Bug 698559

Summary: SELinux is preventing /usr/libexec/telepathy-sofiasip from name_bind access on the tcp_socket port
Product: [Fedora] Fedora
Reporter: Robert Swain <robert.swain>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED WONTFIX
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 15
CC: domg444, dwalsh, mgrepl
Target Milestone: ---
Keywords: Reopened
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: selinux-policy-3.9.16-18.fc15
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2011-05-02 03:39:29 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Robert Swain 2011-04-21 08:48:00 UTC
Description of problem:

SELinux is preventing /usr/libexec/telepathy-sofiasip from name_bind access on the tcp_socket port 17267.

*****  Plugin bind_ports (92.2 confidence) suggests  *************************

If you want to allow /usr/libexec/telepathy-sofiasip to bind to network port 17267
Then you need to modify the port type.
Do
# semanage port -a -t PORT_TYPE -p tcp 17267
    where PORT_TYPE is one of the following: .

*****  Plugin catchall_boolean (7.83 confidence) suggests  *******************

If you want to allow system to run with NIS
Then you must tell SELinux about this by enabling the 'allow_ypbind' boolean.
Do
setsebool -P allow_ypbind 1

*****  Plugin catchall (1.41 confidence) suggests  ***************************

If you believe that telepathy-sofiasip should be allowed name_bind access on the port 17267 tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep telepathy-sofia /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:telepathy_sofiasip_t:s0-
                              s0:c0.c1023
Target Context                system_u:object_r:port_t:s0
Target Objects                port 17267 [ tcp_socket ]
Source                        telepathy-sofia
Source Path                   /usr/libexec/telepathy-sofiasip
Port                          17267
Host                          minx.workgroup
Source RPM Packages           telepathy-sofiasip-0.7.1-2.fc15
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.16-15.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     minx.workgroup
Platform                      Linux minx.workgroup 2.6.38.2-9.fc15.x86_64 #1 SMP
                              Wed Mar 30 16:55:57 UTC 2011 x86_64 x86_64
Alert Count                   27
First Seen                    Wed 20 Apr 2011 11:19:46 CEST
Last Seen                     Thu 21 Apr 2011 10:39:16 CEST
Local ID                      f933977e-3b91-4ca2-a550-310084a525d2

Raw Audit Messages
type=AVC msg=audit(1303375156.536:78): avc:  denied  { name_bind } for  pid=32356 comm="telepathy-sofia" src=17267 scontext=unconfined_u:unconfined_r:telepathy_sofiasip_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket


type=SYSCALL msg=audit(1303375156.536:78): arch=x86_64 syscall=bind success=no exit=EACCES a0=9 a1=7fff789dd9f0 a2=10 a3=7fff789dd63c items=0 ppid=1 pid=32356 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm=telepathy-sofia exe=/usr/libexec/telepathy-sofiasip subj=unconfined_u:unconfined_r:telepathy_sofiasip_t:s0-s0:c0.c1023 key=(null)

Hash: telepathy-sofia,telepathy_sofiasip_t,port_t,tcp_socket,name_bind

audit2allow

#============= telepathy_sofiasip_t ==============
#!!!! This avc is allowed in the current policy

allow telepathy_sofiasip_t port_t:tcp_socket name_bind;

audit2allow -R

#============= telepathy_sofiasip_t ==============
#!!!! This avc is allowed in the current policy

allow telepathy_sofiasip_t port_t:tcp_socket name_bind;

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Configure a SIP account in Empathy using telepathy-sofiasip
2. Try to connect
3. Observe the issue
  
Actual results:

Connection fails. SELinux warns as pasted above but for a different port every time.

Expected results:

Connection succeeds.

Comment 1 Robert Swain 2011-04-21 09:16:36 UTC
This is preventing me from making business calls using Empathy/telepathy-sofiasip when I should be able to as I know this software works well for SIP calls.

I have tried some of the workarounds:

setsebool -P allow_ypbind 1

Which led to another SELinux message about name_bind to a raw socket or something like that and suggested I do the following:

grep telepathy-sofia /var/log/audit/audit.log | audit2allow -M mypol
semodule -i mypol.pp

This didn't work either. I found ticket #633788 and specifically the discussion in comment 11 [1] seemed to suggest that Dominick Grift is aware of the issue with SIP needing access to various ports and only wanted to block it for haze because haze's SIP support was to be disabled in telepathy anyway.

Is there some functional workaround I can implement to allow me to use SIP as intended in telepathy-sofiasip?

[1] https://bugzilla.redhat.com/show_bug.cgi?id=633788#c11

Comment 2 Miroslav Grepl 2011-04-21 10:15:32 UTC
The transition from unconfined to the telepathy_sofiasip_t domain will be removed in the next release. A new build/update should be available today.

You can use a permissive domain as a workaround:

# semanage permissive -a telepathy_sofiasip_t


After that, could you add the AVC messages which you see.

Comment 3 Miroslav Grepl 2011-04-21 14:59:30 UTC
Fixed in selinux-policy-3.9.16-16.fc15

Comment 4 Fedora Update System 2011-04-21 15:05:14 UTC
selinux-policy-3.9.16-16.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-16.fc15

Comment 5 Robert Swain 2011-04-21 20:11:37 UTC
Tested the koji builds. They work just fine, thanks for the swift solution.

Comment 6 Fedora Update System 2011-04-22 00:16:26 UTC
Package selinux-policy-3.9.16-16.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-16.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-16.fc15
then log in and leave karma (feedback).

Comment 7 Robert Swain 2011-04-28 13:29:54 UTC
After I tried -16 from koji, the first time it worked OK, but after suspend/resume or rebooting or restarting the app, the next time I tried to connect to the SIP server, it gave the same name_bind issue.

I am now using -19 and when I installed it, it allowed me to connect to the SIP server, but now again it fails to connect and in the Empathy debug logs I see the same telepathy socket opening issues.

For me at the moment, the only consistent and reliable way to have working SIP with Empathy in Fedora 15 is to disable SELinux entirely, which is not the desired outcome, so I'm reporting back here again.

Comment 8 Robert Swain 2011-04-28 13:42:40 UTC
(In reply to comment #7)
> I am now using -19 and when I installed it, it allowed me to connect to the SIP
> server, but now again it fails to connect and in the Empathy debug logs I see
> the same telepathy socket opening issues.

Oops, it seems I am using -18 but it still does not work as described.

Comment 9 Miroslav Grepl 2011-04-28 13:50:00 UTC
You mean this issue?

type=AVC msg=audit(1303375156.536:78): avc:  denied  { name_bind } for 
pid=32356 comm="telepathy-sofia" src=17267
scontext=unconfined_u:unconfined_r:telepathy_sofiasip_t:s0-s0:c0.c1023
tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket

Comment 10 Robert Swain 2011-04-28 14:04:51 UTC
For some reason I am no longer receiving the SELinux notifications about such issues. As mentioned, I did disable (due to wanting SIP to work) and re-enable (due to deciding that I should try harder to help get the problem fixed) SELinux via /etc/selinux/config and rebooting.

However, when trying to connect the SIP account in Empathy with the Empathy debugger open and with the telepathy-sofiasip module selected, connection fails and there are lots and lots of messages about not being able to connect various ports. For example:

tpsip/sofia-DEBUG: 28/04/11 16:03:22.893950: tport_bind_server(0x18fcc50): cannot bind all transports to port 34724, trying 24271

It does this, iterating over different port numbers until it decides it will not succeed. Note that I have also disabled the software firewall to rule that out.

If I can get more useful information for you, please ask.

Comment 11 Miroslav Grepl 2011-04-28 17:54:33 UTC
Dominick,
did you deal with this issue?

I see we have

corenet_udp_bind_all_ports(telepathy_sofiasip_t)

Comment 12 Daniel Walsh 2011-04-28 19:04:05 UTC
This looks like we might need to do what we do with ftp.

corenet_tcp_bind_all_unreserved_ports(telepathy_sofiasip_t)
corenet_dontaudit_tcp_bind_all_ports(telepathy_sofiasip_t)
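
The exchange in comments 11 and 12, together with the audit2allow step in the description, comes down to one question: does the SIP stack only ever land on ports in the unreserved range (so that corenet_tcp_bind_all_unreserved_ports covers it), and should the remaining attempts then be silenced with a dontaudit rather than generating a fresh AVC for "a different port every time". The Python below is an added example, not code from this bug or from the selinux-policy project. It parses single-line AVC records of the form quoted in the description, renders the rule audit2allow would print for each, and collapses repeated denials into one entry per rule with the distinct ports hit and whether every one of them is above 1023. The third record in the sample log (port 80, http_port_t) is constructed for this example so that the reserved-port branch runs; the 1024 threshold is the Linux privileged-port boundary and is an assumption about where the policy interfaces draw the line.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Linux treats ports below 1024 as privileged; the policy interfaces named in
# comment 12 distinguish "all unreserved ports" from "all ports". The exact
# boundary used by the policy is an assumption of this example.
PRIVILEGED_PORT_MAX = 1023

# One AVC record per line, as auditd writes it (a paste wrapped across lines,
# like the one in comment 9, must be re-joined before parsing).
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+"
    r"\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample log: the first two lines are the AVC/SYSCALL pair quoted
# in the bug description; the third is a constructed AVC for a privileged
# port (80, http_port_t) and does not come from the report.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1303375156.536:78): avc:  denied  { name_bind } for  pid=32356 comm="telepathy-sofia" src=17267 scontext=unconfined_u:unconfined_r:telepathy_sofiasip_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1303375156.536:78): arch=x86_64 syscall=bind success=no exit=EACCES a0=9 a1=7fff789dd9f0 a2=10 a3=7fff789dd63c items=0 ppid=1 pid=32356 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm=telepathy-sofia exe=/usr/libexec/telepathy-sofiasip subj=unconfined_u:unconfined_r:telepathy_sofiasip_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1303375200.000:79): avc:  denied  { name_bind } for  pid=32356 comm="telepathy-sofia" src=80 scontext=unconfined_u:unconfined_r:telepathy_sofiasip_t:s0-s0:c0.c1023 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
"""


@dataclass(frozen=True)
class Denial:
    serial: int
    comm: str
    perms: Tuple[str, ...]
    source_type: str
    target_type: str
    tclass: str
    port: Optional[int]  # set for socket classes where src=/dest= carries a port


@dataclass
class RuleSummary:
    ports: List[int] = field(default_factory=list)
    all_unreserved: bool = True


def _type_of(context: str) -> str:
    """Return the type component of a user:role:type[:range] context."""
    return context.split(":")[2]


def parse_avc(line: str) -> Optional[Denial]:
    """Parse one AVC denial line; any other audit record yields None."""
    m = AVC_RE.match(line.strip())
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    tclass = fields["tclass"]
    port = None
    if tclass.endswith("_socket"):
        raw = fields.get("src") or fields.get("dest")  # src= for bind, dest= for connect
        if raw is not None and raw.isdigit():
            port = int(raw)
    return Denial(
        serial=int(m.group("serial")),
        comm=fields.get("comm", ""),
        perms=tuple(m.group("perms").split()),
        source_type=_type_of(fields["scontext"]),
        target_type=_type_of(fields["tcontext"]),
        tclass=tclass,
        port=port,
    )


def allow_rule(d: Denial) -> str:
    """Render the allow rule that audit2allow prints for this denial."""
    perms = d.perms[0] if len(d.perms) == 1 else "{ " + " ".join(d.perms) + " }"
    return f"allow {d.source_type} {d.target_type}:{d.tclass} {perms};"


def port_range(port: int) -> str:
    """Classify a port as 'reserved' (privileged) or 'unreserved'."""
    return "reserved" if port <= PRIVILEGED_PORT_MAX else "unreserved"


def triage(log_text: str) -> Dict[str, RuleSummary]:
    """Collapse repeated denials into one summary per rule.

    Each summary lists the distinct ports hit and whether all of them lie in
    the unreserved range, which is what decides between allowing unreserved
    ports and adding a dontaudit for the rest.
    """
    result: Dict[str, RuleSummary] = {}
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        summary = result.setdefault(allow_rule(d), RuleSummary())
        if d.port is not None:
            if d.port not in summary.ports:
                summary.ports.append(d.port)
            if port_range(d.port) == "reserved":
                summary.all_unreserved = False
    for summary in result.values():
        summary.ports.sort()
    return result


if __name__ == "__main__":
    for rule, info in triage(SAMPLE_AUDIT_LOG).items():
        print(rule, "ports:", info.ports, "all unreserved:", info.all_unreserved)
```

Run against a real /var/log/audit/audit.log (or the output of `ausearch -m avc`), the triage turns the 27 alerts in this report into a single rule plus the list of ports it was denied on; if that list is entirely above 1023 the unreserved-port interface is the right grant, and the dontaudit in comment 12 is what stops every subsequent random-port attempt from producing a new alert.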

Comment 13 Fedora Update System 2011-04-28 19:07:06 UTC
Package selinux-policy-3.9.16-18.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-18.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-18.fc15
then log in and leave karma (feedback).

Comment 14 Robert Swain 2011-04-29 08:56:45 UTC
I am already using selinux-policy-3.9.16-18.fc15 but telepathy-sofiasip, despite the firewall being disabled, is still showing that it cannot bind transports to the desired port so then it proceeds to try a different port and repeats. I don't see any SELinux warning about it, so perhaps it is a different issue.

Comment 15 Daniel Walsh 2011-04-29 13:58:24 UTC
Right, my latest fixes that I suggested for Miroslav have not been pushed yet.

Comment 16 Fedora Update System 2011-05-02 03:38:39 UTC
selinux-policy-3.9.16-18.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 17 Robert Swain 2011-05-02 06:41:49 UTC
Considering comment 15 and that this is not yet fixed, I guess this should not have been closed.

Comment 18 Miroslav Grepl 2011-05-02 07:24:09 UTC
Yes, the Update System closed this bug automatically.

Comment 19 Miroslav Grepl 2011-05-02 11:31:23 UTC
Fixed in selinux-policy-3.9.16-21.fc15.

The build is available from koji for now

http://koji.fedoraproject.org/koji/buildinfo?buildID=242046

Comment 20 Fedora End Of Life 2012-08-06 20:07:55 UTC
This message is a notice that Fedora 15 is now at end of life. Fedora 
has stopped maintaining and issuing updates for Fedora 15. It is 
Fedora's policy to close all bug reports from releases that are no 
longer maintained.  At this time, all open bugs with a Fedora 'version'
of '15' have been closed as WONTFIX.

(Please note: Our normal process is to give advanced warning of this 
occurring, but we forgot to do that. A thousand apologies.)

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, feel free to reopen 
this bug and simply change the 'version' to a later Fedora version.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we were unable to fix it before Fedora 15 reached end of life. If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora, you are encouraged to click on 
"Clone This Bug" (top right of this page) and open it against that 
version of Fedora.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
