Red Hat Bugzilla – Bug 424611
wpa_cli fails to connect to running wpa_supplicant due to selinux
Last modified: 2011-04-03 00:44:31 EDT
Description of problem: wpa_cli fails to connect to running wpa_supplicant due to selinux Version-Release number of selected component (if applicable): 0.5.7-16.fc8 How reproducible: once wpa_supplicant is running, issue 'wpa_cli' command from terminal Steps to Reproduce: 1. start wpa_supplicant: /etc/init.d/wpa_supplicant start this works fine, and the AP shows the client to be 'associated' 2. wpa_cli errors get logged to the terminal and various log files Actual results: wpa_cli fails to connect, prints following error message to stdout: -----8<------------------------------------- Selected interface 'eth1' Warning: Failed to attach to wpa_supplicant. Interactive mode > 'PING' command timed out. Connection to wpa_supplicant lost - trying to reconnect Connection to wpa_supplicant re-established Warning: Failed to attach to wpa_supplicant. -----8<------------------------------------- Expected results: wpa_cli should connect to running wpa_supplicant. Additional info: The following info gets logged to /var/log/messages: -----8<------------------------------------- Dec 13 22:15:17 foober setroubleshoot: #012 SELinux is preventing the /usr/sbin/wpa_supplicant from using potentially mislabeled files (<Unknown>).#012 For complete SELinux messages. run sealert -l 8ae1292b-02e6-48c7-9889-b9b7dcfa0afe -----8<------------------------------------- The output of the 'sealert' command is: -----8<------------------------------------- sealert -l 8ae1292b-02e6-48c7-9889-b9b7dcfa0afe Summary SELinux is preventing the wpa_supplicant from using potentially mislabeled files (<Unknown>). Detailed Description SELinux has denied wpa_supplicant access to potentially mislabeled file(s) (<Unknown>). This means that SELinux will not allow wpa_supplicant to use these files. It is common for users to edit files in their home directory or tmp directories and then move (mv) them to system directories. The problem is that the files end up with the wrong file context which confined applications are not allowed to access. Allowing Access If you want wpa_supplicant to access this files, you need to relabel them using restorecon -v <Unknown>. You might want to relabel the entire directory using restorecon -R -v <Unknown>. Additional Information Source Context system_u:system_r:NetworkManager_t:s0 Target Context system_u:object_r:tmp_t:s0 Target Objects None [ dir ] Affected RPM Packages Policy RPM selinux-policy-3.0.8-64.fc8 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name plugins.home_tmp_bad_labels Host Name foober.net.cmu.edu Platform Linux foober.net.cmu.edu 2.6.23.8-63.fc8 #1 SMP Wed Nov 21 18:51:08 EST 2007 i686 i686 Alert Count 215 First Seen Thu Dec 13 13:38:14 2007 Last Seen Thu Dec 13 22:16:10 2007 Local ID 8ae1292b-02e6-48c7-9889-b9b7dcfa0afe Line Numbers Raw Audit Messages avc: denied { search } for comm=wpa_supplicant dev=dm-0 name=tmp pid=13811 scontext=system_u:system_r:NetworkManager_t:s0 tclass=dir tcontext=system_u:object_r:tmp_t:s0 -----8<------------------------------------- Finally, this gets logged to /var/log/audit.log: -----8<------------------------------------- type=AVC msg=audit(1197602170.625:159): avc: denied { search } for pid=13811 comm="wpa_supplicant" name="tmp" dev=dm-0 ino=491521 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir type=SYSCALL msg=audit(1197602170.625:159): arch=40000003 syscall=102 success=no exit=-13 a0=10 a1=bfc93950 a2=0 a3=92dc9f0 items=0 ppid=1 pid=13811 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="wpa_supplicant" exe="/usr/sbin/wpa_supplicant" subj=system_u:system_r:NetworkManager_t:s0 key=(null) -----8<-------------------------------------
[using wpa_supplicant-0.5.10-4.fc8.x86_64 from koji] Ran into the same problem, managed to fix it (but I have no bloody idea about selinux, so whether this is 'correct' security-wise I have no idea) by utilizing the following (with help from audit2allow): checkmodule -M -m -o wpacli.mod wpacli.te semodule_package -o wpacli.pp -m wpacli.mod semodule -i wpacli.pp contents of file wpacli.te: module wpacli 1.0; require { type NetworkManager_t; type unconfined_t; type unconfined_tmp_t; class sock_file write; class unix_dgram_socket sendto; } #============= NetworkManager_t ============== allow NetworkManager_t unconfined_t:unix_dgram_socket sendto; allow NetworkManager_t unconfined_tmp_t:sock_file write;
(you can add the semodule -i /path/to/wpacli.pp to /etc/rc.d/rc.local to make it reload after a reboot, but I'm sure there's a better way to do all this...)
Dan, thoughts on this one? wpa_cli just needs to talk to the wpa_supplicant global control socket and the per-interface socket. Unfortunately, the paths to those sockets are specified in the wpa_supplciant config file, so if users modify the default config they're on their own, but by default: ctrl_interface=/var/run/wpa_supplicant ctrl_interface_group=wheel
Maciej The policy modification is permanent, no reason to reload. But the AVC above shows wpa_supplicant using tmp_t to communicate? It also looks like it wants to communicate with the unconfined_t user?
As far as I can tell, the /var/run/wpa_supplicant/<interface> unix sockets are only used to initiate the connection[s], and most actual information exchange happens through temporary socket[s] created in /tmp (something like /tmp/wpa_ctrl_<pid>). I would assume this second aspect explains the tmp_t, and the fact wpa_cli probably runs as unconfined_t explains that... [ie. there's the wpa_cli command line (and wpa_gui as well I think) which runs as the user talking to the wpa_supplicant daemon. I'm afraid I have very little actual selinux know-how in order to better figure out how this should be setup... maybe wpa_cli should not be running as unconfined_t?
This message is a reminder that Fedora 8 is nearing its end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 8. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '8'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 8's end of life. Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 8 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora please change the 'version' of this bug to the applicable version. If you are unable to change the version, please add a comment here and someone will do it for you. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
I don't have a system which is 'clean enough' to verify if this is fixed or not. Were any changes actually made to the policies?
It looks like current policy has rules to allow this.
wpa_cli <-> wpa_supplicant communication still does not seem to work in F9 with: # rpm -q wpa_supplicant selinux-policy wpa_supplicant-0.6.4-2.fc9 selinux-policy-3.3.1-107.fc9 type=AVC msg=audit(1227792415.809:239): avc: denied { sendto } for pid=8592 comm="wpa_supplicant" path="/tmp/wpa_ctrl_8594-1" scontext=unconfined_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_dgram_socket /tmp/wpa_ctrl_<pid>-<seq-id> seems to be the socket created by wpa_cli, which runs unconfined when started from the command line. Additionally, that id seems to increment with each failed PING from _cli to _supplicant. I didn't have time to dig deeper, maybe running wpa_cli confined may be the easiest / cleanest solution.
Could you try selinux-policy-3.3.1-111.fc9
Same problem as in comment #9 with selinux-policy-3.3.1-111.fc9.
Miroslav, You need userdom_dgram_send(NetworkManager_t) added to networkmanager.te and ######################################## ## <summary> ## Send a message to unpriv users over a unix domain ## datagram socket. ## </summary> ## <param name="domain"> ## <summary> ## Domain allowed access. ## </summary> ## </param> # interface(`userdom_dgram_send',` gen_require(` attribute ') allow $1 unpriv_userdomain;:unix_dgram_socket sendto; ')
Fixed in selinux-policy-3.3.1-115.fc9.noarch
selinux-policy-3.3.1-115.fc9 has been submitted as an update for Fedora 9. http://admin.fedoraproject.org/updates/selinux-policy-3.3.1-115.fc9
selinux-policy-3.3.1-115.fc9 has been pushed to the Fedora 9 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing-newkey update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F9/FEDORA-2008-11122
Works with selinux-policy-3.3.1-115.fc9
selinux-policy-3.3.1-116.fc9 has been submitted as an update for Fedora 9. http://admin.fedoraproject.org/updates/selinux-policy-3.3.1-116.fc9
selinux-policy-3.3.1-115.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
Note - this still exists in RHEL 5. I've filed bug 693149 against RHEL about this.