolean settings vs.
permanent ones.

type=AVC msg=audit(1187642247.376:131): avc:  denied  { sendto } for  pid=5396
comm="wpa_supplicant" name="wpa_ctrl_5398-4"
scontext=user_u:system_r:NetworkManager_t:s0
tcontext=user_u:system_r:unconfined_t:s0 tclass=unix_dgram_socket
        Was caused by:
                Unknown - would be allowed by active policy
                Possible mismatch between this policy and the one under which
the audit message was generated.
                Possible mismatch between current in-memory boolean settings vs.
permanent ones.


Comment 9 Jim Radford 2007-08-20 16:44:34 EDT
I am finally able to use wpa_cli / wpa_supplicant after installing these rules
on top of selinux-policy-2.6.4-38.fc7.

  allow NetworkManager_t tmp_t:dir search;
  allow NetworkManager_t tmp_t:sock_file write;
  allow NetworkManager_t unconfined_t:unix_dgram_socket sendto;
Comment 10 Jim Radford 2007-08-20 16:46:24 EDT
(In reply to comment #8)
> (In reply to comment #7)
> > grep chown /var/log/audit/audit.log | audit2why
> 
> > What does it say?
> 
> My mistake.  After upgrading I no longer get that message anymore.  Still it
> doesn't work, and I get these:

and this:

type=AVC msg=audit(1187641614.592:65): avc:  denied  { write } for  pid=4849
comm="wpa_supplicant" name="wpa_ctrl_4851-20" dev=sda4 ino=22478976
scontext=user_u:system_r:NetworkManager_t:s0 tcontext=user_u:object_r:tmp_t:s0
tclass=sock_file
        Was caused by:
                Unknown - would be allowed by active policy
                Possible mismatch between this policy and the one under which
the audit message was generated.
                Possible mismatch between current in-memory boolean settings vs.
permanent ones.
Comment 11 Daniel Walsh 2007-08-20 17:16:07 EDT
If you setenforce 0 does network manager work?  If not then this is not an
SELinux problem.
Comment 12 Daniel Walsh 2007-08-20 17:17:46 EDT
Never mind the previus response.
Comment 13 Daniel Walsh 2007-08-20 17:21:51 EDT
I am finally able to use wpa_cli / wpa_supplicant after installing these rules
on top of selinux-policy-2.6.4-38.fc7.

  allow NetworkManager_t tmp_t:dir search;
  allow NetworkManager_t tmp_t:sock_file write;
  allow NetworkManager_t unconfined_t:unix_dgram_socket sendto;

Who/what is creating this sock_file? I don't know how wpa_supplicant works, but
if wpa_supplicant communicates with wpa_cli over a socket created in /tmp.  then
this is probably not a good idea.  They should be doing this via
/var/run/NetworkManager.
Comment 14 Jim Radford 2007-08-21 11:13:50 EDT
(In reply to comment #13)
> Who/what is creating this sock_file? I don't know how wpa_supplicant works, but
> if wpa_supplicant communicates with wpa_cli over a socket created in /tmp.

Yes, wpa_gui and wpa_cli talk to the wpa_supplicant daemon over a unix domain
socket created in /tmp.

> then this is probably not a good idea.

For whom?   Security wise?

> They should be doing this via /var/run/NetworkManager.

I'm not sure what you mean by "via" here.   Do you mean the socket should be
created in that directory?  Or that wpa_supplicant should be using some service
provided by NetworkManager?
Comment 15 Daniel Walsh 2007-08-21 13:03:22 EDT
Yes security wise, Apps running as root or with privs communicating on /tmp,
have been susceptible to mischief.

This also prevents tools like pam_namespace from working.  I just blogged on
this http://danwalsh.livejournal.com/11467.html

Yes if a daemon wants to communicate with userspace, they should open a socket
in /var/run/DAEMON and have DAC permissions that would allow the user to rw the
sock_file.  

I talked to Dan Williams on this and he told me Network Manager is moving
towards using dbus, which is the best solution.
Comment 16 Jim Radford 2007-08-21 14:04:58 EDT
(In reply to comment #15)
> Yes security wise, Apps running as root or with privs communicating on /tmp,
> have been susceptible to mischief.
> 
> This also prevents tools like pam_namespace from working.  I just blogged on
> this http://danwalsh.livejournal.com/11467.html
> 
> Yes if a daemon wants to communicate with userspace, they should open a socket
> in /var/run/DAEMON and have DAC permissions that would allow the user to rw the
> sock_file.  

The daemon creates sockets like the following:

  /var/run/wpa_supplicant/wlan0

then users in a group spelled out in the config file can run wpa_cli/wpa_gui
which then bind to a socket /tmp/wpa_gui-$$-$n and connect to the one in /var/run.

How *specifically* is this unsafe?
Comment 17 Daniel Walsh 2007-08-21 17:26:41 EDT
I am not saying it is unsafe, I am saying that things like this in the past have
been unsafe.  Who is creating the socket?  Does this would in a pam_namespace
environment?  Why are we using multiple methods to communicate with Network
Manager applications?  DBUS Communications is currently allowed.  Now I need to
allow unix domain communications between NetworkManager and any unconfined socket.
Comment 18 Bug Zapper 2008-05-14 09:57:40 EDT
This message is a reminder that Fedora 7 is nearing the end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 7. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '7'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 7's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 7 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora please change the 'version' of this bug. If you are unable to change the version, please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. If possible, it is recommended that you try the newest available Fedora distribution to see if your bug still exists.

Please read the Release Notes for the newest Fedora distribution to make sure it will meet your needs:
http://docs.fedoraproject.org/release-notes/

The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 19 Bug Zapper 2008-06-16 22:08:59 EDT
Fedora 7 changed to end-of-life (EOL) status on June 13, 2008. 
Fedora 7 is no longer maintained, which means that it will not 
receive any further security or bug fix updates. As a result we 
are closing this bug. 

If you can reproduce this bug against a currently maintained version 
of Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.

Note You need to log in before you can comment on or make changes to this bug.