On Sun, 2009-07-05 at 21:16 +0200, Dominick Grift wrote:
> On Sun, 2009-07-05 at 20:59 +0200, Christoph A. wrote:
> > >> make -f /usr/share/selinux/devel/Makefile mykismet.pp
> > >>> sudo semodule -i mykismet.po
> >
> > the module was loaded successfully:
> >
> > semodule -l|grep myk
> > mykismet 0.0.1
> >
> >
> > > By the way you might need to give it even more permissions. The DBUS
> > > daemon object manager logs a lot of stuff to /var/log/messages instead
> > > of /var/log/audit/audit.log.
> > >
> > > I could for example imagine kismet wanting to send dbus msgs to
> > > network-manager or both dbus chatting to each other.
> >
> > you are right:
> > type=USER_AVC msg=audit(1246817621.469:1260): user pid=1652 uid=81
> > auid=4294967295 ses=4294967295
> > subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied
> > { send_msg } for msgtype=signal interface=org.freedesktop.NetworkManager
> > member=sleep dest=org.freedesktop.NetworkManager spid=18051 tpid=1850
> > scontext=unconfined_u:unconfined_r:kismet_t:s0-s0:c0.c1023
> > tcontext=system_u:system_r:NetworkManager_t:s0 tclass=dbus :
> > exe="/bin/dbus-daemon" (sauid=81, hostname=?, addr=?, terminal=?)'
> >
> > starting kismet in enforcing mode gives me:
> > NOTICE: configdir '/root/' does not exist, making it.
> > FATAL: Could not make configdir: File exists
> >
> > Before adding more homemade rules:
> > I'm wondering if all other kismet users are turning off SELinux or if I
> > have a special setup where the default rules of the kismet 1.2.0 module
> > do not work?
> > Also because Dan mentioned [1] that he will add dbus rules to solve
> > these denies.
> > The only thing that is non-standard in my config is the logtemplate
> > configuration (see kismet.conf).
> >
> > [1]
> > http://www.linux-archive.org/fedora-selinux-support/195736-further-selinux-kismet.html
>
> Well a few things to consider here:
>
> - not all wifi hardware works with kismet (mine doesn't)
> - in rhel it would run unconfined
> - fedora is a development platform and many devs run selinux in
> permissive mode unfortunately (they focus on developing and care less
> about security)
>
>
> Obviously there are still bugs in your kismet policy: consider reporting
> to bugzilla.redhat.com/selinux-policy
>
> A fix for the above issue would be:
>
> networkmanager_dbus_chat(kismet.te)

make that: networkmanager_dbus_chat(kismet_t)

>
> You would add that to your mykismet.te file and rebuild/reinstall the
> mykismet.pp
>
> However it may be that the above interface call is a bit too coarse
> since it allows two way chatting and the above denial only reports that
> kismet wants to send_msg to network-manager.
>
> So in that case a new interface should be added to networkmanager.if:
>
> networkmanager_send_dbus_msg()
>
> >
> > thanks
> > Christoph
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
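
The point made in the message above, that a two-way dbus_chat interface grants more than the logged denial justifies, can be checked mechanically. The following is an added example, not part of the original thread or of the selinux-policy project: it parses the USER_AVC record quoted in the thread and compares the rule it supports with the rules a two-way chat would grant. The function names are hypothetical, and the two-rule expansion of the chat interface is an assumption based on the thread's description of it as "two way chatting".

```python
import re

# USER_AVC record copied from the thread above, with line wrapping removed.
RECORD = (
    "type=USER_AVC msg=audit(1246817621.469:1260): user pid=1652 uid=81 "
    "auid=4294967295 ses=4294967295 "
    "subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied "
    "{ send_msg } for msgtype=signal interface=org.freedesktop.NetworkManager "
    "member=sleep dest=org.freedesktop.NetworkManager spid=18051 tpid=1850 "
    "scontext=unconfined_u:unconfined_r:kismet_t:s0-s0:c0.c1023 "
    "tcontext=system_u:system_r:NetworkManager_t:s0 tclass=dbus : "
    "exe=\"/bin/dbus-daemon\" (sauid=81, hostname=?, addr=?, terminal=?)'"
)

# subj= is the dbus daemon acting as object manager; the sender and receiver
# of the denied message are in scontext= and tcontext=.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\w+)"
)

def context_type(context):
    """Return the type field (third) of a user:role:type[:mls] context."""
    return context.split(":")[2]

def minimal_rules(record):
    """Allow rules covering exactly what the denial record reports."""
    m = AVC_RE.search(record)
    if m is None:
        raise ValueError("no AVC denial in record")
    src, tgt = context_type(m["scon"]), context_type(m["tcon"])
    return {f"allow {src} {tgt}:{m['tclass']} {p};" for p in m["perms"].split()}

def two_way_chat(domain, peer):
    """Assumed expansion of a two-way dbus chat: send_msg in both directions."""
    return {f"allow {domain} {peer}:dbus send_msg;",
            f"allow {peer} {domain}:dbus send_msg;"}

def surplus(record, domain, peer):
    """Rules the two-way chat grants that the denial does not justify."""
    return two_way_chat(domain, peer) - minimal_rules(record)

if __name__ == "__main__":
    print("needed :", sorted(minimal_rules(RECORD)))
    print("surplus:", sorted(surplus(RECORD, "kismet_t", "NetworkManager_t")))
```

The surplus rule is the NetworkManager-to-kismet direction, which is what a send-only interface such as the proposed networkmanager_send_dbus_msg() would leave out.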