When wpa_supplicant is running, attempts to use wpa_cli fail (whether as root, or as a regular user):

---------------------------------------------------
% wpa_cli scan
Selected interface 'ra0'
'SCAN' command timed out.

% sealert -l 8bfd6100-a375-4eec-9f50-1c85d0b9233f
[...]
SELinux is preventing the wpa_supplicant from using potentially mislabeled files (wpa_ctrl_18934-0).
[...]
Source Context                system_u:system_r:NetworkManager_t
Target Context                user_u:object_r:tmp_t
Target Objects                wpa_ctrl_18934-0 [ sock_file ]
Source                        wpa_supplicant
Source Path                   /usr/sbin/wpa_supplicant
Port                          <Unknown>
Host                          hp.nogin.org
Source RPM Packages           wpa_supplicant-0.5.10-9.el5
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-279.el5_5.2
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   home_tmp_bad_labels
Host Name                     hostname
Platform                      Linux hostname 2.6.18-194.32.1.el5 #1 SMP Wed Jan 5 17:53:09 EST 2011 i686 i686
Alert Count                   1
First Seen                    Sat Apr 2 21:39:21 2011
Last Seen                     Sat Apr 2 21:39:21 2011
Local ID                      8bfd6100-a375-4eec-9f50-1c85d0b9233f
Line Numbers

Raw Audit Messages

host=hostname type=AVC msg=audit(1301805561.772:370): avc: denied { write } for pid=2534 comm="wpa_supplicant" name="wpa_ctrl_18934-0" dev=dm-2 ino=119 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=user_u:object_r:tmp_t:s0 tclass=sock_file

host=hostname type=SYSCALL msg=audit(1301805561.772:370): arch=40000003 syscall=102 success=no exit=-13 a0=b a1=bf816830 a2=9efa4f0 a3=bf81686b items=0 ppid=1 pid=2534 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="wpa_supplicant" exe="/usr/sbin/wpa_supplicant" subj=system_u:system_r:NetworkManager_t:s0 key=(null)
------------------------------------------------------

This is caused by wpa_cli creating a temporary socket file in /tmp to communicate with wpa_supplicant. This bug was reported against Fedora 9 in bug 424611 - apparently it was fixed in selinux-policy-3.3.1-115.fc9
Could you test it with the latest RHEL5 policy? http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch/
Summary:

SELinux is preventing the wpa_supplicant from using potentially mislabeled files (wpa_ctrl_7782-0).

Detailed Description:

SELinux has denied wpa_supplicant access to potentially mislabeled file(s) (wpa_ctrl_7782-0). This means that SELinux will not allow wpa_supplicant to use these files. It is common for users to edit files in their home directory or tmp directories and then move (mv) them to system directories. The problem is that the files end up with the wrong file context which confined applications are not allowed to access.

Allowing Access:

If you want wpa_supplicant to access this files, you need to relabel them using restorecon -v 'wpa_ctrl_7782-0'. You might want to relabel the entire directory using restorecon -R -v '<Неизвестно>'.

Additional Information:

Source Context                user_u:system_r:NetworkManager_t
Target Context                user_u:object_r:tmp_t
Target Objects                wpa_ctrl_7782-0 [ sock_file ]
Source                        wpa_supplicant
Source Path                   /usr/sbin/wpa_supplicant
Port                          <Unknown>
Host                          hostname
Source RPM Packages           wpa_supplicant-0.5.10-9.el5
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-300.el5_6.1
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   home_tmp_bad_labels
Host Name                     hostname
Platform                      Linux hostname 2.6.18-238.9.1.el5 #1 SMP Tue Apr 12 18:10:56 EDT 2011 i686 i686
Alert Count                   1
First Seen                    Wed May 4 09:50:24 2011
Last Seen                     Wed May 4 09:50:24 2011
Local ID                      7c617a99-fccf-4dc4-819f-795c9f449553
Line Numbers

Raw Audit Messages

host=hostname type=AVC msg=audit(1304527824.146:46314): avc: denied { write } for pid=25821 comm="wpa_supplicant" name="wpa_ctrl_7782-0" dev=dm-2 ino=76 scontext=user_u:system_r:NetworkManager_t:s0 tcontext=user_u:object_r:tmp_t:s0 tclass=sock_file

host=hostname type=SYSCALL msg=audit(1304527824.146:46314): arch=40000003 syscall=102 success=no exit=-13 a0=b a1=bffa5680 a2=99fa080 a3=bffa56bb items=0 ppid=1 pid=25821 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=29 comm="wpa_supplicant" exe="/usr/sbin/wpa_supplicant" subj=user_u:system_r:NetworkManager_t:s0 key=(null)
This should be fixed in the latest release which is also available on http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch/
Still there with the -316 policy:

Source Context                user_u:system_r:NetworkManager_t
Target Context                user_u:system_r:unconfined_t
Target Objects                /tmp/wpa_ctrl_22848-0 [ unix_dgram_socket ]
Source                        wpa_supplicant
Source Path                   /usr/sbin/wpa_supplicant
Port                          <Unknown>
Host                          hp.nogin.org
Source RPM Packages           wpa_supplicant-0.5.10-9.el5
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-316.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     hostname
Platform                      Linux hostname 2.6.18-274.el5 #1 SMP Fri Jul 22 04:49:12 EDT 2011 i686 i686
Alert Count                   1
First Seen                    Wed Nov 23 14:04:00 2011
Last Seen                     Wed Nov 23 14:04:00 2011
Local ID                      baf7eefc-2aff-4ebb-898a-b18671fe4d13
Line Numbers

Raw Audit Messages

host=hp.nogin.org type=AVC msg=audit(1322085840.219:581702): avc: denied { sendto } for pid=16173 comm="wpa_supplicant" path="/tmp/wpa_ctrl_22848-0" scontext=user_u:system_r:NetworkManager_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=unix_dgram_socket

host=hp.nogin.org type=SYSCALL msg=audit(1322085840.219:581702): arch=40000003 syscall=102 success=no exit=-13 a0=b a1=bfbad0f0 a2=83ca260 a3=bfbad12b items=0 ppid=1 pid=16173 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=229 comm="wpa_supplicant" exe="/usr/sbin/wpa_supplicant" subj=user_u:system_r:NetworkManager_t:s0 key=(null)
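The raw audit messages in comment 1 and the -316 denial above carry everything needed to see which domain, which object type and which permission were refused. The following Python is an added example (not part of this bug report or of the selinux-policy package): a small parser in the spirit of audit2allow that reads the type=AVC records quoted in this thread, distinguishes the two patterns seen here (a sock_file labeled tmp_t, and a sendto on a unix_dgram_socket owned by unconfined_t), and prints the allow rule each denial implies. The sample records are copied from the thread; the parser and the tmp_t heuristic are the editor's own.

```python
import re
from dataclasses import dataclass

# AVC records copied from comments 1, 3 and 4 of this thread, one per line as auditd writes them.
SAMPLE_AUDIT = """\
host=hostname type=AVC msg=audit(1301805561.772:370): avc: denied { write } for pid=2534 comm="wpa_supplicant" name="wpa_ctrl_18934-0" dev=dm-2 ino=119 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=user_u:object_r:tmp_t:s0 tclass=sock_file
host=hostname type=AVC msg=audit(1304527824.146:46314): avc: denied { write } for pid=25821 comm="wpa_supplicant" name="wpa_ctrl_7782-0" dev=dm-2 ino=76 scontext=user_u:system_r:NetworkManager_t:s0 tcontext=user_u:object_r:tmp_t:s0 tclass=sock_file
host=hp.nogin.org type=AVC msg=audit(1322085840.219:581702): avc: denied { sendto } for pid=16173 comm="wpa_supplicant" path="/tmp/wpa_ctrl_22848-0" scontext=user_u:system_r:NetworkManager_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=unix_dgram_socket
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value or key="quoted value"

def ctx_type(ctx):
    return ctx.split(":")[2]   # user:role:type[:level] -> type

@dataclass(frozen=True)
class AvcDenial:
    perms: tuple      # permissions denied, e.g. ('write',)
    comm: str         # process that was denied
    target: str       # path= or name= of the object, whichever the kernel logged
    scontext: str
    tcontext: str
    tclass: str

    def allow_rule(self):
        # The rule audit2allow would derive for this one denial; for a labeling
        # problem (tmp_t) the right fix is a file context or policy update, not this.
        return "allow %s %s:%s { %s };" % (ctx_type(self.scontext), ctx_type(self.tcontext),
                                           self.tclass, " ".join(self.perms))

    def looks_mislabeled(self):
        # Comment 1's pattern: a confined daemon touching a socket file in /tmp that
        # carries the generic tmp_t label instead of a daemon-specific one.
        return self.tclass == "sock_file" and ctx_type(self.tcontext) == "tmp_t"

def parse_avc(line):
    """Return an AvcDenial for a type=AVC record, or None for any other record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    f = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    return AvcDenial(perms=tuple(m.group("perms").split()), comm=f.get("comm", ""),
                     target=f.get("path") or f.get("name", ""),
                     scontext=f["scontext"], tcontext=f["tcontext"], tclass=f["tclass"])

def summarize(audit_text):
    """Distinct allow rules implied by a block of audit records, in first-seen order."""
    denials = filter(None, map(parse_avc, audit_text.splitlines()))
    return list(dict.fromkeys(d.allow_rule() for d in denials))
```

Running summarize(SAMPLE_AUDIT) on the three records collapses the two tmp_t denials into one rule and keeps the unix_dgram_socket denial separate, which matches the two distinct fixes the maintainer had to ship.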
How did you start wpa? What does # ps -eZ | grep wpa
(In reply to comment #5)
> How did you start wpa?

sudo /sbin/service wpa_supplicant restart

(I have wpa_supplicant's init rc script enabled and the NetworkManager one disabled, as this is on a desktop with a static IP and static connection).

> # ps -eZ | grep wpa

user_u:system_r:NetworkManager_t 16173 ?        00:00:07 wpa_supplicant

Also, just tried on another machine where wpa_supplicant is running under NetworkManager and got the same audit messages trying to execute wpa_cli.
Ok, I will backport a fix from RHEL6.
Fixed in selinux-policy-2.4.6-320.el5
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2012-0158.html