On Sun, 2009-07-05 at 21:16 +0200, Dominick Grift wrote:
On Sun, 2009-07-05 at 20:59 +0200, Christoph A. wrote:
make -f /usr/share/selinux/devel/Makefile mykismet.pp
sudo semodule -i mykismet.pp
the module was loaded successfully:
semodule -l | grep myk
mykismet 0.0.1
By the way you might need to give it even more permissions. The DBUS daemon object manager logs a lot of stuff to /var/log/messages instead of /var/log/audit/audit.log.
I could for example imagine kismet wanting to send dbus msgs to network-manager or both dbus chatting to each other.
you are right:
type=USER_AVC msg=audit(1246817621.469:1260): user pid=1652 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=signal interface=org.freedesktop.NetworkManager member=sleep dest=org.freedesktop.NetworkManager spid=18051 tpid=1850 scontext=unconfined_u:unconfined_r:kismet_t:s0-s0:c0.c1023 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
starting kismet in enforcing mode gives me:
NOTICE: configdir '/root/' does not exist, making it.
FATAL: Could not make configdir: File exists
Before adding more homemade rules: I'm wondering if all other kismet users are turning off SELinux or if I have a special setup where the default rules of the kismet 1.2.0 module do not work? Also because Dan mentioned [1] that he will add dbus rules to solve these denies. The only thing that is non-standard in my config is the logtemplate configuration (see kismet.conf).
[1] http://www.linux-archive.org/fedora-selinux-support/195736-further-selinux-k...
Well a few things to consider here:
- not all wifi hardware works with kismet (mine doesn't)
- in rhel it would run unconfined
- fedora is a development platform and many devs run selinux in
permissive mode unfortunately (they focus on developing and care less about security)
Obviously there are still bugs in your kismet policy: consider reporting to bugzilla.redhat.com/selinux-policy
A fix for the above issue would be:
networkmanager_dbus_chat(kismet.te)
make that:
networkmanager_dbus_chat(kismet_t)
You would add that to your mykismet.te file and rebuild/reinstall the mykismet.pp
However it may be that the above interface call is a bit too coarse since it allows two way chatting and the above denial only reports that kismet wants to send_msg to network-manager.
So in that case a new interface should be added to networkmanager.if:
networkmanager_send_dbus_msg()
thanks Christoph
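Dominick's two suggestions side by side, as an added example that is not from the thread: a local mykismet.te calling the existing two-way interface, and the narrower one-way interface he proposes for networkmanager.if. The interface body is my assumption, modelled on how refpolicy defines networkmanager_dbus_chat; a local module can only call it once it ships in the installed policy headers under /usr/share/selinux/devel/include.

```m4
## mykismet.te (local module extending the stock kismet policy)
policy_module(mykismet, 0.0.2)

gen_require(`
	type kismet_t;
')

# Coarse fix: lets kismet_t and NetworkManager_t send D-Bus
# messages to each other (both directions).
networkmanager_dbus_chat(kismet_t)

## Narrower alternative for networkmanager.if (assumed body,
## modelled on the existing networkmanager_dbus_chat interface)
########################################
## <summary>
##	Send D-Bus messages to NetworkManager (one way only).
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`networkmanager_send_dbus_msg',`
	gen_require(`
		type NetworkManager_t;
		class dbus send_msg;
	')

	# Covers exactly the logged denial: kismet_t -> NetworkManager_t
	# send_msg. No rule for the reverse direction.
	allow $1 NetworkManager_t:dbus send_msg;
')

## Once that interface is available, mykismet.te calls it instead:
## networkmanager_send_dbus_msg(kismet_t)
```

Rebuild and reinstall with the same make -f /usr/share/selinux/devel/Makefile and semodule -i steps as before, then re-run kismet and check audit.log and /var/log/messages for any remaining dbus denials.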