Bug 692513

Summary: SELinux is preventing /usr/libexec/telepathy-gabble from 'remove_name' accesses on the directory caps-cache.db-journal.
Product: Fedora
Reporter: Jóhann B. Guðmundsson <johannbg>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: unspecified
Version: 15
CC: archawka, domg444, dominick.grift, dwalsh, hedayaty, mgrepl, phdoerfler
Hardware: x86_64
OS: Linux
Whiteboard: setroubleshoot_trace_hash:1c488edbc730a6e996e22228b916f644351596a52e1cfe58a2e24f61f7e299f1
Doc Type: Bug Fix
Last Closed: 2011-03-31 20:01:59 UTC

Description Jóhann B. Guðmundsson 2011-03-31 13:05:34 UTC
SELinux is preventing /usr/libexec/telepathy-gabble from 'remove_name' accesses on the directory caps-cache.db-journal.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that telepathy-gabble should be allowed remove_name access on the caps-cache.db-journal directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep telepathy-gabbl /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:telepathy_gabble_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:user_home_t:s0
Target Objects                caps-cache.db-journal [ dir ]
Source                        telepathy-gabbl
Source Path                   /usr/libexec/telepathy-gabble
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           telepathy-gabble-0.11.8-1.fc15
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.16-6.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux valhalla.rhi.hi.is 2.6.38.2-9.fc15.x86_64 #1 SMP Wed Mar 30 16:55:57 UTC 2011 x86_64 x86_64
Alert Count                   1
First Seen                    Thu 31 Mar 2011 12:44:23 PM GMT
Last Seen                     Thu 31 Mar 2011 12:44:23 PM GMT
Local ID                      f1590c6d-3b1e-4699-8247-e00a5574d13a

Raw Audit Messages
type=AVC msg=audit(1301575463.996:312): avc:  denied  { remove_name } for  pid=30049 comm="telepathy-gabbl" name="caps-cache.db-journal" dev=dm-3 ino=2228740 scontext=unconfined_u:unconfined_r:telepathy_gabble_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir


type=AVC msg=audit(1301575463.996:312): avc:  denied  { unlink } for  pid=30049 comm="telepathy-gabbl" name="caps-cache.db-journal" dev=dm-3 ino=2228740 scontext=unconfined_u:unconfined_r:telepathy_gabble_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file


type=SYSCALL msg=audit(1301575463.996:312): arch=x86_64 syscall=unlink success=yes exit=0 a0=110626f a1=110626f a2=0 a3=0 items=0 ppid=1 pid=30049 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm=telepathy-gabbl exe=/usr/libexec/telepathy-gabble subj=unconfined_u:unconfined_r:telepathy_gabble_t:s0-s0:c0.c1023 key=(null)

Hash: telepathy-gabbl,telepathy_gabble_t,user_home_t,dir,remove_name

audit2allow

#============= telepathy_gabble_t ==============
allow telepathy_gabble_t user_home_t:dir remove_name;
allow telepathy_gabble_t user_home_t:file unlink;

audit2allow -R

#============= telepathy_gabble_t ==============
allow telepathy_gabble_t user_home_t:dir remove_name;
allow telepathy_gabble_t user_home_t:file unlink;

Comment 1 Daniel Walsh 2011-03-31 13:10:07 UTC
Where is caps-cache.db-journal in your homedir? Could you run restorecon -R -v ~/

And see if this changes any labels related to this avc?

Comment 2 Jóhann B. Guðmundsson 2011-03-31 13:41:26 UTC
/home/johannbg/.cache/wocky/caps/caps-cache.db is what I find.

Looks like a change compared to F14 in telepathy.

/share/F14Backup/johannbg/.cache/telepathy/gabble/caps-cache.db

Comment 3 Daniel Walsh 2011-03-31 13:51:09 UTC
What is the wocky and caps directory?

Comment 4 Dominick Grift 2011-03-31 14:03:09 UTC
I am not sure about wocky (must be new in fedora 15's gabble), but caps is confirmed here:

ls -alZ ~/.cache/telepathy/gabble
drwxr-xr-x. dgrift dgrift staff_u:object_r:tp_gabble_cache_home_t:s0 .
drwx------. dgrift dgrift staff_u:object_r:tp_cache_home_t:s0 ..
-rw-r--r--. dgrift dgrift staff_u:object_r:tp_gabble_cache_home_t:s0 caps-cache.db

logger also dumps stuff in ~/.cache/telepathy:

ls -alZ ~/.cache/telepathy/
drwx------. dgrift dgrift staff_u:object_r:tp_cache_home_t:s0 .
drwx------. dgrift dgrift staff_u:object_r:cache_home_t:s0 ..
drwx------. dgrift dgrift staff_u:object_r:empathy_cache_home_t:s0 avatars
drwxr-xr-x. dgrift dgrift staff_u:object_r:tp_gabble_cache_home_t:s0 gabble
drwx------. dgrift dgrift staff_u:object_r:tp_logger_cache_home_t:s0 logger

HOME_DIR/\.mission-control(/.*)?	gen_context(system_u:object_r:tp_mission_control_home_t,s0)
HOME_DIR/\.cache/\.mc_connections	--	gen_context(system_u:object_r:tp_mission_control_cache_home_t,s0)
HOME_DIR/\.cache/telepathy(/.*)?		gen_context(system_u:object_r:tp_cache_home_t,s0)
HOME_DIR/\.cache/telepathy/gabble(/.*)?		gen_context(system_u:object_r:tp_gabble_cache_home_t,s0)
HOME_DIR/\.cache/telepathy/logger(/.*)?		gen_context(system_u:object_r:tp_logger_cache_home_t,s0)
HOME_DIR/\.local/share/TpLogger(/.*)?	gen_context(system_u:object_r:tp_logger_data_home_t,s0)

Question is: why is ~/.cache labelled user_home_t instead of cache_home_t in this bugzilla?

Comment 5 Dominick Grift 2011-03-31 14:09:55 UTC
Looks like some labelling issue at the least (user_home_t vs. cache_home_t)

Looks like the home directory is in a different location?

/share/F14Backup/johannbg/.cache/

Might be related to restorecond -u.

Comment 6 Jóhann B. Guðmundsson 2011-03-31 14:14:39 UTC
"Wocky: an XMPP library that is built entirely asynchronously, makes it easier to provide more modern XMPP features, and takes advantage of the latest GLib features, such as gnio. Wocky source is directly in the gabble tree (via a git submodule). "

http://telepathy.freedesktop.org/wiki/Components

Comment 7 Dominick Grift 2011-03-31 14:16:11 UTC
AVC denial makes perfect sense. Telepathy is not allowed to delete generic user
home content.

Let alone manage it.

So, some labelling issue must have occurred between creation of these objects
and this event of deleting.

Comment 8 Dominick Grift 2011-03-31 14:23:17 UTC
There is wocky support in Fedora.

You have a labelling issue, I suspect. restorecon -R -v ~/.cache should fix it.
This labelling issue was not there before, because if it were, then gabble would not be able to create these files in the first place.
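
The AVC records quoted in the Description and the file-context entries listed in Comment 4 are enough to automate the triage Dominick walks through: is the object carrying a type the policy would never assign (a relabel problem, fixed with restorecon), or are the labels right and the policy itself lacks the rule (a real selinux-policy bug)? The Python below is an added example and is not code from this bug report, from setroubleshoot or from audit2allow. It parses the two AVC lines above, prints the allow rules audit2allow would generate (to make visible how broad they are: delete rights on every user_home_t object for the whole telepathy_gabble_t domain), and computes the label the policy would assign to the reporter's path with a simplified matchpathcon. Assumptions: the two generic HOME_DIR entries (user_home_t, cache_home_t) are taken from the standard reference policy and are not on this page; the path /home/johannbg/.cache/wocky/caps comes from Comment 2; the matching rule (longest literal stem wins) approximates libselinux rather than reimplementing it.

```python
"""Added example: triage an SELinux AVC denial as 'relabel' vs 'policy gap'.
Not part of the bug report; see the lead-in for the assumptions made."""
import re

# Constructed sample input: the two AVC records quoted in the Description.
AVC_RECORDS = """\
type=AVC msg=audit(1301575463.996:312): avc:  denied  { remove_name } for  pid=30049 comm="telepathy-gabbl" name="caps-cache.db-journal" dev=dm-3 ino=2228740 scontext=unconfined_u:unconfined_r:telepathy_gabble_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1301575463.996:312): avc:  denied  { unlink } for  pid=30049 comm="telepathy-gabbl" name="caps-cache.db-journal" dev=dm-3 ino=2228740 scontext=unconfined_u:unconfined_r:telepathy_gabble_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
"""

# File-context entries. The telepathy lines are the ones quoted in Comment 4;
# the two generic HOME_DIR lines are ASSUMED from the standard reference policy
# and do not appear on the page.
FILE_CONTEXTS = [
    (r"HOME_DIR/.*", "user_home_t"),                                   # assumed
    (r"HOME_DIR/\.cache(/.*)?", "cache_home_t"),                       # assumed
    (r"HOME_DIR/\.cache/telepathy(/.*)?", "tp_cache_home_t"),
    (r"HOME_DIR/\.cache/telepathy/gabble(/.*)?", "tp_gabble_cache_home_t"),
    (r"HOME_DIR/\.cache/telepathy/logger(/.*)?", "tp_logger_cache_home_t"),
]

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?comm="(?P<comm>[^"]*)"'
    r'.*?name="(?P<name>[^"]*)".*?scontext=(?P<scontext>\S+)\s+'
    r'tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)')


def parse_avc(text):
    """One dict per 'avc: denied' record; stype/ttype are the SELinux types
    (third colon-separated field) of the source and target contexts."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        d["perms"] = d["perms"].split()
        d["stype"] = d["scontext"].split(":")[2]
        d["ttype"] = d["tcontext"].split(":")[2]
        denials.append(d)
    return denials


def allow_rules(denials):
    """The allow rules audit2allow prints for these denials. Each grants the
    whole source domain the permission on every object of the target type,
    which is why 'user_home_t' as a target deserves a second look first."""
    merged = {}
    for d in denials:
        merged.setdefault((d["stype"], d["ttype"], d["tclass"]), set()).update(d["perms"])
    rules = []
    for (s, t, c), perms in sorted(merged.items()):
        p = " ".join(sorted(perms))
        rules.append(f"allow {s} {t}:{c} {p if len(perms) == 1 else '{ ' + p + ' }'};")
    return rules


def _stem_len(regex):
    """Length of the literal prefix (the 'stem') of a file-context regex:
    everything before the first unescaped regex metacharacter."""
    n = i = 0
    while i < len(regex):
        if regex[i] == "\\":
            i += 2
        elif regex[i] in ".*?+()[]{}|^$":
            break
        else:
            i += 1
        n += 1
    return n


def expected_type(path, home="/home/johannbg"):
    """Simplified matchpathcon: substitute HOME_DIR, require a full-path match,
    and among matching entries take the one with the longest stem (the most
    specific entry). An approximation of libselinux, not a reimplementation."""
    best = (-1, None)
    for regex, stype in FILE_CONTEXTS:
        if re.fullmatch(regex.replace("HOME_DIR", re.escape(home)), path):
            best = max(best, (_stem_len(regex), stype))
    return best[1]


def triage(denial, path, home="/home/johannbg"):
    """'relabel' when the object carries a type the policy would not assign
    (fix with restorecon); 'policy' when labels are right and the rule is
    missing. The AVC name= field is only a base name, so the full path must
    come from the reporter (Comment 2 here)."""
    expected = expected_type(path, home)
    if expected != denial["ttype"]:
        return ("relabel", expected, f"restorecon -R -v {home}/.cache")
    return ("policy", expected, "report against selinux-policy; audit2allow shows the missing rule")


if __name__ == "__main__":
    denials = parse_avc(AVC_RECORDS)
    journal = "/home/johannbg/.cache/wocky/caps/caps-cache.db-journal"
    for d in denials:
        print(f"{d['comm']}: {d['stype']} denied {d['perms']} on {d['ttype']}:{d['tclass']} ({d['name']})")
    print("audit2allow would emit:", *allow_rules(denials), sep="\n  ")
    print("policy expects:", expected_type(journal), "-> verdict:", triage(denials[1], journal))
```

On a live system the same comparison is `ls -Z` on the path against `matchpathcon` on it. Note that ~/.cache/wocky matches none of the telepathy-specific entries in Comment 4, so even after relabelling it carries the generic cache_home_t type; whether telepathy_gabble_t may manage that type is a policy question this thread does not settle.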

Comment 9 Jóhann B. Guðmundsson 2011-03-31 14:29:37 UTC
This is a fresh beta-tc1 install as of this morning, fully updated, in permissive mode.

I've been unsuccessful in recreating the denial after restorecon (quit empathy and started it again); perhaps this got triggered when setting up the googletalk account.

Comment 10 Daniel Walsh 2011-03-31 20:01:59 UTC
Ok if it happens again please reopen.