Bug 633788 - SELinux is preventing /usr/libexec/telepathy-haze "name_bind" access.
Summary: SELinux is preventing /usr/libexec/telepathy-haze "name_bind" access.
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 14
Hardware: x86_64
OS: Linux
low
medium
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Whiteboard: setroubleshoot_trace_hash:262e42b759b...
Reported: 2010-09-14 12:27 UTC by Mirco Tischler
Modified: 2011-05-26 20:04 UTC
Last Closed: 2011-05-26 20:04:16 UTC

Description Mirco Tischler 2010-09-14 12:27:03 UTC
Summary:

SELinux is preventing /usr/libexec/telepathy-haze "name_bind" access.

Detailed Description:

SELinux denied access requested by telepathy-haze. It is not expected that this
access is required by telepathy-haze, so this may signal an intrusion attempt.
It is also possible that this specific version or configuration of the
application is causing it to require the additional access.

Allowing Access:

You can generate a local policy module to allow this access; see the FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385).
Please file a bug report.

Additional Information:

Source Context                unconfined_u:unconfined_r:telepathy_msn_t:s0-s0:c0.c1023
Target Context                system_u:object_r:sip_port_t:s0
Target Objects                None [ tcp_socket ]
Source                        telepathy-haze
Source Path                   /usr/libexec/telepathy-haze
Port                          5061
Host                          (removed)
Source RPM Packages           telepathy-haze-0.4.0-1.fc14
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.3-4.fc14
SELinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.35.4-12.fc14.x86_64 #1 SMP Fri Aug 27 07:45:05 UTC 2010 x86_64 x86_64
Alert Count                   4
First Seen                    Tue 14 Sep 2010 14:15:24 CEST
Last Seen                     Tue 14 Sep 2010 14:15:24 CEST
Local ID                      df4d86b8-01d3-4f0e-8c1f-0219d2b49b2a
Line Numbers                  

Raw Audit Messages           

node=(entfernt) type=AVC msg=audit(1284466524.415:37): avc:  denied  { name_bind } for  pid=2499 comm="telepathy-haze" src=5061 scontext=unconfined_u:unconfined_r:telepathy_msn_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sip_port_t:s0 tclass=tcp_socket

node=(entfernt) type=SYSCALL msg=audit(1284466524.415:37): arch=c000003e syscall=49 success=no exit=-13 a0=7 a1=22d1c90 a2=1c a3=7fff6b06615c items=0 ppid=1 pid=2499 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="telepathy-haze" exe="/usr/libexec/telepathy-haze" subj=unconfined_u:unconfined_r:telepathy_msn_t:s0-s0:c0.c1023 key=(null)

Hash String generated from  catchall,telepathy-haze,telepathy_msn_t,sip_port_t,tcp_socket,name_bind
audit2allow suggests:

#============= telepathy_msn_t ==============
allow telepathy_msn_t sip_port_t:tcp_socket name_bind;
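The two raw audit records above carry everything a policy maintainer needs for triage. The following is an added Python example (not part of the bug report or of setroubleshoot) that parses them, rebuilds the rule audit2allow printed, and decodes the paired SYSCALL record; the syscall and errno tables are a small constructed subset for x86_64 only.

```python
import re

# AVC and SYSCALL records copied from this report (host name removed by sealert).
AVC_LINE = ('node=(entfernt) type=AVC msg=audit(1284466524.415:37): avc:  denied  '
            '{ name_bind } for  pid=2499 comm="telepathy-haze" src=5061 '
            'scontext=unconfined_u:unconfined_r:telepathy_msn_t:s0-s0:c0.c1023 '
            'tcontext=system_u:object_r:sip_port_t:s0 tclass=tcp_socket')
SYSCALL_LINE = ('node=(entfernt) type=SYSCALL msg=audit(1284466524.415:37): arch=c000003e '
                'syscall=49 success=no exit=-13 a0=7 a1=22d1c90 a2=1c a3=7fff6b06615c pid=2499 '
                'comm="telepathy-haze" exe="/usr/libexec/telepathy-haze" key=(null)')

AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}'
                    r'\s+for\s+(?P<fields>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Constructed x86_64-only subset; a real tool would use ausyscall and the errno module.
X86_64_SYSCALLS = {41: 'socket', 42: 'connect', 49: 'bind', 50: 'listen'}
ERRNO = {13: 'EACCES', 98: 'EADDRINUSE'}


def parse_kv(text):
    """Turn a run of key=value / key="quoted value" pairs into a dict."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def parse_avc(line):
    """Pull out the fields of an AVC record that drive policy triage."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError('not an AVC record')
    f = parse_kv(m.group('fields'))
    # A context is user:role:type[:range]; the type is what policy rules name.
    return {'result': m.group('result'), 'perms': m.group('perms').split(),
            'stype': f['scontext'].split(':')[2],
            'ttype': f['tcontext'].split(':')[2],
            'tclass': f['tclass'],
            'port': int(f['src']) if 'src' in f else None}


def audit2allow_rule(avc):
    """Reproduce the allow rule audit2allow prints for one parsed denial."""
    p = avc['perms']
    perms = p[0] if len(p) == 1 else '{ %s }' % ' '.join(p)
    return 'allow %s %s:%s %s;' % (avc['stype'], avc['ttype'], avc['tclass'], perms)


def describe_syscall(line):
    """Decode syscall number and errno of the paired SYSCALL record (x86_64 only)."""
    f = parse_kv(line)
    if f.get('arch') != 'c000003e':
        raise ValueError('only x86_64 (arch=c000003e) records are decoded here')
    return (X86_64_SYSCALLS.get(int(f['syscall']), f['syscall']),
            ERRNO.get(-int(f['exit']), f['exit']))
```

The rule is only the mechanical answer to the denial; the discussion that follows establishes that the correct fix here was installing the missing telepathy-sofiasip backend rather than loading it.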

Comment 1 Mirco Tischler 2010-09-14 12:43:06 UTC
I tried to set up a SIP account in Empathy, but this SELinux message was generated when connecting and the connection failed.
The bug information was generated by the sealert tool. Sorry it is in German; I don't know how to change that. The tool should probably generate its bug reports in English by default.

Comment 2 Daniel Walsh 2010-09-14 18:11:47 UTC
We don't read the text.  I just look at the data at the bottom.

Why is telepathy_msn_t trying to listen on the SIP port?  Is this normal behaviour?

Comment 3 Dominick Grift 2010-09-14 18:44:06 UTC
What service are you connecting to? MSN? Sametime?

Comment 4 Dominick Grift 2010-09-14 18:46:28 UTC
.. and do you notice any loss in functionality?

Comment 5 Mirco Tischler 2010-09-14 19:08:16 UTC
As I wrote I'm trying to connect to a SIP service. I can't connect, I only get a "network error" message. I don't really know if telepathy's SIP functionality works though as this is the first time I'm trying.

Comment 6 Dominick Grift 2010-09-14 19:29:21 UTC
Hmm, as far as I know it should be using telepathy-sofiasip for that.

I suspect you might be misconfiguring things.

When I create a "New SIP account" for talk.fedoraproject.org, for example, it uses the telepathy-sofiasip connection manager and not the telepathy-haze connection manager.

Do you have telepathy-sofiasip installed?

Comment 7 Mirco Tischler 2010-09-14 19:30:57 UTC
Hah. I got the solution. telepathy-sofiasip, which provides the SIP functionality, wasn't installed at all. Still, I was able to create a SIP account in Empathy. But without the right 'backend', Empathy tried to connect using telepathy-haze.
When I install telepathy-sofiasip it works after recreating the account.

IMO services that aren't installed shouldn't be available to configure in Empathy, or there should at least be a note about what needs to be installed, or else dumb users like me can easily get confused :)

Comment 8 Dominick Grift 2010-09-14 19:47:29 UTC
I guess this is another example of how SELinux prevents buggy programs from doing things they should not do...

Comment 9 Daniel Walsh 2010-09-14 20:03:43 UTC
Should we change this bug to empathy then?

Comment 10 Dominick Grift 2010-09-14 20:07:31 UTC
Not sure, I am trying to get some feedback from #telepathy about this first, but I do not get any response so far..

to mt-ml: To do voice and video with SELinux-protected telepathy you also need to set the telepathy_network_connect boolean to true.

Comment 11 Dominick Grift 2010-09-15 07:47:54 UTC
09:33 < dgrift> is haze supposed to bind a tcp socket to the sip port when you create a sip
                account and sofiasip isnt installed?
09:34 < dgrift> should one be able to create a sip account at all when sofiasip isnt
                installed?
09:42 < sjoerd> dgrift: well if you turn on a simple account on haze then yes it should bind 
                the socket
09:43 < sjoerd> dgrift: whether you should or shouldn't be able to create a sip account with 
                tp-haze is debatable
09:43 < sjoerd> i thought we disabled it but apparently we didn't
09:43 < sjoerd> cassidy: ^
09:44 < dgrift> ok i will deny haze access to bind a tcp socket to sip port for now
09:45 < cassidy> hum no I don't think we did finally. I was planning to check which features 
                 are provided by haze's sip to see if it was worth it and then got distracted 
                 by a bees or something
09:45 < cassidy> I'll open a bug
09:45 < sjoerd> cassidy: you can send messages with haze sip and that's about it
09:45 < cassidy> sjoerd, does it support SIMPLE rosters ?
09:45 < sjoerd> i don't care, no server supports them in practise
09:46 < sjoerd> everyone who wants to do sip with empathy gets confused by it as various 
                distros do ship haze but not -sofiasip by default
09:46 < sjoerd> and then they make sip accounts that can't make calls
09:46 < sjoerd> which is well the whole point of sip :)
09:47 < cassidy> yeah probably. I'm not enough of a SIP person to know for sure but I guess 
                 you're right

Comment 12 Fedora Admin XMLRPC Client 2010-11-08 21:52:19 UTC
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

Comment 13 Fedora Admin XMLRPC Client 2010-11-08 21:55:15 UTC
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

Comment 14 Fedora Admin XMLRPC Client 2010-11-08 21:55:52 UTC
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
