Bug 637339 - empathy 2.31.90-2 blocked by SELinux
Summary: empathy 2.31.90-2 blocked by SELinux
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: empathy
Version: 14
Hardware: x86_64
OS: Linux
low
medium
Target Milestone: ---
Assignee: Brian Pepple
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: https://fedoraproject.org/wiki/Common...
Depends On:
Blocks: F14Blocker, F14FinalBlocker
 
Reported: 2010-09-25 01:28 UTC by John Watzke
Modified: 2010-10-07 01:24 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-10-07 01:24:27 UTC
Type: ---
Embargoed:



Description John Watzke 2010-09-25 01:28:59 UTC
Description of problem:
Cannot connect to yahoo using empathy

Version-Release number of selected component (if applicable):
empathy-2.31.90-2.fc14.x86_64


How reproducible:
Always

Steps to Reproduce:
1. Start empathy
2. Try to connect to a Yahoo account (or probably any account)
3. Get connection error
  
Actual results:
Seems to be blocked by SELinux

Expected results:
Connect to yahoo

Additional info:

Here's some debug info thanks to fenris02:

type=AVC msg=audit(1285377244.752:78): avc:  denied  { read } for  pid=6314 comm="telepathy-haze" name="exe" dev=proc ino=8648 scontext=unconfined_u:unconfined_r:telepathy_msn_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=lnk_file

	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.


===============

If I execute: "setenforce 0" I can connect.

Comment 1 John Watzke 2010-09-25 01:33:45 UTC
BTW, I think the AVC audit message says MSN because I had tried the AIM client first.

Comment 2 John Watzke 2010-09-25 01:50:10 UTC
Additional message:

type=AVC msg=audit(1285377925.037:93): avc:  denied  { name_connect } for  pid=6537 comm="telepathy-haze" dest=5050 scontext=unconfined_u:unconfined_r:telepathy_msn_t:s0-s0:c0.c1023 tcontext=system_u:object_r:mmcc_port_t:s0 tclass=tcp_socket

	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

Comment 3 Dominick Grift 2010-09-25 15:07:02 UTC
I committed the fix for connecting to tcp:5050.

http://git.fedorahosted.org/git/?p=selinux-policy.git;a=commitdiff;h=e66aa74b4a5d36a49d1e35c7ee25a881e8ea0f3b

The issue where haze wants to read /proc/1/exe is under investigation (appears to be a bug in libpurple according to the folks at #telepathy)

Comment 4 Daniel Walsh 2010-09-26 10:46:00 UTC
Fixed in selinux-policy-3.9.5-6.fc14

Comment 5 Adam Williamson 2010-10-01 17:02:22 UTC
This was discussed at the 2010-10-01 blocker review meeting. We accepted it as a blocker under the criterion "All applications listed under the Applications menu must withstand a basic functionality test and not crash after a few minutes of normal use. They must also have working Help and Help -> About menu items". Dan, the selinux-policy -7 update has passed critpath testing now, so can you please submit it to stable? Thanks!

Comment 6 John Poelstra 2010-10-06 21:16:31 UTC
Dear Bug Reporter,

This blocker bug has been marked as fixed.  If possible could you verify that this problem is in fact fixed in the latest build?  Your help in completing this task and adding a comment to this bug prior to the next Fedora 14 Alpha Blocker meeting on Friday, October 8, 2010, would be most appreciated.

Thank you,
John

Comment 7 John Watzke 2010-10-07 01:21:00 UTC
Ah yes, I forgot to come put a comment in here.  It's fixed now.  Thanks!

