Bug 466332 - wpa_supplicant can't connect with strict -9999 policies
Status: RESOLVED NEEDINFO
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: SELinux
Hardware: All Linux
Importance: Normal normal
Assignee: SE Linux Bugs
Reported: 2013-04-18 08:41 UTC by Amadeusz Sławiński
Modified: 2013-06-22 18:56 UTC

Description Amadeusz Sławiński 2013-04-18 08:41:15 UTC
After running /etc/init.d/wpa_supplicant restart I can't use my university network

Enforcing:
Apr 18 10:29:51 localhost kernel: [  611.128735] type=1400 audit(1366273791.343:49): avc:  denied  { create } for  pid=4092 comm="crda" scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t tclass=netlink_socket
Apr 18 10:29:51 localhost kernel: [  611.159073] type=1400 audit(1366273791.373:50): avc:  denied  { search } for  pid=4101 comm="cgroup-release-" name="/" dev="tmpfs" ino=5307 scontext=system_u:system_r:openrc_cgroup_release_t tcontext=system_u:object_r:tmpfs_t tclass=dir

Permissive:
Apr 18 10:30:03 localhost kernel: [  623.359388] type=1400 audit(1366273803.598:52): avc:  denied  { read } for  pid=4193 comm="rc" name="softlevel" dev="tmpfs" ino=5259 scontext=staff_u:sysadm_r:run_init_t tcontext=system_u:object_r:initrc_state_t tclass=file
Apr 18 10:30:03 localhost kernel: [  623.359417] type=1400 audit(1366273803.598:53): avc:  denied  { open } for  pid=4193 comm="rc" path="/run/openrc/softlevel" dev="tmpfs" ino=5259 scontext=staff_u:sysadm_r:run_init_t tcontext=system_u:object_r:initrc_state_t tclass=file
Apr 18 10:30:03 localhost kernel: [  623.359445] type=1400 audit(1366273803.598:54): avc:  denied  { getattr } for  pid=4193 comm="rc" path="/run/openrc/softlevel" dev="tmpfs" ino=5259 scontext=staff_u:sysadm_r:run_init_t tcontext=system_u:object_r:initrc_state_t tclass=file
Apr 18 10:30:06 localhost kernel: [  626.588277] type=1400 audit(1366273806.833:55): avc:  denied  { create } for  pid=4217 comm="crda" scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t tclass=netlink_socket
Apr 18 10:30:06 localhost kernel: [  626.588303] type=1400 audit(1366273806.833:56): avc:  denied  { setopt } for  pid=4217 comm="crda" scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t tclass=netlink_socket
Apr 18 10:30:06 localhost kernel: [  626.588320] type=1400 audit(1366273806.833:57): avc:  denied  { bind } for  pid=4217 comm="crda" scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t tclass=netlink_socket
Apr 18 10:30:06 localhost kernel: [  626.588332] type=1400 audit(1366273806.833:58): avc:  denied  { getattr } for  pid=4217 comm="crda" scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t tclass=netlink_socket
Apr 18 10:30:06 localhost kernel: [  626.588358] type=1400 audit(1366273806.833:59): avc:  denied  { write } for  pid=4217 comm="crda" scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t tclass=netlink_socket
Apr 18 10:30:06 localhost kernel: [  626.588419] type=1400 audit(1366273806.833:60): avc:  denied  { read } for  pid=4217 comm="crda" scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t tclass=netlink_socket



Same stuff but from dmesg (including kernel messages):

[  611.119700] wlan0: deauthenticating from 00:0b:86:4e:cf:e4 by local choice (reason=3)
[  611.124659] cfg80211: Calling CRDA to update world regulatory domain
[  611.128735] type=1400 audit(1366273791.343:49): avc:  denied  { create } for  pid=4092 comm="crda" scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t tclass=netlink_socket
[  611.159073] type=1400 audit(1366273791.373:50): avc:  denied  { search } for  pid=4101 comm="cgroup-release-" name="/" dev="tmpfs" ino=5307 scontext=system_u:system_r:openrc_cgroup_release_t tcontext=system_u:object_r:tmpfs_t tclass=dir
[  612.312103] wlan0: authenticate with 00:1a:1e:9b:99:44
[  612.324580] wlan0: send auth to 00:1a:1e:9b:99:44 (try 1/3)
[  612.326629] wlan0: authenticated
[  612.326664] ath9k 0000:06:00.0 wlan0: disabling HT as WMM/QoS is not supported by the AP
[  612.326672] ath9k 0000:06:00.0 wlan0: disabling VHT as WMM/QoS is not supported by the AP
[  612.327041] wlan0: associate with 00:1a:1e:9b:99:44 (try 1/3)
[  612.333898] wlan0: RX AssocResp from 00:1a:1e:9b:99:44 (capab=0x421 status=0 aid=1)
[  612.334064] wlan0: associated

Switch to permissive:

[  621.192799] type=1404 audit(1366273801.427:51): enforcing=0 old_enforcing=1 auid=1000 ses=1
[  623.359388] type=1400 audit(1366273803.598:52): avc:  denied  { read } for  pid=4193 comm="rc" name="softlevel" dev="tmpfs" ino=5259 scontext=staff_u:sysadm_r:run_init_t tcontext=system_u:object_r:initrc_state_t tclass=file
[  623.359417] type=1400 audit(1366273803.598:53): avc:  denied  { open } for  pid=4193 comm="rc" path="/run/openrc/softlevel" dev="tmpfs" ino=5259 scontext=staff_u:sysadm_r:run_init_t tcontext=system_u:object_r:initrc_state_t tclass=file
[  623.359445] type=1400 audit(1366273803.598:54): avc:  denied  { getattr } for  pid=4193 comm="rc" path="/run/openrc/softlevel" dev="tmpfs" ino=5259 scontext=staff_u:sysadm_r:run_init_t tcontext=system_u:object_r:initrc_state_t tclass=file
[  626.576788] wlan0: deauthenticating from 00:1a:1e:9b:99:44 by local choice (reason=3)
[  626.584015] cfg80211: Calling CRDA to update world regulatory domain
[  626.588277] type=1400 audit(1366273806.833:55): avc:  denied  { create } for  pid=4217 comm="crda" scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t tclass=netlink_socket
[  626.588303] type=1400 audit(1366273806.833:56): avc:  denied  { setopt } for  pid=4217 comm="crda" scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t tclass=netlink_socket
[  626.588320] type=1400 audit(1366273806.833:57): avc:  denied  { bind } for  pid=4217 comm="crda" scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t tclass=netlink_socket
[  626.588332] type=1400 audit(1366273806.833:58): avc:  denied  { getattr } for  pid=4217 comm="crda" scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t tclass=netlink_socket
[  626.588358] type=1400 audit(1366273806.833:59): avc:  denied  { write } for  pid=4217 comm="crda" scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t tclass=netlink_socket
[  626.588419] type=1400 audit(1366273806.833:60): avc:  denied  { read } for  pid=4217 comm="crda" scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t tclass=netlink_socket
[  626.589509] cfg80211: World regulatory domain updated:
[  626.589517] cfg80211:   (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp)
[  626.589525] cfg80211:   (2402000 KHz - 2472000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
[  626.589531] cfg80211:   (2457000 KHz - 2482000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
[  626.589534] cfg80211:   (2474000 KHz - 2494000 KHz @ 20000 KHz), (300 mBi, 2000 mBm)
[  626.589537] cfg80211:   (5170000 KHz - 5250000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
[  626.589539] cfg80211:   (5735000 KHz - 5835000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
[  627.764557] wlan0: authenticate with 00:1a:1e:9b:99:44
[  627.770170] wlan0: send auth to 00:1a:1e:9b:99:44 (try 1/3)
[  627.774523] wlan0: authenticated
[  627.774548] ath9k 0000:06:00.0 wlan0: disabling HT as WMM/QoS is not supported by the AP
[  627.774552] ath9k 0000:06:00.0 wlan0: disabling VHT as WMM/QoS is not supported by the AP
[  627.775446] wlan0: associate with 00:1a:1e:9b:99:44 (try 1/3)
[  627.805162] wlan0: RX AssocResp from 00:1a:1e:9b:99:44 (capab=0x421 status=0 aid=1)
[  627.805251] wlan0: associated


Reproducible: Always
Comment 1 Sven Vermeulen (RETIRED) gentoo-dev 2013-05-11 16:33:12 UTC
Looks like crda is a different application, might need its own policy? Or at least be run as part of a different domain than udev_t...

Care to try and build a policy around it, or run it within NetworkManager_t?
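
Added example, not part of the bug report: a short Python summary of the AVC denials quoted above, grouped by command, source type, target type and class. It shows that the enforcing log records only crda's first denied netlink_socket operation, while the permissive log lists the full set a policy for crda would have to cover. The log lines are copied from the report with the syslog prefix trimmed; the function names are this example's own.

```python
import re
from collections import defaultdict

# AVC lines copied from the bug report above (syslog prefix trimmed).
ENFORCING = '''
type=1400 audit(1366273791.343:49): avc:  denied  { create } for  pid=4092 comm="crda" scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t tclass=netlink_socket
'''
PERMISSIVE = '''
type=1400 audit(1366273803.598:53): avc:  denied  { open } for  pid=4193 comm="rc" path="/run/openrc/softlevel" dev="tmpfs" ino=5259 scontext=staff_u:sysadm_r:run_init_t tcontext=system_u:object_r:initrc_state_t tclass=file
type=1400 audit(1366273806.833:55): avc:  denied  { create } for  pid=4217 comm="crda" scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t tclass=netlink_socket
type=1400 audit(1366273806.833:56): avc:  denied  { setopt } for  pid=4217 comm="crda" scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t tclass=netlink_socket
type=1400 audit(1366273806.833:57): avc:  denied  { bind } for  pid=4217 comm="crda" scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t tclass=netlink_socket
type=1400 audit(1366273806.833:58): avc:  denied  { getattr } for  pid=4217 comm="crda" scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t tclass=netlink_socket
type=1400 audit(1366273806.833:59): avc:  denied  { write } for  pid=4217 comm="crda" scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t tclass=netlink_socket
type=1400 audit(1366273806.833:60): avc:  denied  { read } for  pid=4217 comm="crda" scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t tclass=netlink_socket
'''

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?comm="(?P<comm>[^"]+)"'
    r'.*?scontext=(?P<src>\S+)\s+tcontext=(?P<tgt>\S+)\s+tclass=(?P<cls>\S+)')

def se_type(context):
    """Extract the type field from user:role:type[:mls-range]."""
    return context.split(":")[2]

def summarize(log):
    """Group denied permissions by (comm, source type, target type, class)."""
    out = defaultdict(set)
    for m in AVC_RE.finditer(log):
        src, tgt = se_type(m["src"]), se_type(m["tgt"])
        if src == tgt:
            tgt = "self"  # a domain acting on its own objects
        out[(m["comm"], src, tgt, m["cls"])].update(m["perms"].split())
    return dict(out)

def masked_by_enforcing(enforcing_log, permissive_log):
    """Permissions that surface only in permissive mode, per access-vector key."""
    enf, perm = summarize(enforcing_log), summarize(permissive_log)
    diff = {k: v - enf.get(k, set()) for k, v in perm.items()}
    return {k: v for k, v in diff.items() if v}

if __name__ == "__main__":
    for key, perms in sorted(masked_by_enforcing(ENFORCING, PERMISSIVE).items()):
        print(key, sorted(perms))
```
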