Bug 435723 - SELinux is preventing bitlbee (bitlbee_t) "read" to ./localtime (locale_t).
SELinux is preventing bitlbee (bitlbee_t) "read" to ./localtime (locale_t).
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: bitlbee (Show other bugs)
rawhide
All Linux
low Severity low
: ---
: ---
Assigned To: Robert Scheck
Fedora Extras Quality Assurance
: SELinux
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-03-03 10:41 EST by Matěj Cepl
Modified: 2008-03-03 12:57 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-03-03 11:05:28 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Matěj Cepl 2008-03-03 10:41:41 EST
Description of problem:

Souhrn:

SELinux is preventing bitlbee (bitlbee_t) "read" to ./localtime (locale_t).

Podrobný popis:

SELinux denied access requested by bitlbee. It is not expected that this access
is required by bitlbee and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Povolení přístupu:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for ./localtime,

restorecon -v './localtime'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Další informace:

Kontext zdroje                system_u:system_r:bitlbee_t:SystemLow-SystemHigh
Kontext cíle                 system_u:object_r:locale_t
Objekty cíle                 ./localtime [ file ]
Zdroj                         bitlbee
Cesta zdroje                  /usr/sbin/bitlbee
Port                          <Neznámé>
Počítač                    hubmaier.ceplovi.cz
RPM balíčky zdroje          bitlbee-1.1dev-1.bzr290.1.fc9
RPM balíčky cíle           
RPM politiky                  selinux-policy-3.3.1-9.fc9
Selinux povolen               True
Typ politiky                  targeted
MLS povoleno                  True
Vynucovací režim            Enforcing
Název zásuvného modulu     catchall_file
Název počítače            hubmaier.ceplovi.cz
Platforma                     Linux hubmaier.ceplovi.cz 2.6.25-0.81.rc3.git2.fc9
                              #1 SMP Sun Mar 2 01:04:02 EST 2008 x86_64 x86_64
Počet uporoznění           12
Poprvé viděno               Po 3. březen 2008, 16:03:16 CET
Naposledy viděno             Po 3. březen 2008, 16:24:15 CET
Místní ID                   a77b174e-3dc5-479a-985b-c04232ddbc3f
Čísla řádků              

Původní zprávy auditu      

host=hubmaier.ceplovi.cz type=AVC msg=audit(1204557855.170:493): avc:  denied  {
read } for  pid=17482 comm="bitlbee" name="localtime" dev=dm-1 ino=949395
scontext=system_u:system_r:bitlbee_t:s0-s0:c0.c1023
tcontext=system_u:object_r:locale_t:s0 tclass=file

host=hubmaier.ceplovi.cz type=SYSCALL msg=audit(1204557855.170:493):
arch=c000003e syscall=2 success=no exit=-13 a0=3d3b3386fd a1=0 a2=1b6
a3=7ff6e0327780 items=0 ppid=2497 pid=17482 auid=4294967295 uid=100 gid=106
euid=100 suid=100 fsuid=100 egid=106 sgid=106 fsgid=106 tty=(none)
ses=4294967295 comm="bitlbee" exe="/usr/sbin/bitlbee"
subj=system_u:system_r:bitlbee_t:s0-s0:c0.c1023 key=(null)

Version-Release number of selected component (if applicable):
bitlbee-1.1dev-1.bzr290.1.fc9.x86_64
selinux-policy-targeted-3.3.1-9.fc9.noarch
Comment 1 Daniel Walsh 2008-03-03 11:05:28 EST
Fixed in selinux-policy-3.3.1-10.fc9
Comment 2 Robert Scheck 2008-03-03 11:07:15 EST
bitlbee-1.1dev-1.bzr290.1.fc9 is not in Rawhide thus unsupported.
Comment 3 Robert Scheck 2008-03-03 11:07:55 EST
1.1 is unstable, it can change its behaviour at any time. Does the same thing 
appear with 1.0 branch as well?
Comment 4 Daniel Walsh 2008-03-03 12:57:59 EST
Well this access is allowed in almost every confined domain, so whether or not
the current release needs it, I am sure future releases will.

Note You need to log in before you can comment on or make changes to this bug.