Bug 505073

Summary: SELinux is preventing bitlbee (bitlbee_t) "read" etc_runtime_t.
Product: Fedora
Reporter: Matěj Cepl <mcepl>
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: rawhide
CC: dwalsh, jkubin, mcepl, mgrepl, redhat-bugzilla
Keywords: SELinux
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2009-06-12 11:44:31 UTC

Description Matěj Cepl 2009-06-10 15:26:34 UTC
Summary:

SELinux is preventing bitlbee (bitlbee_t) "read" etc_runtime_t.

Detailed Description:

SELinux denied access requested by bitlbee. It is not expected that this access
is required by bitlbee and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access; see the FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385). Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:bitlbee_t:s0-s0:c0.c1023
Target Context                system_u:object_r:etc_runtime_t:s0
Target Objects                hosts [ file ]
Source                        bitlbee
Source Path                   /usr/sbin/bitlbee
Port                          <Unknown>
Host                          bradford
Source RPM Packages           bitlbee-1.2.3-2.fc11
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.12-45.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     bradford
Platform                      Linux bradford 2.6.29.4-167.fc11.x86_64 #1 SMP Wed May 27 17:27:08 EDT 2009 x86_64 x86_64
Alert Count                   4
First Seen                    Mon 8 June 2009, 20:46:33 CEST
Last Seen                     Wed 10 June 2009, 17:02:20 CEST
Local ID                      d821d57e-5245-4dde-aa78-9b4821b2245d
Line Numbers                  

Raw Audit Messages            

node=bradford type=AVC msg=audit(1244646140.321:527): avc:  denied  { read } for  pid=15823 comm="bitlbee" name="hosts" dev=dm-1 ino=9583 scontext=system_u:system_r:bitlbee_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file

node=bradford type=SYSCALL msg=audit(1244646140.321:527): arch=c000003e syscall=2 success=no exit=-13 a0=7f114b0d7b60 a1=80000 a2=1b6 a3=238 items=0 ppid=22689 pid=15823 auid=4294967295 uid=490 gid=482 euid=490 suid=490 fsuid=490 egid=482 sgid=482 fsgid=482 tty=(none) ses=4294967295 comm="bitlbee" exe="/usr/sbin/bitlbee" subj=system_u:system_r:bitlbee_t:s0-s0:c0.c1023 key=(null)

Comment 1 Robert Scheck 2009-06-10 15:59:45 UTC
Re-assigning to Daniel...I think, this is your turn here. Otherwise please
let me know. Thank you.

Comment 2 Daniel Walsh 2009-06-10 17:29:30 UTC
Matej,
What created the /etc/hosts file? It is mislabeled. restorecon /etc/hosts will fix.

Comment 3 Matěj Cepl 2009-06-10 21:32:51 UTC
(In reply to comment #2)
> Matej, 
> What created the /etc/hosts file. it is mislabeled.  restorecon /etc/hosts will
> fix.  

Hmm, why don't I have /etc/hosts in /etc/selinux/restorecond.conf on this very default Fedora 11 install, and why don't I have to put chkconfig restorecond on?

Comment 4 Daniel Walsh 2009-06-11 15:52:00 UTC
restorecond is not needed by default.   But some process/init script rewrote the /etc/hosts file and I would like to make sure this script fixes the label when it is done.

Comment 5 Matěj Cepl 2009-06-11 23:08:52 UTC
(In reply to comment #4)
> restorecond is not needed by default.   But some process/init script rewrote
> the /etc/hosts file and I would like to make sure this script fixes the label
> when it is done.  

I think the wrong label happened by mv from backups ... I have installed a totally clean system on a clean hard drive (actually I got a new computer from RH) and refreshed files in /etc only on an as-needed basis from backups. Apparently I did the dreaded mv instead of cp.

Comment 6 Daniel Walsh 2009-06-12 11:44:31 UTC
I also changed policy to allow all domains that can read etc_t to be able to read etc_runtime_t. etc_runtime_t is created by init scripts editing /etc files. The security difference between an etc_runtime_t and an etc_t is very limited, and init scripts can run restorecon to fix etc_runtime_t to etc_t.

This means they are security-wise equivalent labels.

Fixed in selinux-policy-3.6.14-3.fc12
selinux-policy-3.6.12-49.fc11
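As an added example (not part of this bug report, of setroubleshoot, or of selinux-policy), the following POSIX shell script shows the triage a defender would do on a denial like the one above: pull the source type, target type, object class and permission out of the raw AVC record, flag a `*_runtime_t` target on a plain file as a likely labeling leftover rather than a policy gap (the pattern Dan points at in comment 2), and preview the fix with `restorecon -nv`, which reports what it would relabel without changing anything. The first record is copied verbatim from the report; the second record, the `*_runtime_t` heuristic and the `/etc/hosts` path are constructed or assumed for the example. The reason the `mv` in comment 5 matters is that `mv` keeps the file's existing security context, while `cp` (without `-a` or `--preserve=context`) writes a new inode that receives the destination directory's default label; `restorecon` resets either to what the policy's file contexts specify.

```shell
#!/bin/sh
# Added example (not from the bug report): triage an AVC denial and preview the relabel.

# Copied from the report above.
SAMPLE_AVC='node=bradford type=AVC msg=audit(1244646140.321:527): avc:  denied  { read } for  pid=15823 comm="bitlbee" name="hosts" dev=dm-1 ino=9583 scontext=system_u:system_r:bitlbee_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file'

# Constructed for the example: the same denial against a correctly labeled etc_t file,
# which would be a genuine policy gap rather than a mislabel.
SAMPLE_AVC_ETC='node=bradford type=AVC msg=audit(1244646141.000:528): avc:  denied  { read } for  pid=15824 comm="bitlbee" name="hosts" dev=dm-1 ino=9584 scontext=system_u:system_r:bitlbee_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file'

# avc_field RECORD KEY: print the value of KEY=... with surrounding quotes removed.
# Runs in a subshell so 'set -f' (no pathname expansion while word-splitting) stays local.
avc_field() (
    set -f
    for tok in $1; do
        case $tok in
            "$2="*) val=${tok#"$2="}; val=${val#\"}; val=${val%\"}
                    printf '%s\n' "$val"; exit 0 ;;
        esac
    done
    exit 1
)

# avc_perms RECORD: print the permissions inside "{ ... }", e.g. "read".
avc_perms() {
    lb='{'; rb='}'
    p=${1#*"$lb" }
    printf '%s\n' "${p%% "$rb"*}"
}

# ctx_type CONTEXT: the type field of user:role:type[:range].
ctx_type() {
    t=${1#*:}; t=${t#*:}
    printf '%s\n' "${t%%:*}"
}

# avc_summary RECORD: one line "src_type tgt_type class perms name".
avc_summary() {
    printf '%s %s %s %s %s\n' \
        "$(ctx_type "$(avc_field "$1" scontext)")" \
        "$(ctx_type "$(avc_field "$1" tcontext)")" \
        "$(avc_field "$1" tclass)" \
        "$(avc_perms "$1")" \
        "$(avc_field "$1" name)"
}

# runtime_label_suspect RECORD: "yes" when the target is a plain file carrying a
# *_runtime_t type. On a configuration file under /etc that usually means the label
# came from how the file was written (mv from elsewhere, a script rewriting it),
# so restorecon is the first thing to try before touching policy. Heuristic, assumed.
runtime_label_suspect() {
    t=$(ctx_type "$(avc_field "$1" tcontext)")
    c=$(avc_field "$1" tclass)
    case $t in
        *_runtime_t) if [ "$c" = file ]; then echo yes; else echo no; fi ;;
        *)           echo no ;;
    esac
}

# label_check PATH: dry-run restorecon (-n: change nothing, -v: print would-be changes).
# Skipped, with a non-zero status, on hosts without the SELinux tools.
label_check() {
    if command -v restorecon >/dev/null 2>&1; then
        restorecon -nv "$1"
    else
        echo "restorecon not available; cannot check $1" >&2
        return 1
    fi
}

# Usage when run stand-alone:
avc_summary "$SAMPLE_AVC"               # bitlbee_t etc_runtime_t file read hosts
runtime_label_suspect "$SAMPLE_AVC"     # yes
runtime_label_suspect "$SAMPLE_AVC_ETC" # no
label_check /etc/hosts || true          # dry run; prints a relabel line only if the label is wrong
```

If the dry run prints a relabel for the file, `restorecon -v /etc/hosts` is the fix the thread arrives at; if it prints nothing, the label already matches policy and the denial is a real gap, which is the case for the `audit2allow`-style local module the FAQ link in the description describes.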