LinuxQuestions.org
Old 05-02-2008, 03:05 PM   #1
vprice
LQ Newbie
 
Registered: Apr 2008
Posts: 9

Rep: Reputation: 0
SELinux AVC denial: Wireless drops instantly or never connects


I installed FC 8 a few days ago on Dell D410 and ran into problems with wireless. Looks like wireless either connects to a public non-encrypted network and instantly drops the connection or never establishes one. I get a constant message on top of the screen "SELinux AVC denial, click icon to view". When I click the icon, the summary of the problem is "SELinux is preventing ifdown-ipv6 (hotplug_t) "search" to ./net (proc_net_t)." It recommends running restorecon -v './net' but when I do, restorecon complains of "No such file or directory" ("find" turns up a bunch of different "net" directories all over the file system. "man restorecon" doesn't really help).

I found a weird workaround though: if I turn off netplugd, followed by "ifdown eth1; ifup eth1" (as root) "SELinux AVC denial" messages stop and wireless network connection works fine. But then I have to manually restart network connection every time. How do I get my wireless to work normally? It's using Intel 2200BG on-board wireless (Controlled by: Network Manager, DHCP, Automatically obtain DNS from provider, Mode: auto, SSID: auto, Transmit rate: auto, Key: [blank])
 
Old 05-02-2008, 07:25 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,679
Blog Entries: 54

Rep: Reputation: 2954
If you look in /var/log/messages you'll find 'sealert -l' messages which might hold an explanation. If you don't care for explanations you could probably 'audit2allow < /var/log/messages' and build a local policy from that. Since you use Fedora it would be good to check their bugtracker and see if you could help Fedora advance by posting SELinux policy notes.
 
Old 05-03-2008, 10:54 AM   #3
vprice
LQ Newbie
 
Registered: Apr 2008
Posts: 9

Original Poster
Rep: Reputation: 0
Thanks, unSpawn.
I pulled the offending messages from /var/log/messages, to the best of my ability followed instructions to build a local policy into kernel, rebooted the machine, but the problem did not go away. SELinux denials still pop up.
 
Old 05-03-2008, 12:05 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,679
Blog Entries: 54

Rep: Reputation: 2954
OK.
- What instructions did you follow or what commands did you use to build your local policy file?
- Can you verify the output from 'grep "avc:.*denied" /var/log/messages|audit2allow' matches your local policy source file (the plaintext file with the .te extension)?
- Can you verify your local policy module is loaded with 'semodule -l'?
- If the local policy is loaded, do the Sealert alerts still point to the same warnings you already loaded rules for?
- How many unique alerts are we talking about anyway 'awk '/sealert -l/ {print $NF}' /var/log/messages |uniq|wc -l'?
- And what are the warnings? (Only if less than 10, else please upload "/tmp/sealerts.expl" to some free hosting provider or pastebin and post the URI here: 'awk '/sealert -l/ {print $NF}' /var/log/messages |uniq|while read ID; do sealert -l $ID 2>&1; done | tee /tmp/sealerts.expl'.)
 
Old 05-03-2008, 02:18 PM   #5
vprice
LQ Newbie
 
Registered: Apr 2008
Posts: 9

Original Poster
Rep: Reputation: 0
Thanks again, unSpawn.
1) I copied Raw Audit Messages into /tmp/avcs and ran (as root, in /tmp) "audit2allow -M local < /tmp/avcs" and "semodule -i local.pp" (local.pp looked fine). That didn't help. Then I tried "audit2allow -m local -l -i /var/log/audit/audit.log > local.te", made sure local.te file looks fine, ran "checkmodule -M -m -o local.mod local.te", "semodule_package -o local.pp -m local.mod" and "semodule -i local.pp". Before rebooting I dropped this file "touch /.autorelabel". Did not help either.

2) grep "avc:.*denied" /var/log/audit/audit.log|audit2allow
#============= hotplug_t ==============
allow hotplug_t proc_net_t:dir search;
allow hotplug_t self:process ptrace;
allow hotplug_t sysctl_net_t:file write;

And here is what /tmp/local.te contains:
#============= hotplug_t ==============
allow hotplug_t self:process ptrace;
allow hotplug_t sysctl_net_t:file write;

As you see, "allow hotplug_t proc_net_t:dir search;" is not in /tmp/local.te .

3) 'semodule -l' does not show local policy.
4) "awk '/sealert -l/ {print $NF}' /var/log/messages |uniq|wc -l" results in 6438 alerts (not sure how to post them elsewhere)
 
Old 05-03-2008, 03:49 PM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,679
Blog Entries: 54

Rep: Reputation: 2954
Quote:
Originally Posted by vprice View Post
4) "awk '/sealert -l/ {print $NF}' /var/log/messages |uniq|wc -l" results in 6438 alerts (not sure how to post them elsewhere)
6438 alerts is A LOT. What I meant with "post somewhere" is that this forum can't take posts with many lines. There are hosting providers you can upload files to temporarily and for free. If you have a large log you could decide to compress it, even encrypt it if necessary and upload. Then all you have to do is post the URI here. Pastebin or nopaste is "a collaborative debugging tool" but it would be easier to say it's a "public clipboard".

But first let's see what building your policy would do.


Quote:
Originally Posted by vprice View Post
And here is what /tmp/local.te contains:
#============= hotplug_t ==============
allow hotplug_t self:process ptrace;
allow hotplug_t sysctl_net_t:file write;

As you see, "allow hotplug_t proc_net_t:dir search;" is not in /tmp/local.te.
OK. Unless you add that to your local policy template that ain't gonna work (and running 'checkmodule -M -m local.te' should show why). If this is a self-contained policy file it should look like this (w/o the line numbers):
Code:
     1  
     2  module vprice 1.0;
     3  
     4  require {
     5          type hotplug_t;
     6          type proc_net_t;
     7          type sysctl_net_t;
     8          class process ptrace;
     9          class dir search;
    10          class file write;
    11  }
    12  
    13  #============= hotplug_t ==============
    14  allow hotplug_t proc_net_t:dir search;
    15  allow hotplug_t self:process ptrace;
    16  allow hotplug_t sysctl_net_t:file write;
Rename it (right now it builds "vprice.pp") then start at checkmodule and on.
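
The comparison discussed in posts #4 to #6 (do the denials in the log match the rules in the .te source?), as an added shell example that is not part of any post in this thread: it derives the allow rules implied by raw AVC lines and prints those the policy source lacks. The log lines, pid and inode values, and file names are constructed; the script expands permission sets but assumes a single source and target type per rule.

```shell
# Added example, not from the thread. All sample data below is constructed.
export LC_ALL=C

# AVC denial lines on stdin -> sorted, unique "allow" rules, one permission each.
avc_to_rules() {
    awk '/avc: +denied/ {
        src = tgt = cls = ""
        if (!match($0, /[{][^}]*[}]/)) next
        perms = substr($0, RSTART + 1, RLENGTH - 2)
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }  # type is 3rd part
            if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            if ($i ~ /^tclass=/)   cls = substr($i, 8)
        }
        if (src == "" || tgt == "" || cls == "") next
        if (tgt == src) tgt = "self"
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++) printf "allow %s %s:%s %s;\n", src, tgt, cls, p[j]
    }' | sort -u
}

# Allow rules in a .te file, normalised the same way ({ a b } sets expanded).
te_rules() {
    sed 's/#.*//' "$1" | awk '$1 == "allow" {
        gsub(/[{};]/, " ")
        for (i = 4; i <= NF; i++) printf "allow %s %s %s;\n", $2, $3, $i
    }' | sort -u
}

# Rules the log asks for that the policy source lacks. $1 = log, $2 = .te file
missing_rules() {
    want=$(mktemp); have=$(mktemp)
    avc_to_rules < "$1" > "$want"
    te_rules "$2" > "$have"
    comm -23 "$want" "$have"
    rm -f "$want" "$have"
}

work=$(mktemp -d)
cat > "$work/audit.log" <<'EOF'
type=AVC msg=audit(1209841500.101:41): avc:  denied  { search } for  pid=2301 comm="ifdown-ipv6" name="net" dev=proc ino=4026531864 scontext=system_u:system_r:hotplug_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=dir
type=AVC msg=audit(1209841500.140:42): avc:  denied  { ptrace } for  pid=2302 comm="example" scontext=system_u:system_r:hotplug_t:s0 tcontext=system_u:system_r:hotplug_t:s0 tclass=process
type=AVC msg=audit(1209841500.188:43): avc:  denied  { write } for  pid=2303 comm="example" name="example" dev=proc ino=5120 scontext=system_u:system_r:hotplug_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file
type=AVC msg=audit(1209841560.101:57): avc:  denied  { search } for  pid=2410 comm="ifdown-ipv6" name="net" dev=proc ino=4026531864 scontext=system_u:system_r:hotplug_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=dir
EOF
cat > "$work/local.te" <<'EOF'
allow hotplug_t self:process ptrace;
allow hotplug_t sysctl_net_t:file write;
EOF
missing_rules "$work/audit.log" "$work/local.te"
```

Any rule it prints also needs its types, class and permission declared in the module's `require` block before `checkmodule` will accept the source.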
 
Old 05-03-2008, 08:30 PM   #7
vprice
LQ Newbie
 
Registered: Apr 2008
Posts: 9

Original Poster
Rep: Reputation: 0
After 2 revisions of local.pp (the last change caused a new denial to pop up, I incorporated it as well) the SELinux messages finally stopped. Thanks for your help, unSpawn. Wireless still has some problems but since I am giving this laptop to my stepson for his birthday tomorrow he will have to wrestle with them himself (the laptop was an incentive for him to learn Linux).
 
Old 05-04-2008, 06:01 AM   #8
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,679
Blog Entries: 54

Rep: Reputation: 2954
Quote:
Originally Posted by vprice View Post
After 2 revisions of local.pp (the last change caused a new denial to pop up, I incorporated it as well) the SELinux messages finally stopped.
Good to see it works.


Quote:
Originally Posted by vprice View Post
Wireless still has some problems but since I am giving this laptop to my stepson for his birthday tomorrow he will have to wrestle with them himself (the laptop was an incentive for him to learn Linux).
Nice stimulus indeed. Just two things you should do in terms of aftercare IMHO: make a backup and tell him that no matter what (in general) things *can* be fixed.
 
Old 05-04-2008, 09:15 AM   #9
vprice
LQ Newbie
 
Registered: Apr 2008
Posts: 9

Original Poster
Rep: Reputation: 0
Thanks. Naturally I backed up the most recent copy of local.te so that we could add to it later if need be. But backing up the entire system - that's a project my stepson will have to deal with...
 
  


All times are GMT -5.