Bug 477283 - wpa_supplicant prevented from accessing /etc/wpa_supplicant/wpa_supplicant.conf
Product: Fedora
Classification: Fedora
Component: selinux-policy
Hardware: i386 Linux
Priority: low, Severity: high
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Depends On: 477109
Reported: 2008-12-19 20:17 EST by Dan Williams
Modified: 2008-12-22 10:36 EST

Doc Type: Bug Fix
Last Closed: 2008-12-22 10:36:56 EST

Description Dan Williams 2008-12-19 20:17:56 EST
+++ This bug was initially created as a clone of Bug #477109 +++

Description of problem:

Wireless no longer works after upgrade to Fedora 10

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. sudo /usr/sbin/wpa_supplicant -c/etc/wpa_supplicant/wpa_supplicant.conf -iwlan0 -Dmadwifi -d

Actual results:

Initializing interface 'wlan0' conf '/etc/wpa_supplicant/wpa_supplicant.conf' driver 'madwifi' ctrl_interface 'N/A' bridge 'N/A'
Unsupported driver 'madwifi'.

Failed to add interface wlan0
Cancelling scan request
Cancelling authentication timeout

Expected results:

wpa_supplicant to load

Additional info:

I have an old DELL Inspiron 5000e laptop that was working fine on
Fedora 9. Since I upgraded it to Fedora 10 I have been unable to get
my wireless to work. It was working well on Fedora 9

My trouble seems to be related to being unable to load wpa_supplicant
(with the correct interface and driver)

/home/mhd: sudo /usr/sbin/wpa_supplicant -c/etc/wpa_supplicant/wpa_supplicant.conf -iwlan0 -Dmadwifi -d
Initializing interface 'wlan0' conf '/etc/wpa_supplicant/wpa_supplicant.conf' driver 'madwifi' ctrl_interface 'N/A' bridge 'N/A'
Unsupported driver 'madwifi'.

Failed to add interface wlan0
Cancelling scan request
Cancelling authentication timeout

My wireless card is found by:

/home/mhd: /sbin/lspci
00:00.0 Host bridge: Intel Corporation 440BX/ZX/DX - 82443BX/ZX/DX Host bridge (rev 03)
00:01.0 PCI bridge: Intel Corporation 440BX/ZX/DX - 82443BX/ZX/DX AGP bridge (rev 03)
00:04.0 CardBus bridge: Texas Instruments PCI1225 (rev 01)
00:04.1 CardBus bridge: Texas Instruments PCI1225 (rev 01)
00:07.0 Bridge: Intel Corporation 82371AB/EB/MB PIIX4 ISA (rev 02)
00:07.1 IDE interface: Intel Corporation 82371AB/EB/MB PIIX4 IDE (rev 01)
00:07.2 USB Controller: Intel Corporation 82371AB/EB/MB PIIX4 USB (rev 01)
00:07.3 Bridge: Intel Corporation 82371AB/EB/MB PIIX4 ACPI (rev 03)
00:08.0 Multimedia audio controller: ESS Technology ES1978 Maestro 2E (rev 10)
00:10.0 Communication controller: Agere Systems WinModem 56k (rev 01)
01:00.0 VGA compatible controller: ATI Technologies Inc Rage Mobility M3 AGP 2x (rev 02)
02:00.0 Ethernet controller: Atheros Communications Inc. AR5212/AR5213 Multiprotocol MAC/baseband processor (rev 01)
06:00.0 Ethernet controller: Xircom Cardbus Ethernet 10/100 (rev 03)

The relevant modules are found by:

/home/mhd: /sbin/lsmod | grep ath
dm_multipath           17164  0 
ath_rate_sample        14848  1 
ath_pci               162360  0 
wlan                  189748  5 wlan_tkip,wlan_scan_sta,ath_rate_sample,ath_pci
ath_hal               302176  3 ath_rate_sample,ath_pci

Here is my ifcfg-wlan0

# Atheros Communications Inc. AR5212/AR5213 Multiprotocol MAC/baseband processor
ESSID=<my ap ssid>

and my /etc/wpa_supplicant/wpa_supplicant.conf

/home/mhd: sudo cat /etc/wpa_supplicant/wpa_supplicant.conf
[sudo] password for mhd: 

        ssid="my ssid"
        psk="my key"

to find my kernel:

/home/mhd: uname -a
Linux localhost.localdomain #1 SMP Mon Dec 1 22:42:50 EST 2008 i686 i686 i386 GNU/Linux

and the madwifi driver comes from:
/home/mhd: yum list '*madwifi*'
Loaded plugins: refresh-packagekit
Installed Packages
kmod-madwifi.i686                                           0.9.4-60.r3861_20080903.fc10.12                 installed                
kmod-madwifi-                    0.9.4-60.r3861_20080903.fc10.12                 installed                
madwifi.i386                                                0.9.4-60.r3861_20080903.fc10                    installed                

Perhaps wpa_supplicant is not lying and the madwifi driver has been dropped:

/home/mhd: /usr/sbin/wpa_supplicant
wpa_supplicant v0.6.4
Copyright (c) 2003-2008, Jouni Malinen <j@w1.fi> and contributors

This program is free software. You can distribute it and/or modify it
under the terms of the GNU General Public License version 2.

Alternatively, this software may be distributed under the terms of the
BSD license. See README and COPYING for more details.

This product includes software developed by the OpenSSL Project
for use in the OpenSSL Toolkit (http://www.openssl.org/)

  wpa_supplicant [-BddhKLqqtuvW] [-P<pid file>] [-g<global ctrl>] \
        -i<ifname> -c<config file> [-C<ctrl>] [-D<driver>] [-p<driver_param>] \
        [-b<br_ifname>] [-f<debug file>] \
        [-N -i<ifname> -c<conf> [-C<ctrl>] [-D<driver>] \
        [-p<driver_param>] [-b<br_ifname>] ...]

  wext = Linux wireless extensions (generic)
  atmel = ATMEL AT76C5XXx (USB, PCMCIA)
  ndiswrapper = Linux ndiswrapper
  wired = wpa_supplicant wired Ethernet driver
  -b = optional bridge interface name
  -B = run daemon in the background
  -c = Configuration file
  -C = ctrl_interface parameter (only used if -c is not)
  -i = interface name
  -d = increase debugging verbosity (-dd even more)
  -D = driver name
  -f = log output to debug file instead of stdout
  -g = global ctrl_interface
  -K = include keys (passwords, etc.) in debug output
  -t = include timestamp in debug messages
  -h = show this help text
  -L = show license (GPL and BSD)
  -p = driver parameters
  -P = PID file
  -q = decrease debugging verbosity (-qq even less)
  -u = enable DBus control interface
  -v = show version
  -W = wait for a control interface monitor before starting
  -N = start describing new interface
  wpa_supplicant -Dwext -iwlan0 -c/etc/wpa_supplicant.conf

/home/mhd: yum list wpa_supplicant
Loaded plugins: refresh-packagekit
Installed Packages
wpa_supplicant.i386       1:0.6.4-2.fc10     installed

--- Additional comment from dcbw@redhat.com on 2008-12-19 11:29:12 EDT ---

The 'madwifi' wpa_supplicant driver is not supported by Fedora because the kernel includes the official 'ath5k' and 'ath9k' drivers that support the same hardware, and because madwifi was never part of the upstream kernel.  Please try one of those, or if the card is for some reason not supported by one of those drivers, then we need to add support for that card to the upstream kernel.

--- Additional comment from webmaster@scmta-trails.org on 2008-12-19 17:37:08 EDT ---

Thank you.

The wireless on my laptop is working fine now after a little struggle. I removed all traces of 'madwifi' from the system but still struggled until I found that selinux was denying wpa_supplicant access to /etc/wpa_supplicant/wpa_supplicant.conf. After setting permissive mode (as usual) for selinux and rebooting I was up and running.

Wireless is difficult on linux. I always struggle to make it work. I had settled on atheros chipsets and madwifi because that combination consistently worked. I've been unlucky otherwise.

Selinux is even more difficult. There should be an easy way to let it just do those (determined to be safe) few things. I am sure that most users just do as I do and set permissive mode and give up the added security of selinux.

My posting may not have been totally useless because others, having the same problems as I did, may see it, and get themselves up and running quicker than I did.

Thanks again.

--- Additional comment from dcbw@redhat.com on 2008-12-19 17:56:51 EDT ---

Have you tried using NetworkManager at all?  For most cases, it makes network connections (wired, wireless, cellular) a lot easier.  Atheros chips are a much better bet these days since Atheros itself is actually contributing to the drivers in the Linux kernel.

Any chance you could grab the specific SELinux denial message from /var/log/messages and file a new bug report for that against the 'selinux-policy' package in Bugzilla?  If we can fix all the common denials (which we try to do), then it becomes much easier for stuff to work out of the box.  You could also have tried to relabel (by, as root, 'touch /.autorelabel' and rebooting).  Sometimes labels get messed up if you install files over top of ones shipped with Fedora.  Anyway, if we could fix the error even though you've worked around it that would be great.

--- Additional comment from webmaster@scmta-trails.org on 2008-12-19 19:44:20 EDT ---

/home/mhd: sealert -l 560183af-f100-4cd8-a378-30355ae09a4d


SELinux is preventing wpa_supplicant (NetworkManager_t) "getattr" to
/etc/wpa_supplicant/wpa_supplicant.conf (dosfs_t).

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux denied access requested by wpa_supplicant.
/etc/wpa_supplicant/wpa_supplicant.conf may be a mislabeled.
/etc/wpa_supplicant/wpa_supplicant.conf default SELinux type is etc_t, but its
current type is dosfs_t. Changing this file back to the default type, may fix
your problem.

File contexts can be assigned to a file in the following ways.

  * Files created in a directory receive the file context of the parent
    directory by default.
  * The SELinux policy might override the default label inherited from the
    parent directory by specifying a process running in context A which creates
    a file in a directory labeled B will instead create the file with label C.
    An example of this would be the dhcp client running with the dhclient_t type
    and creates a file in the directory /etc. This file would normally receive
    the etc_t type due to parental inheritance but instead the file is labeled
    with the net_conf_t type because the SELinux policy specifies this.
  * Users can change the file context on a file using tools such as chcon, or

This file could have been mislabeled either by user error, or if an normally
confined application was run under the wrong domain.

However, this might also indicate a bug in SELinux because the file should not
have been labeled with this type.

If you believe this is a bug, please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Allowing Access:

You can restore the default system context to this file by executing the
restorecon command. restorecon '/etc/wpa_supplicant/wpa_supplicant.conf', if
this file is a directory, you can recursively restore using restorecon -R

Fix Command:

restorecon '/etc/wpa_supplicant/wpa_supplicant.conf'

Additional Information:

Source Context                unconfined_u:system_r:NetworkManager_t:s0
Target Context                system_u:object_r:dosfs_t:s0
Target Objects                /etc/wpa_supplicant/wpa_supplicant.conf [ file ]
Source                        wpa_supplicant
Source Path                   /usr/sbin/wpa_supplicant
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           wpa_supplicant-0.6.4-2.fc10
Target RPM Packages           wpa_supplicant-0.6.4-2.fc10
Policy RPM                    selinux-policy-3.5.13-34.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   restorecon
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain
                              #1 SMP Mon Dec 1 22:42:50 EST 2008 i686 i686
Alert Count                   2
First Seen                    Fri Dec 19 11:16:00 2008
Last Seen                     Fri Dec 19 11:20:44 2008
Local ID                      560183af-f100-4cd8-a378-30355ae09a4d
Line Numbers                  

Raw Audit Messages            

node=localhost.localdomain type=AVC msg=audit(1229714444.467:42): avc:  denied  { getattr } for  pid=4595 comm="wpa_supplicant" path="/etc/wpa_supplicant/wpa_supplicant.conf" dev=sda1 ino=519337 scontext=unconfined_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file

node=localhost.localdomain type=SYSCALL msg=audit(1229714444.467:42): arch=40000003 syscall=197 success=yes exit=0 a0=4 a1=bfdde688 a2=d75ff4 a3=824bb68 items=0 ppid=4594 pid=4595 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=2 comm="wpa_supplicant" exe="/usr/sbin/wpa_supplicant" subj=unconfined_u:system_r:NetworkManager_t:s0 key=(null)

Comment 1 Daniel Walsh 2008-12-22 10:36:56 EST
You must have moved this file off of a USB stick?  It has a label of dosfs_t on it which is incorrect.  This is a mislabeled file.

restorecon -R -v /etc  

Will fix the problem.
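
Added example, not part of the bug report: a small triage of the AVC record quoted in the sealert output, showing how the target context separates a mislabeled file (fix with restorecon) from a denial that belongs in a selinux-policy bug. The EXPECTED_TYPES table is an assumption standing in for the policy's file-context lookup (matchpathcon on a live system); its single entry uses the etc_t default stated in the sealert text.

```python
import re
import shlex

# AVC record copied from the sealert output above.
AVC = ('node=localhost.localdomain type=AVC msg=audit(1229714444.467:42): '
       'avc:  denied  { getattr } for  pid=4595 comm="wpa_supplicant" '
       'path="/etc/wpa_supplicant/wpa_supplicant.conf" dev=sda1 ino=519337 '
       'scontext=unconfined_u:system_r:NetworkManager_t:s0 '
       'tcontext=system_u:object_r:dosfs_t:s0 tclass=file')

# Assumption: stand-in for the policy's file-context lookup (matchpathcon on
# a live system). The etc_t default comes from the sealert text above.
EXPECTED_TYPES = {"/etc/wpa_supplicant/wpa_supplicant.conf": "etc_t"}

def parse_avc(line):
    """Split an AVC denial into its permissions plus its key=value fields."""
    m = re.search(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)$", line)
    if m is None:
        raise ValueError("not an AVC denial record")
    # shlex strips the quotes around values such as comm="..." and path="..."
    fields = dict(tok.split("=", 1) for tok in shlex.split(m.group(2)) if "=" in tok)
    fields["perms"] = m.group(1).split()
    return fields

def context_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]

def triage(line, expected=EXPECTED_TYPES):
    """Classify a denial as a mislabeled target or a possible policy gap."""
    avc = parse_avc(line)
    path = avc.get("path")
    current = context_type(avc["tcontext"])
    default = expected.get(path)
    if default is not None and current != default:
        # Label differs from the policy default: fix the label and leave
        # the policy and the enforcing mode alone.
        return {"verdict": "mislabeled", "path": path, "current": current,
                "default": default, "fix": "restorecon -v " + shlex.quote(path)}
    return {"verdict": "policy", "path": path, "current": current,
            "default": default, "fix": None}

if __name__ == "__main__":
    print(triage(AVC))
```

A "policy" verdict means the label already matches the default, so the denial is the kind to report against selinux-policy rather than something a relabel will fix.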
