kismet - DBUS AVCs

Dominick Grift domg472 at gmail.com
Sun Jul 5 19:16:12 UTC 2009


On Sun, 2009-07-05 at 20:59 +0200, Christoph A. wrote:
> >> make -f /usr/share/selinux/devel/Makefile mykismet.pp
> >>> sudo semodule -i mykismet.pp
> 
> the module was loaded successfully:
> 
> semodule -l|grep myk
> mykismet	0.0.1
> 
> 
> > By the way you might need to give it even more permissions. The DBUS
> > daemon object manager logs a lot of stuff to /var/log/messages instead
> > of /var/log/audit/audit.log.
> >
> > I could for example imagine kismet wanting to send dbus msgs to
> > network-manager or both dbus chatting to each other.
> 
> you are right:
> type=USER_AVC msg=audit(1246817621.469:1260): user pid=1652 uid=81 
> auid=4294967295 ses=4294967295 
> subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied 
> { send_msg } for msgtype=signal interface=org.freedesktop.NetworkManager 
> member=sleep dest=org.freedesktop.NetworkManager spid=18051 tpid=1850 
> scontext=unconfined_u:unconfined_r:kismet_t:s0-s0:c0.c1023 
> tcontext=system_u:system_r:NetworkManager_t:s0 tclass=dbus : 
> exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
> 
> starting kismet in enforcing mode gives me:
> NOTICE: configdir '/root/' does not exist, making it.
> FATAL:  Could not make configdir: File exists
> 
> Before adding more homemade rules:
> I'm wondering if all other kismet users are turning off SELinux or if I 
> have a special setup where the default rules of the kismet 1.2.0 module 
> do not work?
> Also because Dan mentioned [1] that he will add dbus rules to solve 
> these denies.
> The only thing that is non-standard in my config is the logtemplate 
> configuration (see kismet.conf).
> 
> [1] 
> http://www.linux-archive.org/fedora-selinux-support/195736-further-selinux-kismet.html

Well a few things to consider here:

- not all wifi hardware works with kismet (mine doesn't)
- in rhel it would run unconfined
- fedora is a development platform and many devs run selinux in
permissive mode unfortunately (they focus on developing and care less
about security)


Obviously there are still bugs in your kismet policy: consider reporting
to bugzilla.redhat.com/selinux-policy

A fix for the above issue would be:

networkmanager_dbus_chat(kismet_t)

You would add that to your mykismet.te file and rebuild/reinstall the
mykismet.pp

However it may be that the above interface call is a bit too coarse
since it allows two way chatting and the above denial only reports that
kismet wants to send_msg to network-manager.

So in that case a new interface should be added to networkmanager.if:

networkmanager_send_dbus_msg()


> thanks
> Christoph
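
The one-way alternative discussed in the message above, written as an added example; it is not part of the original post or of the reference policy. The interface name mykismet_networkmanager_send_dbus_msg and the local mykismet.if file are hypothetical stand-ins for the proposed networkmanager_send_dbus_msg(), assuming the module is built with the devel Makefile from the directory holding both files.

```selinux
# ---- mykismet.if (hypothetical local interface file) ----

## <summary>
##	Send D-Bus messages to NetworkManager, one direction only.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to send.
##	</summary>
## </param>
interface(`mykismet_networkmanager_send_dbus_msg',`
	gen_require(`
		type NetworkManager_t;
		class dbus send_msg;
	')

	# Caller -> NetworkManager only. There is deliberately no
	# "allow NetworkManager_t $1:dbus send_msg;" rule, so this grants
	# less than the two-way networkmanager_dbus_chat().
	allow $1 NetworkManager_t:dbus send_msg;
')

# ---- mykismet.te ----

policy_module(mykismet, 0.0.1)

gen_require(`
	type kismet_t;
')

# Covers the USER_AVC quoted above:
#   scontext=...:kismet_t  tcontext=...:NetworkManager_t
#   tclass=dbus { send_msg } msgtype=signal
mykismet_networkmanager_send_dbus_msg(kismet_t)
```

If a later USER_AVC shows NetworkManager_t as the source and kismet_t as the target, the reverse direction is needed as well and networkmanager_dbus_chat(kismet_t) is the matching call.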