LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 05-11-2010, 02:34 PM   #1
spoovy
Member
 
Registered: Feb 2010
Location: London, UK
Distribution: Slackware 14; CentOS; Vyatta
Posts: 372

CentOS 5 - SELinux denial of wicd/wpa_supplicant


I am trying to use CentOS 5.4 to set up a secure laptop, largely because of its SELinux functionality.

Unfortunately I couldn't get wireless to work properly using the default NetworkManager so I installed wicd. Initially it buggered up my whole installation, but after relabelling files using SEL I can now use my system again. But...

I can't use it with SELinux enabled, as it denies the required accesses for wicd to work. I also get similar SELinux denials for wpa_supplicant.

A couple of snippets from /var/log/audit/audit.log -

Code:
type=AVC msg=audit(1273601445.762:23): avc: denied { append } for pid=3666 comm="consoletype" path="/var/log/wicd/wicd.log" dev=sda1 ino=65919 scontext=system_u:system_r:consoletype_t:s0 tcontext=root:object_r:var_log_t:s0 tclass=file

type=AVC msg=audit(1273601451.746:24): avc: denied { read } for pid=3736 comm="wpa_supplicant" name="00173f1990b0" dev=sda1 ino=65985 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file

type=AVC msg=audit(1273601512.002:26): avc: denied { read } for pid=3871 comm="consoletype" path="pipe:[23096]" dev=pipefs ino=23096 scontext=system_u:system_r:consoletype_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=fifo_file


Any help gratefully accepted. I have read through the obvious wiki pages etc., but SEL really is a bit beyond me; I can't work out where to start!

Thanks in advance

spoov
 
Old 05-11-2010, 05:48 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,451
Blog Entries: 54

If you "do the default thing" and run your AVCs through audit2allow, what rules do you get? If you (temporarily) install them in a module and load it, does that work for you?
 
Old 05-12-2010, 03:19 PM   #3
spoovy
Member
 
Original Poster
Thanks for the reply, unSpawn. How would I do that?

I have looked around for how-tos on audit2allow, but again it is pretty complicated and a lot of the 'tutorials' are, I suspect, out of date. One recommends running 'audit2allow -w -a', but when I try that I get an error.

regards

spoov
 
Old 05-12-2010, 05:29 PM   #4
unSpawn
Moderator
 
Basically 'audit2allow</var/log/audit/audit.log' should show. [1|2] To gen a local policy you could:
Code:
( cat /var/log/audit/audit.log; cat /var/log/messages ) |\
 audit2allow -M localpolicy                            # writes localpolicy.te and localpolicy.pp
checkmodule -M -m -o localpolicy.mod localpolicy.te   # recompile only if you edited the .te
semodule_package -o localpolicy.pp -m localpolicy.mod
semodule -i localpolicy.pp                            # load into the running policy
 
Old 05-13-2010, 02:40 PM   #5
spoovy
Member
 
Original Poster
Cheers. I got this sorted in the end after I found a good article in Linux Format magazine. All I did was set SEL to permissive and reboot. Then in a root shell type -

Code:
audit2allow -l -a -M selwicd   # -l: denials since the last policy reload, -a: read audit.log, -M: build selwicd.te/.pp

then load the policy. I had seen variations on this theme in lots of articles but never this simple! And this worked!
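As an added worked example (editor's code, not from this thread and not the audit2allow project's own code): the core of what `audit2allow -M` does with AVC records like the ones in post #1, reimplemented in Python so you can see how a denial line turns into an `allow` rule and read the generated .te before running `semodule -i`. The sample log is the three records posted above plus one extra constructed denial (so that permissions aggregate on one rule); the "generic target type" check is the editor's own review heuristic, not a feature of audit2allow.

```python
"""Minimal re-implementation of audit2allow's rule generation, for review.

Parse AVC records, aggregate permissions by (source type, target type,
class), emit a Type Enforcement module, and flag rules worth a second look.
"""
import re
from collections import defaultdict

# Constructed sample: the three AVC records from the thread plus one extra
# denial on the same log file so aggregation of permissions is visible.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1273601445.762:23): avc: denied { append } for pid=3666 comm="consoletype" path="/var/log/wicd/wicd.log" dev=sda1 ino=65919 scontext=system_u:system_r:consoletype_t:s0 tcontext=root:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1273601451.746:24): avc: denied { read } for pid=3736 comm="wpa_supplicant" name="00173f1990b0" dev=sda1 ino=65985 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1273601512.002:26): avc: denied { read } for pid=3871 comm="consoletype" path="pipe:[23096]" dev=pipefs ino=23096 scontext=system_u:system_r:consoletype_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=fifo_file
type=AVC msg=audit(1273601445.763:27): avc: denied { write } for pid=3666 comm="consoletype" path="/var/log/wicd/wicd.log" dev=sda1 ino=65919 scontext=system_u:system_r:consoletype_t:s0 tcontext=root:object_r:var_log_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def type_of(context):
    """user:role:type[:level] -> type (the part policy rules are written in)."""
    return context.split(':')[2]

def parse_avcs(text):
    """Return {(source_type, target_type, tclass): set(permissions)}."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC record (or a malformed one); skip it
        key = (type_of(m['scontext']), type_of(m['tcontext']), m['tclass'])
        rules[key].update(m['perms'].split())
    return dict(rules)

# Editor's heuristic (assumption, not an audit2allow feature): a denial whose
# target is a generic container type usually means the file is mislabelled;
# giving it its own type (semanage fcontext + restorecon) is narrower than
# allowing the domain access to every file of that generic type.
GENERIC_TARGET_TYPES = {"var_log_t", "var_lib_t", "var_t", "etc_t", "tmp_t", "usr_t"}

def review(rules):
    """Return warnings for rules a reviewer should question before loading."""
    warnings = []
    for (stype, ttype, tclass), _perms in sorted(rules.items()):
        if ttype in GENERIC_TARGET_TYPES:
            warnings.append(f"{stype} -> {ttype}:{tclass}: target is a generic type; "
                            "consider relabelling the object instead of allowing")
    return warnings

def render_te(rules, module="localpolicy", version="1.0"):
    """Emit a .te module in the same shape audit2allow -M produces."""
    types, classes = set(), defaultdict(set)
    for (stype, ttype, tclass), perms in rules.items():
        types.update((stype, ttype))
        classes[tclass].update(perms)
    lines = [f"module {module} {version};", "", "require {"]
    lines += [f"\ttype {t};" for t in sorted(types)]
    lines += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    lines += ["}", ""]
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        p = ' '.join(sorted(perms))
        lines.append(f"allow {stype} {ttype}:{tclass} {p if len(perms) == 1 else '{ ' + p + ' }'};")
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    rules = parse_avcs(SAMPLE_AUDIT_LOG)
    print(render_te(rules, "selwicd"))
    for w in review(rules):
        print("#", w)
```

Run against the sample it prints a `selwicd` module with `allow consoletype_t var_log_t:file { append write };` and two warnings, because both file denials target generic types. That is exactly the trade-off audit2allow leaves to you: the rule it emits grants `consoletype_t` write access to everything labelled `var_log_t`, whereas a file context giving `/var/log/wicd(/.*)?` its own type would confine the grant to that log. The real `audit2allow -M name` already runs `checkmodule` and `semodule_package` itself and leaves `name.pp` ready for `semodule -i`.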
 
  

