Bug 637339 - empathy 2.31.90-2 blocked by SELinux
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: empathy
Version: 14
Hardware: x86_64 Linux
Priority: low, Severity: medium
Assigned To: Brian Pepple
Fedora Extras Quality Assurance
https://fedoraproject.org/wiki/Common...
Keywords: CommonBugs
Blocks: F14Blocker/F14FinalBlocker
Reported: 2010-09-24 21:28 EDT by John Watzke
Modified: 2010-10-06 21:24 EDT
Doc Type: Bug Fix
Last Closed: 2010-10-06 21:24:27 EDT


Description John Watzke 2010-09-24 21:28:59 EDT
Description of problem:
Cannot connect to yahoo using empathy

Version-Release number of selected component (if applicable):
empathy-2.31.90-2.fc14.x86_64


How reproducible:
Always

Steps to Reproduce:
1. Start empathy
2. Try to connect to a Yahoo account (or probably any account)
3. Get connection error
  
Actual results:
Seems to be blocked by SELinux

Expected results:
Connect to yahoo

Additional info:

Here's some debug info thanks to fenris02:

type=AVC msg=audit(1285377244.752:78): avc:  denied  { read } for  pid=6314 comm="telepathy-haze" name="exe" dev=proc ino=8648 scontext=unconfined_u:unconfined_r:telepathy_msn_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=lnk_file

	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.


===============

If I execute: "setenforce 0" I can connect.
Comment 1 John Watzke 2010-09-24 21:33:45 EDT
BTW, I think the AVC audit message says MSN because I had tried the AIM client first.
Comment 2 John Watzke 2010-09-24 21:50:10 EDT
Additional message:

type=AVC msg=audit(1285377925.037:93): avc:  denied  { name_connect } for  pid=6537 comm="telepathy-haze" dest=5050 scontext=unconfined_u:unconfined_r:telepathy_msn_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mmcc_port_t:s0 tclass=tcp_socket

	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.
Comment 3 Dominick Grift 2010-09-25 11:07:02 EDT
I committed the fix for connecting to tcp:5050.

http://git.fedorahosted.org/git/?p=selinux-policy.git;a=commitdiff;h=e66aa74b4a5d36a49d1e35c7ee25a881e8ea0f3b

The issue where haze wants to read /proc/1/exe is under investigation (appears to be a bug in libpurple according to the folks at #telepathy)
Comment 4 Daniel Walsh 2010-09-26 06:46:00 EDT
Fixed in selinux-policy-3.9.5-6.fc14
Comment 5 Adam Williamson 2010-10-01 13:02:22 EDT
This was discussed at the 2010-10-01 blocker review meeting. We accepted it as a blocker under the criterion "All applications listed under the Applications menu must withstand a basic functionality test and not crash after a few minutes of normal use. They must also have working Help and Help -> About menu items". Dan, the selinux-policy -7 update has passed critpath testing now, so can you please submit it to stable? Thanks!
Comment 6 John Poelstra 2010-10-06 17:16:31 EDT
Dear Bug Reporter,

This blocker bug has been marked as fixed.  If possible could you verify that this problem is in fact fixed in the latest build?  Your help in completing this task and adding a comment to this bug prior to the next Fedora 14 Alpha Blocker meeting on Friday, October 8, 2010, would be most appreciated.

Thank you,
John
Comment 7 John Watzke 2010-10-06 21:21:00 EDT
Ah yes, I forgot to come put a comment in here.  It's fixed now.  Thanks!