[DSE-Dev] Bug#711083: selinux-policy-default: NetworkManager_t can't access var_run_t, returns failed to insert Dummy STA entry for the AP when trying to connect to a wifi network

Kim Twain kimtwain0 at gmail.com
Tue Jun 4 14:18:19 UTC 2013


Package: selinux-policy-default
Version: 2:2.20110726-12
Severity: normal

Dear Maintainer,
Using SELinux with the default policy on Debian 7 makes it impossible to connect to wifi networks using NetworkManager.
NetworkManager will report a similar error in dmesg:
[   56.858552] wlan0: authenticate with 74:ea:3a:e9:46:2c (try 1)
[   56.861540] wlan0: authenticated
[   56.861883] wlan0: failed to insert Dummy STA entry for the AP (error -17)
[   57.531657] wlan0: deauthenticating from 74:ea:3a:e9:46:2c by local choice (reason=2)

It seems that it needs access to /run/network/ifstate.

Excerpt from /var/log/audit/audit.log:
type=AVC msg=audit(1370353842.447:245): avc:  denied  { open } for  pid=590 comm="ifup" name="ifstate" dev=tmpfs ino=6897 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1370353842.447:246): avc:  denied  { lock } for  pid=590 comm="ifup" path="/run/network/ifstate" dev=tmpfs ino=6897 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1370353842.447:247): avc:  denied  { getattr } for  pid=590 comm="ifup" path="/run/network/ifstate" dev=tmpfs ino=6897 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1370353842.447:248): avc:  denied  { unlink } for  pid=590 comm="ifup" name="ifstate" dev=tmpfs ino=6897 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1370353843.471:249): avc:  denied  { read } for  pid=3352 comm="NetworkManager" name="ifstate" dev=tmpfs ino=14226 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1370353843.471:249): avc:  denied  { open } for  pid=3352 comm="NetworkManager" name="ifstate" dev=tmpfs ino=14226 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1370353843.471:249): arch=c000003e syscall=2 success=yes exit=19 a0=4b49b0 a1=0 a2=1b6 a3=7fff664177b0 items=0 ppid=1 pid=3352 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=system_u:system_r:NetworkManager_t:s0 key=(null)
type=AVC msg=audit(1370353843.471:250): avc:  denied  { getattr } for  pid=3352 comm="NetworkManager" path="/run/network/ifstate" dev=tmpfs ino=14226 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1370353843.471:250): arch=c000003e syscall=5 success=yes exit=0 a0=13 a1=7fff66417760 a2=7fff66417760 a3=7fff664177b0 items=0 ppid=1 pid=3352 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=system_u:system_r:NetworkManager_t:s0 key=(null)




-- System Information:
Debian Release: 7.0
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=it_IT.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages selinux-policy-default depends on:
ii  libpam-modules   1.1.3-7.1
ii  libselinux1      2.1.9-5
ii  libsepol1        2.1.4-3
ii  policycoreutils  2.1.10-9
ii  python           2.7.3-4

Versions of packages selinux-policy-default recommends:
ii  checkpolicy  2.1.8-2
ii  setools      3.3.7-3

Versions of packages selinux-policy-default suggests:
pn  logcheck        <none>
pn  syslog-summary  <none>

-- Configuration Files:
/etc/selinux/default/modules/active/file_contexts.local [Errno 13] Permesso negato: u'/etc/selinux/default/modules/active/file_contexts.local'

-- no debconf information
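
Added example (not part of the original report or of the selinux-policy package): a short Python triage script that groups AVC denials like the ones in the excerpt above by command, source type, target type and object class, so it is visible at a glance which domains were denied which permissions on the var_run_t file. The function names and the SAMPLE variable are assumptions made for this example; the sample records are copied from the excerpt, with one SYSCALL record shortened.

```python
import re
from collections import defaultdict

# Sample input: AVC records copied from the excerpt in the report above,
# plus one SYSCALL record shortened for this example.
SAMPLE = """\
type=AVC msg=audit(1370353842.447:245): avc:  denied  { open } for  pid=590 comm="ifup" name="ifstate" dev=tmpfs ino=6897 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1370353842.447:246): avc:  denied  { lock } for  pid=590 comm="ifup" path="/run/network/ifstate" dev=tmpfs ino=6897 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1370353843.471:249): avc:  denied  { read } for  pid=3352 comm="NetworkManager" name="ifstate" dev=tmpfs ino=14226 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1370353843.471:249): avc:  denied  { open } for  pid=3352 comm="NetworkManager" name="ifstate" dev=tmpfs ino=14226 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1370353843.471:249): arch=c000003e syscall=2 success=yes exit=19 comm="NetworkManager" exe="/usr/sbin/NetworkManager" subj=system_u:system_r:NetworkManager_t:s0 key=(null)
type=AVC msg=audit(1370353843.471:250): avc:  denied  { getattr } for  pid=3352 comm="NetworkManager" path="/run/network/ifstate" dev=tmpfs ino=14226 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file
"""

# Matches one AVC denial record and captures the fields needed for triage.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)


def selinux_type(context):
    """Return the type field of a user:role:type[:mls-range] context.

    The MLS range may itself contain ':' (e.g. s0-s0:c0.c1023), so the
    type is taken by position instead of from the end of the string.
    """
    return context.split(":")[2]


def summarize_denials(log_text):
    """Map (comm, source type, target type, class) to the sorted denied permissions."""
    summary = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other record types carry no permission set
        key = (m["comm"], selinux_type(m["scon"]),
               selinux_type(m["tcon"]), m["tclass"])
        summary[key].update(m["perms"].split())
    return {key: sorted(perms) for key, perms in summary.items()}


if __name__ == "__main__":
    for (comm, src, tgt, cls), perms in summarize_denials(SAMPLE).items():
        print(f"{comm}: {src} -> {tgt}:{cls} {{ {' '.join(perms)} }}")
```
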


