Bug 459324 - Kismet fails to launch due to SELinux Policy
Kismet fails to launch due to SELinux Policy
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
athlon Linux
medium Severity medium
: ---
: ---
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
: 448105 (view as bug list)
Depends On:
  Show dependency treegraph
Reported: 2008-08-16 10:24 EDT by Beech Horn
Modified: 2009-06-10 03:49 EDT (History)
8 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2009-06-10 03:49:49 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Kismet AVC Report 1 (2.78 KB, text/plain)
2008-08-17 06:52 EDT, Beech Horn
no flags Details
Kismet AVC Report 2 (2.58 KB, text/plain)
2008-08-17 06:52 EDT, Beech Horn
no flags Details
SELinux error report 1 (2.67 KB, text/plain)
2008-09-25 08:51 EDT, Jean-Francois Saucier
no flags Details
SELinux error report 2 (2.84 KB, text/plain)
2008-09-25 08:51 EDT, Jean-Francois Saucier
no flags Details
SELinux error report 3 (2.58 KB, text/plain)
2008-10-03 22:16 EDT, Jean-Francois Saucier
no flags Details
SELinux alert error (2.58 KB, text/plain)
2008-10-16 14:32 EDT, Jean-Francois Saucier
no flags Details
Command line output (2.34 KB, text/plain)
2008-10-16 14:32 EDT, Jean-Francois Saucier
no flags Details
SELinux report error (2.57 KB, text/plain)
2008-10-31 16:58 EDT, Jean-Francois Saucier
no flags Details
kismet_selinux_error_f10 (2.52 KB, text/plain)
2008-12-01 19:19 EST, Jean-Francois Saucier
no flags Details
Log output from Kismet (2.76 KB, text/plain)
2008-12-12 09:31 EST, Jean-Francois Saucier
no flags Details
AVC message from Kismet (7.73 KB, text/plain)
2008-12-12 09:32 EST, Jean-Francois Saucier
no flags Details
AVC messages from Kismet (2.82 KB, text/plain)
2009-01-09 09:16 EST, Jean-Francois Saucier
no flags Details
SELinux AVC errors F10 (8.55 KB, text/plain)
2009-02-09 19:46 EST, Jean-Francois Saucier
no flags Details
Console debug F10 (2.83 KB, text/plain)
2009-02-09 19:46 EST, Jean-Francois Saucier
no flags Details
SELinux Permissive AVC logs (12.39 KB, application/octet-stream)
2009-02-10 15:33 EST, Jean-Francois Saucier
no flags Details

  None (edit)
Description Beech Horn 2008-08-16 10:24:26 EDT
Description of problem: Kismet fails to launch due to SELinux Policy.

Version-Release number of selected component (if applicable): 0.0.2008.05.R1-2.fc9

How reproducible: Everytime.

Steps to Reproduce:
1. Install kismet.
2. Edit /etc/kismet/kismet.conf and change suiduser and source.
3. An AVC message will appear (the sheriff starred setroubleshoot).
Actual results: Kismet fails to launch.

Expected results: Kismet launches.

Additional info: setroubleshoot suggested I post this bug report.
Comment 1 Gianluca Varisco 2008-08-16 12:21:11 EDT

Could you send here the AVC denial as attachment?
Comment 2 Beech Horn 2008-08-17 06:52:12 EDT
Created attachment 314440 [details]
Kismet AVC Report 1
Comment 3 Beech Horn 2008-08-17 06:52:53 EDT
Created attachment 314442 [details]
Kismet AVC Report 2
Comment 4 marco crosio 2008-08-24 01:47:12 EDT
*** Bug 448105 has been marked as a duplicate of this bug. ***
Comment 5 Adam Pribyl 2008-08-25 14:34:20 EDT
Older bug is a duplicate of a newer? Never mind if somebody fixes it...
Comment 6 Daniel Walsh 2008-08-29 16:40:10 EDT
Fixed in selinux-policy-3.3.1-87.fc9
Comment 7 Jean-Francois Saucier 2008-09-25 08:50:15 EDT
Ok, here I seem to continue to have a problem between Kismet and SELinux.

Packages version :


If I set SELinux in permissive mode, everything work fine.
Comment 8 Jean-Francois Saucier 2008-09-25 08:51:25 EDT
Created attachment 317684 [details]
SELinux error report 1
Comment 9 Jean-Francois Saucier 2008-09-25 08:51:42 EDT
Created attachment 317685 [details]
SELinux error report 2
Comment 10 Daniel Walsh 2008-09-25 15:10:26 EDT
Fixed in selinux-policy-3.3.1-95.fc9
Comment 11 Jean-Francois Saucier 2008-10-03 22:15:48 EDT
Ok, I have tested with the new package and I now have another error.

Packages version :

Comment 12 Jean-Francois Saucier 2008-10-03 22:16:22 EDT
Created attachment 319440 [details]
SELinux error report 3
Comment 13 Daniel Walsh 2008-10-06 12:38:58 EDT
Fixed in selinux-policy-3.3.1-99.fc9
Comment 14 Jean-Francois Saucier 2008-10-16 14:31:44 EDT
Ok, it don't seems to be fixed. I will attach the command line output error and the SELinux error.

Packages version :


Thank you.
Comment 15 Jean-Francois Saucier 2008-10-16 14:32:17 EDT
Created attachment 320588 [details]
SELinux alert error
Comment 16 Jean-Francois Saucier 2008-10-16 14:32:35 EDT
Created attachment 320589 [details]
Command line output
Comment 17 Daniel Walsh 2008-10-16 15:34:55 EDT
Well I check selinux-policy-3.3.1-101.fc9.noarch

And it is there.
Comment 18 Jean-Francois Saucier 2008-10-31 16:58:07 EDT
The same error is here with packages :


Is there anything more that I can provide or do? I will attach the new report fro SELinux.
Comment 19 Jean-Francois Saucier 2008-10-31 16:58:33 EDT
Created attachment 322133 [details]
SELinux report error
Comment 20 Daniel Walsh 2008-11-03 14:21:47 EST
# audit2allow -M mypol -l -i /var/log/audit/audit.log
# semodule -i mypol.pp

Fixed in selinux-policy-3.3.1-106.fc9.noarch
Comment 21 Jean-Francois Saucier 2008-12-01 19:19:28 EST
Kismet fail to launch on a default F10 install with updates and SELinux enabled.

I will attach the avc error.
Comment 22 Jean-Francois Saucier 2008-12-01 19:19:55 EST
Created attachment 325319 [details]
Comment 23 Daniel Walsh 2008-12-02 11:04:47 EST
You can add these rules for now using

# grep avc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Fixed in selinux-policy-3.5.13-28.fc10
Comment 24 Jean-Francois Saucier 2008-12-12 09:31:15 EST
It's me again ;)

I have updated to selinux-policy-targeted-3.5.13-30.fc10.noarch and I have another problem with SELinux.

I will attach the SELinux debug log and the AVC alert.

Thank you.
Comment 25 Jean-Francois Saucier 2008-12-12 09:31:42 EST
Created attachment 326731 [details]
Log output from Kismet
Comment 26 Jean-Francois Saucier 2008-12-12 09:32:04 EST
Created attachment 326732 [details]
AVC message from Kismet
Comment 27 Daniel Walsh 2008-12-12 09:39:13 EST
You can allow this for now.

# audit2allow -M mypol -l -i /var/log/audit/audit.log
# semodule -i mypol.pp

Fixed in selinux-policy-3.5.13-35.fc10
Comment 28 Jean-Francois Saucier 2009-01-09 09:15:48 EST
There is an error with SELinux permission on xterm and kismet, here is the debug log from kismet and I will attach the AVC messages :

Looking for startup info from localhost:2501..... found.
Connected to Kismet server 2008.05.R1 on localhost:2501
Reading AP manufacturer data and defaults from /etc/kismet/ap_manuf
Reading client manufacturer data and defaults from /etc/kismet/client_manuf
Error opening terminal: xterm.
Didn't see any weak encryption packets, unlinking weak file
Sending termination request to channel control child 5264...

RPM packages version :

Thank you
Comment 29 Jean-Francois Saucier 2009-01-09 09:16:32 EST
Created attachment 328549 [details]
AVC messages from Kismet
Comment 30 Daniel Walsh 2009-01-12 15:30:00 EST
How is your kismet_client labeled?

ls -lZ /usr/bin/kismet_client?

Does kidmet execute the kismet_client?
Comment 31 Jean-Francois Saucier 2009-01-12 16:04:18 EST
My kismet_client is labeled : 

jeff@portable ~ $ ls -lZ /usr/bin/kismet_client 
-rwxr-xr-x  root root system_u:object_r:bin_t:s0       /usr/bin/kismet_client

And after a restorecon on the file, it stay at that label.

I think that kismet execute the kismet_client because in the log, it says it connect to the server on port localhost:2501.

If you need more informations, I will be glad to provide it.
Comment 32 Daniel Walsh 2009-01-13 09:47:12 EST
Ok that explains it, I see no reason why this should not be allowed.

Miroslav could you add


to F9 and F10 policy.
Comment 33 Miroslav Grepl 2009-01-14 09:02:49 EST
Fixed in selinux-policy-3.3.1-118.fc9.noarch
Comment 34 Jean-Francois Saucier 2009-02-09 19:45:28 EST
The last update now permit to run Kismet with the default SELinux policy in place with F9 and F10.

But now that kismet start just fine, it throw up those SELinux AVC errors when running on F10. I have not tested this bug with F9 for now but will try to do later this week.

I will attach the console debug logs and SELinux AVC errors log.

Version : 


Thank you.
Comment 35 Jean-Francois Saucier 2009-02-09 19:46:14 EST
Created attachment 331383 [details]
SELinux AVC errors F10
Comment 36 Jean-Francois Saucier 2009-02-09 19:46:45 EST
Created attachment 331384 [details]
Console debug F10
Comment 37 Daniel Walsh 2009-02-10 09:04:34 EST
Looks like kismet_client is trying to play a sound when it starts?
Comment 38 Jean-Francois Saucier 2009-02-10 09:52:25 EST
It seems so, kismet play sound when it detect an access point.

The AVC errors don't seem to affect kismet functionality for the moment, apart from the sound.
Comment 39 Daniel Walsh 2009-02-10 15:13:32 EST
Could you put kismet_t in permissive mode and then grab all of the avc's when it plays a sound

# semanage permissive -a kismet_t

Get kismet_t to play a sound

# semanage permissive -d kismet_t

Attach /var/log/audit/audit.log.
Comment 40 Jean-Francois Saucier 2009-02-10 15:33:12 EST
Created attachment 331467 [details]
SELinux Permissive AVC logs

This is all the AVC logs for the commands you ask.
Comment 41 Daniel Walsh 2009-02-10 15:46:58 EST
Miroslav, I have made changes for this in Rawhide policy, you need to update F9 and F10 to allow these.
Comment 42 Miroslav Grepl 2009-02-19 12:08:36 EST
Fixed in selinux-policy-3.3.1-124.fc9
Comment 43 Mike C 2009-03-07 13:30:17 EST
I have been unable to get kismet working in f10 also ( at all! )... I currently have 

When I start kismet I get two WARNINGS:
Unable to open '/etc/kismet/ap_manuf' for reading (Permission denied)
Unable to open '/etc/kismet/client_manuf' for reading (Permission denied)
but kismet does continue past this point and starts the logging. It gives the correct message about Listening on port 2501 and "Allowing connections....."

It continues to "Gathering packets..." and then 
Launching kismet_client: /usr/bin/kismet_client
Launched client, pid 3508
NOTICE: configdir '/root/' does not exist, making it.
FATAL: Cound not make configdir: File exists
Then the session hangs

I did do the trick with semanage -i ****.pp as suggested above before this test after getting avc denials.

There is an avc denial at the time the process hangs with SElinux preventing the kismet_server from using the potentially mislabeled files (./kismet)

Is this already known and about to be fixed in new policy not yet released?
Comment 44 Daniel Walsh 2009-03-09 10:27:35 EDT
Mike please open a new bugzilla rather then responding to an old one.

I believe you probably have mislabeled files in /etc/kismet

restorecon -R -v /etc/kismet

To see if this changes anything.

It is probably not a good idea to have kismets "configdir" in the /root directory.
Not sure what that is.
Comment 45 Mike C 2009-03-09 13:35:02 EDT
OK Dan but it will be a day or two as I have other tasks to be done first before investigating kismet again. I have no idea in which directory this configdir is but it is certainly not in the real /root directory. I did restorecon for /etc/kismet but nothing changed... however I note that the new policy was implemented for f9 but not f10 as per #42!
Comment 46 Jean-Francois Saucier 2009-03-12 13:50:04 EDT
Good news!

I have been using kismet for a while with the following version and everything work fine! No more AVC errors when starting, running or playing a sound.


A big thanks to everyone for solving this issue! I think we can close this bug now.
Comment 47 Bug Zapper 2009-06-09 22:29:10 EDT
This message is a reminder that Fedora 9 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 9.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '9'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 9's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 9 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 

Note You need to log in before you can comment on or make changes to this bug.