bitlbee-3.6-11.fc39.x86_64
selinux-policy-38.20-1.fc39.noarch
selinux-policy-devel-38.20-1.fc39.noarch
selinux-policy-mls-38.20-1.fc39.noarch
selinux-policy-targeted-38.20-1.fc39.noarch

Detailed SELinux denials will be attached.

Reproducible: Always

Steps to Reproduce:
1. get a Fedora rawhide machine (targeted policy is active)
2. start the bitlbee service
3. nc -v -w 10 127.0.0.1 6667
   ctrl+D
4. search for SELinux denials

Actual Results:
When the SELinux denials are processed by audit2allow, the following output is shown:

allow bitlbee_t bitlbee_var_t:file map;
allow bitlbee_t bitlbee_var_t:lnk_file create;
allow bitlbee_t dri_device_t:chr_file getattr;
allow bitlbee_t self:netlink_kobject_uevent_socket create;
allow bitlbee_t sysfs_t:dir read;
allow bitlbee_t sysfs_t:file read;
allow bitlbee_t sysfs_t:lnk_file read;
allow bitlbee_t tmpfs_t:file write;

Expected Results:
No SELinux denials
When bitlbee is started for the first time, the following SELinux denial appears:

----
type=PROCTITLE msg=audit(07/12/2023 09:14:46.657:845) : proctitle=/usr/sbin/bitlbee -F -n
type=PATH msg=audit(07/12/2023 09:14:46.657:845) : item=0 name=/var/lib/bitlbee/ inode=278675 dev=fc:02 mode=dir,750 ouid=bitlbee ogid=bitlbee rdev=00:00 obj=system_u:object_r:bitlbee_var_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(07/12/2023 09:14:46.657:845) : cwd=/
type=SYSCALL msg=audit(07/12/2023 09:14:46.657:845) : arch=x86_64 syscall=access success=no exit=EACCES(Permission denied) a0=0x55f41fe27160 a1=W_OK a2=0x55f41fe325f0 a3=0xa0 items=1 ppid=1 pid=10224 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=bitlbee exe=/usr/sbin/bitlbee subj=system_u:system_r:bitlbee_t:s0 key=(null)
type=AVC msg=audit(07/12/2023 09:14:46.657:845) : avc: denied { dac_override } for pid=10224 comm=bitlbee capability=dac_override scontext=system_u:system_r:bitlbee_t:s0 tcontext=system_u:system_r:bitlbee_t:s0 tclass=capability permissive=0
----

The following commands can be used to prevent the SELinux denial from appearing again:

# chmod 770 /var/lib/bitlbee
# chown bitlbee:root /var/lib/bitlbee
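The triage applied in the comment above, as an added example that is not part of the original report: AVC records are turned into audit2allow-style rules, except that a `dac_override` capability denial is routed to a file ownership/mode fix instead of a policy rule. The names `triage` and `DAC_BYPASS` are hypothetical, the two extra records are constructed, and treating `dac_read_search` the same way is an assumption.

```python
import re

# AVC record copied from the report above (ausearch -i format).
REPORTED = ("type=AVC msg=audit(07/12/2023 09:14:46.657:845) : avc: denied "
            "{ dac_override } for pid=10224 comm=bitlbee capability=dac_override "
            "scontext=system_u:system_r:bitlbee_t:s0 "
            "tcontext=system_u:system_r:bitlbee_t:s0 tclass=capability permissive=0")
# Constructed records (not from the report) matching two rules in its audit2allow output.
CONSTRUCTED = [
    "type=AVC msg=audit(1.0:1) : avc: denied { map } for pid=1 comm=bitlbee "
    "scontext=system_u:system_r:bitlbee_t:s0 "
    "tcontext=system_u:object_r:bitlbee_var_t:s0 tclass=file permissive=0",
    "type=AVC msg=audit(1.0:2) : avc: denied { create } for pid=1 comm=bitlbee "
    "scontext=system_u:system_r:bitlbee_t:s0 "
    "tcontext=system_u:system_r:bitlbee_t:s0 "
    "tclass=netlink_kobject_uevent_socket permissive=0",
]

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
                    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+"
                    r"tclass=(?P<tclass>\S+)")
# Capabilities that bypass file mode/ownership checks (assumed triage list).
DAC_BYPASS = {"dac_override", "dac_read_search"}

def triage(record):
    """Return (kind, text) for an AVC denial, or None for any other record."""
    m = AVC_RE.search(record)
    if m is None:
        return None
    source = m["scon"].split(":")[2]           # user:role:type:level
    target = m["tcon"].split(":")[2]
    perms = m["perms"].split()
    if m["tclass"] == "capability" and DAC_BYPASS & set(perms):
        # The report resolves this case with chmod/chown, not a policy rule.
        return ("fix-dac", f"{source} needs {' '.join(perms)}: check file "
                           "ownership and mode instead of allowing it")
    if target == source:
        target = "self"                         # audit2allow spelling
    perm_text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return ("policy", f"allow {source} {target}:{m['tclass']} {perm_text};")

if __name__ == "__main__":
    for rec in [REPORTED] + CONSTRUCTED:
        print(triage(rec))
```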
This is not the final policy, but it makes the service work:

# cat local_bitlbee.cil
(allow bitlbee_t bin_t (file (execute execute_no_trans map)))
(allow bitlbee_t bitlbee_var_t (lnk_file (create read)))
(allow bitlbee_t bitlbee_var_t (file (map)))
(allow bitlbee_t dri_device_t (chr_file (getattr)))
(allow bitlbee_t fs_t (filesystem (getattr)))
(allow bitlbee_t bitlbee_t (netlink_kobject_uevent_socket (bind create getattr setopt)))
(allow bitlbee_t sysfs_t (dir (read)))
(allow bitlbee_t sysfs_t (file (getattr open read)))
(allow bitlbee_t sysfs_t (lnk_file (read)))
(allow bitlbee_t tmpfs_t (file (getattr map read write)))

Additionally, I used this service drop-in:

[Service]
User=bitlbee
Group=bitlbee

I am going to clone this bz to make the change in bitlbee.
FEDORA-2023-0b46b767d3 has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2023-0b46b767d3
FEDORA-2023-0b46b767d3 has been pushed to the Fedora 38 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-0b46b767d3` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-0b46b767d3 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2023-0b46b767d3 has been pushed to the Fedora 38 stable repository. If the problem still persists, please make note of it in this bug report.