Summary: SELinux is preventing /usr/libexec/telepathy-sofiasip "create" access.

Detailed description:
[SELinux is in permissive mode. Access was allowed.]
SELinux denied access requested by telepathy-sofia. It is not expected that this access is required by telepathy-sofia and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing access:
You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385). Please file a bug report.

Additional information:
Source context: staff_u:staff_r:staff_t:s0-s0:c0.c1023
Target context: staff_u:staff_r:staff_t:s0-s0:c0.c1023
Target objects: None [ rawip_socket ]
Source: telepathy-sofia
Source path: /usr/libexec/telepathy-sofiasip
Port: <Unknown>
Host: (removed)
Source RPM packages: telepathy-sofiasip-0.6.2-1.el6
Target RPM packages:
Policy RPM: selinux-policy-3.7.17-5.el6
SELinux enabled: True
Policy type: targeted
Enforcing mode: Permissive
Plugin name: catchall
Host name: (removed)
Platform: Linux (removed) 2.6.32-19.el6.x86_64 #1 SMP Tue Mar 9 17:48:46 EST 2010 x86_64 x86_64
Alert count: 2
First seen: Thu 8 April 2010, 19:08:33 CEST
Last seen: Thu 8 April 2010, 19:09:29 CEST
Local ID: fb54a7c5-8186-486c-b513-be1c669af016
Line numbers:

Raw audit messages:
node=(removed) type=AVC msg=audit(1270746569.831:8393): avc: denied { create } for pid=22652 comm="telepathy-sofia" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=rawip_socket
node=(removed) type=SYSCALL msg=audit(1270746569.831:8393): arch=c000003e syscall=41 success=yes exit=45 a0=2 a1=1 a2=84 a3=100 items=0 ppid=22640 pid=22652 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="telepathy-sofia" exe="/usr/libexec/telepathy-sofiasip" subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)

Hash String generated from catchall,telepathy-sofia,staff_t,staff_t,rawip_socket,create

audit2allow suggests:
#============= staff_t ==============
allow staff_t self:rawip_socket create;
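An added example, not part of the bug report or of the setroubleshoot/audit2allow tools, showing how the two raw audit records above can be joined by their event serial, rendered as the same allow rule audit2allow suggests, and triaged for the points a defender cares about (a "denied" AVC whose syscall still reports success=yes is the signature of permissive mode). The socket-argument decoding assumes the standard x86_64 Linux constants (syscall 41 = socket(2), arguments logged in hex).

```python
import re

# Constructed sample: the two audit records quoted in the report above, one event.
SAMPLE_LOG = """\
node=(removed) type=AVC msg=audit(1270746569.831:8393): avc: denied { create } for pid=22652 comm="telepathy-sofia" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=rawip_socket
node=(removed) type=SYSCALL msg=audit(1270746569.831:8393): arch=c000003e syscall=41 success=yes exit=45 a0=2 a1=1 a2=84 a3=100 items=0 ppid=22640 pid=22652 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="telepathy-sofia" exe="/usr/libexec/telepathy-sofiasip" subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}')
SERIAL_RE = re.compile(r'msg=audit\([\d.]+:(\d+)\)')

def parse_record(line):
    """Split one audit record into key=value fields plus its event serial."""
    rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    m = SERIAL_RE.search(line)
    if m:
        rec['serial'] = m.group(1)
    a = AVC_RE.search(line)
    if a:  # only AVC records carry the result and the permission set
        rec['result'], rec['perms'] = a.group(1), a.group(2).split()
    return rec

def correlate(log_text):
    """Group records by serial so each AVC can be read beside its SYSCALL."""
    events = {}
    for line in log_text.splitlines():
        rec = parse_record(line)
        if 'serial' in rec:
            events.setdefault(rec['serial'], {})[rec['type']] = rec
    return events

def allow_rule(avc):
    """Render the allow rule audit2allow would print for one AVC record."""
    src, tgt = avc['scontext'].split(':')[2], avc['tcontext'].split(':')[2]
    perms = avc['perms'][0] if len(avc['perms']) == 1 else '{ %s }' % ' '.join(avc['perms'])
    return 'allow %s %s:%s %s;' % (src, 'self' if src == tgt else tgt, avc['tclass'], perms)

def triage(event):
    """Notes a defender wants from a joined AVC+SYSCALL pair."""
    avc, sc = event['AVC'], event.get('SYSCALL', {})
    notes = []
    if avc.get('result') == 'denied' and sc.get('success') == 'yes':
        notes.append('denied but succeeded: host is in permissive mode')
    # syscall 41 on arch c000003e (x86_64) is socket(2); a0..a2 are hex in audit logs
    if sc.get('arch') == 'c000003e' and sc.get('syscall') == '41':
        fam, typ, proto = (int(sc[k], 16) for k in ('a0', 'a1', 'a2'))
        notes.append('socket(family=%d, type=%d, protocol=%d)' % (fam, typ & 0xf, proto))
    return notes
```

Running `triage(correlate(SAMPLE_LOG)['8393'])` on the sample shows the permissive-mode flag and the decoded socket() call, which is what lets an analyst judge whether the rule is appropriate before loading a module built from it.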
Is this package setuid? Not sure what this package does but we probably want a context for it.
Created attachment 405391: /var/log/audit/audit.log

It isn't; it is a service run via dbus:

johanka:~$ ls -lh /usr/libexec/telepathy-sofiasip
-rwxr-xr-x. 1 root root 179K 8. dub 18.51 /usr/libexec/telepathy-sofiasip
johanka:~$

It is a SIP (VoIP) service for the Telepathy telecommunication framework for GNOME (the user interface for it is Empathy).
Miroslav can work with Matej to create a policy for this. First get it working with unconfined_t.
Actually it works for unconfined_t because the session dbus is running under unconfined_t, but under staff_dbusd_t for the staff role.
I thought opening a raw socket required a capability. If yes, then /usr/libexec/telepathy-sofiasip requires a policy to allow confined users to access this capability.
Dan, I have sent you a patch for F13. The policy was also tested by Matej.
Fixed in selinux-policy-3.7.18-2.fc13.noarch
selinux-policy-3.7.19-2.fc13 has been submitted as an update for Fedora 13. http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-2.fc13
selinux-policy-3.7.19-2.fc13 has been pushed to the Fedora 13 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-2.fc13
selinux-policy-3.7.19-2.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.