Bug 434590 - SELinux is preventing /usr/sbin/wpa_supplicant (NetworkManager_t) "search" to (debugfs_t).
SELinux is preventing /usr/sbin/wpa_supplicant (NetworkManager_t) "search" to...
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
8
All Linux
low Severity low
: ---
: ---
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-02-22 17:57 EST by Jonathan Underwood
Modified: 2008-11-17 17:03 EST (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-11-17 17:03:10 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Jonathan Underwood 2008-02-22 17:57:59 EST
Description of problem:

Summary
    SELinux is preventing /usr/sbin/wpa_supplicant (NetworkManager_t) "search"
    to <Unknown> (debugfs_t).

Detailed Description
    SELinux denied access requested by /usr/sbin/wpa_supplicant. It is not
    expected that this access is required by /usr/sbin/wpa_supplicant and this
    access may signal an intrusion attempt. It is also possible that the
    specific version or configuration of the application is causing it to
    require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for <Unknown>, restorecon -v
    <Unknown> If this does not work, there is currently no automatic way to
    allow this access. Instead,  you can generate a local policy module to allow
    this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
    Or you can disable SELinux protection altogether. Disabling SELinux
    protection is not recommended. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information        

Source Context                system_u:system_r:NetworkManager_t:s0
Target Context                system_u:object_r:debugfs_t:s0
Target Objects                None [ dir ]
Affected RPM Packages         wpa_supplicant-0.5.7-21.fc8 [application]
Policy RPM                    selinux-policy-3.0.8-84.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Host Name                     renton.jgu
Platform                      Linux renton.jgu 2.6.24.2-10.fc8 #1 SMP Thu Feb 21
                              14:52:08 EST 2008 x86_64 x86_64
Alert Count                   8
First Seen                    Fri 22 Feb 2008 22:02:49 GMT
Last Seen                     Fri 22 Feb 2008 22:55:56 GMT
Local ID                      2a5f064f-40df-427f-ba3c-ecd23b9107bd
Line Numbers                  

Raw Audit Messages            

avc: denied { search } for comm=wpa_supplicant dev=debugfs egid=0 euid=0
exe=/usr/sbin/wpa_supplicant exit=0 fsgid=0 fsuid=0 gid=0 items=0 name=keys
pid=2212 scontext=system_u:system_r:NetworkManager_t:s0 sgid=0
subj=system_u:system_r:NetworkManager_t:s0 suid=0 tclass=dir
tcontext=system_u:object_r:debugfs_t:s0 tty=(none) uid=0
Comment 1 Daniel Walsh 2008-02-26 08:56:35 EST
Fixed in selinux-policy-3.0.8-87.fc8
Comment 2 Jonathan Underwood 2008-02-26 16:36:38 EST
Still occurs with selinux-policy-3.0.8-87.fc8:

Summary
    SELinux is preventing /usr/sbin/wpa_supplicant (NetworkManager_t) "search"
    to <Unknown> (debugfs_t).

Detailed Description
    SELinux denied access requested by /usr/sbin/wpa_supplicant. It is not
    expected that this access is required by /usr/sbin/wpa_supplicant and this
    access may signal an intrusion attempt. It is also possible that the
    specific version or configuration of the application is causing it to
    require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for <Unknown>, restorecon -v
    <Unknown> If this does not work, there is currently no automatic way to
    allow this access. Instead,  you can generate a local policy module to allow
    this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
    Or you can disable SELinux protection altogether. Disabling SELinux
    protection is not recommended. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information        

Source Context                system_u:system_r:NetworkManager_t:s0
Target Context                system_u:object_r:debugfs_t:s0
Target Objects                None [ dir ]
Affected RPM Packages         wpa_supplicant-0.5.7-21.fc8 [application]
Policy RPM                    selinux-policy-3.0.8-87.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Host Name                     renton.jgu
Platform                      Linux renton.jgu 2.6.24.2-10.fc8 #1 SMP Thu Feb 21
                              14:52:08 EST 2008 x86_64 x86_64
Alert Count                   163
First Seen                    Fri 22 Feb 2008 22:02:49 GMT
Last Seen                     Tue 26 Feb 2008 21:36:02 GMT
Local ID                      2a5f064f-40df-427f-ba3c-ecd23b9107bd
Line Numbers                  

Raw Audit Messages            

avc: denied { search } for comm=wpa_supplicant dev=debugfs egid=0 euid=0
exe=/usr/sbin/wpa_supplicant exit=0 fsgid=0 fsuid=0 gid=0 items=0 name=keys
pid=2267 scontext=system_u:system_r:NetworkManager_t:s0 sgid=0
subj=system_u:system_r:NetworkManager_t:s0 suid=0 tclass=dir
tcontext=system_u:object_r:debugfs_t:s0 tty=(none) uid=0

Comment 3 Daniel Walsh 2008-02-26 21:42:15 EST
Ok should be in selinux-policy-3.0.8-89.fc8 
Comment 4 Jason Grant 2008-03-30 05:19:02 EDT
I am still encountering this after upgrading to:

selinux-policy-3.0.8-93.fc8

Details below.

Summary
    SELinux is preventing /usr/sbin/wpa_supplicant (NetworkManager_t) "search"
    to <Unknown> (debugfs_t).

Detailed Description
    SELinux denied access requested by /usr/sbin/wpa_supplicant. It is not
    expected that this access is required by /usr/sbin/wpa_supplicant and this
    access may signal an intrusion attempt. It is also possible that the
    specific version or configuration of the application is causing it to
    require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for <Unknown>, restorecon -v
    <Unknown> If this does not work, there is currently no automatic way to
    allow this access. Instead,  you can generate a local policy module to allow
    this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
    Or you can disable SELinux protection altogether. Disabling SELinux
    protection is not recommended. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information        

Source Context                system_u:system_r:NetworkManager_t:s0
Target Context                system_u:object_r:debugfs_t:s0
Target Objects                None [ dir ]
Affected RPM Packages         wpa_supplicant-0.5.7-15.fc8 [application]
Policy RPM                    selinux-policy-3.0.8-93.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Host Name                     speck.logular.com
Platform                      Linux speck.logular.com 2.6.24.3-34.fc8 #1 SMP Wed
                              Mar 12 18:17:20 EDT 2008 i686 i686
Alert Count                   51
First Seen                    Mon 24 Mar 2008 07:39:49 PM EST
Last Seen                     Sun 30 Mar 2008 08:05:32 PM EST
Local ID                      d6371885-1a87-439e-8f56-104ae06f4839
Line Numbers                  

Raw Audit Messages            

avc: denied { search } for comm=wpa_supplicant dev=debugfs egid=0 euid=0
exe=/usr/sbin/wpa_supplicant exit=0 fsgid=0 fsuid=0 gid=0 items=0 name=keys
pid=2703 scontext=system_u:system_r:NetworkManager_t:s0 sgid=0
subj=system_u:system_r:NetworkManager_t:s0 suid=0 tclass=dir
tcontext=system_u:object_r:debugfs_t:s0 tty=(none) uid=0

Comment 5 Daniel Walsh 2008-03-30 06:25:46 EDT
Well the policy has been there for a long time.

Could you check if you have multiple kernel policies?

ls -l /etc/selinux/targeted/policy/policy*

If yes could you delete them  and execute
semodule -B
Comment 6 Daniel Walsh 2008-11-17 17:03:10 EST
Closing all bugs that have been in modified for over a month.  Please reopen if the bug is not actually fixed.

Note You need to log in before you can comment on or make changes to this bug.