Bug 424611 - wpa_cli fails to connect to running wpa_supplicant due to selinux
Summary: wpa_cli fails to connect to running wpa_supplicant due to selinux
Keywords:
Status: CLOSED NEXTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 9
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2007-12-14 03:51 UTC by Gabriel Somlo
Modified: 2011-04-03 04:44 UTC (History)
6 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2008-12-21 08:34:48 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)

Description Gabriel Somlo 2007-12-14 03:51:10 UTC
Description of problem:
wpa_cli fails to connect to running wpa_supplicant due to selinux

Version-Release number of selected component (if applicable):
0.5.7-16.fc8

How reproducible:
once wpa_supplicant is running, issue 'wpa_cli' command from terminal

Steps to Reproduce:
1. start wpa_supplicant: /etc/init.d/wpa_supplicant start
      this works fine, and the AP shows the client to be 'associated'
2. wpa_cli
      errors get logged to the terminal and various log files
  
Actual results:

wpa_cli fails to connect, prints following error message to stdout:

-----8<-------------------------------------
Selected interface 'eth1'
Warning: Failed to attach to wpa_supplicant.

Interactive mode

> 'PING' command timed out.
Connection to wpa_supplicant lost - trying to reconnect
Connection to wpa_supplicant re-established
Warning: Failed to attach to wpa_supplicant.
-----8<-------------------------------------

Expected results:

wpa_cli should connect to running wpa_supplicant.

Additional info:

The following info gets logged to /var/log/messages:

-----8<-------------------------------------
Dec 13 22:15:17 foober setroubleshoot: #012    SELinux is preventing the
/usr/sbin/wpa_supplicant from using potentially mislabeled files
(<Unknown>).#012     For complete SELinux messages. run sealert -l
8ae1292b-02e6-48c7-9889-b9b7dcfa0afe
-----8<-------------------------------------

The output of the 'sealert' command is:

-----8<-------------------------------------
sealert -l 8ae1292b-02e6-48c7-9889-b9b7dcfa0afe
Summary
    SELinux is preventing the wpa_supplicant from using potentially mislabeled
    files (<Unknown>).

Detailed Description
    SELinux has denied wpa_supplicant access to potentially mislabeled file(s)
    (<Unknown>).  This means that SELinux will not allow wpa_supplicant to use
    these files.  It is common for users to edit files in their home directory
    or tmp directories and then move (mv) them to system directories.  The
    problem is that the files end up with the wrong file context which confined
    applications are not allowed to access.

Allowing Access
    If you want wpa_supplicant to access this files, you need to relabel them
    using restorecon -v <Unknown>.  You might want to relabel the entire
    directory using restorecon -R -v <Unknown>.

Additional Information        

Source Context                system_u:system_r:NetworkManager_t:s0
Target Context                system_u:object_r:tmp_t:s0
Target Objects                None [ dir ]
Affected RPM Packages         
Policy RPM                    selinux-policy-3.0.8-64.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.home_tmp_bad_labels
Host Name                     foober.net.cmu.edu
Platform                      Linux foober.net.cmu.edu 2.6.23.8-63.fc8 #1 SMP
                              Wed Nov 21 18:51:08 EST 2007 i686 i686
Alert Count                   215
First Seen                    Thu Dec 13 13:38:14 2007
Last Seen                     Thu Dec 13 22:16:10 2007
Local ID                      8ae1292b-02e6-48c7-9889-b9b7dcfa0afe
Line Numbers                  

Raw Audit Messages            

avc: denied { search } for comm=wpa_supplicant dev=dm-0 name=tmp pid=13811
scontext=system_u:system_r:NetworkManager_t:s0 tclass=dir
tcontext=system_u:object_r:tmp_t:s0
-----8<-------------------------------------

Finally, this gets logged to /var/log/audit.log:

-----8<-------------------------------------
type=AVC msg=audit(1197602170.625:159): avc:  denied  { search } for  pid=13811
comm="wpa_supplicant" name="tmp" dev=dm-0 ino=491521
scontext=system_u:system_r:NetworkManager_t:s0
tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=SYSCALL msg=audit(1197602170.625:159): arch=40000003 syscall=102 success=no
exit=-13 a0=10 a1=bfc93950 a2=0 a3=92dc9f0 items=0 ppid=1 pid=13811 auid=0 uid=0
gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
comm="wpa_supplicant" exe="/usr/sbin/wpa_supplicant"
subj=system_u:system_r:NetworkManager_t:s0 key=(null)
-----8<-------------------------------------

Comment 1 Maciej Żenczykowski 2008-04-03 23:40:02 UTC
[using wpa_supplicant-0.5.10-4.fc8.x86_64 from koji]

Ran into the same problem, managed to fix it (but I have no bloody idea about
selinux, so whether this is 'correct' security-wise I have no idea) by utilizing
the following (with help from audit2allow):

checkmodule -M -m -o wpacli.mod wpacli.te
semodule_package -o wpacli.pp -m wpacli.mod 
semodule -i wpacli.pp 

contents of file wpacli.te:

module wpacli 1.0;

require {
        type NetworkManager_t;
        type unconfined_t;
        type unconfined_tmp_t;
        class sock_file write;
        class unix_dgram_socket sendto;
}

#============= NetworkManager_t ==============
allow NetworkManager_t unconfined_t:unix_dgram_socket sendto;
allow NetworkManager_t unconfined_tmp_t:sock_file write;


Comment 2 Maciej Żenczykowski 2008-04-03 23:42:38 UTC
(you can add the semodule -i /path/to/wpacli.pp to /etc/rc.d/rc.local to make it
reload after a reboot, but I'm sure there's a better way to do all this...)

Comment 3 Dan Williams 2008-04-04 18:04:26 UTC
Dan, thoughts on this one?  wpa_cli just needs to talk to the wpa_supplicant
global control socket and the per-interface socket.  Unfortunately, the paths to
those sockets are specified in the wpa_supplciant config file, so if users
modify the default config they're on their own, but by default:

ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=wheel



Comment 4 Daniel Walsh 2008-04-06 11:15:48 UTC
Maciej  The policy modification is permanent, no reason to reload.

But the AVC above shows wpa_supplicant using tmp_t to communicate?  It also
looks like it wants to communicate with the unconfined_t user?

Comment 5 Maciej Żenczykowski 2008-04-06 18:17:42 UTC
As far as I can tell, the /var/run/wpa_supplicant/<interface> unix sockets are
only used to initiate the connection[s], and most actual information exchange
happens through temporary socket[s] created in /tmp (something like
/tmp/wpa_ctrl_<pid>).  I would assume this second aspect explains the tmp_t, and
the fact wpa_cli probably runs as unconfined_t explains that...  [ie. there's
the wpa_cli command line (and wpa_gui as well I think) which runs as the user
talking to the wpa_supplicant daemon.

I'm afraid I have very little actual selinux know-how in order to better figure
out how this should be setup... maybe wpa_cli should not be running as unconfined_t?

Comment 6 Bug Zapper 2008-11-26 09:00:09 UTC
This message is a reminder that Fedora 8 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 8.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '8'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 8's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 8 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 7 Maciej Żenczykowski 2008-11-26 10:39:12 UTC
I don't have a system which is 'clean enough' to verify if this is fixed or not.  Were any changes actually made to the policies?

Comment 8 Daniel Walsh 2008-11-27 12:09:22 UTC
It looks like current policy has rules to allow this.

Comment 9 Tomas Hoger 2008-11-27 13:35:07 UTC
wpa_cli <-> wpa_supplicant communication still does not seem to work in F9 with:

# rpm -q wpa_supplicant selinux-policy
wpa_supplicant-0.6.4-2.fc9
selinux-policy-3.3.1-107.fc9

type=AVC msg=audit(1227792415.809:239): avc:  denied  { sendto } for  pid=8592 comm="wpa_supplicant" path="/tmp/wpa_ctrl_8594-1" scontext=unconfined_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_dgram_socket

/tmp/wpa_ctrl_<pid>-<seq-id> seems to be the socket created by wpa_cli, which runs unconfined when started from the command line.  Additionally, that id seems to increment with each failed PING from _cli to _supplicant.

I didn't have time to dig deeper, maybe running wpa_cli confined may be the easiest / cleanest solution.

Comment 10 Daniel Walsh 2008-12-01 21:52:36 UTC
Could you try selinux-policy-3.3.1-111.fc9

Comment 11 Tomas Hoger 2008-12-02 08:46:14 UTC
Same problem as in comment #9 with selinux-policy-3.3.1-111.fc9.

Comment 12 Daniel Walsh 2008-12-02 16:40:58 UTC
Miroslav, 

You need 

userdom_dgram_send(NetworkManager_t)

added to networkmanager.te

and


########################################
## <summary>
##	Send a message to unpriv users over a unix domain
##	datagram socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`userdom_dgram_send',`
	gen_require(`
		attribute 
	')

	allow $1 unpriv_userdomain;:unix_dgram_socket sendto;
')

Comment 13 Miroslav Grepl 2008-12-09 11:29:53 UTC
Fixed in selinux-policy-3.3.1-115.fc9.noarch

Comment 14 Fedora Update System 2008-12-09 11:32:53 UTC
selinux-policy-3.3.1-115.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/selinux-policy-3.3.1-115.fc9

Comment 15 Fedora Update System 2008-12-10 04:39:13 UTC
selinux-policy-3.3.1-115.fc9 has been pushed to the Fedora 9 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing-newkey update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F9/FEDORA-2008-11122

Comment 16 Tomas Hoger 2008-12-10 08:11:01 UTC
Works with selinux-policy-3.3.1-115.fc9

Comment 17 Fedora Update System 2008-12-15 16:34:30 UTC
selinux-policy-3.3.1-116.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/selinux-policy-3.3.1-116.fc9

Comment 18 Fedora Update System 2008-12-21 08:34:37 UTC
selinux-policy-3.3.1-115.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 19 Aleksey Nogin 2011-04-03 04:44:31 UTC
Note - this still exists in RHEL 5. I've filed bug 693149 against RHEL about this.


Note You need to log in before you can comment on or make changes to this bug.