Why would wpa_supplicant be loading kernel modules directly?

Issue still present for selinux-policy-3.9.16-5.fc15.

Yes this is not something we want to allow.  Allowing this would allow wpa_supplicant and any app running as NetworkManager_t to modify the running kernel from any directory that it could both read and write from.


Either this is a kernel issue and the kernel is accidently thinking the NetworkManager needs sysmodule.  It is my understanding that the kernel understands that NetworkManager needs to load modules to deal with the network, but this module might be something else.

Is there any chance you can reproduce this problem with selinux permissive and then provide the output of dmesg?

Created attachment 486787 [details]
output from dmesg after boot and login

I'm had to disable selinux enforcement anyway in order to boot due to problems with /dev/log. Here's dmesg output after a boot with selinux in permissive mode. The info from setroubleshoot is below:

Additional Information:
Source Context                system_u:system_r:NetworkManager_t:s0-s0:c0.c1023
Target Context                system_u:system_r:NetworkManager_t:s0-s0:c0.c1023
Target Objects                Unknown [ capability ]
Source                        wpa_supplicant
Source Path                   /usr/sbin/wpa_supplicant
Port                          <Unknown>
Host                          corrin.poochiereds.net
Source RPM Packages           wpa_supplicant-0.7.3-4.fc15
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.16-5.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     corrin.poochiereds.net
Platform                      Linux corrin.poochiereds.net 2.6.38-1.fc15.x86_64
                              #1 SMP Tue Mar 15 05:29:00 UTC 2011 x86_64 x86_64
Alert Count                   2
First Seen                    Tue 22 Mar 2011 08:26:28 AM EDT
Last Seen                     Tue 22 Mar 2011 09:06:00 AM EDT
Local ID                      5cd9ac66-6892-42f7-9280-64d0b5870c8f

Raw Audit Messages
type=AVC msg=audit(1300799160.534:29): avc:  denied  { sys_module } for  pid=1153 comm="wpa_supplicant" capability=16  scontext=system_u:system_r:NetworkManager_t:s0-s0:c0.c1023 tcontext=system_u:system_r:NetworkManager_t:s0-s0:c0.c1023 tclass=capability


type=SYSCALL msg=audit(1300799160.534:29): arch=x86_64 syscall=ioctl success=no exit=ENODEV a0=7 a1=8933 a2=7fff755985c0 a3=a items=0 ppid=1 pid=1153 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=wpa_supplicant exe=/usr/sbin/wpa_supplicant subj=system_u:system_r:NetworkManager_t:s0-s0:c0.c1023 key=(null)

*** Bug 690413 has been marked as a duplicate of this bug. ***

*** Bug 688380 has been marked as a duplicate of this bug. ***

*** Bug 688917 has been marked as a duplicate of this bug. ***

Just a note: I get this when connecting a 3G modem to the laptop.  This happens just once, and the 3G modem works after that; but after a suspend/resume cycle, the 3G modem doesn't get detected by NM.  No further selinux avcs are generated.  I've set selinux to permissive now and will get you the dmesg logs when I next reboot.  (Reboot needed as this avc doesn't recur and also since NM doesn't detect my 3G modem anymore.  I've tried service NetworkManager stop/start, doesn't help.)

Eric, this would definitely seem to indicate that the kernel patch is causing a problem here.

The fix should be changing aliases from "wifi0" to "netdev-wifi0" or similar.  The same for all net devices.

In reply to comment 11: why is this necessary? What does it matter what network devices are named?

Another note on the kernel: I'm running 2.6.38.1-6.fc15.x86_64 on a F14 userspace.

I get this message every time I resume from suspend.  I am also using the 2.6.38 kernel on F14.

Gene

(In reply to comment #12)
> In reply to comment 11: why is this necessary? What does it matter what network
> devices are named?

See http://git.kernel.org/linus/8909c9ad8ff03611c9c96c9a92656213e4bb495b for the reason.

Nothing much of interest in dmesg (it could be the ppp modules causing the avc):

[30626.467541] USB Serial support registered for GSM modem (1-port)
[30626.467903] option 2-1:1.0: GSM modem (1-port) converter detected
[30626.468754] usb 2-1: GSM modem (1-port) converter now attached to ttyUSB0
[30626.468776] option 2-1:1.1: GSM modem (1-port) converter detected
[30626.468911] usb 2-1: GSM modem (1-port) converter now attached to ttyUSB1
[30626.468930] option 2-1:1.2: GSM modem (1-port) converter detected
[30626.469081] usb 2-1: GSM modem (1-port) converter now attached to ttyUSB2
[30626.469100] option 2-1:1.3: GSM modem (1-port) converter detected
[30626.469256] usb 2-1: GSM modem (1-port) converter now attached to ttyUSB3
[30626.469667] usbcore: registered new interface driver option
[30626.469669] option: v0.7.2:USB Driver for GSM modems
[30627.386869] scsi 4:0:0:0: Direct-Access     HSPA     MMC Storage      2.31 PQ: 0 ANSI: 2
[30627.388865] sd 4:0:0:0: Attached scsi generic sg1 type 0
[30627.397107] sd 4:0:0:0: [sdb] Attached SCSI removable disk
[30672.050139] PPP generic driver version 2.4.2
[30672.307687] PPP Deflate Compression module registered

The top few modules loaded are:

$ lsmod
Module                  Size  Used by
ppp_deflate             3846  0 
zlib_deflate           18491  1 ppp_deflate
ppp_async               6756  1 
crc_ccitt               1597  1 ppp_async
ppp_generic            22095  2 ppp_deflate,ppp_async
slhc                    4776  1 ppp_generic
option                 16413  2 
usb_wwan               10768  1 option
usbserial              33200  6 option,usb_wwan
usb_storage            45615  0 


After a while, the connection dropped; this could be due to other reasons (like range going off):

[30849.011251] option: option_instat_callback: error -108
[30849.011421] option1 ttyUSB0: GSM modem (1-port) converter now disconnected from ttyUSB0
[30849.011452] option 2-1:1.3: device disconnected
[30849.113064] usb 2-1: reset high speed USB device using ehci_hcd and address 2
[30849.115447] modem-manager[1193]: segfault at 44 ip 000000000042b35a sp 00007fff180067d0 error 4 in modem-manager[400000+47000]
[30849.231601] option 2-1:1.3: GSM modem (1-port) converter detected
[30849.231850] usb 2-1: GSM modem (1-port) converter now attached to ttyUSB0
[30849.231879] option 2-1:1.2: GSM modem (1-port) converter detected
[30849.231962] usb 2-1: GSM modem (1-port) converter now attached to ttyUSB1
[30849.231987] option 2-1:1.1: GSM modem (1-port) converter detected
[30849.232090] usb 2-1: GSM modem (1-port) converter now attached to ttyUSB2
[30849.232115] option 2-1:1.0: GSM modem (1-port) converter detected
[30849.232197] usb 2-1: GSM modem (1-port) converter now attached to ttyUSB3

In reply to comment 16:

> After a while, the connection dropped; this could be due to other reasons
> (like range going off)

I don't think so. When I was running Fedora 14 on my laptop, my WiFi connection virtually never dropped. But since I reloaded with Fedora 15 Alpha, it drops fairly often. (It virtually ALWAYS drops between 30-60 seconds after I first bring the interface up.)

I'm suspicious the drops are related to this issue, which is why I haven't already filed a separate Bugzilla for it.

Wireless networking drops, if it every worked is certainly unrelated.  This issue is only related to loading the module needed to make the hardware work.  Since you hardware works for some of the time it modules is obviously loaded.  Any problems you run into after the module is loaded is the fault of the module itself.  Please open another BZ if you are having problems other than getting modules loaded to start with.

Just a "me too" but with:
wpa_supplicant-0.6.8-10.fc14
selinux-policy-3.9.7-37.fc14
kernel-2.6.35.12-88.fc14.x86_64

Just a note that dropping back to kernel-2.6.35.11-87.fc14.x86_64 seems to resolve the issue.

AVC logs this message every suspend/resume on my FC14 netbook.  It seems to have started with the most recent kernel RPM that I installed this morning.

Looks like selinux-policy-3.9.7-39.fc14 has these dontaudited.

Like Mark, I get this during suspend/resume (FC14).  I would agree with the statement about the latest kernel update.

My wireless card is still functional using WPA2 personal encryption.

Same issue here. Everything works fine, but I get those AVCs after every boot & auto-connect to home network. With older kernel, there are no problems.

kernel-2.6.35.12-88.fc14.x86_64
selinux-policy-3.9.7-37.fc14
wpa_supplicant-0.6.8-10.fc14.x86_64

*** Bug 695962 has been marked as a duplicate of this bug. ***

I have the same issues except, but with wpa_supplicant-0.6.8-10.fc14.  Here's my bug report below.  Since I'm running F14 and 32bit, I wasn't sure if I should piggyback the bug report here or create a new one.  In any case, the bug report is below.  Thanks a ton for all your work on the Fedora system.

----------------------------------

SELinux is preventing /usr/sbin/wpa_supplicant from using the 'sys_module' capabilities.

*****  Plugin sys_module (99.5 confidence) suggests  *************************

If you do not believe that /usr/sbin/wpa_supplicant should be attempting to modify the kernel by loading a kernel module.
Then a process might be attempting to hack into your system.
Do
contact your security administrator and report this issue.

*****  Plugin catchall (1.49 confidence) suggests  ***************************

If you believe that wpa_supplicant should have the sys_module capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep wpa_supplicant /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:NetworkManager_t:s0-s0:c0.c1023
Target Context                system_u:system_r:NetworkManager_t:s0-s0:c0.c1023
Target Objects                Unknown [ capability ]
Source                        wpa_supplicant
Source Path                   /usr/sbin/wpa_supplicant
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           wpa_supplicant-0.6.8-10.fc14
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.7-37.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed)
                              2.6.35.12-88.fc14.i686.PAE #1 SMP Thu Mar 31
                              21:54:35 UTC 2011 i686 i686
Alert Count                   22
First Seen                    Tue 12 Apr 2011 07:25:46 PM CEST
Last Seen                     Sun 17 Apr 2011 12:51:18 PM CEST
Local ID                      807a4929-2479-4c17-9086-85f7d9025c9f

Raw Audit Messages
type=AVC msg=audit(1303037478.683:250): avc:  denied  { sys_module } for  pid=1473 comm="wpa_supplicant" capability=16  scontext=system_u:system_r:NetworkManager_t:s0-s0:c0.c1023 tcontext=system_u:system_r:NetworkManager_t:s0-s0:c0.c1023 tclass=capability


type=SYSCALL msg=audit(1303037478.683:250): arch=i386 syscall=ioctl success=no exit=ENODEV a0=8 a1=8933 a2=bfd8cabc a3=8 items=0 ppid=1 pid=1473 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=wpa_supplicant exe=/usr/sbin/wpa_supplicant subj=system_u:system_r:NetworkManager_t:s0-s0:c0.c1023 key=(null)

Hash: wpa_supplicant,NetworkManager_t,NetworkManager_t,capability,sys_module

audit2allow

#============= NetworkManager_t ==============
allow NetworkManager_t self:capability sys_module;

audit2allow -R

#============= NetworkManager_t ==============
allow NetworkManager_t self:capability sys_module;

I get this error always after restoring my computer from suspend mode. I think this behavior is new since I've updated a lot of packages with yum last weekend.

2.6.35.12-88.fc14.x86_64
selinux-policy-3.9.7-37.fc14.noarch
wpa_supplicant-0.6.8-10.fc14.x86_64

Created attachment 492865 [details]
output of dmesg after restoring from suspend mode

Created attachment 492871 [details]
excerpt of yum.log

I get the same error each time I start my wireless adapter. My system is a fresh Fedorra 14 configuration (64Bit) and the error comes up since I have updated the system a few minutes ago.

Details:

Summary:

Your system may be seriously compromised! /usr/sbin/wpa_supplicant tried to load
a kernel module.

Detailed Description:
...

Additional Information:

Target Objects                None [ capability ]
Source                        wpa_supplicant
Source Path                   /usr/sbin/wpa_supplicant
Port                          <Unknown>
Source RPM Packages           wpa_supplicant-0.6.8-10.fc14
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.7-37.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   sys_module
First Seen                    Mon 18 Apr 2011 09:44:03 PM CEST
Last Seen                     Mon 18 Apr 2011 09:46:28 PM CEST

(In reply to comment #29)
> I get the same error each time I start my wireless adapter. My system is a
> fresh Fedorra 14 configuration (64Bit) and the error comes up since I have
> updated the system a few minutes ago.

http://koji.fedoraproject.org/koji/buildinfo?buildID=238573

Try this Fedora14 release from koji for now.

This problem is also triggered if you just disable and then re-enable wireless.

This occurs when I enable the wireless device with the switch on the laptop.

Here is the AVC log.


SELinux is preventing /usr/sbin/wpa_supplicant from using the 'sys_module' capabilities.

*****  Plugin sys_module (99.5 confidence) suggests  *************************

If you do not believe that /usr/sbin/wpa_supplicant should be attempting to modify the kernel by loading a kernel module.
Then a process might be attempting to hack into your system.
Do
contact your security administrator and report this issue.

*****  Plugin catchall (1.49 confidence) suggests  ***************************

If you believe that wpa_supplicant should have the sys_module capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep wpa_supplicant /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:NetworkManager_t:s0-s0:c0.c1023
Target Context                system_u:system_r:NetworkManager_t:s0-s0:c0.c1023
Target Objects                Unknown [ capability ]
Source                        wpa_supplicant
Source Path                   /usr/sbin/wpa_supplicant
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           wpa_supplicant-0.6.8-10.fc14
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.7-37.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux vulcan 2.6.35.12-88.fc14.x86_64 #1 SMP Thu
                              Mar 31 21:21:57 UTC 2011 x86_64 x86_64
Alert Count                   1
First Seen                    Mon 25 Apr 2011 15:11:47 BST
Last Seen                     Mon 25 Apr 2011 15:11:47 BST
Local ID                      5cae53c3-15d6-4dfd-a65a-f9c28bc380aa

Raw Audit Messages
type=AVC msg=audit(1303740707.244:33066): avc:  denied  { sys_module } for  pid=1700 comm="wpa_supplicant" capability=16  scontext=system_u:system_r:NetworkManager_t:s0-s0:c0.c1023 tcontext=system_u:system_r:NetworkManager_t:s0-s0:c0.c1023 tclass=capability


type=SYSCALL msg=audit(1303740707.244:33066): arch=x86_64 syscall=ioctl success=no exit=ENODEV a0=8 a1=8933 a2=7fff4bd802b0 a3=46e3fbf2abbacd29 items=0 ppid=1 pid=1700 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=wpa_supplicant exe=/usr/sbin/wpa_supplicant subj=system_u:system_r:NetworkManager_t:s0-s0:c0.c1023 key=(null)

Hash: wpa_supplicant,NetworkManager_t,NetworkManager_t,capability,sys_module

audit2allow

#============= NetworkManager_t ==============
allow NetworkManager_t self:capability sys_module;

audit2allow -R

#============= NetworkManager_t ==============
allow NetworkManager_t self:capability sys_module;

(In reply to comment #30)
> (In reply to comment #29)
> > I get the same error each time I start my wireless adapter. My system is a
> > fresh Fedorra 14 configuration (64Bit) and the error comes up since I have
> > updated the system a few minutes ago.
> 
> http://koji.fedoraproject.org/koji/buildinfo?buildID=238573
> 
> Try this Fedora14 release from koji for now.

I confirm that with this selinux-policy packages, I no longer see the AVC denial.

Thanks, Jan

This issue happens with this kernel on RHEL 6.0:
kernel-2.6.32-71.29.1.el6.x86_64
If you revert back to the following kernel, the issue disappears:
kernel-2.6.32-71.18.2.el6.x86_64

This appears to have been fixed per comment #33.  If it is still occurring, please reopen and list relevant package versions and error output.