Bug 1117674 - AVC denials in bitlbee 3.2.2
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: bitlbee
Version: 20
Hardware: Unspecified
OS: Unspecified
Assignee: Robert Scheck
QA Contact: Fedora Extras Quality Assurance
Reported: 2014-07-09 08:03 UTC by Krzesimir Nowak
Modified: 2018-04-11 08:42 UTC (History)

Fixed In Version: bitlbee-3.2.2-3.fc20
Doc Type: Bug Fix
Last Closed: 2014-07-30 21:56:04 UTC



Description Krzesimir Nowak 2014-07-09 08:03:55 UTC
Description of problem:
Every time I identify myself I'm getting two AVC denials. Everything works otherwise, but it is still annoying to see them every time.

Version-Release number of selected component (if applicable):
3.2.2

How reproducible:
Just identify myself to be able to join some jabber conference room.

Steps to Reproduce:
1. When connecting to bitlbee service, root will ask you to identify yourself.
2. Type "identify <yournick>"
3. AVC denials show up.

Actual results:
AVC denials show up.

Expected results:
No AVC denials.

Additional info:


Denials are about some directory search/creation which happens to have path "" (empty).


SELinux is preventing /usr/sbin/bitlbee from search access on the directory .

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that bitlbee should be allowed search access on the  directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep bitlbee /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:bitlbee_t:s0
Target Context                system_u:object_r:system_dbusd_var_run_t:s0
Target Objects                 [ dir ]
Source                        bitlbee
Source Path                   /usr/sbin/bitlbee
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           bitlbee-3.2.2-1.fc20.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-176.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 3.15.3-200.fc20.x86_64
                              #1 SMP Tue Jul 1 16:18:00 UTC 2014 x86_64 x86_64
Alert Count                   4
First Seen                    2014-07-08 11:19:38 CEST
Last Seen                     2014-07-09 09:30:52 CEST
Local ID                      6ed17827-c028-4093-8b30-7a3f5899d15e

Raw Audit Messages
type=AVC msg=audit(1404891052.967:447): avc:  denied  { search } for  pid=946 comm="bitlbee" name="dbus" dev="tmpfs" ino=17944 scontext=system_u:system_r:bitlbee_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=dir


type=SYSCALL msg=audit(1404891052.967:447): arch=x86_64 syscall=connect success=no exit=EACCES a0=8 a1=7fff109d26e0 a2=21 a3=7fff109d2490 items=0 ppid=1 pid=946 auid=4294967295 uid=990 gid=989 euid=990 suid=990 fsuid=990 egid=989 sgid=989 fsgid=989 tty=(none) ses=4294967295 comm=bitlbee exe=/usr/sbin/bitlbee subj=system_u:system_r:bitlbee_t:s0 key=(null)

Hash: bitlbee,bitlbee_t,system_dbusd_var_run_t,dir,search










SELinux is preventing /usr/sbin/bitlbee from create access on the directory .

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that bitlbee should be allowed create access on the  directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep bitlbee /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:bitlbee_t:s0
Target Context                system_u:object_r:bitlbee_var_t:s0
Target Objects                 [ dir ]
Source                        bitlbee
Source Path                   /usr/sbin/bitlbee
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           bitlbee-3.2.2-1.fc20.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-176.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 3.15.3-200.fc20.x86_64
                              #1 SMP Tue Jul 1 16:18:00 UTC 2014 x86_64 x86_64
Alert Count                   13
First Seen                    2014-07-08 11:19:38 CEST
Last Seen                     2014-07-09 09:35:59 CEST
Local ID                      a67de085-9552-4f99-b691-a68262e9fb5a

Raw Audit Messages
type=AVC msg=audit(1404891359.970:451): avc:  denied  { create } for  pid=946 comm="bitlbee" name="purple" scontext=system_u:system_r:bitlbee_t:s0 tcontext=system_u:object_r:bitlbee_var_t:s0 tclass=dir


type=SYSCALL msg=audit(1404891359.970:451): arch=x86_64 syscall=mkdir success=no exit=EACCES a0=7f5a27831b10 a1=1c0 a2=ffffffffffffff60 a3=7f5a246ef7b8 items=0 ppid=1 pid=946 auid=4294967295 uid=990 gid=989 euid=990 suid=990 fsuid=990 egid=989 sgid=989 fsgid=989 tty=(none) ses=4294967295 comm=bitlbee exe=/usr/sbin/bitlbee subj=system_u:system_r:bitlbee_t:s0 key=(null)

Hash: bitlbee,bitlbee_t,bitlbee_var_t,dir,create





I fixed that myself by installing an additional policy, but that shouldn't be needed.

Comment 1 Robert Scheck 2014-07-09 08:14:03 UTC
IMHO that should be allowed by selinux-policy-targeted because BitlBee can
be built with libpurple support - which seems to cause this issue somehow.

Comment 2 Krzesimir Nowak 2014-07-09 08:19:22 UTC
More AVC denials. Still empty names.

SELinux is preventing /usr/sbin/bitlbee from write access on the sock_file .

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that bitlbee should be allowed write access on the  sock_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep bitlbee /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:bitlbee_t:s0
Target Context                system_u:object_r:system_dbusd_var_run_t:s0
Target Objects                 [ sock_file ]
Source                        bitlbee
Source Path                   /usr/sbin/bitlbee
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           bitlbee-3.2.2-1.fc20.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-176.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 3.15.3-200.fc20.x86_64
                              #1 SMP Tue Jul 1 16:18:00 UTC 2014 x86_64 x86_64
Alert Count                   1
First Seen                    2014-07-09 10:11:25 CEST
Last Seen                     2014-07-09 10:11:25 CEST
Local ID                      501a25f9-c1c8-4b42-8b75-1d10bd8e6423

Raw Audit Messages
type=AVC msg=audit(1404893485.538:465): avc:  denied  { write } for  pid=6155 comm="bitlbee" name="system_bus_socket" dev="tmpfs" ino=17945 scontext=system_u:system_r:bitlbee_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file


type=SYSCALL msg=audit(1404893485.538:465): arch=x86_64 syscall=connect success=no exit=EACCES a0=8 a1=7fff2c31bb50 a2=21 a3=7fff2c31b900 items=0 ppid=1 pid=6155 auid=4294967295 uid=990 gid=989 euid=990 suid=990 fsuid=990 egid=989 sgid=989 fsgid=989 tty=(none) ses=4294967295 comm=bitlbee exe=/usr/sbin/bitlbee subj=system_u:system_r:bitlbee_t:s0 key=(null)

Hash: bitlbee,bitlbee_t,system_dbusd_var_run_t,sock_file,write






SELinux is preventing /usr/sbin/bitlbee from connectto access on the unix_stream_socket .

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that bitlbee should be allowed connectto access on the  unix_stream_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep bitlbee /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:bitlbee_t:s0
Target Context                system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
Target Objects                 [ unix_stream_socket ]
Source                        bitlbee
Source Path                   /usr/sbin/bitlbee
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           bitlbee-3.2.2-1.fc20.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-176.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 3.15.3-200.fc20.x86_64
                              #1 SMP Tue Jul 1 16:18:00 UTC 2014 x86_64 x86_64
Alert Count                   1
First Seen                    2014-07-09 10:13:15 CEST
Last Seen                     2014-07-09 10:13:15 CEST
Local ID                      89117187-4647-4a78-af1e-1a4fa664403e

Raw Audit Messages
type=AVC msg=audit(1404893595.555:472): avc:  denied  { connectto } for  pid=6231 comm="bitlbee" path="/run/dbus/system_bus_socket" scontext=system_u:system_r:bitlbee_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket


type=SYSCALL msg=audit(1404893595.555:472): arch=x86_64 syscall=connect success=no exit=EACCES a0=8 a1=7fff46bd7030 a2=21 a3=7fff46bd6de0 items=0 ppid=1 pid=6231 auid=4294967295 uid=990 gid=989 euid=990 suid=990 fsuid=990 egid=989 sgid=989 fsgid=989 tty=(none) ses=4294967295 comm=bitlbee exe=/usr/sbin/bitlbee subj=system_u:system_r:bitlbee_t:s0 key=(null)

Hash: bitlbee,bitlbee_t,system_dbusd_t,unix_stream_socket,connectto





And a te file with a fix:
module bitlbee-fix 1.0;

require {
	type bitlbee_var_t;
	type system_dbusd_var_run_t;
	type bitlbee_t;
	type system_dbusd_t;
	class sock_file write;
	class unix_stream_socket connectto;
	class dir { create search };
}

#============= bitlbee_t ==============

allow bitlbee_t bitlbee_var_t:dir create;
allow bitlbee_t system_dbusd_t:unix_stream_socket connectto;
allow bitlbee_t system_dbusd_var_run_t:dir search;
allow bitlbee_t system_dbusd_var_run_t:sock_file write;

Comment 3 Miroslav Grepl 2014-07-09 09:49:57 UTC
Yes, could you please clone this bug?

Comment 4 Robert Scheck 2014-07-09 09:52:00 UTC
In general yes, but from what I got from upstream we should better switch to
BitlBee forkdaemon mode. So let's wait till we are able to do that.

The libpurple is anyway problematic without forkdaemon (sorry, mixed them up)
so I will have to cause non-libpurple builds for Fedora - that makes the issue
disappear for regular users again.

Comment 5 Fedora Update System 2014-07-14 20:21:37 UTC
bitlbee-3.2.2-1.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/FEDORA-2014-8126/bitlbee-3.2.2-1.fc19

Comment 6 Fedora Update System 2014-07-14 20:26:07 UTC
bitlbee-3.2.2-2.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/FEDORA-2014-8129/bitlbee-3.2.2-2.fc20

Comment 7 Fedora Update System 2014-07-17 04:27:11 UTC
Package bitlbee-3.2.2-2.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing bitlbee-3.2.2-2.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-8126/bitlbee-3.2.2-2.fc19
then log in and leave karma (feedback).

Comment 8 Fedora Update System 2014-07-30 21:56:04 UTC
bitlbee-3.2.2-3.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2014-07-30 21:58:05 UTC
bitlbee-3.2.2-3.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

