Bug 580684 - SELinux is preventing /usr/libexec/telepathy-sofiasip "create" access .
Summary: SELinux is preventing /usr/libexec/telepathy-sofiasip "create" access .
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:3775cbf3f0d...
Depends On:
Blocks:
Reported: 2010-04-08 19:01 UTC by Matěj Cepl
Modified: 2018-04-11 12:58 UTC (History)
Fixed In Version: selinux-policy-3.7.19-2.fc13
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-04-21 21:59:54 UTC
Type: ---
Embargoed:


Attachments:
/var/log/audit/audit.log (2.42 MB, text/plain), 2010-04-08 19:49 UTC, Matěj Cepl

Description Matěj Cepl 2010-04-08 19:01:38 UTC
Summary:

SELinux is preventing /usr/libexec/telepathy-sofiasip "create" access .

Detailed Description:

[SELinux is in permissive mode. Access was allowed.]

SELinux denied access requested by telepathy-sofia. It is not expected that this
access is required by telepathy-sofia and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                staff_u:staff_r:staff_t:s0-s0:c0.c1023
Target Context                staff_u:staff_r:staff_t:s0-s0:c0.c1023
Target Objects                None [ rawip_socket ]
Source                        telepathy-sofia
Source Path                   /usr/libexec/telepathy-sofiasip
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           telepathy-sofiasip-0.6.2-1.el6
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.17-5.el6
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.32-19.el6.x86_64 #1
                              SMP Tue Mar 9 17:48:46 EST 2010 x86_64 x86_64
Alert Count                   2
First Seen                    Thu 8 April 2010, 19:08:33 CEST
Last Seen                     Thu 8 April 2010, 19:09:29 CEST
Local ID                      fb54a7c5-8186-486c-b513-be1c669af016
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1270746569.831:8393): avc:  denied  { create } for  pid=22652 comm="telepathy-sofia" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=rawip_socket

node=(removed) type=SYSCALL msg=audit(1270746569.831:8393): arch=c000003e syscall=41 success=yes exit=45 a0=2 a1=1 a2=84 a3=100 items=0 ppid=22640 pid=22652 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="telepathy-sofia" exe="/usr/libexec/telepathy-sofiasip" subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  catchall,telepathy-sofia,staff_t,staff_t,rawip_socket,create
audit2allow suggests:

#============= staff_t ==============
allow staff_t self:rawip_socket create;
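The two audit records above carry more than the catchall plugin reports: the SYSCALL record names the call and its arguments. The following is an added example (not part of the bug report or of setroubleshoot/audit2allow) that parses both records, re-derives the audit2allow rule, and decodes the socket(2) arguments; it assumes an x86_64 audit record and a small hand-made lookup table for the constants involved.

```python
import re

# The two audit records quoted in this bug report, copied verbatim.
AVC_LINE = ('node=(removed) type=AVC msg=audit(1270746569.831:8393): avc:  denied  { create } '
            'for  pid=22652 comm="telepathy-sofia" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 '
            'tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=rawip_socket')
SYSCALL_LINE = ('node=(removed) type=SYSCALL msg=audit(1270746569.831:8393): arch=c000003e '
                'syscall=41 success=yes exit=45 a0=2 a1=1 a2=84 a3=100 items=0 ppid=22640 '
                'pid=22652 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 '
                'sgid=500 fsgid=500 tty=(none) ses=1 comm="telepathy-sofia" '
                'exe="/usr/libexec/telepathy-sofiasip" subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 '
                'key=(null)')

# Minimal decode tables (x86_64 syscall numbers; audit prints a0..a3 in hex).
SYSCALL_X86_64 = {41: "socket"}
AF = {2: "AF_INET", 10: "AF_INET6"}
SOCK_TYPE = {1: "SOCK_STREAM", 2: "SOCK_DGRAM", 3: "SOCK_RAW", 5: "SOCK_SEQPACKET"}
IPPROTO = {0: "IPPROTO_IP", 6: "IPPROTO_TCP", 17: "IPPROTO_UDP", 132: "IPPROTO_SCTP"}

def parse_fields(line):
    """Turn 'key=value key2="quoted"' audit text into a dict; quotes are stripped."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def parse_avc(line):
    """Extract the denied permissions, the source/target types and the object class."""
    f = parse_fields(line)
    perms = re.search(r'\{\s*([^}]*?)\s*\}', line).group(1).split()
    return {"event": f["msg"], "perms": perms, "comm": f["comm"], "tclass": f["tclass"],
            "stype": f["scontext"].split(":")[2],   # staff_u:staff_r:staff_t:... -> staff_t
            "ttype": f["tcontext"].split(":")[2]}

def allow_rule(avc):
    """Render the rule the way audit2allow does: 'self' when source and target types match."""
    target = "self" if avc["stype"] == avc["ttype"] else avc["ttype"]
    perms = avc["perms"][0] if len(avc["perms"]) == 1 else "{ %s }" % " ".join(avc["perms"])
    return "allow %s %s:%s %s;" % (avc["stype"], target, avc["tclass"], perms)

def decode_socket_call(line):
    """Decode the SYSCALL record's number and socket(2) arguments (domain, type, protocol)."""
    f = parse_fields(line)
    if f["arch"] != "c000003e":                   # AUDIT_ARCH_X86_64; other tables not included
        raise ValueError("decode table only covers x86_64 records")
    nr = int(f["syscall"])
    a0, a1, a2 = (int(f[k], 16) for k in ("a0", "a1", "a2"))
    # Here a2=0x84 is IPPROTO_SCTP. SELinux in the 2.6.32 kernel maps PF_INET sockets of any
    # protocol other than TCP/UDP/DCCP onto rawip_socket, so this denial comes from an SCTP
    # stream socket, not from a SOCK_RAW socket that would need CAP_NET_RAW.
    return {"syscall": SYSCALL_X86_64.get(nr, str(nr)), "domain": AF.get(a0, str(a0)),
            "type": SOCK_TYPE.get(a1, str(a1)), "protocol": IPPROTO.get(a2, str(a2))}

def analyse(avc_line, syscall_line):
    """Pair the two records by event id and return (denial, decoded call, audit2allow rule)."""
    avc, call = parse_avc(avc_line), decode_socket_call(syscall_line)
    if avc["event"] != parse_fields(syscall_line)["msg"]:
        raise ValueError("AVC and SYSCALL records belong to different audit events")
    return avc, call, allow_rule(avc)
```

The rendered rule reproduces the audit2allow suggestion above; the decoded call is what a reviewer would check before deciding whether a blanket self:rawip_socket allow or a dedicated domain for the binary is the right fix.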

Comment 2 Daniel Walsh 2010-04-08 19:36:11 UTC
Is this package setuid?  Not sure what this package does but we probably want a context for it.

Comment 3 Matěj Cepl 2010-04-08 19:49:41 UTC
Created attachment 405391
/var/log/audit/audit.log

It isn't, it is a service run via dbus:

johanka:~$ ls -lh /usr/libexec/telepathy-sofiasip 
-rwxr-xr-x. 1 root root 179K  8. dub 18.51 /usr/libexec/telepathy-sofiasip
johanka:~$ 

It is a SIP (VoIP) service for the Telepathy telecommunication framework for GNOME (the user interface for it is Empathy).

Comment 4 Daniel Walsh 2010-04-08 20:03:21 UTC
Miroslav can work with Matej to create a policy for this.

First get it working with unconfined_t

Comment 5 Miroslav Grepl 2010-04-09 12:20:27 UTC
Actually it works for unconfined_t because session dbus is running under unconfined_t, but under staff_dbusd_t for the staff role.

Comment 6 Daniel Walsh 2010-04-11 11:22:38 UTC
I thought opening a raw socket required a capability. If yes, then /usr/libexec/telepathy-sofiasip requires a policy to allow confined users to access this capability.

Comment 7 Miroslav Grepl 2010-04-12 16:24:04 UTC
Dan,
I have sent you a patch for F13. The policy was also tested by Matej.

Comment 8 Daniel Walsh 2010-04-12 17:30:28 UTC
Fixed in selinux-policy-3.7.18-2.fc13.noarch

Comment 9 Fedora Update System 2010-04-19 02:40:07 UTC
selinux-policy-3.7.19-2.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-2.fc13

Comment 10 Fedora Update System 2010-04-20 13:24:23 UTC
selinux-policy-3.7.19-2.fc13 has been pushed to the Fedora 13 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update selinux-policy'
You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-2.fc13

Comment 11 Fedora Update System 2010-04-21 21:58:25 UTC
selinux-policy-3.7.19-2.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.
