More changes to NetworkManager for WPA... (yea!)

Tom London selinux at gmail.com
Tue Jan 31 15:28:06 UTC 2006


Running today's rawhide, targeted/enforcing.

The new kernel and NetworkManager support WPA. It works in permissive mode, producing the AVC denials below.

Judging from those denials, the policy seems to need the following additional rules for NetworkManager_t (note that wpa_supplicant is also running in NetworkManager_t, so they apply to it as well):
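# Local policy additions for NetworkManager_t, derived from the AVC denials
# logged below while running WPA on today's rawhide in permissive mode.
#
# NOTE(review): wpa_supplicant (pid 3138, exe=/usr/sbin/wpa_supplicant) is
# logged with scontext NetworkManager_t, i.e. it has no domain of its own and
# inherits every rule granted here. A separate wpa_supplicant domain with a
# transition from NetworkManager_t would keep the two privilege sets apart.

# Both daemons exchange unix datagram messages inside the same domain
# (connect() to /var/run/wpa_supplicant-global, sendto() /tmp/wpa_ctrl_*).
allow NetworkManager_t self:unix_dgram_socket sendto;

# NetworkManager creates, writes and unlinks a reply socket named
# /tmp/wpa_ctrl_<pid>-<n> in the world-writable, sticky /tmp (mode 1777 in
# the PATH record). The post listed only remove_name/unlink; the same log also
# shows search/write/add_name on the dir and create/write on the sock_file
# being denied, so they are included here -- drop any that the current policy
# already grants. Caveat: write access to generic tmp_t is broad, and a
# predictable socket name in a shared directory is undesirable on its own; a
# dedicated type assigned via a file type transition (or moving the socket out
# of /tmp) would be the tighter fix.
allow NetworkManager_t tmp_t:dir { search write add_name remove_name };
allow NetworkManager_t tmp_t:sock_file { create write unlink };

# wpa_supplicant creates the /var/run/wpa_supplicant-global socket, mkdir()s
# /var/run/wpa_supplicant (mode 0770) and chmod()s the per-interface socket
# /var/run/wpa_supplicant/eth1. create/write on the sock_file are also denied
# in the log and were missing from the original list. Same caveat as above:
# a dedicated run-time type for these objects is preferable to generic var_run_t.
allow NetworkManager_t var_run_t:dir create;
allow NetworkManager_t var_run_t:sock_file { create write setattr };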

----
type=PATH msg=audit(01/31/2006 07:17:14.277:45) : item=0 flags=parent
inode=2777160 dev=fd:00 mode=dir,755 ouid=root ogid=root rdev=00:00
type=SOCKETCALL msg=audit(01/31/2006 07:17:14.277:45) : nargs=3 a0=3
a1=bfd8f0fe a2=6e
type=SOCKADDR msg=audit(01/31/2006 07:17:14.277:45) : saddr=local
/var/run/wpa_supplicant-global
type=SYSCALL msg=audit(01/31/2006 07:17:14.277:45) : arch=i386
syscall=socketcall(bind) success=yes exit=0 a0=2 a1=bfd8f0e0 a2=3
a3=8af7020 items=1 pid=3138 auid=unknown(4294967295) uid=root gid=root
euid=root suid=root fsuid=root egid=root sgid=root fsgid=root
comm=wpa_supplicant exe=/usr/sbin/wpa_supplicant
type=AVC msg=audit(01/31/2006 07:17:14.277:45) : avc:  denied  {
create } for  pid=3138 comm=wpa_supplicant name=wpa_supplicant-global
scontext=system_u:system_r:NetworkManager_t:s0
tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
----
type=PATH msg=audit(01/31/2006 07:17:15.281:46) : item=0 flags=parent
inode=980161 dev=fd:00 mode=dir,sticky,777 ouid=root ogid=root
rdev=00:00
type=SOCKETCALL msg=audit(01/31/2006 07:17:15.281:46) : nargs=3 a0=12
a1=810f9ac a2=6e
type=SOCKADDR msg=audit(01/31/2006 07:17:15.281:46) : saddr=local
/tmp/wpa_ctrl_2606-1
type=SYSCALL msg=audit(01/31/2006 07:17:15.281:46) : arch=i386
syscall=socketcall(bind) success=yes exit=0 a0=2 a1=b7579240 a2=1
a3=810f9a8 items=1 pid=2615 auid=unknown(4294967295) uid=root gid=root
euid=root suid=root fsuid=root egid=root sgid=root fsgid=root
comm=NetworkManager exe=/usr/sbin/NetworkManager
type=AVC msg=audit(01/31/2006 07:17:15.281:46) : avc:  denied  {
create } for  pid=2615 comm=NetworkManager name=wpa_ctrl_2606-1
scontext=system_u:system_r:NetworkManager_t:s0
tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file
type=AVC msg=audit(01/31/2006 07:17:15.281:46) : avc:  denied  {
add_name } for  pid=2615 comm=NetworkManager name=wpa_ctrl_2606-1
scontext=system_u:system_r:NetworkManager_t:s0
tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(01/31/2006 07:17:15.281:46) : avc:  denied  { write
} for  pid=2615 comm=NetworkManager name=tmp dev=dm-0 ino=980161
scontext=system_u:system_r:NetworkManager_t:s0
tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(01/31/2006 07:17:15.281:46) : avc:  denied  {
search } for  pid=2615 comm=NetworkManager name=tmp dev=dm-0
ino=980161 scontext=system_u:system_r:NetworkManager_t:s0
tcontext=system_u:object_r:tmp_t:s0 tclass=dir
----
type=PATH msg=audit(01/31/2006 07:17:15.281:47) : item=0 flags=follow
inode=2778180 dev=fd:00 mode=socket,755 ouid=root ogid=root rdev=00:00
type=SOCKETCALL msg=audit(01/31/2006 07:17:15.281:47) : nargs=3 a0=12
a1=810fa1a a2=6e
type=SOCKADDR msg=audit(01/31/2006 07:17:15.281:47) : saddr=local
/var/run/wpa_supplicant-global
type=AVC_PATH msg=audit(01/31/2006 07:17:15.281:47) : 
path=/var/run/wpa_supplicant-global
type=SYSCALL msg=audit(01/31/2006 07:17:15.281:47) : arch=i386
syscall=socketcall(connect) success=yes exit=0 a0=3 a1=b7579240 a2=1
a3=0 items=1 pid=2615 auid=unknown(4294967295) uid=root gid=root
euid=root suid=root fsuid=root egid=root sgid=root fsgid=root
comm=NetworkManager exe=/usr/sbin/NetworkManager
type=AVC msg=audit(01/31/2006 07:17:15.281:47) : avc:  denied  {
sendto } for  pid=2615 comm=NetworkManager name=wpa_supplicant-global
scontext=system_u:system_r:NetworkManager_t:s0
tcontext=system_u:system_r:NetworkManager_t:s0
tclass=unix_dgram_socket
type=AVC msg=audit(01/31/2006 07:17:15.281:47) : avc:  denied  { write
} for  pid=2615 comm=NetworkManager name=wpa_supplicant-global
dev=dm-0 ino=2778180 scontext=system_u:system_r:NetworkManager_t:s0
tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
----
type=PATH msg=audit(01/31/2006 07:17:15.309:48) : item=0
name=/var/run/wpa_supplicant flags=parent inode=2777160 dev=fd:00
mode=dir,755 ouid=root ogid=root rdev=00:00
type=CWD msg=audit(01/31/2006 07:17:15.309:48) :  cwd=/
type=SYSCALL msg=audit(01/31/2006 07:17:15.309:48) : arch=i386
syscall=mkdir success=yes exit=0 a0=8af7aa8 a1=1f8 a2=8af7958
a3=8af7958 items=1 pid=3138 auid=unknown(4294967295) uid=root gid=root
euid=root suid=root fsuid=root egid=root sgid=root fsgid=root
comm=wpa_supplicant exe=/usr/sbin/wpa_supplicant
type=AVC msg=audit(01/31/2006 07:17:15.309:48) : avc:  denied  {
create } for  pid=3138 comm=wpa_supplicant name=wpa_supplicant
scontext=system_u:system_r:NetworkManager_t:s0
tcontext=system_u:object_r:var_run_t:s0 tclass=dir
----
type=PATH msg=audit(01/31/2006 07:17:15.465:49) : item=0
name=/var/run/wpa_supplicant/eth1 flags=follow inode=3628151 dev=fd:00
mode=socket,755 ouid=root ogid=root rdev=00:00
type=CWD msg=audit(01/31/2006 07:17:15.465:49) :  cwd=/
type=SYSCALL msg=audit(01/31/2006 07:17:15.465:49) : arch=i386
syscall=chmod success=yes exit=0 a0=8b00e68 a1=1f8 a2=8b00e68
a3=8af7958 items=1 pid=3138 auid=unknown(4294967295) uid=root gid=root
euid=root suid=root fsuid=root egid=root sgid=root fsgid=root
comm=wpa_supplicant exe=/usr/sbin/wpa_supplicant
type=AVC msg=audit(01/31/2006 07:17:15.465:49) : avc:  denied  {
setattr } for pid=3138 comm=wpa_supplicant name=eth1 dev=dm-0
ino=3628151 scontext=system_u:system_r:NetworkManager_t:s0
tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
----
type=AVC msg=audit(01/31/2006 07:17:15.465:50) : avc:  denied  { write
} for  pid=3138 comm=wpa_supplicant name=wpa_ctrl_2606-1 dev=dm-0
ino=980237 scontext=system_u:system_r:NetworkManager_t:s0
tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file
----
type=PATH msg=audit(01/31/2006 07:17:15.465:51) : item=0
name=/tmp/wpa_ctrl_2606-1 flags=parent inode=980161 dev=fd:00
mode=dir,sticky,777 ouid=root ogid=root rdev=00:00
type=CWD msg=audit(01/31/2006 07:17:15.465:51) :  cwd=/
type=SYSCALL msg=audit(01/31/2006 07:17:15.465:51) : arch=i386
syscall=unlink success=yes exit=0 a0=810f9ae a1=1 a2=810f9a8
a3=81084b0 items=1 pid=2615 auid=unknown(4294967295) uid=root gid=root
euid=root suid=root fsuid=root egid=root sgid=root fsgid=root
comm=NetworkManager exe=/usr/sbin/NetworkManager
type=AVC msg=audit(01/31/2006 07:17:15.465:51) : avc:  denied  {
unlink } for  pid=2615 comm=NetworkManager name=wpa_ctrl_2606-1
dev=dm-0 ino=980237 scontext=system_u:system_r:NetworkManager_t:s0
tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file
type=AVC msg=audit(01/31/2006 07:17:15.465:51) : avc:  denied  {
remove_name } for  pid=2615 comm=NetworkManager name=wpa_ctrl_2606-1
dev=dm-0 ino=980237 scontext=system_u:system_r:NetworkManager_t:s0
tcontext=system_u:object_r:tmp_t:s0 tclass=dir
----
type=PATH msg=audit(01/31/2006 07:17:15.465:50) : item=0 flags=follow
inode=980237 dev=fd:00 mode=socket,755 ouid=root ogid=root rdev=00:00
type=SOCKETCALL msg=audit(01/31/2006 07:17:15.465:50) : nargs=6 a0=3
a1=8af7150 a2=3 a3=0 a4=bfd8f0b6 a5=17
type=SOCKADDR msg=audit(01/31/2006 07:17:15.465:50) : saddr=local
/tmp/wpa_ctrl_2606-1
type=SYSCALL msg=audit(01/31/2006 07:17:15.465:50) : arch=i386
syscall=socketcall(sendto) success=yes exit=3 a0=b a1=bfd8ef80
a2=bfd8efc4 a3=0 items=1 pid=3138 auid=unknown(4294967295) uid=root
gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root
comm=wpa_supplicant exe=/usr/sbin/wpa_supplicant


--
Tom London



