kismet - DBUS AVCs

Sun Jul 5 18:13:12 UTC 2009

On Sun, 2009-07-05 at 15:32 +0200, Dominick Grift wrote:
> On Sun, 2009-07-05 at 15:31 +0200, Dominick Grift wrote:
> > On Sun, 2009-07-05 at 14:45 +0200, Christoph A. wrote:
> > > Hi,
> > > 
> > > I'm running fedora 11.
> > > 
> > > rpm -qa selinux*
> > > selinux-policy-3.6.12-53.fc11.noarch
> > > selinux-policy-targeted-3.6.12-53.fc11.noarch
> > > 
> > > When I try to start kismet it failes with this error:
> > > 
> > > WARNING: Failed to connect to DBUS system, will not be able to control 
> > > networkmanager: Failed to connect to socket 
> > > /var/run/dbus/system_bus_socket: Permission denied
> > > WARNING: Failed to send 'sleep' command to networkmanager via DBUS, NM 
> > > may try to take control of the interfaces still.FATAL: Dump file error: 
> > > Unable to open dump file /home/kismet/dump/Jul-05-2009-14-26-09.dump (No 
> > > such file or directory)
> > > Sending termination request to channel control child 10743...
> > > WARNING: Error disabling monitor mode: mode set ioctl failed 16:Device 
> > > or resource busy
> > > WARNING: WIFI5100AGN (wlan0) left in an unknown state.  You may need to 
> > > manually
> > >           restart or reconfigure it for normal operation.
> > > WARNING: Sometimes cards don't always come out of monitor mode
> > >           cleanly.  If your card is not fully working, you may need to
> > >           restart or reconfigure it for normal operation.
> > > Waiting for channel control child 10743 to exit...
> > > Trying to wake networkmanager back up...
> > > WARNING: Failed to connect to DBUS system, will not be able to control 
> > > networkmanager: Failed to connect to socket 
> > > /var/run/dbus/system_bus_socket: Permission denied
> > > WARNING: Failed to send 'wake' command to networkmanager via DBUS, NM 
> > > may still be inactive.Kismet exiting.
> > > 
> > > 
> > > log:
> > > 
> > > node=localhost.localdomain type=AVC msg=audit(1246795836.328:420): avc: 
> > > denied { search } for pid=10334 comm="kismet_server" name="dbus" 
> > > dev=dm-1 ino=2000053 
> > > scontext=unconfined_u:unconfined_r:kismet_t:s0-s0:c0.c1023 
> > > tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=dir 
> > > node=localhost.localdomain type=SYSCALL msg=audit(1246795836.328:420): 
> > > arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfe50b20 a2=bbeff4 
> > > a3=bfe50ccc items=0 ppid=10333 pid=10334 auid=500 uid=492 gid=496 
> > > euid=492 suid=492 fsuid=492 egid=496 sgid=496 fsgid=496 tty=pts0 ses=1 
> > > comm="kismet_server" exe="/usr/bin/kismet_server" 
> > > subj=unconfined_u:unconfined_r:kismet_t:s0-s0:c0.c1023 key=(null)
> > > 
> > > 
> > > while searching the web I found a old but similar issue:
> > > http://www.linux-archive.org/fedora-selinux-support/195736-further-selinux-kismet.html
> > > 
> > > What should I do to successfully start kismet (without disabling SELinux)?
> > 
> > Probably:
> > 
> > mkdir ~/mykismet; cd ~/mykismet;
> > echo "policy_module(mykismet, 0.0.1)" > mykismet.te
> > echo "require { type kismet_t; }" >> mykismet.te
> > echo "dbus_system_bus_client(kismet_t) >> mykismet.te
> > make -f /usr/share/selinux/devel mykismet.pp
> make that:
> 
> make -f /usr/share/selinux/devel/Makefile mykismet.pp
> > sudo semodule -i mykismet.po
> > 
By the way you might need to give it even more permissions. The DBUS
daemon object manager logs a lot of stuff to /var/log/messages instead
of /var/log/audit/audit.log.

I could for example imagine kismet wanting to send dbus msgs to
network-manager or both dbus chatting to each other.

> > > thanks
> > > Christoph
> > > (kismet.conf attached)
> > > 
> > > --
> > > fedora-selinux-list mailing list
> > > fedora-selinux-list at redhat.com
> > > https://www.redhat.com/mailman/listinfo/fedora-selinux-list
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 197 bytes
Desc: This is a digitally signed message part
URL: <http://listman.redhat.com/archives/fedora-selinux-list/attachments/20090705/9329778c/attachment.sig>