More changes to NetworkManager for WPA... (yea!)

Daniel J Walsh dwalsh at redhat.com
Tue Jan 31 15:43:31 UTC 2006


Tom London wrote:
> Running today's rawhide, targeted/enforcing.
>
> The new kernel and NM support WPA. Works in permissive mode.
>
> Seems to want:
> allow NetworkManager_t self:unix_dgram_socket sendto;
> allow NetworkManager_t tmp_t:dir remove_name;
> allow NetworkManager_t tmp_t:sock_file unlink;
> allow NetworkManager_t var_run_t:dir create;
> allow NetworkManager_t var_run_t:sock_file setattr;
>
>   
Yes, I am working with the NetworkManager maintainer to fix some problems 
in the design of NetworkManager/wpa, so hopefully we can get this fixed 
by tomorrow.

Dan
> ----
> type=PATH msg=audit(01/31/2006 07:17:14.277:45) : item=0 flags=parent
> inode=2777160 dev=fd:00 mode=dir,755 ouid=root ogid=root rdev=00:00
> type=SOCKETCALL msg=audit(01/31/2006 07:17:14.277:45) : nargs=3 a0=3
> a1=bfd8f0fe a2=6e
> type=SOCKADDR msg=audit(01/31/2006 07:17:14.277:45) : saddr=local
> /var/run/wpa_supplicant-global
> type=SYSCALL msg=audit(01/31/2006 07:17:14.277:45) : arch=i386
> syscall=socketcall(bind) success=yes exit=0 a0=2 a1=bfd8f0e0 a2=3
> a3=8af7020 items=1 pid=3138 auid=unknown(4294967295) uid=root gid=root
> euid=root suid=root fsuid=root egid=root sgid=root fsgid=root
> comm=wpa_supplicant exe=/usr/sbin/wpa_supplicant
> type=AVC msg=audit(01/31/2006 07:17:14.277:45) : avc:  denied  {
> create } for  pid=3138 comm=wpa_supplicant name=wpa_supplicant-global
> scontext=system_u:system_r:NetworkManager_t:s0
> tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
> ----
> type=PATH msg=audit(01/31/2006 07:17:15.281:46) : item=0 flags=parent
> inode=980161 dev=fd:00 mode=dir,sticky,777 ouid=root ogid=root
> rdev=00:00
> type=SOCKETCALL msg=audit(01/31/2006 07:17:15.281:46) : nargs=3 a0=12
> a1=810f9ac a2=6e
> type=SOCKADDR msg=audit(01/31/2006 07:17:15.281:46) : saddr=local
> /tmp/wpa_ctrl_2606-1
> type=SYSCALL msg=audit(01/31/2006 07:17:15.281:46) : arch=i386
> syscall=socketcall(bind) success=yes exit=0 a0=2 a1=b7579240 a2=1
> a3=810f9a8 items=1 pid=2615 auid=unknown(4294967295) uid=root gid=root
> euid=root suid=root fsuid=root egid=root sgid=root fsgid=root
> comm=NetworkManager exe=/usr/sbin/NetworkManager
> type=AVC msg=audit(01/31/2006 07:17:15.281:46) : avc:  denied  {
> create } for  pid=2615 comm=NetworkManager name=wpa_ctrl_2606-1
> scontext=system_u:system_r:NetworkManager_t:s0
> tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file
> type=AVC msg=audit(01/31/2006 07:17:15.281:46) : avc:  denied  {
> add_name } for  pid=2615 comm=NetworkManager name=wpa_ctrl_2606-1
> scontext=system_u:system_r:NetworkManager_t:s0
> tcontext=system_u:object_r:tmp_t:s0 tclass=dir
> type=AVC msg=audit(01/31/2006 07:17:15.281:46) : avc:  denied  { write
> } for  pid=2615 comm=NetworkManager name=tmp dev=dm-0 ino=980161
> scontext=system_u:system_r:NetworkManager_t:s0
> tcontext=system_u:object_r:tmp_t:s0 tclass=dir
> type=AVC msg=audit(01/31/2006 07:17:15.281:46) : avc:  denied  {
> search } for  pid=2615 comm=NetworkManager name=tmp dev=dm-0
> ino=980161 scontext=system_u:system_r:NetworkManager_t:s0
> tcontext=system_u:object_r:tmp_t:s0 tclass=dir
> ----
> type=PATH msg=audit(01/31/2006 07:17:15.281:47) : item=0 flags=follow
> inode=2778180 dev=fd:00 mode=socket,755 ouid=root ogid=root rdev=00:00
> type=SOCKETCALL msg=audit(01/31/2006 07:17:15.281:47) : nargs=3 a0=12
> a1=810fa1a a2=6e
> type=SOCKADDR msg=audit(01/31/2006 07:17:15.281:47) : saddr=local
> /var/run/wpa_supplicant-global
> type=AVC_PATH msg=audit(01/31/2006 07:17:15.281:47) : 
> path=/var/run/wpa_supplicant-global
> type=SYSCALL msg=audit(01/31/2006 07:17:15.281:47) : arch=i386
> syscall=socketcall(connect) success=yes exit=0 a0=3 a1=b7579240 a2=1
> a3=0 items=1 pid=2615 auid=unknown(4294967295) uid=root gid=root
> euid=root suid=root fsuid=root egid=root sgid=root fsgid=root
> comm=NetworkManager exe=/usr/sbin/NetworkManager
> type=AVC msg=audit(01/31/2006 07:17:15.281:47) : avc:  denied  {
> sendto } for  pid=2615 comm=NetworkManager name=wpa_supplicant-global
> scontext=system_u:system_r:NetworkManager_t:s0
> tcontext=system_u:system_r:NetworkManager_t:s0
> tclass=unix_dgram_socket
> type=AVC msg=audit(01/31/2006 07:17:15.281:47) : avc:  denied  { write
> } for  pid=2615 comm=NetworkManager name=wpa_supplicant-global
> dev=dm-0 ino=2778180 scontext=system_u:system_r:NetworkManager_t:s0
> tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
> ----
> type=PATH msg=audit(01/31/2006 07:17:15.309:48) : item=0
> name=/var/run/wpa_supplicant flags=parent inode=2777160 dev=fd:00
> mode=dir,755 ouid=root ogid=root rdev=00:00
> type=CWD msg=audit(01/31/2006 07:17:15.309:48) :  cwd=/
> type=SYSCALL msg=audit(01/31/2006 07:17:15.309:48) : arch=i386
> syscall=mkdir success=yes exit=0 a0=8af7aa8 a1=1f8 a2=8af7958
> a3=8af7958 items=1 pid=3138 auid=unknown(4294967295) uid=root gid=root
> euid=root suid=root fsuid=root egid=root sgid=root fsgid=root
> comm=wpa_supplicant exe=/usr/sbin/wpa_supplicant
> type=AVC msg=audit(01/31/2006 07:17:15.309:48) : avc:  denied  {
> create } for  pid=3138 comm=wpa_supplicant name=wpa_supplicant
> scontext=system_u:system_r:NetworkManager_t:s0
> tcontext=system_u:object_r:var_run_t:s0 tclass=dir
> ----
> type=PATH msg=audit(01/31/2006 07:17:15.465:49) : item=0
> name=/var/run/wpa_supplicant/eth1 flags=follow inode=3628151 dev=fd:00
> mode=socket,755 ouid=root ogid=root rdev=00:00
> type=CWD msg=audit(01/31/2006 07:17:15.465:49) :  cwd=/
> type=SYSCALL msg=audit(01/31/2006 07:17:15.465:49) : arch=i386
> syscall=chmod success=yes exit=0 a0=8b00e68 a1=1f8 a2=8b00e68
> a3=8af7958 items=1 pid=3138 auid=unknown(4294967295) uid=root gid=root
> euid=root suid=root fsuid=root egid=root sgid=root fsgid=root
> comm=wpa_supplicant exe=/usr/sbin/wpa_supplicant
> type=AVC msg=audit(01/31/2006 07:17:15.465:49) : avc:  denied  {
> setattr } for pid=3138 comm=wpa_supplicant name=eth1 dev=dm-0
> ino=3628151 scontext=system_u:system_r:NetworkManager_t:s0
> tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
> ----
> type=AVC msg=audit(01/31/2006 07:17:15.465:50) : avc:  denied  { write
> } for  pid=3138 comm=wpa_supplicant name=wpa_ctrl_2606-1 dev=dm-0
> ino=980237 scontext=system_u:system_r:NetworkManager_t:s0
> tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file
> ----
> type=PATH msg=audit(01/31/2006 07:17:15.465:51) : item=0
> name=/tmp/wpa_ctrl_2606-1 flags=parent inode=980161 dev=fd:00
> mode=dir,sticky,777 ouid=root ogid=root rdev=00:00
> type=CWD msg=audit(01/31/2006 07:17:15.465:51) :  cwd=/
> type=SYSCALL msg=audit(01/31/2006 07:17:15.465:51) : arch=i386
> syscall=unlink success=yes exit=0 a0=810f9ae a1=1 a2=810f9a8
> a3=81084b0 items=1 pid=2615 auid=unknown(4294967295) uid=root gid=root
> euid=root suid=root fsuid=root egid=root sgid=root fsgid=root
> comm=NetworkManager exe=/usr/sbin/NetworkManager
> type=AVC msg=audit(01/31/2006 07:17:15.465:51) : avc:  denied  {
> unlink } for  pid=2615 comm=NetworkManager name=wpa_ctrl_2606-1
> dev=dm-0 ino=980237 scontext=system_u:system_r:NetworkManager_t:s0
> tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file
> type=AVC msg=audit(01/31/2006 07:17:15.465:51) : avc:  denied  {
> remove_name } for  pid=2615 comm=NetworkManager name=wpa_ctrl_2606-1
> dev=dm-0 ino=980237 scontext=system_u:system_r:NetworkManager_t:s0
> tcontext=system_u:object_r:tmp_t:s0 tclass=dir
> ----
> type=PATH msg=audit(01/31/2006 07:17:15.465:50) : item=0 flags=follow
> inode=980237 dev=fd:00 mode=socket,755 ouid=root ogid=root rdev=00:00
> type=SOCKETCALL msg=audit(01/31/2006 07:17:15.465:50) : nargs=6 a0=3
> a1=8af7150 a2=3 a3=0 a4=bfd8f0b6 a5=17
> type=SOCKADDR msg=audit(01/31/2006 07:17:15.465:50) : saddr=local
> /tmp/wpa_ctrl_2606-1
> type=SYSCALL msg=audit(01/31/2006 07:17:15.465:50) : arch=i386
> syscall=socketcall(sendto) success=yes exit=3 a0=b a1=bfd8ef80
> a2=bfd8efc4 a3=0 items=1 pid=3138 auid=unknown(4294967295) uid=root
> gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root
> comm=wpa_supplicant exe=/usr/sbin/wpa_supplicant
>
>
> --
> Tom London
>
>   
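How the quoted AVC records map onto the `allow` lines at the top of the message, as an added example that is not part of the original thread and is not the audit2allow tool itself. The function names are hypothetical; the sample is an excerpt of the records quoted above, parsed with the mail quoting and line wraps left in.

```python
import re
from collections import defaultdict

# Excerpt of the records quoted above, with the mail client's "> " and wraps.
SAMPLE = """\
> type=AVC msg=audit(01/31/2006 07:17:15.281:47) : avc:  denied  {
> sendto } for  pid=2615 comm=NetworkManager name=wpa_supplicant-global
> scontext=system_u:system_r:NetworkManager_t:s0
> tcontext=system_u:system_r:NetworkManager_t:s0
> tclass=unix_dgram_socket
> ----
> type=AVC msg=audit(01/31/2006 07:17:15.309:48) : avc:  denied  {
> create } for  pid=3138 comm=wpa_supplicant name=wpa_supplicant
> scontext=system_u:system_r:NetworkManager_t:s0
> tcontext=system_u:object_r:var_run_t:s0 tclass=dir
> ----
> type=AVC msg=audit(01/31/2006 07:17:15.465:51) : avc:  denied  {
> unlink } for  pid=2615 comm=NetworkManager name=wpa_ctrl_2606-1
> dev=dm-0 ino=980237 scontext=system_u:system_r:NetworkManager_t:s0
> tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file
> type=AVC msg=audit(01/31/2006 07:17:15.465:51) : avc:  denied  {
> remove_name } for  pid=2615 comm=NetworkManager name=wpa_ctrl_2606-1
> dev=dm-0 ino=980237 scontext=system_u:system_r:NetworkManager_t:s0
> tcontext=system_u:object_r:tmp_t:s0 tclass=dir
"""

AVC = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s.*?comm=(\S+).*?"
                 r"scontext=\w+:\w+:(\w+)\S*\s+tcontext=\w+:\w+:(\w+)\S*\s+tclass=(\w+)")

def parse_denials(text):
    """Undo quoting and wraps; return (comm, source, target, tclass, perm) tuples."""
    flat = " ".join(line.lstrip("> ").strip() for line in text.splitlines())
    hits = (AVC.search(rec) for rec in re.split(r"\btype=", flat))  # one record per type=
    return [(m[2], m[3], m[4], m[5], perm) for m in hits if m for perm in m[1].split()]

def allow_rules(denials):
    """Merge denials into one allow rule per (source type, target type, class)."""
    merged = defaultdict(set)
    for _comm, src, tgt, cls, perm in denials:
        merged[(src, "self" if tgt == src else tgt, cls)].add(perm)
    return [f"allow {s} {t}:{c} " + (p[0] if len(p) == 1 else "{ %s }" % " ".join(p)) + ";"
            for (s, t, c), p in sorted((k, sorted(v)) for k, v in merged.items())]

def comms_in_domain(denials, domain):
    """Executables (comm=) that were denied while running in the given domain."""
    return sorted({comm for comm, src, *_ in denials if src == domain})
```

`allow_rules(parse_denials(SAMPLE))` reproduces four of the rules listed at the top of the message, and `comms_in_domain` shows both NetworkManager and wpa_supplicant running as `NetworkManager_t` in these records.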



