LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (http://www.linuxquestions.org/questions/linux-security-4/)
-   -   CentOS 5 - SELinux denial of wicd/wpa_supplicant (http://www.linuxquestions.org/questions/linux-security-4/centos-5-selinux-denial-of-wicd-wpa_supplicant-807208/)

spoovy 05-11-2010 03:34 PM

CentOS 5 - SELinux denial of wicd/wpa_supplicant
 
I am trying to use CentOS 5.4 to set up a secure laptop, largely because of it's SELinux functionality.

Unfortunately I couldn't get wireless to work properly using the default NetworkManager so I installed wicd. Initially it buggered up my whole installation but after relabelling files using SEL I can now use my system again. but..

I can't use it with SELinux enabled, as it denies the required accesses for wicd to work. I also get similar SELinux denials for wpa_supplicant.

A couple of snippets from /var/log/audit/audit.log -

type=AVC msg=audit(1273601445.762:23): avc: denied { append } for pid=3666 comm="consoletype" path="/var/log/wicd/wicd.log" dev=sda1 ino=65919 scontext=system_u:system_r:consoletype_t:s0 tcontext=root:object_r:var_log_t:s0 tclass=file

type=AVC msg=audit(1273601451.746:24): avc: denied { read } for pid=3736 comm="wpa_supplicant" name="00173f1990b0" dev=sda1 ino=65985 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file

type=AVC msg=audit(1273601512.002:26): avc: denied { read } for pid=3871 comm="consoletype" path="pipe:[23096]" dev=pipefs ino=23096 scontext=system_u:system_r:consoletype_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=fifo_file


Any help gratefully accepted. I have read through the obvious wiki pages etc but SEL really is a bit beyond me, I can't work out where to start!

Thanks in advance

spoov

unSpawn 05-11-2010 06:48 PM

If you "do the default thing" and run your AVCs through audit2allow, what rules do you get? If you (temporarily) install them in a module and load it, does that work for you?

spoovy 05-12-2010 04:19 PM

thanks for the reply unspawn. How would I do that?

I have looked around for howtos on audit2allow but again it is pretty complicated and alot of the 'tutorials' are I suspect out of date. One recommends running 'audit2allow -w -a' but when I try that I get an error.

regards

spoov

unSpawn 05-12-2010 06:29 PM

Basically 'audit2allow</var/log/audit/audit.log' should show. [1|2] To gen a local policy you could:
Code:

( cat /var/log/audit/audit.log; cat /var/log/messages ) |\
 audit2allow -M localpolicy; checkmodule -M -m -o localpolicy.mod localpolicy.te
semodule_package -o localpolicy.pp -m localpolicy.mod; semodule -i localpolicy.pp


spoovy 05-13-2010 03:40 PM

Cheers. I got this sorted in the end after I found a good article in Linux Format magazine. All I did was set SEL to permissive, reboot. Then in root shell type -

audit2allow -l -a -M selwicd

then load the policy. I had seen variations on this theme in lots of articles but never this simple! And this worked!


All times are GMT -5. The time now is 03:54 PM.