Bug 481511 - SE Linux Blocks Wicd Network Manager.
SE Linux Blocks Wicd Network Manager.
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
10
x86_64 Linux
low Severity medium
: ---
: ---
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2009-01-25 15:53 EST by Michael J. Tinsley
Modified: 2009-11-18 08:00 EST (History)
8 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-11-18 08:00:19 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
File context for wicd policy (649 bytes, application/octet-stream)
2009-01-25 15:53 EST, Michael J. Tinsley
no flags Details
Type enforcement for wicd policy (366 bytes, application/octet-stream)
2009-01-25 15:54 EST, Michael J. Tinsley
no flags Details
List of AVC denials thrown by wicd (49.16 KB, application/octet-stream)
2009-01-25 15:59 EST, Michael J. Tinsley
no flags Details
audit.log file (232.50 KB, application/octet-stream)
2009-06-17 16:01 EDT, Mateusz Mikolajczyk
no flags Details

  None (edit)
Description Michael J. Tinsley 2009-01-25 15:53:08 EST
Created attachment 329955 [details]
File context for wicd policy

Description of problem: Wicd network manager will not work, AVC denials  


Version-Release number of selected component (if applicable):


How reproducible: Open wicd network manager, then try to connect to wlan.


Steps to Reproduce:
1.Install wicd according to the directions given at http://wicd.sourceforge.net/download.php
2.Open wicd from the applications menu.
3.Attempt to connect to a secure wlan within wicd.
  
Actual results:Wicd does not ever finish connecting to the wlan, and AVC denials are shown.


Expected results:I expected to be able to follow the directions in the setroubleshoot browser, and fix the problem, that did not work.      


Additional info: I went to the #fedora-selinux chat on freenode, and got help to build a policy module that would allow wicd to work properly while SE Linux was running in enforceing mode. I am including the original AVC denails, the new policy module, and associated files as attachments.
Comment 1 Michael J. Tinsley 2009-01-25 15:54:36 EST
Created attachment 329956 [details]
Type enforcement for wicd policy
Comment 2 Michael J. Tinsley 2009-01-25 15:59:58 EST
Created attachment 329957 [details]
List of AVC denials thrown by wicd
Comment 3 Daniel Walsh 2009-01-26 13:40:42 EST
allow consoletype_t NetworkManager_t:fifo_file write;

This is either a leaked file descriptor from wicd or is stdout redirected to it?

/usr/lib/wicd/monitor.py 	-- 	gen_context(system_u:object_r:NetworkManager_exec_t, s0)

Is this executed directly?
Comment 4 Dominick Grift 2009-01-26 17:57:27 EST
/usr/lib/wicd/monitor.py  -- 
gen_context(system_u:object_r:NetworkManager_exec_t, s0)

This gets executed by /usr/sbin/wicd
(can_exec(NetworkManager_t, NetworkManager_exec_t)


Not sure about consoletype_t.
Comment 5 Dominick Grift 2009-01-26 18:27:36 EST
allow consoletype_t NetworkManager_t:fifo_file write;

I do not think this is a leaked fd because if it was then we would probably be confronted with other strange denials. Although i am not sure.
Comment 6 Robby Workman 2009-01-26 20:38:03 EST
Daniel,

I'm not sure what you're asking in the first question, but the wicd daemon does redirect stdout and stderr into its logfile.
Re the second question, no, monitor.py is not executed directly (by the user, if that's what you mean) - it's only called by the daemon itself.

I've put together a branch of the experimental branch (leading to 1.6.0) with support for selinux.  It won't actually compile and insert the policy module; instead, it puts the .tc and .fc files in $sharedir/wicd/selinux/ along with a HOWTO for building and inserting the module.

I'm obviously :-) not familiar with selinux, so feedback on my implementation is definitely welcome.
Comment 7 Robby Workman 2009-01-26 20:40:39 EST
Sorry for the oversight - here's the branch if you're interested (and yeah, patches are certainly welcome):
https://code.launchpad.net/~rworkman/wicd/selinux
Comment 8 Daniel Walsh 2009-01-27 10:29:38 EST
We can make the changes to SELinux policy for you.  /usr/lib/wicd/monitor.py  seems a little bit of a strange place to put an executable.  /usr/lib/python...
or /usr/share/wicd/, would be the usual places I would execpect to find python modules.  Labeling it bin_t is probably more appropriate.

allow consoletype_t NetworkManager_t:fifo_file write;

If you are redirecting to log files, this is probably a leaked file descriptor.  Make sure that you close all file descriptors on exec.

fcntl(fd, F_SETFD, FD_CLOEXEC)

The file contexts described above will be in tonights rawhide.
Comment 9 Miroslav Grepl 2009-02-03 13:58:39 EST
Fixed in selinux-policy-3.5.13-42.fc10
Comment 10 Penelope Fudd 2009-02-07 19:13:52 EST
How would I add this to fedora 9?  Is selinux-policy-3.5.13-42.fc10 suitable, or will I get a spectacular amount of breakage?
Comment 11 Daniel Walsh 2009-02-09 09:56:03 EST
No,  Miroslav needs to make the change to F9 also.
Comment 12 Miroslav Grepl 2009-02-09 09:59:12 EST
I will also add it to F9.
Comment 13 Andy Pastuszak 2009-06-13 10:12:53 EDT
I just installed WICD and am getting this error with NetworkManager and SELinux:

SELinux is preventing wpa_supplicant (NetworkManager_t) "getattr" to /var/lib/wicd/configurations/001f90f43bb4 (var_lib_t). 

SELinux denied access requested by wpa_supplicant. /var/lib/wicd/configurations/001f90f43bb4 may be a mislabeled. /var/lib/wicd/configurations/001f90f43bb4 default SELinux type is NetworkManager_var_lib_t, but its current type is var_lib_t. Changing this file back to the default type, may fix your problem. 


Is this the same issue, carried over to Fedora 11, or a new one?
Comment 14 Daniel Walsh 2009-06-15 14:15:53 EDT
Since wicd does not install via RPM the directory was not labeles correctly at install, so it is up to the admin to label the directory .

restorecon -R -v /var/lib/wicd 
should fix.
Comment 15 Andy Pastuszak 2009-06-16 00:11:38 EDT
That produced a laundry list of new AVC denials:


Summary:

SELinux is preventing the wpa_supplicant from using potentially mislabeled files (wpa_ctrl_2000-1). 

SELinux is preventing the wpa_supplicant from using potentially mislabeled files (wpa_ctrl_2219-1).

SELinux is preventing the wpa_supplicant from using potentially mislabeled files (wpa_ctrl_2287-1).

SELinux is preventing the wpa_supplicant from using potentially mislabeled files (wpa_ctrl_2481-1). 

SELinux is preventing the wpa_supplicant from using potentially mislabeled files (wpa_ctrl_2511-1). 

And the mislabeled files errors go on and on.
Comment 16 Miroslav Grepl 2009-06-16 07:08:46 EDT
Could you attach a complete AVC denial that you are seeing ?
Comment 17 Daniel Walsh 2009-06-16 09:21:54 EDT
You might need to relabel your entire machine.

fixfiles restore
Comment 18 Mateusz Mikolajczyk 2009-06-16 18:39:29 EDT
hi :)
i am using fedora 11. and i am also encountering this bug. 
i tried both of the commands Daniel wrote:

restorecon -R -v /var/lib/wicd 
fixfiles restore

but it didn't do any change.

i have made an ugly temporal fix (change in the 'start' function of the init script):
[toudi@scrapeyard ~]$ diff /usr/local/src/wicd-1.6.0/init/redhat/wicd /etc/init.d/wicd 
20a21,23
>                 restorecon /var/lib/wicd
>                 chmod 777 /var/lib/wicd
>                 chmod 777 /var/log/wicd/wicd.log

now i am also getting avc denial, but at least the wicd is able to connect to the network :D

i also tried to apply selinux policy rules but i get the following error:

[root@scrapeyard wicd-selinux]# ls
mywicd.fc  mywicd.if  mywicd.te  tmp
[root@scrapeyard wicd-selinux]# make -f /usr/share/selinux/devel/Makefile 
Compiling targeted mywicd module
/usr/bin/checkmodule:  loading policy configuration from tmp/mywicd.tmp
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 10) to tmp/mywicd.mod
Creating targeted mywicd.pp policy package
rm tmp/mywicd.mod.fc tmp/mywicd.mod
[root@scrapeyard wicd-selinux]# ls
mywicd.fc  mywicd.if  mywicd.pp  mywicd.te  tmp
[root@scrapeyard wicd-selinux]# semodule -i mywicd.pp 
libsepol.scope_copy_callback: mywicd: Duplicate declaration in module: type/attribute NetworkManager_var_lib_t
libsemanage.semanage_link_sandbox: Link packages failed
semodule:  Failed!

by the way, i have also noticed one more thing (this is not particulary related to this bug but i am rather new here and don't know where to report this) - when i was using network manager, fedora (both 10 and 11) were experiencing random freezes. with wicd the problem was gone :)

i hope this'll help anybody.

best regards, toudi.
Comment 19 Miroslav Grepl 2009-06-17 07:13:04 EDT
(In reply to comment #18)
> hi :)
> i am using fedora 11. and i am also encountering this bug. 
> i tried both of the commands Daniel wrote:
> 
> restorecon -R -v /var/lib/wicd 
> fixfiles restore
> 
> but it didn't do any change.
> 
> i have made an ugly temporal fix (change in the 'start' function of the init
> script):
> [toudi@scrapeyard ~]$ diff /usr/local/src/wicd-1.6.0/init/redhat/wicd
> /etc/init.d/wicd 
> 20a21,23
> >                 restorecon /var/lib/wicd
> >                 chmod 777 /var/lib/wicd
> >                 chmod 777 /var/log/wicd/wicd.log
> 
> now i am also getting avc denial, but at least the wicd is able to connect to
> the network :D
> 

What avc messages are you getting? Please attach your /var/log/audit/audit.log file.

> i also tried to apply selinux policy rules but i get the following error:
> 
> [root@scrapeyard wicd-selinux]# ls
> mywicd.fc  mywicd.if  mywicd.te  tmp
> [root@scrapeyard wicd-selinux]# make -f /usr/share/selinux/devel/Makefile 
> Compiling targeted mywicd module
> /usr/bin/checkmodule:  loading policy configuration from tmp/mywicd.tmp
> /usr/bin/checkmodule:  policy configuration loaded
> /usr/bin/checkmodule:  writing binary representation (version 10) to
> tmp/mywicd.mod
> Creating targeted mywicd.pp policy package
> rm tmp/mywicd.mod.fc tmp/mywicd.mod
> [root@scrapeyard wicd-selinux]# ls
> mywicd.fc  mywicd.if  mywicd.pp  mywicd.te  tmp
> [root@scrapeyard wicd-selinux]# semodule -i mywicd.pp 
> libsepol.scope_copy_callback: mywicd: Duplicate declaration in module:
> type/attribute NetworkManager_var_lib_t
> libsemanage.semanage_link_sandbox: Link packages failed
> semodule:  Failed!
> 

This happens when you specify a new type but this type has been already specified. You can use 'require' statement. For example:

require {
	type NetworkManager_var_lib_t;
}

> by the way, i have also noticed one more thing (this is not particulary related
> to this bug but i am rather new here and don't know where to report this) -
> when i was using network manager, fedora (both 10 and 11) were experiencing
> random freezes. with wicd the problem was gone :)
> 
> i hope this'll help anybody.
> 
> best regards, toudi.
Comment 20 Daniel Walsh 2009-06-17 10:07:15 EDT
> >                 chmod 777 /var/lib/wicd
This is a bad idea.
Don't do this.

Please attach your audit logs or at least the avc messages that you are seeing.
Comment 21 Mateusz Mikolajczyk 2009-06-17 16:00:24 EDT
@Daniel:

i know it's a bad idea, that's why i called that solution "temporarly ugly fix" :D

here's a small update. At first, i copied the audit.log file which i will post in a second. Then i removed my changes from /etc/init.d/wicd (chmods and restorecon). Then i applied Miroslav's solution:

[toudi@scrapeyard wicd-selinux]$ diff mywicd.te ../mywicd.te 
4c4
< require { type NetworkManager_var_lib_t; }
---
> type NetworkManager_var_lib_t;

then i runned the command semodule -i mywicd.pp but *loads* of errors occured, every one of them about the same thing : 

/etc/selinux/targeted/contexts/files/file_contexts: Multiple same specifications for /var/lib/wicd(/.*)?.
/etc/selinux/targeted/contexts/files/file_contexts: Multiple same specifications for /var/log/wicd(/.*)?.
/etc/selinux/targeted/contexts/files/file_contexts: Multiple different specifications for /usr/lib/wicd/monitor.py  (system_u:object_r:NetworkManager_exec_t:s0 and system_u:object_r:bin_t:s0).
/etc/selinux/targeted/contexts/files/file_contexts: Multiple same specifications for /etc/wicd/wired-settings.conf.
/etc/selinux/targeted/contexts/files/file_contexts: Multiple same specifications for /etc/wicd/manager-settings.conf.
/etc/selinux/targeted/contexts/files/file_contexts: Multiple same specifications for /etc/wicd/wireless-settings.conf.
/etc/selinux/targeted/contexts/files/file_contexts: Multiple same specifications for /usr/sbin/wicd.
/etc/selinux/targeted/contexts/files/file_contexts: Multiple same specifications for /etc/rc\.d/init\.d/wicd.
/etc/selinux/targeted/contexts/files/file_contexts: Invalid argument
libsemanage.semanage_install_active: setfiles returned error code 1.
/etc/selinux/targeted/contexts/files/file_contexts: Multiple same specifications for /var/lib/wicd(/.*)?.
/etc/selinux/targeted/contexts/files/file_contexts: Multiple same specifications for /var/log/wicd(/.*)?.
/etc/selinux/targeted/contexts/files/file_contexts: Multiple different specifications for /usr/lib/wicd/monitor.py  (system_u:object_r:NetworkManager_exec_t:s0 and system_u:object_r:bin_t:s0).
/etc/selinux/targeted/contexts/files/file_contexts: Multiple same specifications for /etc/wicd/wired-settings.conf.
/etc/selinux/targeted/contexts/files/file_contexts: Multiple same specifications for /etc/wicd/manager-settings.conf.
/etc/selinux/targeted/contexts/files/file_contexts: Multiple same specifications for /etc/wicd/wireless-settings.conf.
/etc/selinux/targeted/contexts/files/file_contexts: Multiple same specifications for /usr/sbin/wicd.
/etc/selinux/targeted/contexts/files/file_contexts: Multiple same specifications for /etc/rc\.d/init\.d/wicd.
/etc/selinux/targeted/contexts/files/file_contexts: Invalid argument
libsemanage.semanage_install_active: setfiles returned error code 1.
semodule:  Failed!

now, here's a very important note - i didn't repaired that file at once and i was unable to boot into fedora after reboot (gdm was starting and the mouse cursor was visible but there was no login dialog). Anyway, i rebooted fedora using "repair system" and then i manually deleted duplicates of things related to *wicd* from that file : /etc/selinux/targeted/contexts/files/file_contexts so the entries relating to wicd look like this:

[root@scrapeyard wicd-selinux]# grep "wicd" /etc/selinux/targeted/contexts/files/file_contexts
/var/lib/wicd(/.*)?	system_u:object_r:NetworkManager_var_lib_t:s0
/var/log/wicd(/.*)?	system_u:object_r:NetworkManager_log_t:s0
/usr/lib/wicd/monitor.py	--	system_u:object_r:NetworkManager_exec_t:s0
/etc/wicd/wired-settings.conf	--	system_u:object_r:net_conf_t:s0
/etc/wicd/manager-settings.conf	--	system_u:object_r:net_conf_t:s0
/etc/wicd/wireless-settings.conf	--	system_u:object_r:net_conf_t:s0
/usr/sbin/wicd	--	system_u:object_r:NetworkManager_exec_t:s0
/etc/rc\.d/init\.d/wicd	--	system_u:object_r:NetworkManager_initrc_exec_t:s0

after the next reboot i am also getting avc denials (simmilar to this: (sorry for the polish language)), however wicd *IS ABLE* to connect to wpa2 protected network without any problems and / or hanging fedora.

here's a sample error:

Podsumowanie:

SELinux is preventing restorecon (setfiles_t) "read" NetworkManager_t.

Szczegółowy opis:

SELinux denied access requested by restorecon. It is not expected that this
access is required by restorecon and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Zezwalanie na dostęp:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Dodatkowe informacje:

Kontekst źródłowy          system_u:system_r:setfiles_t:s0
Kontekst docelowy             system_u:system_r:NetworkManager_t:s0
Obiekty docelowe              pipe [ fifo_file ]
Źródło                     restorecon
Ścieżka źródłowa         /sbin/setfiles
Port                          <Nieznane>
Komputer                      scrapeyard.zwyciestwa
Źródłowe pakiety RPM       policycoreutils-2.0.62-12.9.fc11
Docelowe pakiety RPM          
RPM polityki                  selinux-policy-3.6.12-45.fc11
SELinux jest włączony       True
Typ polityki                  targeted
MLS jest włączone           True
Tryb wymuszania               Enforcing
Nazwa wtyczki                 catchall
Nazwa komputera               scrapeyard.zwyciestwa
Platforma                     Linux scrapeyard.zwyciestwa
                              2.6.29.4-167.fc11.x86_64 #1 SMP Wed May 27
                              17:27:08 EDT 2009 x86_64 x86_64
Licznik alarmów              23
Po raz pierwszy               śro, 17 cze 2009, 00:28:24
Po raz ostatni                śro, 17 cze 2009, 21:47:39
Lokalny identyfikator         1bac3804-51f1-49c6-8204-3a38f19a4143
Liczba wierszy                

Surowe komunikaty audytu      

node=scrapeyard.zwyciestwa type=AVC msg=audit(1245268059.374:33): avc:  denied  { read } for  pid=2472 comm="restorecon" path="pipe:[16615]" dev=pipefs ino=16615 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=fifo_file

node=scrapeyard.zwyciestwa type=SYSCALL msg=audit(1245268059.374:33): arch=c000003e syscall=59 success=yes exit=0 a0=c33200 a1=c36cd0 a2=c1d380 a3=18 items=0 ppid=2436 pid=2472 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="restorecon" exe="/sbin/setfiles" subj=system_u:system_r:setfiles_t:s0 key=(null)
Comment 22 Mateusz Mikolajczyk 2009-06-17 16:01:00 EDT
Created attachment 348335 [details]
audit.log file
Comment 23 Mateusz Mikolajczyk 2009-06-17 16:03:58 EDT
just one more thing - obviously i compiled the policy module once again after applying Miroslav's patch - i didn't mentioned it in previous post - sorry for that.
Comment 24 Mateusz Mikolajczyk 2009-06-18 01:38:05 EDT
hmm it's very strange - i booted the system this morning and there are no avc denials, wicd is connected without any problems.. so i guess the policy module worked ;) thanks everyone :D
Comment 25 Daniel Walsh 2009-06-18 12:40:14 EDT
The setfiles avc is caused by a leak in an open file descriptor in NetworkManager
Comment 26 Bug Zapper 2009-11-18 05:52:09 EST
This message is a reminder that Fedora 10 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 10.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '10'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 10's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 10 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 27 Daniel Walsh 2009-11-18 08:00:19 EST
Closing as current release

Note You need to log in before you can comment on or make changes to this bug.