Bug 1117674
| Summary: | AVC denials in bitlbee 3.2.2 | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Krzesimir Nowak <qdlacz> |
| Component: | bitlbee | Assignee: | Robert Scheck <redhat-bugzilla> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 20 | CC: | mcepl, mcepl, mgrepl, redhat-bugzilla |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | bitlbee-3.2.2-3.fc20 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2014-07-30 21:56:04 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
IMHO that should be allowed by selinux-policy-targeted because BitlBee can be build with libpurple support - which seems to cause this issue somehow. More AVC denials. Still empty names.
SELinux is preventing /usr/sbin/bitlbee from write access on the sock_file .
***** Plugin catchall (100. confidence) suggests **************************
If you believe that bitlbee should be allowed write access on the sock_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep bitlbee /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:bitlbee_t:s0
Target Context system_u:object_r:system_dbusd_var_run_t:s0
Target Objects [ sock_file ]
Source bitlbee
Source Path /usr/sbin/bitlbee
Port <Unknown>
Host localhost.localdomain
Source RPM Packages bitlbee-3.2.2-1.fc20.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.12.1-176.fc20.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name localhost.localdomain
Platform Linux localhost.localdomain 3.15.3-200.fc20.x86_64
#1 SMP Tue Jul 1 16:18:00 UTC 2014 x86_64 x86_64
Alert Count 1
First Seen 2014-07-09 10:11:25 CEST
Last Seen 2014-07-09 10:11:25 CEST
Local ID 501a25f9-c1c8-4b42-8b75-1d10bd8e6423
Raw Audit Messages
type=AVC msg=audit(1404893485.538:465): avc: denied { write } for pid=6155 comm="bitlbee" name="system_bus_socket" dev="tmpfs" ino=17945 scontext=system_u:system_r:bitlbee_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1404893485.538:465): arch=x86_64 syscall=connect success=no exit=EACCES a0=8 a1=7fff2c31bb50 a2=21 a3=7fff2c31b900 items=0 ppid=1 pid=6155 auid=4294967295 uid=990 gid=989 euid=990 suid=990 fsuid=990 egid=989 sgid=989 fsgid=989 tty=(none) ses=4294967295 comm=bitlbee exe=/usr/sbin/bitlbee subj=system_u:system_r:bitlbee_t:s0 key=(null)
Hash: bitlbee,bitlbee_t,system_dbusd_var_run_t,sock_file,write
SELinux is preventing /usr/sbin/bitlbee from connectto access on the unix_stream_socket .
***** Plugin catchall (100. confidence) suggests **************************
If you believe that bitlbee should be allowed connectto access on the unix_stream_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep bitlbee /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:bitlbee_t:s0
Target Context system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
Target Objects [ unix_stream_socket ]
Source bitlbee
Source Path /usr/sbin/bitlbee
Port <Unknown>
Host localhost.localdomain
Source RPM Packages bitlbee-3.2.2-1.fc20.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.12.1-176.fc20.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name localhost.localdomain
Platform Linux localhost.localdomain 3.15.3-200.fc20.x86_64
#1 SMP Tue Jul 1 16:18:00 UTC 2014 x86_64 x86_64
Alert Count 1
First Seen 2014-07-09 10:13:15 CEST
Last Seen 2014-07-09 10:13:15 CEST
Local ID 89117187-4647-4a78-af1e-1a4fa664403e
Raw Audit Messages
type=AVC msg=audit(1404893595.555:472): avc: denied { connectto } for pid=6231 comm="bitlbee" path="/run/dbus/system_bus_socket" scontext=system_u:system_r:bitlbee_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=SYSCALL msg=audit(1404893595.555:472): arch=x86_64 syscall=connect success=no exit=EACCES a0=8 a1=7fff46bd7030 a2=21 a3=7fff46bd6de0 items=0 ppid=1 pid=6231 auid=4294967295 uid=990 gid=989 euid=990 suid=990 fsuid=990 egid=989 sgid=989 fsgid=989 tty=(none) ses=4294967295 comm=bitlbee exe=/usr/sbin/bitlbee subj=system_u:system_r:bitlbee_t:s0 key=(null)
Hash: bitlbee,bitlbee_t,system_dbusd_t,unix_stream_socket,connectto
And a te file with a fix:
module bitlbee-fix 1.0;
require {
type bitlbee_var_t;
type system_dbusd_var_run_t;
type bitlbee_t;
type system_dbusd_t;
class sock_file write;
class unix_stream_socket connectto;
class dir { create search };
}
#============= bitlbee_t ==============
allow bitlbee_t bitlbee_var_t:dir create;
allow bitlbee_t system_dbusd_t:unix_stream_socket connectto;
allow bitlbee_t system_dbusd_var_run_t:dir search;
allow bitlbee_t system_dbusd_var_run_t:sock_file write;
Yes, could you please clone this bug? In general yes, but from what I got from upstream we should better switch to BitlBee forkdaemon mode. So let's wait till we are able to do that. The libpurple is anyway problematic without forkdaemon (sorry, mixed them up) so I will have to cause non-libpurple builds for Fedora - that makes the issue disappearing for regular users again. bitlbee-3.2.2-1.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/FEDORA-2014-8126/bitlbee-3.2.2-1.fc19 bitlbee-3.2.2-2.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/FEDORA-2014-8129/bitlbee-3.2.2-2.fc20 Package bitlbee-3.2.2-2.fc19: * should fix your issue, * was pushed to the Fedora 19 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing bitlbee-3.2.2-2.fc19' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2014-8126/bitlbee-3.2.2-2.fc19 then log in and leave karma (feedback). bitlbee-3.2.2-3.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report. bitlbee-3.2.2-3.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report. |
Description of problem: Every time I identify myself I'm getting two AVC denials. Everything works otherwise, but it is still annoying to see them everytime. Version-Release number of selected component (if applicable): 3.2.2 How reproducible: Just identify myself to be able to join some jabber conference room. Steps to Reproduce: 1. When connecting to bitlbee service, root will ask you to identify yourself. 2. Type "identify <yournick>" 3. AVC denials show up. Actual results: AVC denials show up. Expected results: No AVC denials. Additional info: Denials are about some directory search/creation which happens to be have path "" (empty). SELinux is preventing /usr/sbin/bitlbee from search access on the directory . ***** Plugin catchall (100. confidence) suggests ************************** If you believe that bitlbee should be allowed search access on the directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep bitlbee /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:bitlbee_t:s0 Target Context system_u:object_r:system_dbusd_var_run_t:s0 Target Objects [ dir ] Source bitlbee Source Path /usr/sbin/bitlbee Port <Unknown> Host localhost.localdomain Source RPM Packages bitlbee-3.2.2-1.fc20.x86_64 Target RPM Packages Policy RPM selinux-policy-3.12.1-176.fc20.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name localhost.localdomain Platform Linux localhost.localdomain 3.15.3-200.fc20.x86_64 #1 SMP Tue Jul 1 16:18:00 UTC 2014 x86_64 x86_64 Alert Count 4 First Seen 2014-07-08 11:19:38 CEST Last Seen 2014-07-09 09:30:52 CEST Local ID 6ed17827-c028-4093-8b30-7a3f5899d15e Raw Audit Messages type=AVC msg=audit(1404891052.967:447): avc: denied { search } for pid=946 comm="bitlbee" name="dbus" dev="tmpfs" ino=17944 scontext=system_u:system_r:bitlbee_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=dir type=SYSCALL msg=audit(1404891052.967:447): arch=x86_64 syscall=connect success=no exit=EACCES a0=8 a1=7fff109d26e0 a2=21 a3=7fff109d2490 items=0 ppid=1 pid=946 auid=4294967295 uid=990 gid=989 euid=990 suid=990 fsuid=990 egid=989 sgid=989 fsgid=989 tty=(none) ses=4294967295 comm=bitlbee exe=/usr/sbin/bitlbee subj=system_u:system_r:bitlbee_t:s0 key=(null) Hash: bitlbee,bitlbee_t,system_dbusd_var_run_t,dir,search SELinux is preventing /usr/sbin/bitlbee from create access on the directory . ***** Plugin catchall (100. confidence) suggests ************************** If you believe that bitlbee should be allowed create access on the directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep bitlbee /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:bitlbee_t:s0 Target Context system_u:object_r:bitlbee_var_t:s0 Target Objects [ dir ] Source bitlbee Source Path /usr/sbin/bitlbee Port <Unknown> Host localhost.localdomain Source RPM Packages bitlbee-3.2.2-1.fc20.x86_64 Target RPM Packages Policy RPM selinux-policy-3.12.1-176.fc20.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name localhost.localdomain Platform Linux localhost.localdomain 3.15.3-200.fc20.x86_64 #1 SMP Tue Jul 1 16:18:00 UTC 2014 x86_64 x86_64 Alert Count 13 First Seen 2014-07-08 11:19:38 CEST Last Seen 2014-07-09 09:35:59 CEST Local ID a67de085-9552-4f99-b691-a68262e9fb5a Raw Audit Messages type=AVC msg=audit(1404891359.970:451): avc: denied { create } for pid=946 comm="bitlbee" name="purple" scontext=system_u:system_r:bitlbee_t:s0 tcontext=system_u:object_r:bitlbee_var_t:s0 tclass=dir type=SYSCALL msg=audit(1404891359.970:451): arch=x86_64 syscall=mkdir success=no exit=EACCES a0=7f5a27831b10 a1=1c0 a2=ffffffffffffff60 a3=7f5a246ef7b8 items=0 ppid=1 pid=946 auid=4294967295 uid=990 gid=989 euid=990 suid=990 fsuid=990 egid=989 sgid=989 fsgid=989 tty=(none) ses=4294967295 comm=bitlbee exe=/usr/sbin/bitlbee subj=system_u:system_r:bitlbee_t:s0 key=(null) Hash: bitlbee,bitlbee_t,bitlbee_var_t,dir,create I fixed that myself by installing an additional policy, but that shouldn't be needed.