Bug 651384

Summary: SELinux is preventing /usr/sbin/bitlbee "setsched" access .
Product: [Fedora] Fedora Reporter: Matěj Cepl <mcepl>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: medium    
Version: 14CC: dwalsh, mcepl, mgrepl
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard: setroubleshoot_trace_hash:01d851f59abf38c5851294a55f2c80b10a552fb9459329a3db599fcfc4595938
Fixed In Version: selinux-policy-3.9.7-10.fc14 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-11-11 22:17:17 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Matěj Cepl 2010-11-09 13:13:31 UTC 
Souhrn:

SELinux is preventing /usr/sbin/bitlbee "setsched" access .

Podrobný popis:

[SELinux je v tolerantním režimu. Přístup byl povolen.]

SELinux denied access requested by bitlbee. It is not expected that this access
is required by bitlbee and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Povolení přístupu:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Další informace:

Kontext zdroje                unconfined_u:system_r:bitlbee_t:s0-s0:c0.c1023
Kontext cíle                  unconfined_u:system_r:bitlbee_t:s0-s0:c0.c1023
Objekty cíle                  None [ process ]
Zdroj                         bitlbee
Cesta zdroje                  /usr/sbin/bitlbee
Port                          <Neznámé>
Počítač                       (odstraněno)
RPM balíčky zdroje            bitlbee-3.0-1.nss.1.fc15
RPM balíčky cíle              
RPM politiky                  selinux-policy-3.9.7-7.fc14
Selinux povolen               True
Typ politiky                  targeted
Vynucovací režim              Permissive
Název zásuvného modulu        catchall
Název počítače                (odstraněno)
Platforma                     Linux (odstraněno) 2.6.35.6-48.fc14.x86_64 #1 SMP Fri
                              Oct 22 15:36:08 UTC 2010 x86_64 x86_64
Počet upozornění              1
Poprvé viděno                 Út 9. listopad 2010, 09:25:57 CET
Naposledy viděno              Út 9. listopad 2010, 09:25:57 CET
Místní ID                     bc50e054-597e-4e3b-979d-c965ba6c91bb
Čísla řádků                   

Původní zprávy auditu         

node=(odstraněno) type=AVC msg=audit(1289291157.129:11921): avc:  denied  { setsched } for  pid=11436 comm="bitlbee" scontext=unconfined_u:system_r:bitlbee_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:bitlbee_t:s0-s0:c0.c1023 tclass=process

node=(odstraněno) type=SYSCALL msg=audit(1289291157.129:11921): arch=c000003e syscall=144 success=yes exit=0 a0=2cac a1=0 a2=7fffd6521e40 a3=1 items=0 ppid=3819 pid=11436 auid=500 uid=493 gid=489 euid=493 suid=493 fsuid=493 egid=489 sgid=489 fsgid=489 tty=(none) ses=1 comm="bitlbee" exe="/usr/sbin/bitlbee" subj=unconfined_u:system_r:bitlbee_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  catchall,bitlbee,bitlbee_t,bitlbee_t,process,setsched
audit2allow suggests:

#============= bitlbee_t ==============
allow bitlbee_t self:process setsched;
Comment 1 Matěj Cepl 2010-11-09 13:18:05 UTC 
This is a development version of bitlbee using NSS (the packaged one in Fedora uses OpenSSL or GNUTLS). I would love to use bitlbee-with-NSS in Fedora, but it generates this AVC. The backtrace is

Catchpoint 1 (call to syscall 'sched_setscheduler'), 0x00000032e74cb3b7 in sched_setscheduler () at ../sysdeps/unix/syscall-template.S:82
82	T_PSEUDO (SYSCALL_SYMBOL, SYSCALL_NAME, SYSCALL_NARGS)
(gdb) bt
#0  0x00000032e74cb3b7 in sched_setscheduler ()
    at ../sysdeps/unix/syscall-template.S:82
#1  0x00000032e7808401 in __pthread_setschedparam (threadid=140737353938720, 
    policy=0, param=<value optimized out>) at pthread_setschedparam.c:58
#2  0x00000032f6c29222 in PR_SetThreadPriority (thred=0x899d70, newPri=
    PR_PRIORITY_NORMAL)
    at ../../../mozilla/nsprpub/pr/src/pthreads/ptthread.c:708
#3  0x00000032f6c2956a in _PR_InitThreads (type=PR_USER_THREAD, priority=
    PR_PRIORITY_NORMAL, maxPTDs=<value optimized out>)
    at ../../../mozilla/nsprpub/pr/src/pthreads/ptthread.c:955
#4  0x00000032f6c1a5ca in _PR_InitStuff ()
    at ../../../mozilla/nsprpub/pr/src/misc/prinit.c:212
#5  0x00000000004298e8 in ssl_init ()
#6  0x0000000000421e61 in main ()
(gdb)
Comment 2 Daniel Walsh 2010-11-09 13:19:25 UTC 
Just add the access.
Comment 3 Miroslav Grepl 2010-11-10 08:42:34 UTC 
Fixed in selinux-policy-3.9.7-10.fc14
Comment 4 Fedora Update System 2010-11-10 15:55:35 UTC 
selinux-policy-3.9.7-10.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-10.fc14
Comment 5 Fedora Update System 2010-11-10 21:49:17 UTC 
selinux-policy-3.9.7-10.fc14 has been pushed to the Fedora 14 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-10.fc14
Comment 6 Matěj Cepl 2010-11-10 23:11:19 UTC 
Just to confirm that the new version fixes my problem.
Comment 7 Miroslav Grepl 2010-11-11 08:14:51 UTC 
Matej,
could you update the karma.
Comment 8 Matěj Cepl 2010-11-11 16:06:52 UTC 
(In reply to comment #7)
> Matej,
> could you update the karma.

done. Thank you
Comment 9 Fedora Update System 2010-11-11 22:16:36 UTC 
selinux-policy-3.9.7-10.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.