Hi,
we're using NetworkManager 1.50.0 and wpa-supplicant 2.11 and hit the following denial:
```
type=AVC msg=audit(1741271919.256:65): avc: denied { sys_admin } for pid=1017 comm="wpa_supplicant" capability=21 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1741271919.256:65): avc: denied { sys_admin } for pid=1017 comm="wpa_supplicant" capability=21 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=capability permissive=0
type=SYSCALL msg=audit(1741271919.256:65): arch=c00000b7 syscall=208 success=yes exit=0 a0=c a1=1 a2=1a a3=aaaac6039a20 items=0 ppid=1 pid=1017 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="wpa_supplicant" exe="/usr/sbin/wpa_supplicant" subj=system_u:system_r:NetworkManager_t:s0 key=(null) ARCH=aarch64 SYSCALL=setsockopt AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
```
As we're building wpa-supplicant from sources, I experimented a bit and made some changes to it. If I comment out the two calls to setsockopt in the file https://git.w1.fi/cgit/hostap/tree/src/l2_packet/l2_packet_linux.c, which try to attach some filters to the socket, the denial disappears.
So, the question for me is whether the NetworkManager_t domain really lacks the SYS_ADMIN capability, or whether we need to change something in our setup.
Thanks.
Pascal
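The records quoted in the report can be decoded mechanically, which makes it easier to see what was actually checked. The following script is an added example for this issue, not code from NetworkManager, wpa_supplicant or the SELinux policy: it correlates the AVC and SYSCALL records by their serial number, maps the numeric fields to names using values from the Linux uapi headers (capability.h, audit.h, asm-generic/unistd.h and asm-generic/socket.h, which aarch64 uses), and reports whether the denied capability check was fatal to the call. The sample input is the three records from the report, embedded inline so the script runs offline; the record dictionary keys and the `analyse` function name are this example's own choices.

```python
"""Decode an SELinux AVC + SYSCALL audit event like the one quoted in the issue.

Added example for this issue, not code from NetworkManager or wpa_supplicant.
The sample input is copied from the report; numeric constants come from the
Linux uapi headers (capability.h, audit.h, asm-generic/unistd.h, asm-generic/socket.h).
"""
import re

# Numeric identifiers used in the records, with their names from the uapi headers.
CAP_NAMES = {12: "CAP_NET_ADMIN", 13: "CAP_NET_RAW", 21: "CAP_SYS_ADMIN", 39: "CAP_BPF"}
AUDIT_ARCH = {0xC00000B7: "aarch64", 0xC000003E: "x86_64"}
# setsockopt has a different number per syscall table; aarch64 uses the generic table.
SETSOCKOPT_NR = {"aarch64": 208, "x86_64": 54}
SOL_SOCKET = 1
SO_NAMES = {26: "SO_ATTACH_FILTER", 27: "SO_DETACH_FILTER", 50: "SO_ATTACH_BPF"}

# Constructed sample: the records from the report (AVC twice, as quoted, then SYSCALL).
SAMPLE_RECORDS = [
    'type=AVC msg=audit(1741271919.256:65): avc: denied { sys_admin } for pid=1017 comm="wpa_supplicant" capability=21 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=capability permissive=0',
    'type=AVC msg=audit(1741271919.256:65): avc: denied { sys_admin } for pid=1017 comm="wpa_supplicant" capability=21 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=capability permissive=0',
    'type=SYSCALL msg=audit(1741271919.256:65): arch=c00000b7 syscall=208 success=yes exit=0 a0=c a1=1 a2=1a a3=aaaac6039a20 items=0 ppid=1 pid=1017 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="wpa_supplicant" exe="/usr/sbin/wpa_supplicant" subj=system_u:system_r:NetworkManager_t:s0 key=(null)',
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r'msg=audit\(\d+\.\d+:(\d+)\)')
DENIED_RE = re.compile(r'denied\s+\{([^}]*)\}')


def parse_record(line):
    """Return (type, serial, fields) for one audit line; quoted values lose their quotes."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    serial = int(SERIAL_RE.search(line).group(1))
    return fields["type"], serial, fields


def group_events(lines):
    """Records sharing a serial number belong to one kernel event (one syscall)."""
    events = {}
    for line in lines:
        rtype, serial, fields = parse_record(line)
        ev = events.setdefault(serial, {"avc": [], "syscall": None})
        if rtype == "AVC":
            fields["perms"] = DENIED_RE.search(line).group(1).split()
            ev["avc"].append(fields)
        elif rtype == "SYSCALL":
            ev["syscall"] = fields
    return events


def decode_event(ev):
    """Turn the raw numbers of one event into names and a verdict."""
    sc = ev["syscall"]
    arch = AUDIT_ARCH.get(int(sc["arch"], 16), sc["arch"])
    nr = int(sc["syscall"])
    out = {
        "arch": arch,
        "syscall": "setsockopt" if nr == SETSOCKOPT_NR.get(arch) else f"nr{nr}",
        "exe": sc.get("exe"),
        "domain": sc.get("subj"),
        "succeeded": sc["success"] == "yes",
        # permissive=0 on every AVC record means the domain was enforcing
        "enforcing": all(a.get("permissive") == "0" for a in ev["avc"]),
        "avc_count": len(ev["avc"]),
        "capabilities": sorted({CAP_NAMES.get(int(a["capability"]), a["capability"])
                                for a in ev["avc"] if a.get("tclass") == "capability"}),
    }
    if out["syscall"] == "setsockopt":
        # setsockopt(fd, level, optname, ...); audit logs the arguments in hex
        out["fd"] = int(sc["a0"], 16)
        level, optname = int(sc["a1"], 16), int(sc["a2"], 16)
        out["sockopt"] = (SO_NAMES.get(optname, str(optname)) if level == SOL_SOCKET
                          else f"level{level}/opt{optname}")
    # A denied capability check together with success=yes means the refusal was not
    # fatal: the kernel asked for the capability, was refused, and completed the call.
    out["fatal_denial"] = not out["succeeded"]
    return out


def analyse(lines):
    """Decode every event found in a list of audit lines."""
    return [decode_event(ev) for ev in group_events(lines).values()]


if __name__ == "__main__":
    for result in analyse(SAMPLE_RECORDS):
        for key, value in result.items():
            print(f"{key:12} {value}")
```

On the quoted records this reports aarch64, setsockopt on fd 12 with level SOL_SOCKET and option SO_ATTACH_FILTER, CAP_SYS_ADMIN refused while enforcing, and the call itself succeeding (exit=0). That agrees with the observation that the denial goes away when the filter-attach calls in l2_packet_linux.c are removed, and it also shows the denial did not break the attach. When triaging such a record, the distinction between a fatal denial (success=no) and a non-fatal capability probe like this one is what decides whether a policy change is needed for functionality or only to silence the audit noise, and the policy maintainers will want that fact along with the raw records.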