Bug 434590 - SELinux is preventing /usr/sbin/wpa_supplicant (NetworkManager_t) "search" to (debugfs_t).
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 8
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Reported: 2008-02-22 22:57 UTC by Jonathan Underwood
Modified: 2008-11-17 22:03 UTC (History)

Doc Type: Bug Fix
Last Closed: 2008-11-17 22:03:10 UTC



Description Jonathan Underwood 2008-02-22 22:57:59 UTC
Description of problem:

Summary
    SELinux is preventing /usr/sbin/wpa_supplicant (NetworkManager_t) "search"
    to <Unknown> (debugfs_t).

Detailed Description
    SELinux denied access requested by /usr/sbin/wpa_supplicant. It is not
    expected that this access is required by /usr/sbin/wpa_supplicant and this
    access may signal an intrusion attempt. It is also possible that the
    specific version or configuration of the application is causing it to
    require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for <Unknown>, restorecon -v
    <Unknown> If this does not work, there is currently no automatic way to
    allow this access. Instead,  you can generate a local policy module to allow
    this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
    Or you can disable SELinux protection altogether. Disabling SELinux
    protection is not recommended. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information        

Source Context                system_u:system_r:NetworkManager_t:s0
Target Context                system_u:object_r:debugfs_t:s0
Target Objects                None [ dir ]
Affected RPM Packages         wpa_supplicant-0.5.7-21.fc8 [application]
Policy RPM                    selinux-policy-3.0.8-84.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Host Name                     renton.jgu
Platform                      Linux renton.jgu 2.6.24.2-10.fc8 #1 SMP Thu Feb 21
                              14:52:08 EST 2008 x86_64 x86_64
Alert Count                   8
First Seen                    Fri 22 Feb 2008 22:02:49 GMT
Last Seen                     Fri 22 Feb 2008 22:55:56 GMT
Local ID                      2a5f064f-40df-427f-ba3c-ecd23b9107bd
Line Numbers                  

Raw Audit Messages            

avc: denied { search } for comm=wpa_supplicant dev=debugfs egid=0 euid=0
exe=/usr/sbin/wpa_supplicant exit=0 fsgid=0 fsuid=0 gid=0 items=0 name=keys
pid=2212 scontext=system_u:system_r:NetworkManager_t:s0 sgid=0
subj=system_u:system_r:NetworkManager_t:s0 suid=0 tclass=dir
tcontext=system_u:object_r:debugfs_t:s0 tty=(none) uid=0

Comment 1 Daniel Walsh 2008-02-26 13:56:35 UTC
Fixed in selinux-policy-3.0.8-87.fc8

Comment 2 Jonathan Underwood 2008-02-26 21:36:38 UTC
Still occurs with selinux-policy-3.0.8-87.fc8:

Summary
    SELinux is preventing /usr/sbin/wpa_supplicant (NetworkManager_t) "search"
    to <Unknown> (debugfs_t).

Detailed Description
    SELinux denied access requested by /usr/sbin/wpa_supplicant. It is not
    expected that this access is required by /usr/sbin/wpa_supplicant and this
    access may signal an intrusion attempt. It is also possible that the
    specific version or configuration of the application is causing it to
    require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for <Unknown>, restorecon -v
    <Unknown> If this does not work, there is currently no automatic way to
    allow this access. Instead,  you can generate a local policy module to allow
    this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
    Or you can disable SELinux protection altogether. Disabling SELinux
    protection is not recommended. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information        

Source Context                system_u:system_r:NetworkManager_t:s0
Target Context                system_u:object_r:debugfs_t:s0
Target Objects                None [ dir ]
Affected RPM Packages         wpa_supplicant-0.5.7-21.fc8 [application]
Policy RPM                    selinux-policy-3.0.8-87.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Host Name                     renton.jgu
Platform                      Linux renton.jgu 2.6.24.2-10.fc8 #1 SMP Thu Feb 21
                              14:52:08 EST 2008 x86_64 x86_64
Alert Count                   163
First Seen                    Fri 22 Feb 2008 22:02:49 GMT
Last Seen                     Tue 26 Feb 2008 21:36:02 GMT
Local ID                      2a5f064f-40df-427f-ba3c-ecd23b9107bd
Line Numbers                  

Raw Audit Messages            

avc: denied { search } for comm=wpa_supplicant dev=debugfs egid=0 euid=0
exe=/usr/sbin/wpa_supplicant exit=0 fsgid=0 fsuid=0 gid=0 items=0 name=keys
pid=2267 scontext=system_u:system_r:NetworkManager_t:s0 sgid=0
subj=system_u:system_r:NetworkManager_t:s0 suid=0 tclass=dir
tcontext=system_u:object_r:debugfs_t:s0 tty=(none) uid=0



Comment 3 Daniel Walsh 2008-02-27 02:42:15 UTC
OK, should be in selinux-policy-3.0.8-89.fc8

Comment 4 Jason Grant 2008-03-30 09:19:02 UTC
I am still encountering this after upgrading to:

selinux-policy-3.0.8-93.fc8

Details below.

Summary
    SELinux is preventing /usr/sbin/wpa_supplicant (NetworkManager_t) "search"
    to <Unknown> (debugfs_t).

Detailed Description
    SELinux denied access requested by /usr/sbin/wpa_supplicant. It is not
    expected that this access is required by /usr/sbin/wpa_supplicant and this
    access may signal an intrusion attempt. It is also possible that the
    specific version or configuration of the application is causing it to
    require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for <Unknown>, restorecon -v
    <Unknown> If this does not work, there is currently no automatic way to
    allow this access. Instead,  you can generate a local policy module to allow
    this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
    Or you can disable SELinux protection altogether. Disabling SELinux
    protection is not recommended. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information        

Source Context                system_u:system_r:NetworkManager_t:s0
Target Context                system_u:object_r:debugfs_t:s0
Target Objects                None [ dir ]
Affected RPM Packages         wpa_supplicant-0.5.7-15.fc8 [application]
Policy RPM                    selinux-policy-3.0.8-93.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Host Name                     speck.logular.com
Platform                      Linux speck.logular.com 2.6.24.3-34.fc8 #1 SMP Wed
                              Mar 12 18:17:20 EDT 2008 i686 i686
Alert Count                   51
First Seen                    Mon 24 Mar 2008 07:39:49 PM EST
Last Seen                     Sun 30 Mar 2008 08:05:32 PM EST
Local ID                      d6371885-1a87-439e-8f56-104ae06f4839
Line Numbers                  

Raw Audit Messages            

avc: denied { search } for comm=wpa_supplicant dev=debugfs egid=0 euid=0
exe=/usr/sbin/wpa_supplicant exit=0 fsgid=0 fsuid=0 gid=0 items=0 name=keys
pid=2703 scontext=system_u:system_r:NetworkManager_t:s0 sgid=0
subj=system_u:system_r:NetworkManager_t:s0 suid=0 tclass=dir
tcontext=system_u:object_r:debugfs_t:s0 tty=(none) uid=0
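
The three setroubleshoot reports in this thread (policy builds -84, -87 and -93) carry the same raw AVC record apart from the pid. The Python below is an added example, not part of the bug thread or of any SELinux tool: it parses such line-wrapped records and groups them by source type, target type and class, so repeated alerts collapse to one access vector. The sample is constructed from the records above, abridged to the fields used, and the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: the three denials quoted in this bug, abridged to the
# fields used here and wrapped across lines as setroubleshoot prints them.
RECORD = """avc: denied {{ search }} for comm=wpa_supplicant dev=debugfs name=keys
pid={pid} scontext=system_u:system_r:NetworkManager_t:s0 tclass=dir
tcontext=system_u:object_r:debugfs_t:s0 tty=(none) uid=0
"""
SAMPLE = "\n".join(RECORD.format(pid=p) for p in (2212, 2267, 2703))

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)", re.S)

def parse_avc(text):
    """Yield one dict per AVC denial; records may be wrapped across lines."""
    for chunk in re.split(r"(?=avc:\s+denied)", text):  # a record starts at "avc:"
        m = AVC_RE.search(chunk)
        if not m:
            continue
        fields = dict(kv.split("=", 1) for kv in m.group(2).split() if "=" in kv)
        fields["perms"] = m.group(1).split()
        yield fields

def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context

def summarize(text):
    """Group denials by (source type, target type, class) and merge perms."""
    groups = defaultdict(lambda: {"perms": set(), "pids": set()})
    for rec in parse_avc(text):
        if not rec.keys() >= {"scontext", "tcontext", "tclass"}:
            continue  # incomplete record: skip rather than guess
        key = (selinux_type(rec["scontext"]), selinux_type(rec["tcontext"]), rec["tclass"])
        groups[key]["perms"].update(rec["perms"])
        groups[key]["pids"].add(rec.get("pid"))
    return dict(groups)

def access_vectors(text):
    """Render each group as 'source target:class { perms }'."""
    return [f"{s} {t}:{c} {{ {' '.join(sorted(g['perms']))} }}"
            for (s, t, c), g in sorted(summarize(text).items())]

if __name__ == "__main__":
    for line in access_vectors(SAMPLE):
        print(line)
```
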



Comment 5 Daniel Walsh 2008-03-30 10:25:46 UTC
Well, the policy has been there for a long time.

Could you check if you have multiple kernel policies?

ls -l /etc/selinux/targeted/policy/policy*

If yes, could you delete them and execute
semodule -B


Comment 6 Daniel Walsh 2008-11-17 22:03:10 UTC
Closing all bugs that have been in modified for over a month.  Please reopen if the bug is not actually fixed.

