kismet - DBUS AVCs
Dominick Grift
domg472 at gmail.com
Sun Jul 5 19:16:12 UTC 2009
On Sun, 2009-07-05 at 20:59 +0200, Christoph A. wrote:
> >> make -f /usr/share/selinux/devel/Makefile mykismet.pp
> >>> sudo semodule -i mykismet.po
>
> the module was loaded successfully:
>
> semodule -l|grep myk
> mykismet 0.0.1
>
>
> > By the way you might need to give it even more permissions. The DBUS
> > daemon object manager logs a lot of stuff to /var/log/messages instead
> > of /var/log/audit/audit.log.
> >
> > I could for example imagine kismet wanting to send dbus msgs to
> > network-manager or both dbus chatting to each other.
>
> you are right:
> type=USER_AVC msg=audit(1246817621.469:1260): user pid=1652 uid=81
> auid=4294967295 ses=4294967295
> subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied
> { send_msg } for msgtype=signal interface=org.freedesktop.NetworkManager
> member=sleep dest=org.freedesktop.NetworkManager spid=18051 tpid=1850
> scontext=unconfined_u:unconfined_r:kismet_t:s0-s0:c0.c1023
> tcontext=system_u:system_r:NetworkManager_t:s0 tclass=dbus :
> exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
>
> starting kismet in enforcing mode gives me:
> NOTICE: configdir '/root/' does not exist, making it.
> FATAL: Could not make configdir: File exists
>
> Before adding more homemade rules:
> I'm wondering if all other kismet users are turning off SELinux or if I
> have a special setup where the default rules of the kismet 1.2.0 module
> do not work?
> Also because Dan mentioned [1] that he will add dbus rules to solve
> these denies.
> The only thing that is non-standard in my config is the logtemplate
> configuration (see kismet.conf).
>
> [1]
> http://www.linux-archive.org/fedora-selinux-support/195736-further-selinux-kismet.html
Well a few things to consider here:

- not all wifi hardware works with kismet (mine doesn't)
- in rhel it would run unconfined
- fedora is a development platform and many devs run selinux in
  permissive mode unfortunately (they focus on developing and care less
  about security)

Obviously there are still bugs in your kismet policy: consider reporting
to bugzilla.redhat.com/selinux-policy

A fix for the above issue would be:

networkmanager_dbus_chat(kismet_t)

You would add that to your mykismet.te file and rebuild/reinstall the
mykismet.pp

However it may be that the above interface call is a bit too coarse
since it allows two way chatting and the above denial only reports that
kismet wants to send_msg to network-manager.

So in that case a new interface should be added to networkmanager.if:

networkmanager_send_dbus_msg()

> thanks
> Christoph
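
Added example (not part of the original message or of selinux-policy): a Python sketch that parses the USER_AVC record quoted in the thread and emits the narrowest allow rule, marking a source/target pair as two-way only when denials were logged in both directions, which is the case where a *_dbus_chat interface rather than a send-only rule matches the evidence. The function names are hypothetical and SAMPLE_LOG is the quoted record joined onto one line.

```python
import re
from collections import defaultdict

# Constructed sample: the USER_AVC record quoted in the thread, joined onto one line.
SAMPLE_LOG = (
    "type=USER_AVC msg=audit(1246817621.469:1260): user pid=1652 uid=81 "
    "auid=4294967295 ses=4294967295 "
    "subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied "
    "{ send_msg } for msgtype=signal interface=org.freedesktop.NetworkManager "
    "member=sleep dest=org.freedesktop.NetworkManager spid=18051 tpid=1850 "
    "scontext=unconfined_u:unconfined_r:kismet_t:s0-s0:c0.c1023 "
    "tcontext=system_u:system_r:NetworkManager_t:s0 tclass=dbus : "
    "exe=\"/bin/dbus-daemon\" (sauid=81, hostname=?, addr=?, terminal=?)'\n"
)

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\w+)"
)

def selinux_type(context):
    # A context is user:role:type[:mls range]; the type is the third field.
    return context.split(":")[2]

def dbus_denials(log_text):
    """Return {(source_type, target_type): set(perms)} for tclass=dbus denials."""
    denied = defaultdict(set)
    for line in log_text.splitlines():
        if "type=USER_AVC" not in line:
            continue
        m = AVC_RE.search(line)
        if m and m.group("cls") == "dbus":
            key = (selinux_type(m.group("s")), selinux_type(m.group("t")))
            denied[key].update(m.group("perms").split())
    return dict(denied)

def minimal_rules(log_text):
    """One allow rule per denied direction, plus a flag for pairs denied both ways."""
    denied = dbus_denials(log_text)
    rules = []
    for (src, tgt), perms in sorted(denied.items()):
        rule = "allow %s %s:dbus { %s };" % (src, tgt, " ".join(sorted(perms)))
        two_way = (tgt, src) in denied  # only then is two-way chat supported by the log
        rules.append((rule, two_way))
    return rules

if __name__ == "__main__":
    for rule, two_way in minimal_rules(SAMPLE_LOG):
        print(rule, "# two-way chat observed" if two_way else "# one-way only")
```

For the record in this thread the output is a single send-only rule from kismet_t to NetworkManager_t, with no denial logged in the reverse direction.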