SELinux is preventing /usr/sbin/wpa_supplicant from using the 'sys_module' capabilities.

***** Plugin sys_module (99.5 confidence) suggests *************************

If you do not believe that /usr/sbin/wpa_supplicant should be attempting to modify the kernel by loading a kernel module.
Then a process might be attempting to hack into your system.
Do
contact your security administrator and report this issue.

***** Plugin catchall (1.49 confidence) suggests ***************************

If you believe that wpa_supplicant should have the sys_module capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep wpa_supplicant /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context          system_u:system_r:NetworkManager_t:s0-s0:c0.c1023
Target Context          system_u:system_r:NetworkManager_t:s0-s0:c0.c1023
Target Objects          Unknown [ capability ]
Source                  wpa_supplicant
Source Path             /usr/sbin/wpa_supplicant
Port                    <Unknown>
Host                    (removed)
Source RPM Packages     wpa_supplicant-0.7.3-4.fc15
Target RPM Packages
Policy RPM              selinux-policy-3.9.16-1.fc15
Selinux Enabled         True
Policy Type             targeted
Enforcing Mode          Permissive
Host Name               (removed)
Platform                Linux (removed) 2.6.38-0.rc8.git2.1.fc15.x86_64 #1 SMP Thu Mar 10 17:35:28 UTC 2011 x86_64 x86_64
Alert Count             1
First Seen              Sat 12 Mar 2011 12:51:39 PM CET
Last Seen               Sat 12 Mar 2011 12:51:39 PM CET
Local ID                446fb31b-c2bc-4031-be89-6a9d9e39d7a5

Raw Audit Messages
type=AVC msg=audit(1299930699.492:90): avc: denied { sys_module } for pid=1140 comm="wpa_supplicant" capability=16 scontext=system_u:system_r:NetworkManager_t:s0-s0:c0.c1023 tcontext=system_u:system_r:NetworkManager_t:s0-s0:c0.c1023 tclass=capability

type=SYSCALL msg=audit(1299930699.492:90): arch=x86_64 syscall=ioctl success=no exit=ENODEV a0=7 a1=8933 a2=7fffa5127e80 a3=a items=0 ppid=1 pid=1140 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=wpa_supplicant exe=/usr/sbin/wpa_supplicant subj=system_u:system_r:NetworkManager_t:s0-s0:c0.c1023 key=(null)

Hash: wpa_supplicant,NetworkManager_t,NetworkManager_t,capability,sys_module

audit2allow

#============= NetworkManager_t ==============
allow NetworkManager_t self:capability sys_module;

audit2allow -R

#============= NetworkManager_t ==============
allow NetworkManager_t self:capability sys_module;
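A triage sketch for the denial in this report, added here as an example and not part of the original bug thread: it pairs each AVC with the SYSCALL record that shares its audit event serial and decodes the capability number and the ioctl request. The function names, the lookup tables and the abridged sample input are assumptions made for illustration; the result shows the sys_module check fired during a SIOCGIFINDEX interface lookup that returned ENODEV, not during a module-loading syscall.

```python
import re

# Constructed input: the AVC/SYSCALL pair from the report above, SYSCALL record
# abridged. Assumes the interpreted form (syscall and exit shown as names).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1299930699.492:90): avc: denied { sys_module } for pid=1140 comm="wpa_supplicant" capability=16 scontext=system_u:system_r:NetworkManager_t:s0-s0:c0.c1023 tcontext=system_u:system_r:NetworkManager_t:s0-s0:c0.c1023 tclass=capability
type=SYSCALL msg=audit(1299930699.492:90): arch=x86_64 syscall=ioctl success=no exit=ENODEV a0=7 a1=8933 a2=7fffa5127e80 a3=a items=0 ppid=1 pid=1140 comm=wpa_supplicant exe=/usr/sbin/wpa_supplicant
"""

CAPS = {12: "CAP_NET_ADMIN", 16: "CAP_SYS_MODULE"}            # linux/capability.h
IF_IOCTLS = {0x8913: "SIOCGIFFLAGS", 0x8933: "SIOCGIFINDEX"}  # linux/sockios.h
MODULE_SYSCALLS = {"init_module", "finit_module", "delete_module"}

HEADER = re.compile(r"type=(\w+) msg=audit\(\d+\.\d+:(\d+)\):")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_events(text):
    """Group records by audit event serial so an AVC meets its SYSCALL."""
    events = {}
    for line in text.splitlines():
        m = HEADER.search(line)
        if m:
            rtype, serial = m.groups()
            fields = {k: v.strip('"') for k, v in FIELD.findall(line[m.end():])}
            events.setdefault(serial, {})[rtype] = fields
    return events


def triage(text):
    """Describe each capability denial by the syscall that triggered it.

    direct_module_syscall is False when the process did not itself call a
    module-loading syscall, i.e. the kernel made the capability check.
    """
    findings = []
    for serial, recs in parse_events(text).items():
        avc, sc = recs.get("AVC"), recs.get("SYSCALL")
        if not avc or not sc or avc.get("tclass") != "capability":
            continue
        cap = int(avc["capability"])
        request = None
        if sc["syscall"] == "ioctl":  # a1 is the ioctl request number, in hex
            request = IF_IOCTLS.get(int(sc["a1"], 16), "0x" + sc["a1"])
        findings.append({
            "event": serial, "comm": avc["comm"],
            "domain": avc["scontext"].split(":")[2],
            "capability": CAPS.get(cap, f"capability {cap}"),
            "syscall": sc["syscall"], "exit": sc["exit"],
            "ioctl_request": request,
            "direct_module_syscall": sc["syscall"] in MODULE_SYSCALLS,
        })
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_AUDIT):
        print(finding)
```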
Why would wpa_supplicant be loading kernel modules directly?
Issue still present for selinux-policy-3.9.16-5.fc15.
Yes this is not something we want to allow. Allowing this would allow wpa_supplicant and any app running as NetworkManager_t to modify the running kernel from any directory that it could both read and write from. Either this is a kernel issue and the kernel is accidentally thinking the NetworkManager needs sysmodule. It is my understanding that the kernel understands that NetworkManager needs to load modules to deal with the network, but this module might be something else.
Is there any chance you can reproduce this problem with selinux permissive and then provide the output of dmesg?
Created attachment 486787
output from dmesg after boot and login

I had to disable selinux enforcement anyway in order to boot due to problems with /dev/log. Here's dmesg output after a boot with selinux in permissive mode. The info from setroubleshoot is below:

Additional Information:
Source Context          system_u:system_r:NetworkManager_t:s0-s0:c0.c1023
Target Context          system_u:system_r:NetworkManager_t:s0-s0:c0.c1023
Target Objects          Unknown [ capability ]
Source                  wpa_supplicant
Source Path             /usr/sbin/wpa_supplicant
Port                    <Unknown>
Host                    corrin.poochiereds.net
Source RPM Packages     wpa_supplicant-0.7.3-4.fc15
Target RPM Packages
Policy RPM              selinux-policy-3.9.16-5.fc15
Selinux Enabled         True
Policy Type             targeted
Enforcing Mode          Permissive
Host Name               corrin.poochiereds.net
Platform                Linux corrin.poochiereds.net 2.6.38-1.fc15.x86_64 #1 SMP Tue Mar 15 05:29:00 UTC 2011 x86_64 x86_64
Alert Count             2
First Seen              Tue 22 Mar 2011 08:26:28 AM EDT
Last Seen               Tue 22 Mar 2011 09:06:00 AM EDT
Local ID                5cd9ac66-6892-42f7-9280-64d0b5870c8f

Raw Audit Messages
type=AVC msg=audit(1300799160.534:29): avc: denied { sys_module } for pid=1153 comm="wpa_supplicant" capability=16 scontext=system_u:system_r:NetworkManager_t:s0-s0:c0.c1023 tcontext=system_u:system_r:NetworkManager_t:s0-s0:c0.c1023 tclass=capability

type=SYSCALL msg=audit(1300799160.534:29): arch=x86_64 syscall=ioctl success=no exit=ENODEV a0=7 a1=8933 a2=7fff755985c0 a3=a items=0 ppid=1 pid=1153 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=wpa_supplicant exe=/usr/sbin/wpa_supplicant subj=system_u:system_r:NetworkManager_t:s0-s0:c0.c1023 key=(null)
*** Bug 690413 has been marked as a duplicate of this bug. ***
*** Bug 688380 has been marked as a duplicate of this bug. ***
*** Bug 688917 has been marked as a duplicate of this bug. ***
Just a note: I get this when connecting a 3G modem to the laptop. This happens just once, and the 3G modem works after that; but after a suspend/resume cycle, the 3G modem doesn't get detected by NM. No further selinux avcs are generated. I've set selinux to permissive now and will get you the dmesg logs when I next reboot. (Reboot needed as this avc doesn't recur and also since NM doesn't detect my 3G modem anymore. I've tried service NetworkManager stop/start, doesn't help.)
Eric, this would definitely seem to indicate that the kernel patch is causing a problem here.
The fix should be changing aliases from "wifi0" to "netdev-wifi0" or similar. The same for all net devices.
In reply to comment 11: why is this necessary? What does it matter what network devices are named?
Another note on the kernel: I'm running 2.6.38.1-6.fc15.x86_64 on a F14 userspace.
I get this message every time I resume from suspend. I am also using the 2.6.38 kernel on F14. Gene
(In reply to comment #12)
> In reply to comment 11: why is this necessary? What does it matter what network
> devices are named?

See http://git.kernel.org/linus/8909c9ad8ff03611c9c96c9a92656213e4bb495b for the reason.
Nothing much of interest in dmesg (it could be the ppp modules causing the avc):

[30626.467541] USB Serial support registered for GSM modem (1-port)
[30626.467903] option 2-1:1.0: GSM modem (1-port) converter detected
[30626.468754] usb 2-1: GSM modem (1-port) converter now attached to ttyUSB0
[30626.468776] option 2-1:1.1: GSM modem (1-port) converter detected
[30626.468911] usb 2-1: GSM modem (1-port) converter now attached to ttyUSB1
[30626.468930] option 2-1:1.2: GSM modem (1-port) converter detected
[30626.469081] usb 2-1: GSM modem (1-port) converter now attached to ttyUSB2
[30626.469100] option 2-1:1.3: GSM modem (1-port) converter detected
[30626.469256] usb 2-1: GSM modem (1-port) converter now attached to ttyUSB3
[30626.469667] usbcore: registered new interface driver option
[30626.469669] option: v0.7.2:USB Driver for GSM modems
[30627.386869] scsi 4:0:0:0: Direct-Access HSPA MMC Storage 2.31 PQ: 0 ANSI: 2
[30627.388865] sd 4:0:0:0: Attached scsi generic sg1 type 0
[30627.397107] sd 4:0:0:0: [sdb] Attached SCSI removable disk
[30672.050139] PPP generic driver version 2.4.2
[30672.307687] PPP Deflate Compression module registered

The top few modules loaded are:

$ lsmod
Module                  Size  Used by
ppp_deflate             3846  0
zlib_deflate           18491  1 ppp_deflate
ppp_async               6756  1
crc_ccitt               1597  1 ppp_async
ppp_generic            22095  2 ppp_deflate,ppp_async
slhc                    4776  1 ppp_generic
option                 16413  2
usb_wwan               10768  1 option
usbserial              33200  6 option,usb_wwan
usb_storage            45615  0

After a while, the connection dropped; this could be due to other reasons (like range going off):

[30849.011251] option: option_instat_callback: error -108
[30849.011421] option1 ttyUSB0: GSM modem (1-port) converter now disconnected from ttyUSB0
[30849.011452] option 2-1:1.3: device disconnected
[30849.113064] usb 2-1: reset high speed USB device using ehci_hcd and address 2
[30849.115447] modem-manager[1193]: segfault at 44 ip 000000000042b35a sp 00007fff180067d0 error 4 in modem-manager[400000+47000]
[30849.231601] option 2-1:1.3: GSM modem (1-port) converter detected
[30849.231850] usb 2-1: GSM modem (1-port) converter now attached to ttyUSB0
[30849.231879] option 2-1:1.2: GSM modem (1-port) converter detected
[30849.231962] usb 2-1: GSM modem (1-port) converter now attached to ttyUSB1
[30849.231987] option 2-1:1.1: GSM modem (1-port) converter detected
[30849.232090] usb 2-1: GSM modem (1-port) converter now attached to ttyUSB2
[30849.232115] option 2-1:1.0: GSM modem (1-port) converter detected
[30849.232197] usb 2-1: GSM modem (1-port) converter now attached to ttyUSB3
In reply to comment 16:
> After a while, the connection dropped; this could be due to other reasons
> (like range going off)

I don't think so. When I was running Fedora 14 on my laptop, my WiFi connection virtually never dropped. But since I reloaded with Fedora 15 Alpha, it drops fairly often. (It virtually ALWAYS drops between 30-60 seconds after I first bring the interface up.) I'm suspicious the drops are related to this issue, which is why I haven't already filed a separate Bugzilla for it.
Wireless networking drops, if it ever worked, are certainly unrelated. This issue is only related to loading the module needed to make the hardware work. Since your hardware works for some of the time, its module is obviously loaded. Any problems you run into after the module is loaded are the fault of the module itself. Please open another BZ if you are having problems other than getting modules loaded to start with.
Just a "me too" but with:

wpa_supplicant-0.6.8-10.fc14
selinux-policy-3.9.7-37.fc14
kernel-2.6.35.12-88.fc14.x86_64

Just a note that dropping back to kernel-2.6.35.11-87.fc14.x86_64 seems to resolve the issue.
AVC logs this message every suspend/resume on my FC14 netbook. It seems to have started with the most recent kernel RPM that I installed this morning.
Looks like selinux-policy-3.9.7-39.fc14 has these dontaudited.
Like Mark, I get this during suspend/resume (FC14). I would agree with the statement about the latest kernel update. My wireless card is still functional using WPA2 personal encryption.
Same issue here. Everything works fine, but I get those AVCs after every boot & auto-connect to home network. With older kernel, there are no problems.

kernel-2.6.35.12-88.fc14.x86_64
selinux-policy-3.9.7-37.fc14
wpa_supplicant-0.6.8-10.fc14.x86_64
*** Bug 695962 has been marked as a duplicate of this bug. ***
I have the same issue, but with wpa_supplicant-0.6.8-10.fc14. Here's my bug report below. Since I'm running F14 and 32bit, I wasn't sure if I should piggyback the bug report here or create a new one. In any case, the bug report is below. Thanks a ton for all your work on the Fedora system.

----------------------------------

SELinux is preventing /usr/sbin/wpa_supplicant from using the 'sys_module' capabilities.

***** Plugin sys_module (99.5 confidence) suggests *************************

If you do not believe that /usr/sbin/wpa_supplicant should be attempting to modify the kernel by loading a kernel module.
Then a process might be attempting to hack into your system.
Do
contact your security administrator and report this issue.

***** Plugin catchall (1.49 confidence) suggests ***************************

If you believe that wpa_supplicant should have the sys_module capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep wpa_supplicant /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context          system_u:system_r:NetworkManager_t:s0-s0:c0.c1023
Target Context          system_u:system_r:NetworkManager_t:s0-s0:c0.c1023
Target Objects          Unknown [ capability ]
Source                  wpa_supplicant
Source Path             /usr/sbin/wpa_supplicant
Port                    <Unknown>
Host                    (removed)
Source RPM Packages     wpa_supplicant-0.6.8-10.fc14
Target RPM Packages
Policy RPM              selinux-policy-3.9.7-37.fc14
Selinux Enabled         True
Policy Type             targeted
Enforcing Mode          Enforcing
Host Name               (removed)
Platform                Linux (removed) 2.6.35.12-88.fc14.i686.PAE #1 SMP Thu Mar 31 21:54:35 UTC 2011 i686 i686
Alert Count             22
First Seen              Tue 12 Apr 2011 07:25:46 PM CEST
Last Seen               Sun 17 Apr 2011 12:51:18 PM CEST
Local ID                807a4929-2479-4c17-9086-85f7d9025c9f

Raw Audit Messages
type=AVC msg=audit(1303037478.683:250): avc: denied { sys_module } for pid=1473 comm="wpa_supplicant" capability=16 scontext=system_u:system_r:NetworkManager_t:s0-s0:c0.c1023 tcontext=system_u:system_r:NetworkManager_t:s0-s0:c0.c1023 tclass=capability

type=SYSCALL msg=audit(1303037478.683:250): arch=i386 syscall=ioctl success=no exit=ENODEV a0=8 a1=8933 a2=bfd8cabc a3=8 items=0 ppid=1 pid=1473 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=wpa_supplicant exe=/usr/sbin/wpa_supplicant subj=system_u:system_r:NetworkManager_t:s0-s0:c0.c1023 key=(null)

Hash: wpa_supplicant,NetworkManager_t,NetworkManager_t,capability,sys_module

audit2allow

#============= NetworkManager_t ==============
allow NetworkManager_t self:capability sys_module;

audit2allow -R

#============= NetworkManager_t ==============
allow NetworkManager_t self:capability sys_module;
I get this error always after restoring my computer from suspend mode. I think this behavior is new since I've updated a lot of packages with yum last weekend.

2.6.35.12-88.fc14.x86_64
selinux-policy-3.9.7-37.fc14.noarch
wpa_supplicant-0.6.8-10.fc14.x86_64
Created attachment 492865
output of dmesg after restoring from suspend mode
Created attachment 492871
excerpt of yum.log
I get the same error each time I start my wireless adapter. My system is a fresh Fedora 14 configuration (64Bit) and the error comes up since I have updated the system a few minutes ago.

Details:

Summary:
Your system may be seriously compromised! /usr/sbin/wpa_supplicant tried to load a kernel module.

Detailed Description:
...

Additional Information:
Target Objects          None [ capability ]
Source                  wpa_supplicant
Source Path             /usr/sbin/wpa_supplicant
Port                    <Unknown>
Source RPM Packages     wpa_supplicant-0.6.8-10.fc14
Target RPM Packages
Policy RPM              selinux-policy-3.9.7-37.fc14
Selinux Enabled         True
Policy Type             targeted
Enforcing Mode          Enforcing
Plugin Name             sys_module
First Seen              Mon 18 Apr 2011 09:44:03 PM CEST
Last Seen               Mon 18 Apr 2011 09:46:28 PM CEST
(In reply to comment #29)
> I get the same error each time I start my wireless adapter. My system is a
> fresh Fedora 14 configuration (64Bit) and the error comes up since I have
> updated the system a few minutes ago.

http://koji.fedoraproject.org/koji/buildinfo?buildID=238573

Try this Fedora14 release from koji for now.
This problem is also triggered if you just disable and then re-enable wireless.
This occurs when I enable the wireless device with the switch on the laptop. Here is the AVC log.

SELinux is preventing /usr/sbin/wpa_supplicant from using the 'sys_module' capabilities.

***** Plugin sys_module (99.5 confidence) suggests *************************

If you do not believe that /usr/sbin/wpa_supplicant should be attempting to modify the kernel by loading a kernel module.
Then a process might be attempting to hack into your system.
Do
contact your security administrator and report this issue.

***** Plugin catchall (1.49 confidence) suggests ***************************

If you believe that wpa_supplicant should have the sys_module capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep wpa_supplicant /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context          system_u:system_r:NetworkManager_t:s0-s0:c0.c1023
Target Context          system_u:system_r:NetworkManager_t:s0-s0:c0.c1023
Target Objects          Unknown [ capability ]
Source                  wpa_supplicant
Source Path             /usr/sbin/wpa_supplicant
Port                    <Unknown>
Host                    (removed)
Source RPM Packages     wpa_supplicant-0.6.8-10.fc14
Target RPM Packages
Policy RPM              selinux-policy-3.9.7-37.fc14
Selinux Enabled         True
Policy Type             targeted
Enforcing Mode          Enforcing
Host Name               (removed)
Platform                Linux vulcan 2.6.35.12-88.fc14.x86_64 #1 SMP Thu Mar 31 21:21:57 UTC 2011 x86_64 x86_64
Alert Count             1
First Seen              Mon 25 Apr 2011 15:11:47 BST
Last Seen               Mon 25 Apr 2011 15:11:47 BST
Local ID                5cae53c3-15d6-4dfd-a65a-f9c28bc380aa

Raw Audit Messages
type=AVC msg=audit(1303740707.244:33066): avc: denied { sys_module } for pid=1700 comm="wpa_supplicant" capability=16 scontext=system_u:system_r:NetworkManager_t:s0-s0:c0.c1023 tcontext=system_u:system_r:NetworkManager_t:s0-s0:c0.c1023 tclass=capability

type=SYSCALL msg=audit(1303740707.244:33066): arch=x86_64 syscall=ioctl success=no exit=ENODEV a0=8 a1=8933 a2=7fff4bd802b0 a3=46e3fbf2abbacd29 items=0 ppid=1 pid=1700 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=wpa_supplicant exe=/usr/sbin/wpa_supplicant subj=system_u:system_r:NetworkManager_t:s0-s0:c0.c1023 key=(null)

Hash: wpa_supplicant,NetworkManager_t,NetworkManager_t,capability,sys_module

audit2allow

#============= NetworkManager_t ==============
allow NetworkManager_t self:capability sys_module;

audit2allow -R

#============= NetworkManager_t ==============
allow NetworkManager_t self:capability sys_module;
(In reply to comment #30)
> (In reply to comment #29)
> > I get the same error each time I start my wireless adapter. My system is a
> > fresh Fedora 14 configuration (64Bit) and the error comes up since I have
> > updated the system a few minutes ago.
>
> http://koji.fedoraproject.org/koji/buildinfo?buildID=238573
>
> Try this Fedora14 release from koji for now.

I confirm that with these selinux-policy packages, I no longer see the AVC denial.

Thanks,
Jan
This issue happens with this kernel on RHEL 6.0:

kernel-2.6.32-71.29.1.el6.x86_64

If you revert back to the following kernel, the issue disappears:

kernel-2.6.32-71.18.2.el6.x86_64
This appears to have been fixed per comment #33. If it is still occurring, please reopen and list relevant package versions and error output.