Bug 474243 - (staff_u) SELinux is preventing telepathy-sofia (staff_t) "create" staff_t.
Keywords:
Status: CLOSED NEXTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: telepathy-sofiasip
Version: 10
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Brian Pepple
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 494985
 
Reported: 2008-12-02 22:41 UTC by Matěj Cepl
Modified: 2018-04-11 08:25 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-10-15 21:59:34 UTC
Type: ---
Embargoed:



Description Matěj Cepl 2008-12-02 22:41:31 UTC
Summary:

SELinux is preventing telepathy-sofia (staff_t) "create" staff_t.

Detailed description:

[SELinux is in permissive mode; the operation would have been denied, but was
allowed because of permissive mode.]

SELinux denied access requested by telepathy-sofia. It is not expected that this
access is required by telepathy-sofia and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional information:

Source Context                staff_u:staff_r:staff_t:SystemLow-SystemHigh
Target Context                staff_u:staff_r:staff_t:SystemLow-SystemHigh
Target Objects                None [ rawip_socket ]
Source                        telepathy-sofia
Source Path                   /usr/libexec/telepathy-sofiasip
Port                          <Unknown>
Host                          viklef
Source RPM Packages           telepathy-sofiasip-0.5.10-1.fc10
Target RPM Packages           
Policy RPM                    selinux-policy-3.5.13-26.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     viklef
Platform                      Linux viklef 2.6.27.5-120.fc10.i686 #1 SMP Tue Nov
                              18 20:12:41 EST 2008 i686 i686
Alert Count                   10
First Seen                    Tue 2 December 2008, 16:22:24 CET
Last Seen                     Tue 2 December 2008, 23:38:39 CET
Local ID                      8611d80f-46c0-489e-890c-daedb9e9173f
Line Numbers                  

Raw Audit Messages            

node=viklef type=AVC msg=audit(1228257519.682:5923): avc:  denied  { create } for  pid=25659 comm="telepathy-sofia" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=rawip_socket

node=viklef type=SYSCALL msg=audit(1228257519.682:5923): arch=40000003 syscall=102 success=yes exit=10 a0=1 a1=bffac080 a2=87dd88 a3=96b7618 items=0 ppid=1 pid=25659 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=4 comm="telepathy-sofia" exe="/usr/libexec/telepathy-sofiasip" subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)

Comment 1 Matěj Cepl 2008-12-02 22:44:26 UTC
ausearch -m AVC |grep sofia |audit2allow -M staffuSofiaSip created this module for me, but that seems to me like way too wide, isn't it?

module staffuSofiaSip 1.0;

require {
        type staff_t;
        type node_t;
        type compat_ipv4_node_t;
        type lo_node_t;
        class rawip_socket { getattr setopt bind create node_bind listen };
}

#============= staff_t ==============
allow staff_t compat_ipv4_node_t:rawip_socket node_bind;
allow staff_t lo_node_t:rawip_socket node_bind;
allow staff_t node_t:rawip_socket node_bind;
allow staff_t self:rawip_socket { getattr bind create setopt listen };

Comment 3 Daniel Walsh 2008-12-03 13:40:34 UTC
I am not sure we want to give the staff user the ability to use raw packets; I think a better solution would be to label this app like ping.

If you chcon -t ping_exec_t /usr/libexec/telepathy-sofiasip

does Telepathy work?

Comment 4 Matěj Cepl 2008-12-03 18:01:45 UTC
The rest of Telepathy works OK, but of course marking /usr/libexec/telepathy-sofiasip as ping_exec didn't help:


Summary:

SELinux is preventing dbus-daemon (staff_dbusd_t) "execute" to
./telepathy-sofiasip (ping_exec_t).

Detailed description:

SELinux denied access requested by dbus-daemon. It is not expected that this
access is required by dbus-daemon and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for ./telepathy-sofiasip,

restorecon -v './telepathy-sofiasip'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional information:

Source Context                staff_u:staff_r:staff_dbusd_t:SystemLow-SystemHigh
Target Context                system_u:object_r:ping_exec_t
Target Objects                ./telepathy-sofiasip [ file ]
Source                        dbus-daemon
Source Path                   /bin/dbus-daemon
Port                          <Unknown>
Host                          viklef
Source RPM Packages           dbus-1.2.4-1.fc10
Target RPM Packages           
Policy RPM                    selinux-policy-3.5.13-26.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     viklef
Platform                      Linux viklef 2.6.27.5-120.fc10.i686 #1 SMP Tue Nov
                              18 20:12:41 EST 2008 i686 i686
Alert Count                   1
First Seen                    Wed 3 December 2008, 18:56:53 CET
Last Seen                     Wed 3 December 2008, 18:56:53 CET
Local ID                      e617f958-7d7c-436a-91f8-d5d380fec7c0
Line Numbers                  

Raw Audit Messages            

node=viklef type=AVC msg=audit(1228327013.573:2355): avc:  denied  { execute } for  pid=9536 comm="dbus-daemon" name="telepathy-sofiasip" dev=dm-0 ino=5021231 scontext=staff_u:staff_r:staff_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ping_exec_t:s0 tclass=file

node=viklef type=SYSCALL msg=audit(1228327013.573:2355): arch=40000003 syscall=11 success=no exit=-13 a0=ba0752b0 a1=ba081c20 a2=ba076180 a3=ba06dfc8 items=0 ppid=9535 pid=9536 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=2 comm="dbus-daemon" exe="/bin/dbus-daemon" subj=staff_u:staff_r:staff_dbusd_t:s0-s0:c0.c1023 key=(null)

Comment 5 Daniel Walsh 2008-12-03 22:22:44 UTC
Ok then this telepathy-sofiasip needs policy written for it.
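As an added illustration of what comments 1 through 5 turn on (this is not code from the bug, from Fedora policy or from the Telepathy project): a small Python parser that reads the two AVC records quoted above, merges them into the minimal allow rules audit2allow would emit, and flags the two patterns a policy reviewer should stop on: a user domain asking for a raw-packet socket class, and an _exec_t label that the calling domain has no execute or transition rule for. The list of user domains and the wording of the flags are assumptions; the sample records are copied from this bug.

```python
import re
from collections import defaultdict

# Constructed sample: the two AVC records quoted in this bug.
SAMPLE_AVC = """\
node=viklef type=AVC msg=audit(1228257519.682:5923): avc:  denied  { create } for  pid=25659 comm="telepathy-sofia" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=rawip_socket
node=viklef type=AVC msg=audit(1228327013.573:2355): avc:  denied  { execute } for  pid=9536 comm="dbus-daemon" name="telepathy-sofiasip" dev=dm-0 ino=5021231 scontext=staff_u:staff_r:staff_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ping_exec_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)')

# Assumed: interactive user domains that should not get raw-packet classes.
USER_DOMAINS = {"staff_t", "user_t", "sysadm_t"}
RAW_NET_CLASSES = {"rawip_socket", "packet_socket"}

def parse_avc(line):
    """Return source type, target type, class and permissions of one AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {"stype": m.group("scontext").split(":")[2],
            "ttype": m.group("tcontext").split(":")[2],
            "tclass": m.group("tclass"),
            "perms": set(m.group("perms").split())}

def allow_rules(lines):
    """Merge denials into the minimal allow rules, the way audit2allow does."""
    merged = defaultdict(set)
    for d in filter(None, map(parse_avc, lines)):
        target = "self" if d["ttype"] == d["stype"] else d["ttype"]
        merged[(d["stype"], target, d["tclass"])] |= d["perms"]
    rules = []
    for (s, t, c), perms in sorted(merged.items()):
        p = " ".join(sorted(perms))
        if len(perms) > 1:
            p = "{ " + p + " }"
        rules.append(f"allow {s} {t}:{c} {p};")
    return rules

def review_flags(lines):
    """Denials that call for a dedicated domain, not for the allow rule above."""
    flags = []
    for d in filter(None, map(parse_avc, lines)):
        if d["tclass"] in RAW_NET_CLASSES and d["stype"] in USER_DOMAINS:
            flags.append(f"{d['stype']}: {d['tclass']} {sorted(d['perms'])} requested; "
                         "confine the program in its own domain (as ping_t is) instead")
        if d["tclass"] == "file" and "execute" in d["perms"] and d["ttype"].endswith("_exec_t"):
            flags.append(f"{d['stype']}: no execute/transition rule for {d['ttype']}; "
                         "relabelling the binary alone is not enough")
    return flags
```

Run against the sample it prints nothing; call allow_rules and review_flags on SAMPLE_AVC.splitlines() to see the one-line rule audit2allow would produce for each denial next to the reviewer flag that argues against shipping it.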

Comment 6 Matěj Cepl 2008-12-03 23:50:06 UTC
Given that this should be the default IM technology in Fedora 11, it really should.

Telepathy (http://telepathy.freedesktop.org) is a set of components (called "connection managers" in their lingo) to which you connect a client (e.g., Empathy, http://live.gnome.org/Empathy), and each connection manager provides some IM service (or some other background task). So, we have:

* telepathy-gabble: A Jabber/XMPP connection manager that handles single- and multi-user chats and voice/video calls.
* telepathy-salut: A link-local XMPP connection manager (XEP-0174).
* telepathy-idle: A full-featured IRC connection manager.
* telepathy-sofiasip: A SIP connection manager based around the Sofia-SIP library.

I think that from these only the first and the last could present a problem, because they contain VoIP technology (XMPP/Jingle v. SIP respectively). I guess that some stuff from confining Ekiga could be used, right?

Do we have some template or something for D-Bus run services (all these components are connected together via D-Bus) like we have for daemons and inetd ones?

Comment 7 Daniel Walsh 2008-12-04 13:11:52 UTC
I thought raw socket access required a setuid application?

Comment 8 Matěj Cepl 2009-10-15 21:59:34 UTC
I believe this has been fixed at least in F12/Rawhide ... I cannot reproduce it here now with telepathy-sofiasip-0.5.18-1.fc12.x86_64 and selinux-policy-3.6.32-25.fc12.noarch.

