kismet - DBUS AVCs

Dominick Grift domg472 at gmail.com
Sun Jul 5 19:19:00 UTC 2009


On Sun, 2009-07-05 at 21:16 +0200, Dominick Grift wrote:
> On Sun, 2009-07-05 at 20:59 +0200, Christoph A. wrote:
> > >> make -f /usr/share/selinux/devel/Makefile mykismet.pp
> > >>> sudo semodule -i mykismet.po
> > 
> > the module was loaded successfully:
> > 
> > semodule -l|grep myk
> > mykismet	0.0.1
> > 
> > 
> > > By the way you might need to give it even more permissions. The DBUS
> > > daemon object manager logs a lot of stuff to /var/log/messages instead
> > > of /var/log/audit/audit.log.
> > >
> > > I could for example imagine kismet wanting to send dbus msgs to
> > > network-manager or both dbus chatting to each other.
> > 
> > you are right:
> > type=USER_AVC msg=audit(1246817621.469:1260): user pid=1652 uid=81 
> > auid=4294967295 ses=4294967295 
> > subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied 
> > { send_msg } for msgtype=signal interface=org.freedesktop.NetworkManager 
> > member=sleep dest=org.freedesktop.NetworkManager spid=18051 tpid=1850 
> > scontext=unconfined_u:unconfined_r:kismet_t:s0-s0:c0.c1023 
> > tcontext=system_u:system_r:NetworkManager_t:s0 tclass=dbus : 
> > exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
> > 
> > starting kismet in enforcing mode gives me:
> > NOTICE: configdir '/root/' does not exist, making it.
> > FATAL:  Could not make configdir: File exists
> > 
> > Before adding more homemade rules:
> > I'm wondering if all other kismet users are turning off SELinux or if I 
> > have a special setup where the default rules of the kismet 1.2.0 module 
> > do not work?
> > Also because Dan mentioned [1] that he will add dbus rules to solve 
> > these denies.
> > The only thing that is non-standard in my config is the logtemplate 
> > configuration (see kismet.conf).
> > 
> > [1] 
> > http://www.linux-archive.org/fedora-selinux-support/195736-further-selinux-kismet.html
> 
> Well a few things to consider here:
> 
> - not all wifi hardware work with kismet (mine doesn't)
> - in rhel it would run unconfined
> - fedora is a development platform and many devs run selinux in
> permissive mode unfortunately (they focus on developing and care less
> about security)
> 
> 
> Obviously there are still bugs in your kismet policy: consider reporting
> to bugzilla.redhat.com/selinux-policy
> 
> A fix for the above issue would be:
> 
> networkmanager_dbus_chat(kismet.te)

make that:

networkmanager_dbus_chat(kismet_t)
> 
> You would add that to your mykismet.te file and rebuild/reinstall the
> mykismet.pp
> 
> However it may be that the above interface call is a bit too coarse
> since it allows two way chatting and the above denial only reports that
> kismet wants to send_msg to network-manager.
> 
> So in that case a new interface should be added to networkmanager.if:
> 
> networkmanager_send_dbus_msg()
> 
> 
> > thanks
> > Christoph
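As an added illustration (not a module from the thread and not Fedora's own policy source), here is what a local mykismet.te carrying Dominick's corrected fix could look like, with the narrower alternative he proposes sketched beside it. The module version, the `require` block and the body of the hypothetical `networkmanager_send_dbus_msg` interface are my assumptions; `networkmanager_dbus_chat` itself comes from the distribution's policy headers, and the types `kismet_t` and `NetworkManager_t` are the ones named in the USER_AVC above.

```selinux
# mykismet.te -- added example, not the module posted in the thread.
# Assumes the policy devel headers are installed under
# /usr/share/selinux/devel and that kismet_t and NetworkManager_t
# are defined by the base policy (both appear in the denial above).
policy_module(mykismet, 0.0.2)

require {
	type kismet_t;
}

# Coarse fix from the thread: allows dbus send_msg in both directions,
# kismet_t -> NetworkManager_t and NetworkManager_t -> kismet_t.
networkmanager_dbus_chat(kismet_t)

# Narrower alternative, matching only what the USER_AVC reports
# ({ send_msg } from kismet_t to NetworkManager_t). The interface
# name follows the thread; its body is an assumption written here
# for illustration and would belong in networkmanager.if, not in a
# local .te file.
#
# interface(`networkmanager_send_dbus_msg',`
# 	gen_require(`
# 		type NetworkManager_t;
# 		class dbus send_msg;
# 	')
# 	allow $1 NetworkManager_t:dbus send_msg;
# ')
#
# With that interface available, replace the call above with:
# networkmanager_send_dbus_msg(kismet_t)
```

Build and load it with the commands already used in the thread (`make -f /usr/share/selinux/devel/Makefile mykismet.pp`, then `semodule -i mykismet.pp`) and confirm with `semodule -l | grep mykismet`. Because dbus-daemon reports these denials as USER_AVC records, re-check /var/log/messages as well as audit.log after reloading to see whether the send_msg denial is gone; if only the one-directional rule is loaded, any reply traffic from NetworkManager_t back to kismet_t would show up there as a new denial.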