Bug 2222222 - the bitlbee service triggers SELinux denials when a client connects
Summary: the bitlbee service triggers SELinux denials when a client connects
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 38
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 2222434
Reported: 2023-07-12 09:54 UTC by Milos Malik
Modified: 2023-08-01 02:49 UTC (History)

Fixed In Version: selinux-policy-38.22-1.fc38
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 2222434
Environment:
Last Closed: 2023-08-01 02:49:13 UTC
Type: ---
Embargoed:




Links
System: Github fedora-selinux selinux-policy pull 1779 | Private: 0 | Priority: None | Status: open | Summary: Update bitlbee policy | Last Updated: 2023-07-12 20:02:54 UTC

Description Milos Malik 2023-07-12 09:54:05 UTC
bitlbee-3.6-11.fc39.x86_64
selinux-policy-38.20-1.fc39.noarch
selinux-policy-devel-38.20-1.fc39.noarch
selinux-policy-mls-38.20-1.fc39.noarch
selinux-policy-targeted-38.20-1.fc39.noarch

Detailed SELinux denials will be attached.

Reproducible: Always

Steps to Reproduce:
1. get a Fedora rawhide machine (targeted policy is active)
2. start the bitlbee service
3. nc -v -w 10 127.0.0.1 6667
ctrl+D
4. search for SELinux denials

Actual Results:  
When the SELinux denials are processed by audit2allow, the following output is shown:

allow bitlbee_t bitlbee_var_t:file map;
allow bitlbee_t bitlbee_var_t:lnk_file create;
allow bitlbee_t dri_device_t:chr_file getattr;
allow bitlbee_t self:netlink_kobject_uevent_socket create;
allow bitlbee_t sysfs_t:dir read;
allow bitlbee_t sysfs_t:file read;
allow bitlbee_t sysfs_t:lnk_file read;
allow bitlbee_t tmpfs_t:file write;


Expected Results:  
No SELinux denials

Comment 3 Milos Malik 2023-07-12 13:24:18 UTC
When the bitlbee is started for the first time, the following SELinux denial appears:
----
type=PROCTITLE msg=audit(07/12/2023 09:14:46.657:845) : proctitle=/usr/sbin/bitlbee -F -n 
type=PATH msg=audit(07/12/2023 09:14:46.657:845) : item=0 name=/var/lib/bitlbee/ inode=278675 dev=fc:02 mode=dir,750 ouid=bitlbee ogid=bitlbee rdev=00:00 obj=system_u:object_r:bitlbee_var_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(07/12/2023 09:14:46.657:845) : cwd=/ 
type=SYSCALL msg=audit(07/12/2023 09:14:46.657:845) : arch=x86_64 syscall=access success=no exit=EACCES(Permission denied) a0=0x55f41fe27160 a1=W_OK a2=0x55f41fe325f0 a3=0xa0 items=1 ppid=1 pid=10224 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=bitlbee exe=/usr/sbin/bitlbee subj=system_u:system_r:bitlbee_t:s0 key=(null) 
type=AVC msg=audit(07/12/2023 09:14:46.657:845) : avc:  denied  { dac_override } for  pid=10224 comm=bitlbee capability=dac_override  scontext=system_u:system_r:bitlbee_t:s0 tcontext=system_u:system_r:bitlbee_t:s0 tclass=capability permissive=0 
----

The following commands can be used to prevent the SELinux denial from appearing again:

# chmod 770 /var/lib/bitlbee
# chown bitlbee:root /var/lib/bitlbee
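The AVC record quoted above, and the audit2allow output in the description, both come from the same transformation: group the denied permissions by source type, target type and object class. The following is an added illustration (not part of this bug or of audit2allow) that parses AVC records into that grouping and renders them both in the te syntax the description shows and in the CIL syntax used for the local module; the sample input is the dac_override record from this comment plus constructed sysfs records of the same shape.

```python
import re
from collections import defaultdict

# Constructed sample: the dac_override AVC quoted in this bug, one unrelated
# SYSCALL record that must be ignored, and two constructed sysfs_t denials.
SAMPLE_AUDIT = """\
type=AVC msg=audit(07/12/2023 09:14:46.657:845) : avc:  denied  { dac_override } for  pid=10224 comm=bitlbee capability=dac_override  scontext=system_u:system_r:bitlbee_t:s0 tcontext=system_u:system_r:bitlbee_t:s0 tclass=capability permissive=0
type=SYSCALL msg=audit(07/12/2023 09:14:46.657:845) : arch=x86_64 syscall=access success=no exit=EACCES(Permission denied)
type=AVC msg=audit(07/12/2023 09:15:01.100:850) : avc:  denied  { read } for  pid=10224 comm=bitlbee name=uevent dev="sysfs" ino=123 scontext=system_u:system_r:bitlbee_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0
type=AVC msg=audit(07/12/2023 09:15:01.100:851) : avc:  denied  { open } for  pid=10224 comm=bitlbee name=uevent dev="sysfs" ino=123 scontext=system_u:system_r:bitlbee_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0
"""

# Permissions sit between the braces; the three context fields follow later on the line.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\}.*?"
    r"scontext=(?P<src>\S+)\s+tcontext=(?P<tgt>\S+)\s+tclass=(?P<cls>\S+)"
)

def type_of(context):
    """Pull the type out of a user:role:type:level security context."""
    return context.split(":")[2]

def parse_denials(text):
    """Group denied permissions by (source type, target type, class)."""
    rules = defaultdict(set)
    for line in text.splitlines():
        if "type=AVC" not in line:
            continue                      # PATH, SYSCALL, PROCTITLE records
        m = AVC_RE.search(line)
        if not m:
            continue                      # e.g. a 'granted' record
        key = (type_of(m["src"]), type_of(m["tgt"]), m["cls"])
        rules[key].update(m["perms"].split())
    return dict(rules)

def te_rules(rules):
    """Render audit2allow-style; a target equal to the source becomes 'self'."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        tgt = "self" if src == tgt else tgt
        p = " ".join(sorted(perms))
        p = f"{{ {p} }}" if len(perms) > 1 else p
        out.append(f"allow {src} {tgt}:{cls} {p};")
    return out

def cil_rules(rules):
    """Render as CIL statements, the format of the local module in this bug."""
    return [f"(allow {src} {tgt} ({cls} ({' '.join(sorted(perms))})))"
            for (src, tgt, cls), perms in sorted(rules.items())]
```

The dac_override row is the case to read carefully: the fix in this comment was correcting ownership of /var/lib/bitlbee, not granting the capability, so the generated rules are a reading aid for what was denied, not a policy to load as-is.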

Comment 4 Zdenek Pytela 2023-07-12 17:51:53 UTC
This is not the final policy, but it makes the service work:

# cat local_bitlbee.cil
(allow bitlbee_t bin_t (file (execute execute_no_trans map)))
(allow bitlbee_t bitlbee_var_t (lnk_file (create read)))
(allow bitlbee_t bitlbee_var_t (file (map)))
(allow bitlbee_t dri_device_t (chr_file (getattr)))
(allow bitlbee_t fs_t (filesystem (getattr)))
(allow bitlbee_t bitlbee_t (netlink_kobject_uevent_socket (bind create getattr setopt)))
(allow bitlbee_t sysfs_t (dir (read)))
(allow bitlbee_t sysfs_t (file (getattr open read)))
(allow bitlbee_t sysfs_t (lnk_file (read)))
(allow bitlbee_t tmpfs_t (file (getattr map read write)))

Additionally, I used this service drop-in:
[Service]
User=bitlbee
Group=bitlbee

I am going to clone this bz to make the change in bitlbee.

Comment 5 Fedora Update System 2023-07-25 17:23:25 UTC
FEDORA-2023-0b46b767d3 has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2023-0b46b767d3

Comment 6 Fedora Update System 2023-07-26 02:09:45 UTC
FEDORA-2023-0b46b767d3 has been pushed to the Fedora 38 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-0b46b767d3`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-0b46b767d3

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 7 Fedora Update System 2023-08-01 02:49:13 UTC
FEDORA-2023-0b46b767d3 has been pushed to the Fedora 38 stable repository.
If the problem still persists, please make note of it in this bug report.
