Bug 2222222
| Field | Value |
|---|---|
| Summary | the bitlbee service triggers SELinux denials when a client connects |
| Product | [Fedora] Fedora |
| Component | selinux-policy |
| Status | CLOSED ERRATA |
| Severity | medium |
| Priority | medium |
| Version | 38 |
| Target Milestone | --- |
| Target Release | --- |
| Hardware | x86_64 |
| OS | Linux |
| Whiteboard | |
| Fixed In Version | selinux-policy-38.22-1.fc38 |
| Doc Text | |
| Clone Of | |
| | 2222434 (view as bug list) |
| Last Closed | 2023-08-01 02:49:13 UTC |
| Regression | --- |
| Documentation | --- |
| Verified Versions | |
| oVirt Team | --- |
| Cloudforms Team | --- |
| Embargoed | |
| Bug Depends On | |
| Bug Blocks | 2222434 |
| Reporter | Milos Malik <mmalik> |
| Assignee | Zdenek Pytela <zpytela> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Docs Contact | |
| CC | dwalsh, lvrabec, mmalik, nknazeko, omosnacek, pkoncity, vmojzis, zpytela |
| Doc Type | If docs needed, set a value |
| Story Points | --- |
| Environment | |
| Type | --- |
| Mount Type | --- |
| CRM | |
| Category | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Target Upstream Version | |
|
Description
Milos Malik
2023-07-12 09:54:05 UTC
When bitlbee is started for the first time, the following SELinux denial appears:
----
type=PROCTITLE msg=audit(07/12/2023 09:14:46.657:845) : proctitle=/usr/sbin/bitlbee -F -n
type=PATH msg=audit(07/12/2023 09:14:46.657:845) : item=0 name=/var/lib/bitlbee/ inode=278675 dev=fc:02 mode=dir,750 ouid=bitlbee ogid=bitlbee rdev=00:00 obj=system_u:object_r:bitlbee_var_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(07/12/2023 09:14:46.657:845) : cwd=/
type=SYSCALL msg=audit(07/12/2023 09:14:46.657:845) : arch=x86_64 syscall=access success=no exit=EACCES(Permission denied) a0=0x55f41fe27160 a1=W_OK a2=0x55f41fe325f0 a3=0xa0 items=1 ppid=1 pid=10224 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=bitlbee exe=/usr/sbin/bitlbee subj=system_u:system_r:bitlbee_t:s0 key=(null)
type=AVC msg=audit(07/12/2023 09:14:46.657:845) : avc: denied { dac_override } for pid=10224 comm=bitlbee capability=dac_override scontext=system_u:system_r:bitlbee_t:s0 tcontext=system_u:system_r:bitlbee_t:s0 tclass=capability permissive=0
----
The following commands can be used to prevent the SELinux denial from appearing again:
# chmod 770 /var/lib/bitlbee
# chown bitlbee:root /var/lib/bitlbee
This is not the final policy, but it makes the service work:
----
# cat local_bitlbee.cil
(allow bitlbee_t bin_t (file (execute execute_no_trans map)))
(allow bitlbee_t bitlbee_var_t (lnk_file (create read)))
(allow bitlbee_t bitlbee_var_t (file (map)))
(allow bitlbee_t dri_device_t (chr_file (getattr)))
(allow bitlbee_t fs_t (filesystem (getattr)))
(allow bitlbee_t bitlbee_t (netlink_kobject_uevent_socket (bind create getattr setopt)))
(allow bitlbee_t sysfs_t (dir (read)))
(allow bitlbee_t sysfs_t (file (getattr open read)))
(allow bitlbee_t sysfs_t (lnk_file (read)))
(allow bitlbee_t tmpfs_t (file (getattr map read write)))
----
Additionally, I used this service drop-in:
----
[Service]
User=bitlbee
Group=bitlbee
----

I am going to clone this bz to make the change in bitlbee.

FEDORA-2023-0b46b767d3 has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2023-0b46b767d3

FEDORA-2023-0b46b767d3 has been pushed to the Fedora 38 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-0b46b767d3`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-0b46b767d3
See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

FEDORA-2023-0b46b767d3 has been pushed to the Fedora 38 stable repository.
If problem still persists, please make note of it in this bug report.