kismet - DBUS AVCs
Dominick Grift
domg472 at gmail.com
Sun Jul 5 18:13:12 UTC 2009
On Sun, 2009-07-05 at 15:32 +0200, Dominick Grift wrote:
> On Sun, 2009-07-05 at 15:31 +0200, Dominick Grift wrote:
> > On Sun, 2009-07-05 at 14:45 +0200, Christoph A. wrote:
> > > Hi,
> > >
> > > I'm running fedora 11.
> > >
> > > rpm -qa selinux*
> > > selinux-policy-3.6.12-53.fc11.noarch
> > > selinux-policy-targeted-3.6.12-53.fc11.noarch
> > >
> > > When I try to start kismet it failes with this error:
> > >
> > > WARNING: Failed to connect to DBUS system, will not be able to control
> > > networkmanager: Failed to connect to socket
> > > /var/run/dbus/system_bus_socket: Permission denied
> > > WARNING: Failed to send 'sleep' command to networkmanager via DBUS, NM
> > > may try to take control of the interfaces still.FATAL: Dump file error:
> > > Unable to open dump file /home/kismet/dump/Jul-05-2009-14-26-09.dump (No
> > > such file or directory)
> > > Sending termination request to channel control child 10743...
> > > WARNING: Error disabling monitor mode: mode set ioctl failed 16:Device
> > > or resource busy
> > > WARNING: WIFI5100AGN (wlan0) left in an unknown state. You may need to
> > > manually
> > > restart or reconfigure it for normal operation.
> > > WARNING: Sometimes cards don't always come out of monitor mode
> > > cleanly. If your card is not fully working, you may need to
> > > restart or reconfigure it for normal operation.
> > > Waiting for channel control child 10743 to exit...
> > > Trying to wake networkmanager back up...
> > > WARNING: Failed to connect to DBUS system, will not be able to control
> > > networkmanager: Failed to connect to socket
> > > /var/run/dbus/system_bus_socket: Permission denied
> > > WARNING: Failed to send 'wake' command to networkmanager via DBUS, NM
> > > may still be inactive.Kismet exiting.
> > >
> > >
> > > log:
> > >
> > > node=localhost.localdomain type=AVC msg=audit(1246795836.328:420): avc:
> > > denied { search } for pid=10334 comm="kismet_server" name="dbus"
> > > dev=dm-1 ino=2000053
> > > scontext=unconfined_u:unconfined_r:kismet_t:s0-s0:c0.c1023
> > > tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=dir
> > > node=localhost.localdomain type=SYSCALL msg=audit(1246795836.328:420):
> > > arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfe50b20 a2=bbeff4
> > > a3=bfe50ccc items=0 ppid=10333 pid=10334 auid=500 uid=492 gid=496
> > > euid=492 suid=492 fsuid=492 egid=496 sgid=496 fsgid=496 tty=pts0 ses=1
> > > comm="kismet_server" exe="/usr/bin/kismet_server"
> > > subj=unconfined_u:unconfined_r:kismet_t:s0-s0:c0.c1023 key=(null)
> > >
> > >
> > > while searching the web I found a old but similar issue:
> > > http://www.linux-archive.org/fedora-selinux-support/195736-further-selinux-kismet.html
> > >
> > > What should I do to successfully start kismet (without disabling SELinux)?
> >
> > Probably:
> >
> > mkdir ~/mykismet; cd ~/mykismet;
> > echo "policy_module(mykismet, 0.0.1)" > mykismet.te
> > echo "require { type kismet_t; }" >> mykismet.te
> > echo "dbus_system_bus_client(kismet_t) >> mykismet.te
> > make -f /usr/share/selinux/devel mykismet.pp
> make that:
>
> make -f /usr/share/selinux/devel/Makefile mykismet.pp
> > sudo semodule -i mykismet.po
> >
By the way you might need to give it even more permissions. The DBUS
daemon object manager logs a lot of stuff to /var/log/messages instead
of /var/log/audit/audit.log.
I could for example imagine kismet wanting to send dbus msgs to
network-manager or both dbus chatting to each other.
> > > thanks
> > > Christoph
> > > (kismet.conf attached)
> > >
> > > --
> > > fedora-selinux-list mailing list
> > > fedora-selinux-list at redhat.com
> > > https://www.redhat.com/mailman/listinfo/fedora-selinux-list
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 197 bytes
Desc: This is a digitally signed message part
URL: <http://listman.redhat.com/archives/fedora-selinux-list/attachments/20090705/9329778c/attachment.sig>
More information about the fedora-selinux-list
mailing list