Summary:

SELinux is preventing /usr/libexec/telepathy-haze "name_bind" access.

Detailed Description:

SELinux denied access requested by telepathy-haze. It is not expected that this access is required by telepathy-haze, so this may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access; see the FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385). Please file a bug report.

Additional Information:

Source Context                unconfined_u:unconfined_r:telepathy_msn_t:s0-s0:c0.c1023
Target Context                system_u:object_r:sip_port_t:s0
Target Objects                None [ tcp_socket ]
Source                        telepathy-haze
Source Path                   /usr/libexec/telepathy-haze
Port                          5061
Host                          (removed)
Source RPM Packages           telepathy-haze-0.4.0-1.fc14
Target RPM Packages
Policy RPM                    selinux-policy-3.9.3-4.fc14
SELinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.35.4-12.fc14.x86_64 #1 SMP Fri Aug 27 07:45:05 UTC 2010 x86_64 x86_64
Alert Count                   4
First Seen                    Tue 14 Sep 2010 14:15:24 CEST
Last Seen                     Tue 14 Sep 2010 14:15:24 CEST
Local ID                      df4d86b8-01d3-4f0e-8c1f-0219d2b49b2a
Line Numbers

Raw Audit Messages

node=(entfernt) type=AVC msg=audit(1284466524.415:37): avc: denied { name_bind } for pid=2499 comm="telepathy-haze" src=5061 scontext=unconfined_u:unconfined_r:telepathy_msn_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sip_port_t:s0 tclass=tcp_socket

node=(entfernt) type=SYSCALL msg=audit(1284466524.415:37): arch=c000003e syscall=49 success=no exit=-13 a0=7 a1=22d1c90 a2=1c a3=7fff6b06615c items=0 ppid=1 pid=2499 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="telepathy-haze" exe="/usr/libexec/telepathy-haze" subj=unconfined_u:unconfined_r:telepathy_msn_t:s0-s0:c0.c1023 key=(null)

Hash String generated from catchall,telepathy-haze,telepathy_msn_t,sip_port_t,tcp_socket,name_bind

audit2allow suggests:

#============= telepathy_msn_t ==============
allow telepathy_msn_t sip_port_t:tcp_socket name_bind;

I tried to set up a SIP account in empathy, but this SELinux message was generated when connecting and the connection failed. The bug information was generated by the sealert tool. Sorry it is in German. I don't know how to change that. The tool should probably generate its bug reports in English by default.
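Added example (not part of the original report, and not setroubleshoot or audit2allow code): a small Python parser that joins the AVC and SYSCALL records above by their shared audit event id and rebuilds the suggested rule from the source type, target type, class and permission. The function names are hypothetical, and the SYSCALL record is abridged from the one in the report.

```python
import re

# The two records from the report above; both carry event id 1284466524.415:37.
# The SYSCALL record is abridged (gid/euid/... fields dropped).
RECORDS = [
    'node=(entfernt) type=AVC msg=audit(1284466524.415:37): avc: denied { name_bind } '
    'for pid=2499 comm="telepathy-haze" src=5061 '
    'scontext=unconfined_u:unconfined_r:telepathy_msn_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:sip_port_t:s0 tclass=tcp_socket',
    'node=(entfernt) type=SYSCALL msg=audit(1284466524.415:37): arch=c000003e syscall=49 '
    'success=no exit=-13 a0=7 a1=22d1c90 a2=1c a3=7fff6b06615c items=0 ppid=1 pid=2499 '
    'auid=500 uid=500 comm="telepathy-haze" exe="/usr/libexec/telepathy-haze" '
    'subj=unconfined_u:unconfined_r:telepathy_msn_t:s0-s0:c0.c1023 key=(null)',
]

HEAD = re.compile(r'type=(\w+) msg=audit\(([\d.]+:\d+)\):')
DENIED = re.compile(r'avc:\s+denied\s+\{ ([^}]+) \}')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def se_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(':')[2]

def parse(records):
    """Group records by audit event id and merge their key=value fields."""
    events = {}
    for line in records:
        head = HEAD.search(line)
        if not head:
            continue
        rtype, event_id = head.groups()
        ev = events.setdefault(event_id, {})
        body = line[head.end():]
        denied = DENIED.search(body) if rtype == 'AVC' else None
        if denied:
            ev['perms'] = denied.group(1).split()
        for key, value in FIELD.findall(body):
            ev.setdefault(key, value.strip('"'))
    return events

def allow_rule(ev):
    """Rebuild the allow rule implied by one denial (types, class, perms)."""
    perms = ev['perms']
    p = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return 'allow %s %s:%s %s;' % (
        se_type(ev['scontext']), se_type(ev['tcontext']), ev['tclass'], p)

if __name__ == '__main__':
    for eid, ev in parse(RECORDS).items():
        print(eid, ev['exe'], 'port', ev['src'], 'exit', ev['exit'], allow_rule(ev))
```

The merged event shows a bind() call (syscall 49 on x86_64) by /usr/libexec/telepathy-haze on port 5061 failing with exit -13 (EACCES). The rule is derived purely from the denial's fields, so it says nothing about whether the access is legitimate.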
We don't read the text. I just look at the data at the bottom. Why is telepathy_msn_t trying to listen on the SIP port? Is this normal behaviour?
What service are you connecting to? MSN? Sametime?
.. and do you notice any loss in functionality?
As I wrote I'm trying to connect to a SIP service. I can't connect, I only get a "network error" message. I don't really know if telepathy's SIP functionality works though as this is the first time I'm trying.
Hmm, as far as I know it should be using telepathy-sofiasip for that. I suspect you might be misconfiguring things. When I create a "New SIP account" for talk.fedoraproject.org, for example, it uses the telepathy-sofiasip connection manager and not the telepathy-haze connection manager. Do you have telepathy-sofiasip installed?
Hah. I got the solution. telepathy-sofiasip, which provides the SIP functionality, wasn't installed at all. Still, I was able to create a SIP account in empathy. But without the right 'backend' empathy tried to connect using telepathy-haze. When I install telepathy-sofiasip it works after recreating the account. IMO services that aren't installed shouldn't be available to configure in empathy, or there should at least be a note about what needs to be installed, or else dumb users like me can easily get confused :)
I guess another example of how SELinux prevents buggy programs from doing things they should not do...
Should we change this bug to empathy then?
Not sure, I am trying to get some feedback from #telepathy about this first, but I do not get any response so far.

to mt-ml: To do voice and video with SELinux-protected telepathy you also need to set the telepathy_network_connect boolean to true.

09:33 < dgrift> is haze supposed to bind a tcp socket to the sip port when you create a sip account and sofiasip isnt installed?
09:34 < dgrift> should one be able to create a sip account at all when sofiasip isnt installed?
09:42 < sjoerd> dgrift: well if you turn on a simple account on haze then yes it should bind the socket
09:43 < sjoerd> dgrift: whether you should or shouldn't be able to create a sip account with tp-haze is debatable
09:43 < sjoerd> i thought we disabled it but apparently we didn't
09:43 < sjoerd> cassidy: ^
09:44 < dgrift> ok i will deny haze access to bind a tcp socket to sip port for now
09:45 < cassidy> hum no I don't think we did finally. I was planning to check which features are provided by haze's sip to see if it was worth it and then got distracted by a bees or something
09:45 < cassidy> I'll open a bug
09:45 < sjoerd> cassidy: you can send messages with haze sip and that's about it
09:45 < cassidy> sjoerd, does it support SIMPLE rosters ?
09:45 < sjoerd> i don't care, no server supports them in practise
09:46 < sjoerd> everyone who wants to do sip with empathy gets confused by it as various distros do ship haze but not -sofiasip by default
09:46 < sjoerd> and then they make sip accounts that can't make calls
09:46 < sjoerd> which is well the whole point of sip :)
09:47 < cassidy> yeah probably. I'm not enough of a SIP person to know for sure but I guess you're right
This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.