Description of problem:
Every time I enable/disable my wireless network hardware this SELinux message pops up.

Version-Release number of selected component (if applicable):
selinux-policy-3.0.8-56.fc8
NetworkManager-glib-0.7.0-0.5.svn3030.fc8
NetworkManager-0.7.0-0.5.svn3030.fc8
NetworkManager-gnome-0.7.0-0.5.svn3030.fc8
selinux-policy-devel-3.0.8-56.fc8
selinux-policy-targeted-3.0.8-56.fc8
net-tools-1.60-84.fc8
initscripts-8.60-1

How reproducible:
Always

Steps to Reproduce:
1. Enable/Disable WLAN interface
2.
3.

Actual results:
setroubleshoot output:

Summary
SELinux is preventing /sbin/ifconfig (ifconfig_t) "read write" to socket (apmd_t).

Detailed Description
SELinux denied access requested by /sbin/ifconfig. It is not expected that this access is required by /sbin/ifconfig and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access
You can generate a local policy module to allow this access - see FAQ. Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report against this package.

Additional Information
Source Context: system_u:system_r:ifconfig_t:s0
Target Context: system_u:system_r:apmd_t:s0-s0:c0.c1023
Target Objects: socket [ unix_stream_socket ]
Affected RPM Packages: net-tools-1.60-84.fc8 [application]
Policy RPM: selinux-policy-3.0.8-56.fc8
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Enforcing
Plugin Name: plugins.catchall
Host Name: [REMOVED]
Platform: Linux [REMOVED] 2.6.23.1-49.fc8 #1 SMP Thu Nov 8 21:41:26 EST 2007 i686 i686
Alert Count: 29
First Seen: Sat 17 Nov 2007 06:42:38 PM EET
Last Seen: Wed 21 Nov 2007 05:34:41 PM EET
Local ID: 531c1d3f-8df8-4e97-a37d-8500e3300074
Line Numbers:

Raw Audit Messages:
avc: denied { read write } for comm=ifconfig dev=sockfs egid=0 euid=0 exe=/sbin/ifconfig exit=0 fsgid=0 fsuid=0 gid=0 items=0 path=socket:[74658] pid=14691 scontext=system_u:system_r:ifconfig_t:s0 sgid=0 subj=system_u:system_r:ifconfig_t:s0 suid=0 tclass=unix_stream_socket context=system_u:system_r:apmd_t:s0-s0:c0.c1023 tty=(none) uid=0

Expected results:
No alert

Additional info:
This seems to be only a warning message. The function of the network interface seems not to be affected by it. I'm wondering about the "apmd_t". There is no APM BIOS on this system and therefore APM is disabled by the kernel:

$ dmesg | fgrep apm
apm: BIOS not found.
This looks like a leaked file descriptor in /usr/sbin/acpid. All open file descriptors should be closed on exec: fcntl(fd, F_SETFD, F_CLOEXEC)
Created attachment 267051 [details]
ACPI WLAN enable/disable event script

Ahh, that could explain it: on this system (Lenovo T60) I enable/disable WLAN with the RF kill switch that generates an ACPI event:

$ cat /etc/acpi/events/ibm-wireless.conf
# User has changed rfkill switch -> cycle device/driver
event=ibm/hotkey.HKEY.*.0007000
action=/home/stefanb/laptop/wlan/ibm-wireless.sh

Example log from /var/log/messages:

Nov 22 16:44:38 l3f1199 acpid: received event "ibm/hotkey HKEY 00000080 00007000"
Nov 22 16:44:38 l3f1199 acpid: notifying client 1865[68:68]
Nov 22 16:44:38 l3f1199 acpid: notifying client 2000[0:0]
Nov 22 16:44:38 l3f1199 acpid: executing action "/home/stefanb/laptop/wlan/ibm-wireless.sh"
Nov 22 16:44:41 l3f1199 acpid: action exited with status 0

I've attached the script, nothing fancy there. Maybe this SELinux warning is generated because ifconfig wants to print something to STDOUT/STDERR, which are owned by the parent acpid process?
Dan: does comment #2 shed some light on this? Does the script do something illegal?
Hello, I'm not sure, but I think that SELinux might assume that some intruder is trying to shut down the interface, because the script is executed with the wrong rights in the wrong context. Anyway, your script isn't part of an official package, so I won't create or append a module to selinux-policy-targeted, but I'll try to find out why SELinux is angry. If you find something, please let me know.

Thanks
Zdenek
Would it help to "chcon" the script to a context that acpid is allowed to execute? What security context should acpid action/event scripts have? The examples from the acpid package have:

-rw-r--r-- 1 system_u:object_r:etc_t:s0 root root 233 2007-10-23 19:12 power.conf
-rw-r--r-- 1 system_u:object_r:etc_t:s0 root root 236 2007-10-23 19:12 video.conf
I now copied the script to /etc/acpi/actions/:

# ls --lcontext /etc/acpi/actions/
-rwxr-xr-x 1 system_u:object_r:etc_t:s0 root root 651 2007-11-23 15:32 ibm-wireless.sh

and updated the acpid config. Still the same SELinux warning. So that didn't help.

I also changed the ifconfig line in the script to

ifconfig >/dev/null 2>&1 $device down

and that also didn't help. So the gist of the problem seems to be that you can't run "ifconfig" in the security context of acpid.
I found a bug in the control of sockets. A script/ifconfig inherits all open file descriptors, including file descriptors from sockets. So that is the reason why SELinux complains. Those file descriptors shouldn't be inherited. I fixed it in rawhide and it will be in the F8 repo soon.

Zdenek
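The defect described in comment #2 (a daemon's open descriptors surviving exec into its action scripts) and fixed above is easy to reproduce in isolation. The following C program is an added illustration written for this report; it is not acpid's code or the actual fix. It assumes Linux with /bin/sh available, uses a socketpair() as a stand-in for acpid's connected client socket, and uses /bin/sh as a stand-in for the action script. The close-on-exec flag is spelled FD_CLOEXEC in <fcntl.h>; it is set per descriptor with fcntl(F_SETFD), and the kernel then drops that descriptor during execve() so the child never sees it.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Mark one descriptor close-on-exec without clobbering other FD flags.
 * Returns 0 on success, -1 on failure (errno set by fcntl). */
int set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1)
        return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* 1 if FD_CLOEXEC is set on fd, 0 if not, -1 if fd is not open. */
int is_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1)
        return -1;
    return (flags & FD_CLOEXEC) ? 1 : 0;
}

/* Create a socket pair, flip FD_CLOEXEC on one end and read it back.
 * Returns 1 if the flag was clear before and set after, 0 otherwise,
 * -1 on a system call error. */
int cloexec_roundtrip(void)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    int before = is_cloexec(sv[0]);
    int rc = set_cloexec(sv[0]);
    int after = is_cloexec(sv[0]);
    close(sv[0]);
    close(sv[1]);
    if (rc < 0)
        return -1;
    return (before == 0 && after == 1) ? 1 : 0;
}

/* Spawn /bin/sh the way a daemon spawns an action script and ask it to
 * dup the given descriptor number. The dup only succeeds if that number
 * is still open after exec, so the child's exit status tells us whether
 * the descriptor was inherited. Returns 1 = inherited, 0 = closed, -1 = error. */
int fd_survives_exec(int fd)
{
    char cmd[64];
    /* stderr is redirected first so a failing dup prints no noise */
    snprintf(cmd, sizeof cmd, "exec 2>/dev/null 9<&%d", fd);

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    if (WEXITSTATUS(status) == 127)
        return -1;                      /* exec of /bin/sh itself failed */
    return WEXITSTATUS(status) == 0 ? 1 : 0;
}

/* Model of the acpid situation: the daemon holds a unix stream socket
 * (constructed here with socketpair) and then runs an action script.
 * With use_cloexec == 0 the socket leaks into the script, which is the
 * pattern behind the ifconfig_t -> apmd_t AVC denial in this report;
 * with use_cloexec == 1 the kernel closes it during exec.
 * Returns 1 if the socket leaked, 0 if it was closed, -1 on error. */
int spawn_action_with_socket(int use_cloexec)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    if (use_cloexec && (set_cloexec(sv[0]) < 0 || set_cloexec(sv[1]) < 0)) {
        close(sv[0]);
        close(sv[1]);
        return -1;
    }
    int leaked = fd_survives_exec(sv[0]);
    close(sv[0]);
    close(sv[1]);
    return leaked;
}

int main(void)
{
    printf("socket inherited without FD_CLOEXEC: %d\n", spawn_action_with_socket(0));
    printf("socket inherited with FD_CLOEXEC:    %d\n", spawn_action_with_socket(1));
    return 0;
}
```

Run stand-alone it prints 1 for the first line and 0 for the second. On the 2.6.23 kernel in this report the fcntl() call after socket() is the only option; kernels from 2.6.27 on also accept SOCK_CLOEXEC in the socket()/socketpair() type argument and O_CLOEXEC in open(), which closes the race between creating the descriptor and marking it. The detection side of the same story is visible in the raw audit line above: a process in ifconfig_t touching a unix_stream_socket whose context is apmd_t is exactly what an inherited descriptor looks like in an AVC denial.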
Retested with acpid-1.0.6-4.fc8 from koji: no more SELinux warnings. Thanks!
acpid-1.0.6-4.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.