Bug 292961 - SELinux errors for NetworkManager and wpa_supplicant while trying to connect to wireless network
SELinux errors for NetworkManager and wpa_supplicant while trying to connect ...
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted (Show other bugs)
i686 Linux
medium Severity medium
: ---
: ---
Assigned To: Daniel Walsh
Ben Levenson
Depends On:
  Show dependency treegraph
Reported: 2007-09-17 05:54 EDT by David Hislop
Modified: 2008-01-30 14:06 EST (History)
0 users

See Also:
Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2008-01-30 14:06:09 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description David Hislop 2007-09-17 05:54:30 EDT
Description of problem:
I get the following SELinux errors for NetworkManager and wpa_supplicant while
trying to connect to a wireless network with WPA2.
SELinux is preventing /usr/sbin/NetworkManager (NetworkManager_t) "unlink"
 to eth1 (var_run_t).
SELinux is preventing /usr/sbin/wpa_supplicant (NetworkManager_t) "write" to
 eth1 (var_run_t)

Stopped them occurring with:
grep NetworkManager /var/log/audit/audit.log | audit2allow -v -M \
grep wpa_supplicant /var/log/audit/audit.log | audit2allow -v -M mywpasupplicant
semodule -i mynetworkmanager.pp
semodule -i mywpasupplicant.pp

The attempt failed (that's a different problem :-( ) and another SELinux error:
SELinux is preventing /usr/sbin/wpa_supplicant (NetworkManager_t) "rmdir" to
 wpa_supplicant (var_run_t)

Fixed this with:
grep wpa_supplicant /var/log/audit/audit.log | audit2allow -v -M mywpasupplicant2
semodule -i mywpasupplicant2.pp

Do these need to be added to the standard distro or is it a problem peculiar to
my environment?

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
Actual results:

Expected results:

Additional info:
Comment 1 Daniel Walsh 2007-09-18 13:17:27 EDT
This has been fixed with the latest policy selinux-policy-2.6.4-42

You might need to relabel /var/run

restorecon -R -v /var/run
Comment 2 David Hislop 2007-09-18 18:31:17 EDT
Thanks for your help.

From where do I get selinux-policy-2.6.4-42? I can find only up to selinux-
policy-2.6.4-35 in ..../updates/testing/7/i386.

After installing it and running restorecon, will I need to reverse the changes 
I made with semodule, or will the update remove them?
Comment 3 Daniel Walsh 2007-09-22 07:56:29 EDT
Should be out there now.  It was just released.

It will add those rules, but not remove yours

You can execute 
semodule -r mynetworkmanager
semodule -r mywpasupplicant

to remove  your rules.
Comment 4 David Hislop 2007-09-23 00:17:14 EDT
Thanks, I've just received the update.
Comment 5 Daniel Walsh 2008-01-30 14:06:09 EST
Bulk closing a old selinux policy bugs that were in the modified state.  If the
bug is still not fixed.  Please reopen.

Note You need to log in before you can comment on or make changes to this bug.