Summary: SELinux is preventing telepathy-sofia (staff_t) "create" staff_t.

Detailed description: [SELinux is in permissive mode; the operation would have been denied, but was allowed because of permissive mode.] SELinux denied access requested by telepathy-sofia. It is not expected that this access is required by telepathy-sofia and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing access: You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional information:
Source Context         staff_u:staff_r:staff_t:SystemLow-SystemHigh
Target Context         staff_u:staff_r:staff_t:SystemLow-SystemHigh
Target Objects         None [ rawip_socket ]
Source                 telepathy-sofia
Source Path            /usr/libexec/telepathy-sofiasip
Port                   <Unknown>
Host                   viklef
Source RPM Packages    telepathy-sofiasip-0.5.10-1.fc10
Target RPM Packages
Policy RPM             selinux-policy-3.5.13-26.fc10
Selinux Enabled        True
Policy Type            targeted
MLS Enabled            True
Enforcing Mode         Permissive
Plugin Name            catchall
Host Name              viklef
Platform               Linux viklef 2.6.27.5-120.fc10.i686 #1 SMP Tue Nov 18 20:12:41 EST 2008 i686 i686
Alert Count            10
First Seen             Tue 2 December 2008, 16:22:24 CET
Last Seen              Tue 2 December 2008, 23:38:39 CET
Local ID               8611d80f-46c0-489e-890c-daedb9e9173f
Line Numbers

Raw Audit Messages:
node=viklef type=AVC msg=audit(1228257519.682:5923): avc: denied { create } for pid=25659 comm="telepathy-sofia" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=rawip_socket
node=viklef type=SYSCALL msg=audit(1228257519.682:5923): arch=40000003 syscall=102 success=yes exit=10 a0=1 a1=bffac080 a2=87dd88 a3=96b7618 items=0 ppid=1 pid=25659 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=4 comm="telepathy-sofia" exe="/usr/libexec/telepathy-sofiasip" subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
ausearch -m AVC | grep sofia | audit2allow -M staffuSofiaSip

created for me this module, but that seems to me like way too wide, isn't it?

module staffuSofiaSip 1.0;

require {
	type staff_t;
	type node_t;
	type compat_ipv4_node_t;
	type lo_node_t;
	class rawip_socket { getattr setopt bind create node_bind listen };
}

#============= staff_t ==============
allow staff_t compat_ipv4_node_t:rawip_socket node_bind;
allow staff_t lo_node_t:rawip_socket node_bind;
allow staff_t node_t:rawip_socket node_bind;
allow staff_t self:rawip_socket { getattr bind create setopt listen };
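The worry above is that audit2allow hands back more than the log actually shows. The following Python is an added illustration, not part of this bug report or of any Fedora tool: it parses the audit records quoted in this bug (plus one constructed rawip_socket node_bind sample) and derives allow rules that cover only the observed denials, pairing each AVC with its SYSCALL record by audit serial so that a permissive-mode log entry (success=yes) can be told apart from a real block (success=no).

```python
import re
from collections import defaultdict

# Records from the bug report above (AVC + SYSCALL pairs, trimmed to the fields
# used here) plus one constructed rawip_socket node_bind denial for illustration.
AUDIT_LINES = [
    'node=viklef type=AVC msg=audit(1228257519.682:5923): avc: denied { create } for pid=25659 comm="telepathy-sofia" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=rawip_socket',
    'node=viklef type=SYSCALL msg=audit(1228257519.682:5923): arch=40000003 syscall=102 success=yes exit=10 comm="telepathy-sofia" exe="/usr/libexec/telepathy-sofiasip"',
    'node=viklef type=AVC msg=audit(1228327013.573:2355): avc: denied { execute } for pid=9536 comm="dbus-daemon" name="telepathy-sofiasip" dev=dm-0 ino=5021231 scontext=staff_u:staff_r:staff_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ping_exec_t:s0 tclass=file',
    'node=viklef type=SYSCALL msg=audit(1228327013.573:2355): arch=40000003 syscall=11 success=no exit=-13 comm="dbus-daemon" exe="/bin/dbus-daemon"',
    # constructed sample pair (not from the report): a second permission on the socket class
    'node=viklef type=AVC msg=audit(1228257520.100:5924): avc: denied { node_bind } for pid=25659 comm="telepathy-sofia" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lo_node_t:s0 tclass=rawip_socket',
    'node=viklef type=SYSCALL msg=audit(1228257520.100:5924): arch=40000003 syscall=102 success=yes exit=0 comm="telepathy-sofia"',
]

SERIAL_RE = re.compile(r'msg=audit\([\d.]+:(\d+)\)')
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]+?)\s*\}.*?scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)')
SUCCESS_RE = re.compile(r'\bsuccess=(yes|no)\b')

def selinux_type(context):
    # user:role:type[:range] -> the type, which is what allow rules name
    return context.split(':')[2]

def summarize(lines):
    """Group denials by (source type, target type, class); the SYSCALL record
    with the same serial says whether the call was really blocked (success=no)
    or only logged because the system was in permissive mode."""
    avcs, blocked = [], {}
    for line in lines:
        serial = SERIAL_RE.search(line).group(1)
        if 'type=AVC' in line:
            perms, sctx, tctx, tclass = AVC_RE.search(line).groups()
            avcs.append((serial, selinux_type(sctx), selinux_type(tctx), tclass, perms.split()))
        elif 'type=SYSCALL' in line:
            blocked[serial] = SUCCESS_RE.search(line).group(1) == 'no'
    summary = defaultdict(lambda: {'perms': set(), 'blocked': False})
    for serial, stype, ttype, tclass, perms in avcs:
        entry = summary[(stype, ttype, tclass)]
        entry['perms'].update(perms)
        entry['blocked'] |= blocked.get(serial, False)
    return dict(summary)

def minimal_rules(summary):
    """Allow rules covering exactly the observed denials and nothing more; a
    source equal to its target is written as 'self', as audit2allow does."""
    rules = []
    for (stype, ttype, tclass), entry in sorted(summary.items()):
        target = 'self' if stype == ttype else ttype
        rules.append(f"allow {stype} {target}:{tclass} {{ {' '.join(sorted(entry['perms']))} }};")
    return rules
```

A permissive-mode run logs every denial the program would have hit, so the rule list grows with how much of the program was exercised; the summary makes visible which entries were actually enforced and which were only recorded.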
I am not sure we want to give the staff user the ability to use raw packets; I think a better solution would be to label this app like ping. If you chcon -t ping_exec_t /usr/libexec/telepathy-sofiasip, does Telepathy work?
The rest of Telepathy works OK, but of course marking /usr/libexec/telepathy-sofiasip as ping_exec didn't help:

Summary: SELinux is preventing dbus-daemon (staff_dbusd_t) "execute" to ./telepathy-sofiasip (ping_exec_t).

Detailed description: SELinux denied access requested by dbus-daemon. It is not expected that this access is required by dbus-daemon and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing access: Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for ./telepathy-sofiasip, restorecon -v './telepathy-sofiasip' If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional information:
Source Context         staff_u:staff_r:staff_dbusd_t:SystemLow-SystemHigh
Target Context         system_u:object_r:ping_exec_t
Target Objects         ./telepathy-sofiasip [ file ]
Source                 dbus-daemon
Source Path            /bin/dbus-daemon
Port                   <Unknown>
Host                   viklef
Source RPM Packages    dbus-1.2.4-1.fc10
Target RPM Packages
Policy RPM             selinux-policy-3.5.13-26.fc10
Selinux Enabled        True
Policy Type            targeted
MLS Enabled            True
Enforcing Mode         Enforcing
Plugin Name            catchall_file
Host Name              viklef
Platform               Linux viklef 2.6.27.5-120.fc10.i686 #1 SMP Tue Nov 18 20:12:41 EST 2008 i686 i686
Alert Count            1
First Seen             Wed 3 December 2008, 18:56:53 CET
Last Seen              Wed 3 December 2008, 18:56:53 CET
Local ID               e617f958-7d7c-436a-91f8-d5d380fec7c0
Line Numbers

Raw Audit Messages:
node=viklef type=AVC msg=audit(1228327013.573:2355): avc: denied { execute } for pid=9536 comm="dbus-daemon" name="telepathy-sofiasip" dev=dm-0 ino=5021231 scontext=staff_u:staff_r:staff_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ping_exec_t:s0 tclass=file
node=viklef type=SYSCALL msg=audit(1228327013.573:2355): arch=40000003 syscall=11 success=no exit=-13 a0=ba0752b0 a1=ba081c20 a2=ba076180 a3=ba06dfc8 items=0 ppid=9535 pid=9536 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=2 comm="dbus-daemon" exe="/bin/dbus-daemon" subj=staff_u:staff_r:staff_dbusd_t:s0-s0:c0.c1023 key=(null)
Ok then this telepathy-sofiasip needs policy written for it.
Given that this should be the default IM technology in Fedora 11, it really should. Telepathy (http://telepathy.freedesktop.org) is a set of components (called "connection managers" in their lingo) to which you connect a client (e.g., Empathy, http://live.gnome.org/Empathy), and each connection manager provides some IM service (or some other background task). So, we have:

* telepathy-gabble: A Jabber/XMPP connection manager that handles single- and multi-user chats and voice/video calls.
* telepathy-salut: A link-local XMPP connection manager (XEP-0174).
* telepathy-idle: A full-featured IRC connection manager.
* telepathy-sofiasip: A SIP connection manager based around the Sofia-SIP library.

I think that of these only the first and the last could present a problem, because they contain VoIP technology (XMPP/Jingle and SIP respectively). I guess that some stuff from confining Ekiga could be used, right? Do we have some template or something for D-Bus-run services (all these components are connected together via D-Bus) like we have for daemons and inetd ones?
I thought raw socket access required a setuid application?
I believe this has been fixed at least in F12/Rawhide ... I cannot reproduce it here now with telepathy-sofiasip-0.5.18-1.fc12.x86_64 and selinux-policy-3.6.32-25.fc12.noarch.