Hide Forgot
Description of problem: Fails to connect to AP with the following selinux errors in the log: Nov 14 15:50:10 spaceman setroubleshoot: SELinux is preventing /usr/sbin/wpa_supplicant from read access on the file /home/dan/.kde/share/apps/networkmanagement/certificates/{5d5d81f2-9c7f-4fd4-90f6-c7ceb6ae49ec}. For complete SELinux messages. run sealert -l 9da65e4e-6ebb-41b1-8016-d6b985d5c488 .. Nov 14 16:04:00 spaceman setroubleshoot: SELinux is preventing /usr/sbin/wpa_supplicant from open access on the file /home/dan/.kde/share/apps/networkmanagement/certificates/{5d5d81f2-9c7f-4fd4-90f6-c7ceb6ae49ec}. For complete SELinux messages. run sealert -l 19b78781-dcd4-4f35-9997-7abec57d93c7 .. Nov 14 16:09:44 spaceman setroubleshoot: SELinux is preventing /usr/sbin/wpa_supplicant from getattr access on the file /home/dan/.kde/share/apps/networkmanagement/certificates/{5d5d81f2-9c7f-4fd4-90f6-c7ceb6ae49ec}. For complete SELinux messages. run sealert -l ff41f4a1-a84c-4963-b169-dbc33b1443ee Version-Release number of selected component (if applicable): Name : NetworkManager Arch : x86_64 Epoch : 1 Version : 0.8.5.92 Release : 1.git20110927.fc14 Name : selinux-policy-targeted Arch : noarch Version : 3.9.7 Release : 46.fc14 How reproducible: Always Steps to Reproduce: 1. Open NetworkManager 2. Create Wireness WPA Enterprise PEAP connect 3. Add custom certificate Actual results: Disconnection and disassociation Expected results: Connection made. Additional info: SELinux Network manager module of the form: module nm 1.0; require { type NetworkManager_t; type home_cert_t; type cert_t; class file { read getattr open }; } allow NetworkManager_t cert_t:file { read getattr open }; allow NetworkManager_t home_cert_t:file { read getattr open }; With the following added to /etc/selinux/targeted/contexts/files/file_contexts.homedirs and /etc/selinux/targeted/contexts/files/file_contexts /home/[^/]*/\.kde/share/apps/networkmanagement/certificates(/.*)? unconfined_u:object_r:home_cert_t:s0 policy/modules/system/userdomain.fc HOME_DIR/[^/]*/\.kde/share/apps/networkmanagement/certificates(/.*)? gen_context(system_u:object_r:home_cert_t,s0) Allowing cert_t should allow the user to specify an already installed cert.
Is this a default location? # chcon -R -t home_cert_t /home/dan/.kde/share/apps/networkmanagement/certificates should fix the issue. The module should not be needed. # sesearch -A -s NetworkManager_t -t home_cert_t -c file -p read Found 1 semantic av rules: allow NetworkManager_t home_cert_t : file { ioctl read getattr lock open }
> Is this a default location? yes When it has been imported from kcm_networkmanagement it was copied from where the certificate was (Desktop) to this default location.
Fixed in Rawhide with 14c739f003d9bb11e9b31e2826fb930d5a7d775a Should be back ported to F15, F16, RHEL6. Too late for F14. Since it can be worked around.
It was fixed in selinux-policy-3.10.0-57.fc16
thanks. Was going to move on from F14 very soon.
selinux-policy-3.9.16-50.fc15 has been submitted as an update for Fedora 15. https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-50.fc15
Package selinux-policy-3.9.16-50.fc15: * should fix your issue, * was pushed to the Fedora 15 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-50.fc15' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2011-17089/selinux-policy-3.9.16-50.fc15 then log in and leave karma (feedback).
selinux-policy-3.9.16-50.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.