Created attachment 329955 [details]
File context for wicd policy

Description of problem:
Wicd network manager will not work, AVC denials

Version-Release number of selected component (if applicable):

How reproducible:
Open wicd network manager, then try to connect to wlan.

Steps to Reproduce:
1. Install wicd according to the directions given at http://wicd.sourceforge.net/download.php
2. Open wicd from the applications menu.
3. Attempt to connect to a secure wlan within wicd.

Actual results:
Wicd does not ever finish connecting to the wlan, and AVC denials are shown.

Expected results:
I expected to be able to follow the directions in the setroubleshoot browser and fix the problem; that did not work.

Additional info:
I went to the #fedora-selinux chat on freenode and got help to build a policy module that would allow wicd to work properly while SELinux was running in enforcing mode. I am including the original AVC denials, the new policy module, and associated files as attachments.
Created attachment 329956 [details] Type enforcement for wicd policy
Created attachment 329957 [details] List of AVC denials thrown by wicd
allow consoletype_t NetworkManager_t:fifo_file write;

This is either a leaked file descriptor from wicd or is stdout redirected to it?

/usr/lib/wicd/monitor.py -- gen_context(system_u:object_r:NetworkManager_exec_t, s0)

Is this executed directly?
/usr/lib/wicd/monitor.py -- gen_context(system_u:object_r:NetworkManager_exec_t, s0)

This gets executed by /usr/sbin/wicd (can_exec(NetworkManager_t, NetworkManager_exec_t)). Not sure about consoletype_t.
allow consoletype_t NetworkManager_t:fifo_file write;

I do not think this is a leaked fd because if it was then we would probably be confronted with other strange denials. Although I am not sure.
Daniel, I'm not sure what you're asking in the first question, but the wicd daemon does redirect stdout and stderr into its logfile. Re the second question, no, monitor.py is not executed directly (by the user, if that's what you mean) - it's only called by the daemon itself. I've put together a branch of the experimental branch (leading to 1.6.0) with support for selinux. It won't actually compile and insert the policy module; instead, it puts the .tc and .fc files in $sharedir/wicd/selinux/ along with a HOWTO for building and inserting the module. I'm obviously :-) not familiar with selinux, so feedback on my implementation is definitely welcome.
Sorry for the oversight - here's the branch if you're interested (and yeah, patches are certainly welcome): https://code.launchpad.net/~rworkman/wicd/selinux
We can make the changes to SELinux policy for you.

/usr/lib/wicd/monitor.py seems a little bit of a strange place to put an executable. /usr/lib/python... or /usr/share/wicd/ would be the usual places I would expect to find python modules. Labeling it bin_t is probably more appropriate.

allow consoletype_t NetworkManager_t:fifo_file write;

If you are redirecting to log files, this is probably a leaked file descriptor. Make sure that you close all file descriptors on exec.

fcntl(fd, F_SETFD, FD_CLOEXEC)

The file contexts described above will be in tonight's rawhide.
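As an added example (not code from this bug report, from wicd or from NetworkManager), here is the leak Daniel describes and the fcntl fix, in Python since wicd is a Python daemon. A pipe stands in for the daemon's redirected log file; set_cloexec() applies the F_SETFD/FD_CLOEXEC call from the comment above, inheritable_fds() audits the running process for descriptors that would survive an exec, and fd_open_in_child() execs a child and checks whether the descriptor is still usable there. The function names and the pipe stand-in are my assumptions.

```python
# Added example (not from this bug report or from wicd): reproduce the fd leak Daniel
# describes and show the close-on-exec fix. A pipe stands in for the daemon's redirected
# log file; the function names are mine.
import fcntl
import os
import subprocess
import sys


def set_cloexec(fd: int) -> None:
    """The fix from the comment above: mark fd close-on-exec so exec'd helpers never inherit it."""
    flags = fcntl.fcntl(fd, fcntl.F_GETFD)
    fcntl.fcntl(fd, fcntl.F_SETFD, flags | fcntl.FD_CLOEXEC)


def inheritable_fds() -> list:
    """Audit this process: descriptors above stderr that lack FD_CLOEXEC and would survive an exec."""
    try:
        candidates = [int(name) for name in os.listdir("/dev/fd")]
    except OSError:
        candidates = list(range(3, 1024))  # no /dev/fd (unusual): probe a fixed range instead
    leaked = []
    for fd in candidates:
        if fd <= 2:
            continue
        try:
            flags = fcntl.fcntl(fd, fcntl.F_GETFD)
        except OSError:
            continue  # the directory fd listdir used; it is already closed
        if not flags & fcntl.FD_CLOEXEC:
            leaked.append(fd)
    return leaked


def fd_open_in_child(fd: int) -> bool:
    """Exec a child (stand-in for a helper the daemon runs) and report whether fd is still open there."""
    probe = f"import os; os.fstat({fd})"  # fstat raises EBADF if the fd was closed on exec
    result = subprocess.run([sys.executable, "-c", probe], close_fds=False, capture_output=True)
    return result.returncode == 0


def simulate_daemon(cloexec: bool) -> dict:
    """Open a 'log' pipe the way a Python 2-era daemon would (inheritable), optionally fix it, then probe."""
    rfd, wfd = os.pipe()
    os.set_inheritable(wfd, True)  # reproduce the leak: Python 3 pipes are non-inheritable by default
    if cloexec:
        set_cloexec(wfd)
    try:
        return {
            "fd": wfd,
            "flagged_by_audit": wfd in inheritable_fds(),
            "child_saw_fd": fd_open_in_child(wfd),
        }
    finally:
        os.close(rfd)
        os.close(wfd)


if __name__ == "__main__":
    for fix in (False, True):
        print("with FD_CLOEXEC" if fix else "without FD_CLOEXEC", simulate_daemon(fix))
```

Without the flag the child can fstat the pipe's write end, which is exactly the situation behind a denial such as consoletype_t writing to a NetworkManager_t fifo_file: the helper never asked for the pipe, it inherited it. Standard streams (fds 0 to 2) are always inherited, so a daemon that talks to helpers through pipes must close or mark close-on-exec every other descriptor before spawning anything.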
Fixed in selinux-policy-3.5.13-42.fc10
How would I add this to fedora 9? Is selinux-policy-3.5.13-42.fc10 suitable, or will I get a spectacular amount of breakage?
No, Miroslav needs to make the change to F9 also.
I will also add it to F9.
I just installed WICD and am getting this error with NetworkManager and SELinux:

SELinux is preventing wpa_supplicant (NetworkManager_t) "getattr" to /var/lib/wicd/configurations/001f90f43bb4 (var_lib_t).

SELinux denied access requested by wpa_supplicant. /var/lib/wicd/configurations/001f90f43bb4 may be a mislabeled. /var/lib/wicd/configurations/001f90f43bb4 default SELinux type is NetworkManager_var_lib_t, but its current type is var_lib_t. Changing this file back to the default type, may fix your problem.

Is this the same issue, carried over to Fedora 11, or a new one?
Since wicd does not install via RPM, the directory was not labeled correctly at install, so it is up to the admin to label the directory.

restorecon -R -v /var/lib/wicd

should fix it.
That produced a laundry list of new AVC denials:

Summary:
SELinux is preventing the wpa_supplicant from using potentially mislabeled files (wpa_ctrl_2000-1).
SELinux is preventing the wpa_supplicant from using potentially mislabeled files (wpa_ctrl_2219-1).
SELinux is preventing the wpa_supplicant from using potentially mislabeled files (wpa_ctrl_2287-1).
SELinux is preventing the wpa_supplicant from using potentially mislabeled files (wpa_ctrl_2481-1).
SELinux is preventing the wpa_supplicant from using potentially mislabeled files (wpa_ctrl_2511-1).

And the mislabeled files errors go on and on.
Could you attach a complete AVC denial that you are seeing?
You might need to relabel your entire machine.

fixfiles restore
Hi :)

I am using Fedora 11, and I am also encountering this bug. I tried both of the commands Daniel wrote:

restorecon -R -v /var/lib/wicd
fixfiles restore

but it didn't change anything.

I have made an ugly temporary fix (change in the 'start' function of the init script):

[toudi@scrapeyard ~]$ diff /usr/local/src/wicd-1.6.0/init/redhat/wicd /etc/init.d/wicd
20a21,23
> restorecon /var/lib/wicd
> chmod 777 /var/lib/wicd
> chmod 777 /var/log/wicd/wicd.log

Now I am also getting AVC denials, but at least wicd is able to connect to the network :D

I also tried to apply the SELinux policy rules but I get the following error:

[root@scrapeyard wicd-selinux]# ls
mywicd.fc  mywicd.if  mywicd.te  tmp
[root@scrapeyard wicd-selinux]# make -f /usr/share/selinux/devel/Makefile
Compiling targeted mywicd module
/usr/bin/checkmodule: loading policy configuration from tmp/mywicd.tmp
/usr/bin/checkmodule: policy configuration loaded
/usr/bin/checkmodule: writing binary representation (version 10) to tmp/mywicd.mod
Creating targeted mywicd.pp policy package
rm tmp/mywicd.mod.fc tmp/mywicd.mod
[root@scrapeyard wicd-selinux]# ls
mywicd.fc  mywicd.if  mywicd.pp  mywicd.te  tmp
[root@scrapeyard wicd-selinux]# semodule -i mywicd.pp
libsepol.scope_copy_callback: mywicd: Duplicate declaration in module: type/attribute NetworkManager_var_lib_t
libsemanage.semanage_link_sandbox: Link packages failed
semodule: Failed!

By the way, I have also noticed one more thing (this is not particularly related to this bug, but I am rather new here and don't know where to report this) - when I was using NetworkManager, Fedora (both 10 and 11) was experiencing random freezes. With wicd the problem was gone :)

I hope this'll help anybody.

Best regards, toudi.
(In reply to comment #18)
> Hi :)
> I am using Fedora 11, and I am also encountering this bug. I tried both of the
> commands Daniel wrote:
>
> restorecon -R -v /var/lib/wicd
> fixfiles restore
>
> but it didn't change anything.
>
> I have made an ugly temporary fix (change in the 'start' function of the init
> script):
> [toudi@scrapeyard ~]$ diff /usr/local/src/wicd-1.6.0/init/redhat/wicd /etc/init.d/wicd
> 20a21,23
> > restorecon /var/lib/wicd
> > chmod 777 /var/lib/wicd
> > chmod 777 /var/log/wicd/wicd.log
>
> Now I am also getting AVC denials, but at least wicd is able to connect to
> the network :D

What AVC messages are you getting? Please attach your /var/log/audit/audit.log file.

> I also tried to apply the SELinux policy rules but I get the following error:
>
> [root@scrapeyard wicd-selinux]# ls
> mywicd.fc  mywicd.if  mywicd.te  tmp
> [root@scrapeyard wicd-selinux]# make -f /usr/share/selinux/devel/Makefile
> Compiling targeted mywicd module
> /usr/bin/checkmodule: loading policy configuration from tmp/mywicd.tmp
> /usr/bin/checkmodule: policy configuration loaded
> /usr/bin/checkmodule: writing binary representation (version 10) to tmp/mywicd.mod
> Creating targeted mywicd.pp policy package
> rm tmp/mywicd.mod.fc tmp/mywicd.mod
> [root@scrapeyard wicd-selinux]# ls
> mywicd.fc  mywicd.if  mywicd.pp  mywicd.te  tmp
> [root@scrapeyard wicd-selinux]# semodule -i mywicd.pp
> libsepol.scope_copy_callback: mywicd: Duplicate declaration in module: type/attribute NetworkManager_var_lib_t
> libsemanage.semanage_link_sandbox: Link packages failed
> semodule: Failed!

This happens when you declare a new type but this type has already been declared. You can use a 'require' statement. For example:

require {
	type NetworkManager_var_lib_t;
}

> By the way, I have also noticed one more thing (this is not particularly related
> to this bug, but I am rather new here and don't know where to report this) -
> when I was using NetworkManager, Fedora (both 10 and 11) was experiencing
> random freezes. With wicd the problem was gone :)
>
> I hope this'll help anybody.
>
> Best regards, toudi.
> > chmod 777 /var/lib/wicd

This is a bad idea. Don't do this.

Please attach your audit logs or at least the AVC messages that you are seeing.
@Daniel: I know it's a bad idea, that's why I called that solution a "temporary ugly fix" :D

Here's a small update. At first, I copied the audit.log file, which I will post in a second. Then I removed my changes from /etc/init.d/wicd (chmods and restorecon). Then I applied Miroslav's solution:

[toudi@scrapeyard wicd-selinux]$ diff mywicd.te ../mywicd.te
4c4
< require { type NetworkManager_var_lib_t; }
---
> type NetworkManager_var_lib_t;

Then I ran the command

semodule -i mywicd.pp

but *loads* of errors occurred, every one of them about the same thing:

/etc/selinux/targeted/contexts/files/file_contexts: Multiple same specifications for /var/lib/wicd(/.*)?.
/etc/selinux/targeted/contexts/files/file_contexts: Multiple same specifications for /var/log/wicd(/.*)?.
/etc/selinux/targeted/contexts/files/file_contexts: Multiple different specifications for /usr/lib/wicd/monitor.py (system_u:object_r:NetworkManager_exec_t:s0 and system_u:object_r:bin_t:s0).
/etc/selinux/targeted/contexts/files/file_contexts: Multiple same specifications for /etc/wicd/wired-settings.conf.
/etc/selinux/targeted/contexts/files/file_contexts: Multiple same specifications for /etc/wicd/manager-settings.conf.
/etc/selinux/targeted/contexts/files/file_contexts: Multiple same specifications for /etc/wicd/wireless-settings.conf.
/etc/selinux/targeted/contexts/files/file_contexts: Multiple same specifications for /usr/sbin/wicd.
/etc/selinux/targeted/contexts/files/file_contexts: Multiple same specifications for /etc/rc\.d/init\.d/wicd.
/etc/selinux/targeted/contexts/files/file_contexts: Invalid argument
libsemanage.semanage_install_active: setfiles returned error code 1.
/etc/selinux/targeted/contexts/files/file_contexts: Multiple same specifications for /var/lib/wicd(/.*)?.
/etc/selinux/targeted/contexts/files/file_contexts: Multiple same specifications for /var/log/wicd(/.*)?.
/etc/selinux/targeted/contexts/files/file_contexts: Multiple different specifications for /usr/lib/wicd/monitor.py (system_u:object_r:NetworkManager_exec_t:s0 and system_u:object_r:bin_t:s0).
/etc/selinux/targeted/contexts/files/file_contexts: Multiple same specifications for /etc/wicd/wired-settings.conf.
/etc/selinux/targeted/contexts/files/file_contexts: Multiple same specifications for /etc/wicd/manager-settings.conf.
/etc/selinux/targeted/contexts/files/file_contexts: Multiple same specifications for /etc/wicd/wireless-settings.conf.
/etc/selinux/targeted/contexts/files/file_contexts: Multiple same specifications for /usr/sbin/wicd.
/etc/selinux/targeted/contexts/files/file_contexts: Multiple same specifications for /etc/rc\.d/init\.d/wicd.
/etc/selinux/targeted/contexts/files/file_contexts: Invalid argument
libsemanage.semanage_install_active: setfiles returned error code 1.
semodule: Failed!

Now, here's a very important note - I didn't repair that file at once, and I was unable to boot into Fedora after the reboot (gdm was starting and the mouse cursor was visible, but there was no login dialog). Anyway, I rebooted Fedora using "repair system" and then manually deleted the duplicates of things related to *wicd* from that file, /etc/selinux/targeted/contexts/files/file_contexts, so the entries relating to wicd look like this:

[root@scrapeyard wicd-selinux]# grep "wicd" /etc/selinux/targeted/contexts/files/file_contexts
/var/lib/wicd(/.*)?	system_u:object_r:NetworkManager_var_lib_t:s0
/var/log/wicd(/.*)?	system_u:object_r:NetworkManager_log_t:s0
/usr/lib/wicd/monitor.py	--	system_u:object_r:NetworkManager_exec_t:s0
/etc/wicd/wired-settings.conf	--	system_u:object_r:net_conf_t:s0
/etc/wicd/manager-settings.conf	--	system_u:object_r:net_conf_t:s0
/etc/wicd/wireless-settings.conf	--	system_u:object_r:net_conf_t:s0
/usr/sbin/wicd	--	system_u:object_r:NetworkManager_exec_t:s0
/etc/rc\.d/init\.d/wicd	--	system_u:object_r:NetworkManager_initrc_exec_t:s0

After the next reboot I am still getting AVC denials (similar to this (sorry for the Polish language)), however wicd *IS ABLE* to connect to a WPA2 protected network without any problems and/or hanging Fedora. Here's a sample error:

Podsumowanie:
SELinux is preventing restorecon (setfiles_t) "read" NetworkManager_t.

Szczegółowy opis:
SELinux denied access requested by restorecon. It is not expected that this access is required by restorecon and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Zezwalanie na dostęp:
You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Dodatkowe informacje:

Kontekst źródłowy            system_u:system_r:setfiles_t:s0
Kontekst docelowy            system_u:system_r:NetworkManager_t:s0
Obiekty docelowe             pipe [ fifo_file ]
Źródło                       restorecon
Ścieżka źródłowa             /sbin/setfiles
Port                         <Nieznane>
Komputer                     scrapeyard.zwyciestwa
Źródłowe pakiety RPM         policycoreutils-2.0.62-12.9.fc11
Docelowe pakiety RPM
RPM polityki                 selinux-policy-3.6.12-45.fc11
SELinux jest włączony        True
Typ polityki                 targeted
MLS jest włączone            True
Tryb wymuszania              Enforcing
Nazwa wtyczki                catchall
Nazwa komputera              scrapeyard.zwyciestwa
Platforma                    Linux scrapeyard.zwyciestwa 2.6.29.4-167.fc11.x86_64 #1 SMP Wed May 27 17:27:08 EDT 2009 x86_64 x86_64
Licznik alarmów              23
Po raz pierwszy              śro, 17 cze 2009, 00:28:24
Po raz ostatni               śro, 17 cze 2009, 21:47:39
Lokalny identyfikator        1bac3804-51f1-49c6-8204-3a38f19a4143

Liczba wierszy

Surowe komunikaty audytu

node=scrapeyard.zwyciestwa type=AVC msg=audit(1245268059.374:33): avc: denied { read } for pid=2472 comm="restorecon" path="pipe:[16615]" dev=pipefs ino=16615 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=fifo_file

node=scrapeyard.zwyciestwa type=SYSCALL msg=audit(1245268059.374:33): arch=c000003e syscall=59 success=yes exit=0 a0=c33200 a1=c36cd0 a2=c1d380 a3=18 items=0 ppid=2436 pid=2472 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="restorecon" exe="/sbin/setfiles" subj=system_u:system_r:setfiles_t:s0 key=(null)
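Both failures in this thread, the "Duplicate declaration in module: type/attribute NetworkManager_var_lib_t" from semodule and the "Multiple same/different specifications" from setfiles above, come from a local module redeclaring things the base policy already owns. As an added example (not part of the bug report, wicd or the Fedora policy), the following pre-flight check catches both before semodule -i is attempted: it parses compiled file_contexts lines and .fc source lines (normalising gen_context()), reports module specs that collide with the base, and flags "type X;" declarations that should be "require { type X; }". The sample base, .fc and .te inputs are constructed from the paths and types quoted in this thread; the function names and the BASE_TYPES set are my assumptions.

```python
# Added example (not from this bug report or the wicd tree): a pre-flight check that explains
# the "Duplicate declaration" and "Multiple same/different specifications" failures above
# before semodule -i is run. Sample inputs are constructed from paths/types in this thread.
import re
from typing import Dict, List, Set, Tuple

# Compiled file_contexts line: <regex> [<file type>] <context>, e.g.
#   /usr/lib/wicd/monitor.py  --  system_u:object_r:NetworkManager_exec_t:s0
FC_LINE = re.compile(r"^(?P<path>\S+)\s+(?:(?P<ftype>-[-bcdlps])\s+)?(?P<ctx>\S+)$")
# Source .fc files write the context as gen_context(user:role:type,mls)
GEN_CONTEXT = re.compile(r"^gen_context\(([^,]+),\s*([^)]+)\)$")
# A .te declaration "type foo_t;" (or "type foo_t, attr;") claims ownership of the type
TYPE_DECL = re.compile(r"^\s*type\s+(\w+)\s*[;,]")

Spec = Dict[Tuple[str, str], str]  # (path regex, file type) -> context


def normalize_context(ctx: str) -> str:
    """Turn gen_context(system_u:object_r:bin_t,s0) into system_u:object_r:bin_t:s0."""
    m = GEN_CONTEXT.match(ctx)
    return f"{m.group(1)}:{m.group(2)}" if m else ctx


def parse_fc(text: str) -> Spec:
    """Parse either a compiled file_contexts file or a module's .fc source."""
    specs: Spec = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = FC_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable file_contexts line: {line!r}")
        specs[(m["path"], m["ftype"] or "")] = normalize_context(m["ctx"])
    return specs


def check_fc(base_fc: str, module_fc: str) -> List[str]:
    """Report module specs that setfiles would reject as 'Multiple same/different specifications'."""
    base = parse_fc(base_fc)
    problems = []
    for key, ctx in parse_fc(module_fc).items():
        if key not in base:
            continue  # genuinely new path: fine
        if base[key] == ctx:
            problems.append(f"Multiple same specifications for {key[0]}.")
        else:
            problems.append(f"Multiple different specifications for {key[0]} ({base[key]} and {ctx}).")
    return problems


def check_te(module_te: str, base_types: Set[str]) -> List[str]:
    """Report 'type X;' declarations for types the base policy already owns; those need require { type X; }."""
    clashes, in_require = [], False
    for line in module_te.splitlines():
        stripped = line.strip()
        if stripped.startswith("require"):
            in_require = True
        if in_require:
            in_require = "}" not in stripped  # types inside a require block are references, not declarations
            continue
        m = TYPE_DECL.match(line)
        if m and m.group(1) in base_types:
            clashes.append(m.group(1))
    return clashes


# Constructed sample of what the targeted policy already ships (from the grep output above).
BASE_FILE_CONTEXTS = """\
/var/lib/wicd(/.*)?	system_u:object_r:NetworkManager_var_lib_t:s0
/var/log/wicd(/.*)?	system_u:object_r:NetworkManager_log_t:s0
/usr/lib/wicd/monitor.py	--	system_u:object_r:NetworkManager_exec_t:s0
/usr/sbin/wicd	--	system_u:object_r:NetworkManager_exec_t:s0
"""
# Constructed sample of a local mywicd.fc written before the base policy gained these entries.
MODULE_FC = """\
/var/lib/wicd(/.*)?		gen_context(system_u:object_r:NetworkManager_var_lib_t,s0)
/usr/lib/wicd/monitor.py	--	gen_context(system_u:object_r:bin_t,s0)
/etc/wicd/wired-settings.conf	--	gen_context(system_u:object_r:net_conf_t,s0)
"""
# Constructed sample .te with the declaration that produced the "Duplicate declaration" error.
MODULE_TE = """\
policy_module(mywicd, 1.0)
type NetworkManager_var_lib_t;
files_type(NetworkManager_var_lib_t)
"""
# Assumed subset of base-policy types (in practice: seinfo -t, or the types named in the denials).
BASE_TYPES = {"NetworkManager_t", "NetworkManager_var_lib_t", "NetworkManager_exec_t", "bin_t", "net_conf_t"}

if __name__ == "__main__":
    for problem in check_fc(BASE_FILE_CONTEXTS, MODULE_FC):
        print("fc:", problem)
    for t in check_te(MODULE_TE, BASE_TYPES):
        print(f"te: 'type {t};' clashes with base policy; use 'require {{ type {t}; }}' instead")
```

Run it and the output names the same two paths setfiles complained about and the same type semodule refused. The practical lesson from this thread is that once the distribution policy ships contexts for a program, a local module must stop carrying its own copies of them; the .fc lines are simply deleted and the .te only references the type through require.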
Created attachment 348335 [details] audit.log file
Just one more thing - obviously I compiled the policy module once again after applying Miroslav's patch. I didn't mention it in the previous post - sorry for that.
Hmm, it's very strange - I booted the system this morning and there are no AVC denials; wicd is connected without any problems. So I guess the policy module worked ;) Thanks everyone :D
The setfiles AVC is caused by a leak in an open file descriptor in NetworkManager.
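Daniel's diagnosis can be automated from the raw audit records instead of reading setroubleshoot summaries one by one. As an added example (not from this bug report or from any Fedora tool), the following parser turns "type=AVC" lines into fields and flags the signature of an inherited descriptor: a denial whose target is a pipe labelled with another domain's context. SAMPLE_AUDIT mixes the two records quoted earlier in this thread with one constructed line modelled on the wpa_supplicant getattr denial from the Fedora 11 report; the constructed pid, dev and ino values and the function names are my assumptions.

```python
# Added example (not from this bug report): parse raw AVC records such as the one quoted
# above and flag the pattern Daniel diagnoses, a denial on a pipe that a different domain
# created, which points at an inherited file descriptor rather than a missing allow rule.
import re
from typing import Dict, List, Optional

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted value" or key=bare


def parse_avc(line: str) -> Optional[Dict]:
    """Return the AVC record's fields, or None for SYSCALL/PATH/other record types."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec: Dict = {
        "ts": float(m["ts"]),
        "serial": int(m["serial"]),
        "verdict": m["verdict"],
        "perms": m["perms"].split(),
    }
    for key, quoted, bare in FIELD_RE.findall(m["fields"]):
        rec[key] = quoted if quoted else bare
    # contexts are user:role:type[:mls]; the type is what policy rules are written against
    for side in ("scontext", "tcontext"):
        parts = rec.get(side, "").split(":")
        rec[side + "_role"] = parts[1] if len(parts) > 2 else ""
        rec[side + "_type"] = parts[2] if len(parts) > 2 else ""
    return rec


def inherited_pipe_fd(rec: Dict) -> bool:
    """A pipe carries its creator's process label, so a denial on pipe:[N] from a different
    domain means the descriptor crossed an exec boundary: fix the leak, do not add an allow rule."""
    return (
        rec.get("tclass") == "fifo_file"
        and rec.get("path", "").startswith("pipe:")
        and rec["scontext_type"] != rec["tcontext_type"]
    )


def triage(audit_text: str) -> List[Dict]:
    """Parse every denied AVC in an audit.log excerpt and annotate it with the fd-leak verdict."""
    out = []
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["verdict"] == "denied":
            rec["likely_fd_leak"] = inherited_pipe_fd(rec)
            out.append(rec)
    return out


# Lines 1-2: the records quoted in this thread. Line 3: constructed, modelled on the
# wpa_supplicant getattr denial reported earlier (pid, dev and ino are made up).
SAMPLE_AUDIT = """\
node=scrapeyard.zwyciestwa type=AVC msg=audit(1245268059.374:33): avc: denied { read } for pid=2472 comm="restorecon" path="pipe:[16615]" dev=pipefs ino=16615 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=fifo_file
node=scrapeyard.zwyciestwa type=SYSCALL msg=audit(1245268059.374:33): arch=c000003e syscall=59 success=yes exit=0 a0=c33200 a1=c36cd0 a2=c1d380 a3=18 items=0 ppid=2436 pid=2472 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="restorecon" exe="/sbin/setfiles" subj=system_u:system_r:setfiles_t:s0 key=(null)
type=AVC msg=audit(1245268200.000:34): avc: denied { getattr } for pid=2600 comm="wpa_supplicant" path="/var/lib/wicd/configurations/001f90f43bb4" dev=sda2 ino=99999 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
"""

if __name__ == "__main__":
    for rec in triage(SAMPLE_AUDIT):
        print(f"{rec['comm']} ({rec['scontext_type']}) {rec['perms']} -> {rec['tcontext_type']}:{rec['tclass']}"
              f"  fd leak? {rec['likely_fd_leak']}")
```

The first record is classified as an inherited pipe (setfiles_t reading a NetworkManager_t pipe), while the wpa_supplicant record is an ordinary file access against a generic var_lib_t label, the case that restorecon fixes. Keeping the two apart matters because the standard advice in the setroubleshoot text, "generate a local policy module to allow this access", would permanently widen policy for a descriptor that should never have reached the child in the first place.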
This message is a reminder that Fedora 10 is nearing its end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 10. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '10'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 10's end of life. Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 10 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora please change the 'version' of this bug to the applicable version. If you are unable to change the version, please add a comment here and someone will do it for you. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Closing as current release