Hi,
I'm running fedora 11.
rpm -qa selinux*
selinux-policy-3.6.12-53.fc11.noarch
selinux-policy-targeted-3.6.12-53.fc11.noarch
When I try to start kismet it fails with this error:
WARNING: Failed to connect to DBUS system, will not be able to control networkmanager: Failed to connect to socket /var/run/dbus/system_bus_socket: Permission denied
WARNING: Failed to send 'sleep' command to networkmanager via DBUS, NM may try to take control of the interfaces still.
FATAL: Dump file error: Unable to open dump file /home/kismet/dump/Jul-05-2009-14-26-09.dump (No such file or directory)
Sending termination request to channel control child 10743...
WARNING: Error disabling monitor mode: mode set ioctl failed 16:Device or resource busy
WARNING: WIFI5100AGN (wlan0) left in an unknown state. You may need to manually restart or reconfigure it for normal operation.
WARNING: Sometimes cards don't always come out of monitor mode cleanly. If your card is not fully working, you may need to restart or reconfigure it for normal operation.
Waiting for channel control child 10743 to exit...
Trying to wake networkmanager back up...
WARNING: Failed to connect to DBUS system, will not be able to control networkmanager: Failed to connect to socket /var/run/dbus/system_bus_socket: Permission denied
WARNING: Failed to send 'wake' command to networkmanager via DBUS, NM may still be inactive.
Kismet exiting.
log:
node=localhost.localdomain type=AVC msg=audit(1246795836.328:420): avc: denied { search } for pid=10334 comm="kismet_server" name="dbus" dev=dm-1 ino=2000053 scontext=unconfined_u:unconfined_r:kismet_t:s0-s0:c0.c1023 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=dir
node=localhost.localdomain type=SYSCALL msg=audit(1246795836.328:420): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfe50b20 a2=bbeff4 a3=bfe50ccc items=0 ppid=10333 pid=10334 auid=500 uid=492 gid=496 euid=492 suid=492 fsuid=492 egid=496 sgid=496 fsgid=496 tty=pts0 ses=1 comm="kismet_server" exe="/usr/bin/kismet_server" subj=unconfined_u:unconfined_r:kismet_t:s0-s0:c0.c1023 key=(null)
while searching the web I found an old but similar issue: http://www.linux-archive.org/fedora-selinux-support/195736-further-selinux-k...
What should I do to successfully start kismet (without disabling SELinux)?
thanks
Christoph
(kismet.conf attached)
On Sun, 2009-07-05 at 14:45 +0200, Christoph A. wrote:
What should I do to successfully start kismet (without disabling SELinux)?
Probably:
mkdir ~/mykismet; cd ~/mykismet;
echo "policy_module(mykismet, 0.0.1)" > mykismet.te
echo "require { type kismet_t; }" >> mykismet.te
echo "dbus_system_bus_client(kismet_t)" >> mykismet.te
make -f /usr/share/selinux/devel mykismet.pp
sudo semodule -i mykismet.pp
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
On Sun, 2009-07-05 at 15:31 +0200, Dominick Grift wrote:
Probably:
mkdir ~/mykismet; cd ~/mykismet;
echo "policy_module(mykismet, 0.0.1)" > mykismet.te
echo "require { type kismet_t; }" >> mykismet.te
echo "dbus_system_bus_client(kismet_t)" >> mykismet.te
make -f /usr/share/selinux/devel mykismet.pp
make that:
make -f /usr/share/selinux/devel/Makefile mykismet.pp
sudo semodule -i mykismet.pp
On Sun, 2009-07-05 at 15:32 +0200, Dominick Grift wrote:
Probably:
mkdir ~/mykismet; cd ~/mykismet;
echo "policy_module(mykismet, 0.0.1)" > mykismet.te
echo "require { type kismet_t; }" >> mykismet.te
echo "dbus_system_bus_client(kismet_t)" >> mykismet.te
make -f /usr/share/selinux/devel mykismet.pp
make that:
make -f /usr/share/selinux/devel/Makefile mykismet.pp
sudo semodule -i mykismet.pp
By the way you might need to give it even more permissions. The DBUS daemon object manager logs a lot of stuff to /var/log/messages instead of /var/log/audit/audit.log.
I could for example imagine kismet wanting to send dbus msgs to network-manager or both dbus chatting to each other.
make -f /usr/share/selinux/devel/Makefile mykismet.pp
sudo semodule -i mykismet.pp
the module was loaded successfully:
semodule -l|grep myk
mykismet 0.0.1
By the way you might need to give it even more permissions. The DBUS daemon object manager logs a lot of stuff to /var/log/messages instead of /var/log/audit/audit.log.
I could for example imagine kismet wanting to send dbus msgs to network-manager or both dbus chatting to each other.
you are right:
type=USER_AVC msg=audit(1246817621.469:1260): user pid=1652 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=signal interface=org.freedesktop.NetworkManager member=sleep dest=org.freedesktop.NetworkManager spid=18051 tpid=1850 scontext=unconfined_u:unconfined_r:kismet_t:s0-s0:c0.c1023 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=dbus : exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
starting kismet in enforcing mode gives me:
NOTICE: configdir '/root/' does not exist, making it.
FATAL: Could not make configdir: File exists
Before adding more homemade rules: I'm wondering if all other kismet users are turning off SELinux or if I have a special setup where the default rules of the kismet 1.2.0 module do not work? Also because Dan mentioned [1] that he will add dbus rules to solve these denies. The only thing that is non-standard in my config is the logtemplate configuration (see kismet.conf).
[1] http://www.linux-archive.org/fedora-selinux-support/195736-further-selinux-k...
thanks Christoph
On Sun, 2009-07-05 at 20:59 +0200, Christoph A. wrote:
Before adding more homemade rules: I'm wondering if all other kismet users are turning off SELinux or if I have a special setup where the default rules of the kismet 1.2.0 module do not work? Also because Dan mentioned [1] that he will add dbus rules to solve these denies. The only thing that is non-standard in my config is the logtemplate configuration (see kismet.conf).
[1] http://www.linux-archive.org/fedora-selinux-support/195736-further-selinux-k...
Well a few things to consider here:
- not all wifi hardware works with kismet (mine doesn't)
- in rhel it would run unconfined
- fedora is a development platform and many devs run selinux in permissive mode unfortunately (they focus on developing and care less about security)
Obviously there are still bugs in your kismet policy: consider reporting to bugzilla.redhat.com/selinux-policy
A fix for the above issue would be:
networkmanager_dbus_chat(kismet.te)
You would add that to your mykismet.te file and rebuild/reinstall the mykismet.pp
However it may be that the above interface call is a bit too coarse since it allows two way chatting and the above denial only reports that kismet wants to send_msg to network-manager.
So in that case a new interface should be added to networkmanager.if:
networkmanager_send_dbus_msg()
On Sun, 2009-07-05 at 21:16 +0200, Dominick Grift wrote:
A fix for the above issue would be:
networkmanager_dbus_chat(kismet.te)
make that:
networkmanager_dbus_chat(kismet_t)
Well a few things to consider here:
- not all wifi hardware works with kismet (mine doesn't)
- in rhel it would run unconfined
- fedora is a development platform and many devs run selinux in permissive mode unfortunately (they focus on developing and care less about security)
thank you for your infos and fast replies
Obviously there are still bugs in your kismet policy: consider reporting to bugzilla.redhat.com/selinux-policy
I filed the bugreport here: https://bugzilla.redhat.com/show_bug.cgi?id=509756
going this way, maybe it will be fixed upstream instead of fixing it just locally
thanks Christoph
selinux@lists.fedoraproject.org
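
Added example, not code from the thread or from the selinux-policy project: the two denials posted above reduced to the raw allow rules they imply, which is the reading that tools such as audit2allow automate. Function names are hypothetical; the log lines are copied from the thread with fields the parser does not use trimmed.

```python
import re
from collections import defaultdict

# Denials copied from the thread; fields the parser does not use are trimmed.
DENIALS = [
    'type=AVC msg=audit(1246795836.328:420): avc: denied { search } for pid=10334 '
    'comm="kismet_server" name="dbus" dev=dm-1 ino=2000053 '
    'scontext=unconfined_u:unconfined_r:kismet_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=dir',
    "type=USER_AVC msg=audit(1246817621.469:1260): user pid=1652 uid=81 "
    "msg='avc: denied { send_msg } for msgtype=signal "
    "interface=org.freedesktop.NetworkManager member=sleep "
    "scontext=unconfined_u:unconfined_r:kismet_t:s0-s0:c0.c1023 "
    "tcontext=system_u:system_r:NetworkManager_t:s0 tclass=dbus'",
]

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\w+)"
)

def context_type(context):
    """Type is the third colon-separated field of user:role:type[:level]."""
    return context.split(":")[2]

def parse_denial(line):
    """Return (source_type, target_type, class, perms) or None if not a denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return (context_type(m["scon"]), context_type(m["tcon"]),
            m["tclass"], frozenset(m["perms"].split()))

def minimal_rules(lines):
    """Merge denials per (source, target, class) and emit one allow rule each."""
    merged = defaultdict(set)
    for line in lines:
        parsed = parse_denial(line)
        if parsed:
            src, tgt, cls, perms = parsed
            merged[(src, tgt, cls)] |= perms
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        names = sorted(perms)
        perm_txt = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_txt};")
    return rules

def reply_direction_denied(lines, client, service):
    """True if the log also shows service -> client dbus send_msg being denied."""
    return any(p and p[:3] == (service, client, "dbus") and "send_msg" in p[3]
               for p in map(parse_denial, lines))

if __name__ == "__main__":
    print("\n".join(minimal_rules(DENIALS)))
    print(reply_direction_denied(DENIALS, "kismet_t", "NetworkManager_t"))
```

For these logs the reply-direction check is False, which matches the remark in the thread that the denial only shows kismet sending to NetworkManager.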