693149 – wpa_cli fails to connect to running wpa_supplicant due to selinux

Bug 693149 - wpa_cli fails to connect to running wpa_supplicant due to selinux

Summary: wpa_cli fails to connect to running wpa_supplicant due to selinux

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 5
Classification:	Red Hat
Component:	selinux-policy
Sub Component:
Version:	5.6
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Miroslav Grepl
QA Contact:	Milos Malik
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2011-04-03 04:43 UTC by Aleksey Nogin
Modified:	2012-02-21 05:46 UTC (History)
CC List:	2 users (show)
Fixed In Version:	selinux-policy-2.4.6-320.el5
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2012-02-21 05:46:46 UTC
Target Upstream Version:
Dependent Products:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2012:0158	normal	SHIPPED_LIVE	selinux-policy bug fix and enhancement update	2012-02-20 14:53:50 UTC

Description Aleksey Nogin 2011-04-03 04:43:49 UTC

When wpa_supplicant is runnign, attempts to use wpa_cli fail (whether as root, or as aregular user):

---------------------------------------------------
% wpa_cli scan
Selected interface 'ra0'
'SCAN' command timed out.
% sealert -l 8bfd6100-a375-4eec-9f50-1c85d0b9233f
[...]
SELinux is preventing the wpa_supplicant from using potentially mislabeled files
(wpa_ctrl_18934-0).
[...]
Source Context                system_u:system_r:NetworkManager_t
Target Context                user_u:object_r:tmp_t
Target Objects                wpa_ctrl_18934-0 [ sock_file ]
Source                        wpa_supplicant
Source Path                   /usr/sbin/wpa_supplicant
Port                          <Unknown>
Host                          hp.nogin.org
Source RPM Packages           wpa_supplicant-0.5.10-9.el5
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-279.el5_5.2
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   home_tmp_bad_labels
Host Name                     hostname
Platform                      Linux hostname 2.6.18-194.32.1.el5 #1 SMP Wed
                              Jan 5 17:53:09 EST 2011 i686 i686
Alert Count                   1
First Seen                    Sat Apr  2 21:39:21 2011
Last Seen                     Sat Apr  2 21:39:21 2011
Local ID                      8bfd6100-a375-4eec-9f50-1c85d0b9233f
Line Numbers

Raw Audit Messages

host=hostname type=AVC msg=audit(1301805561.772:370): avc:  denied  { write } for  pid=2534 comm="wpa_supplicant" name="wpa_ctrl_18934-0" dev=dm-2 ino=119 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=user_u:object_r:tmp_t:s0 tclass=sock_file

host=hostname type=SYSCALL msg=audit(1301805561.772:370): arch=40000003 syscall=102 success=no exit=-13 a0=b a1=bf816830 a2=9efa4f0 a3=bf81686b items=0 ppid=1 pid=2534 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="wpa_supplicant" exe="/usr/sbin/wpa_supplicant" subj=system_u:system_r:NetworkManager_t:s0 key=(null)

------------------------------------------------------

This is caused by wpa_cli creating a temporary socket file in /tmp to communicate with wpa_supplicant.

This bug was reported against Fedora 9 in bug 424611 - apparently it was fixed in selinux-policy-3.3.1-115.fc9

Comment 1 Miroslav Grepl 2011-04-07 07:19:49 UTC

Could you test it with the latest RHEL5 policy?

http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch/

Comment 2 Aleksey Nogin 2011-05-04 16:55:29 UTC

Summary:

SELinux is preventing the wpa_supplicant from using potentially mislabeled files
(wpa_ctrl_7782-0).

Detailed Description:

SELinux has denied wpa_supplicant access to potentially mislabeled file(s)
(wpa_ctrl_7782-0). This means that SELinux will not allow wpa_supplicant to use
these files. It is common for users to edit files in their home directory or tmp
directories and then move (mv) them to system directories. The problem is that
the files end up with the wrong file context which confined applications are not
allowed to access.

Allowing Access:

If you want wpa_supplicant to access this files, you need to relabel them using
restorecon -v 'wpa_ctrl_7782-0'. You might want to relabel the entire directory
using restorecon -R -v '<Неизвестно>'.

Additional Information:

Source Context                user_u:system_r:NetworkManager_t
Target Context                user_u:object_r:tmp_t
Target Objects                wpa_ctrl_7782-0 [ sock_file ]
Source                        wpa_supplicant
Source Path                   /usr/sbin/wpa_supplicant
Port                          <Unknown>
Host                          hostname
Source RPM Packages           wpa_supplicant-0.5.10-9.el5
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-300.el5_6.1
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   home_tmp_bad_labels
Host Name                     hostname
Platform                      Linux hostname 2.6.18-238.9.1.el5 #1 SMP Tue
                              Apr 12 18:10:56 EDT 2011 i686 i686
Alert Count                   1
First Seen                    Wed May  4 09:50:24 2011
Last Seen                     Wed May  4 09:50:24 2011
Local ID                      7c617a99-fccf-4dc4-819f-795c9f449553
Line Numbers

Raw Audit Messages

host=hostname type=AVC msg=audit(1304527824.146:46314): avc:  denied  { write } for  pid=25821 comm="wpa_supplicant" name="wpa_ctrl_7782-0" dev=dm-2 ino=76 scontext=user_u:system_r:NetworkManager_t:s0 tcontext=user_u:object_r:tmp_t:s0 tclass=sock_file

host=hostname type=SYSCALL msg=audit(1304527824.146:46314): arch=40000003 syscall=102 success=no exit=-13 a0=b a1=bffa5680 a2=99fa080 a3=bffa56bb items=0 ppid=1 pid=25821 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=29 comm="wpa_supplicant" exe="/usr/sbin/wpa_supplicant" subj=user_u:system_r:NetworkManager_t:s0 key=(null)

Comment 3 Miroslav Grepl 2011-06-06 12:40:54 UTC

This should be fixed in the latest release which is also available on

http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch/

Comment 4 Aleksey Nogin 2011-11-23 22:50:15 UTC

Still there with the -316 policy:

Source Context                user_u:system_r:NetworkManager_t
Target Context                user_u:system_r:unconfined_t
Target Objects                /tmp/wpa_ctrl_22848-0 [ unix_dgram_socket ]
Source                        wpa_supplicant
Source Path                   /usr/sbin/wpa_supplicant
Port                          <Unknown>
Host                          hp.nogin.org
Source RPM Packages           wpa_supplicant-0.5.10-9.el5
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-316.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     hostname
Platform                      Linux hostname 2.6.18-274.el5 #1 SMP Fri Jul
                              22 04:49:12 EDT 2011 i686 i686
Alert Count                   1
First Seen                    Wed Nov 23 14:04:00 2011
Last Seen                     Wed Nov 23 14:04:00 2011
Local ID                      baf7eefc-2aff-4ebb-898a-b18671fe4d13
Line Numbers

Raw Audit Messages

host=hp.nogin.org type=AVC msg=audit(1322085840.219:581702): avc:  denied  { sendto } for  pid=16173 comm="wpa_supplicant" path="/tmp/wpa_ctrl_22848-0" scontext=user_u:system_r:NetworkManager_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=unix_dgram_socket

host=hp.nogin.org type=SYSCALL msg=audit(1322085840.219:581702): arch=40000003 syscall=102 success=no exit=-13 a0=b a1=bfbad0f0 a2=83ca260 a3=bfbad12b items=0 ppid=1 pid=16173 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=229 comm="wpa_supplicant" exe="/usr/sbin/wpa_supplicant" subj=user_u:system_r:NetworkManager_t:s0 key=(null)

Comment 5 Miroslav Grepl 2011-11-24 09:53:57 UTC

How did you start wpa?

What does

# ps -eZ | grep wpa

Comment 6 Aleksey Nogin 2011-11-25 05:38:27 UTC

(In reply to comment #5)
> How did you start wpa?

sudo /sbin/service wpa_supplicant restart

(I have wpa_supplicant's init rc script enabled in and NetworkManager one disabled as this is on a desktop with a static IP and static connection).

> # ps -eZ | grep wpa

user_u:system_r:NetworkManager_t 16173 ?       00:00:07 wpa_supplicant

Also, just tried on another machine where wpa_supplicant is running under NetworkManager and got the same audit messages trying to execute wpa_cli.

Comment 7 Miroslav Grepl 2011-11-28 09:21:30 UTC

Ok, I will backport a fix from RHEL6.

Comment 8 Miroslav Grepl 2011-11-29 16:39:23 UTC

Fixed in selinux-policy-2.4.6-320.el5

Comment 12 errata-xmlrpc 2012-02-21 05:46:46 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0158.html

Note You need to log in before you can comment on or make changes to this bug.