Bug 637339 - empathy 2.31.90-2 blocked by SELinux
Summary: empathy 2.31.90-2 blocked by SELinux
Alias: None
Product: Fedora
Classification: Fedora
Component: empathy
Version: 14
Hardware: x86_64
OS: Linux
Target Milestone: ---
Assignee: Brian Pepple
QA Contact: Fedora Extras Quality Assurance
Whiteboard: https://fedoraproject.org/wiki/Common...
Depends On:
Blocks: F14Blocker, F14FinalBlocker
TreeView+ depends on / blocked
Reported: 2010-09-25 01:28 UTC by John Watzke
Modified: 2010-10-07 01:24 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2010-10-07 01:24:27 UTC

Attachments (Terms of Use)

Description John Watzke 2010-09-25 01:28:59 UTC
Description of problem:
Cannot connect to yahoo using empathy

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Start empathy
2. Try to connect to a Yahoo account (or probably any account)
3. Get connection error
Actual results:
Seems to be blocked by SELinux

Expected results:
Connect to yahoo

Additional info:

Here's some debug info thanks to fenris02:

type=AVC msg=audit(1285377244.752:78): avc:  denied  { read } for  pid=6314 comm="telepathy-haze" name="exe" dev=proc ino=8648 scontext=unconfined_u:unconfined_r:telepathy_msn_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=lnk_file

	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.


If I execute: "setenforce 0" I can connect.

Comment 1 John Watzke 2010-09-25 01:33:45 UTC
BTW, I think the AVC audit message says MSN because I had tried the AIM client first.

Comment 2 John Watzke 2010-09-25 01:50:10 UTC
Additional message:

type=AVC msg=audit(1285377925.037:93): avc:  denied  { name_connect } for  pid=6537 comm="telepathy-haze" dest=5050 scontext=unconfined_u:unconfined_r:telepathy_msn_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mmcc_port_t:s0 tclass=tcp_socket

	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

Comment 3 Dominick Grift 2010-09-25 15:07:02 UTC
I commit the fix for connecting to tcp:5050.


The issue where haze wants to read /proc/1/exe is under investigation (appears to be a bug in libpurple according to the folks at #telepathy)

Comment 4 Daniel Walsh 2010-09-26 10:46:00 UTC
Fixed in selinux-policy-3.9.5-6.fc14

Comment 5 Adam Williamson 2010-10-01 17:02:22 UTC
This was discussed at the 2010-10-01 blocker review meeting. We accepted it as a blocker under the criterion "All applications listed under the Applications menu must withstand a basic functionality test and not crash after a few minutes of normal use. They must also have working Help and Help -> About menu items". Dan, the selinux-policy -7 update has passed critpath testing now, so can you please submit it to stable? Thanks!

Comment 6 John Poelstra 2010-10-06 21:16:31 UTC
Dear Bug Reporter,

This blocker bug has been marked as fixed.  If possible could you verify that this problem is in fact fixed in the latest build?  Your help in completing this task and adding a comment to this bug prior to the next Fedora 14 Alpha Blocker meeting on Friday, October 8, 2010, would be most appreciated.

Thank you,

Comment 7 John Watzke 2010-10-07 01:21:00 UTC
Ah yes, I forgot to come put a comment in here.  It's fixed now.  Thanks!

Note You need to log in before you can comment on or make changes to this bug.