Summary:

SELinux is preventing /usr/bin/python "getattr" access on /usr/bin/python.

Detailed Description:

SELinux denied access requested by telepathy-sunsh. This access is not required by telepathy-sunsh and may indicate an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require this

Allowing Access:

You can generate a local policy module to allow this access - see the FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a report.

Additional Information:

Source Context                unconfined_u:unconfined_r:telepathy_sunshine_t:s0-s0:c0.c1023
Target Context                system_u:object_r:bin_t:s0
Target Objects                /usr/bin/python [ file ]
Source                        telepathy-sunsh
Source Path                   /usr/bin/python
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           python-2.7-8.fc14.1
Target RPM Packages           python-2.7-8.fc14.1
Policy RPM                    selinux-policy-3.9.5-7.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.35.4-28.fc14.i686.PAE #1 SMP Wed Sep 15 01:57:00 UTC 2010 i686 i686
Alert Count                   4
First Seen                    Wed, 29 Sep 2010, 23:20:15
Last Seen                     Wed, 29 Sep 2010, 23:29:47
Local ID                      f0e316f4-2c23-48e3-83d9-d69eaa0bb2b6
Line Numbers

Raw Audit Messages

node=(usunięto) type=AVC msg=audit(1285795787.889:18177): avc: denied { getattr } for pid=2146 comm="telepathy-sunsh" path="/usr/bin/python" dev=dm-0 ino=269795 scontext=unconfined_u:unconfined_r:telepathy_sunshine_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file
node=(usunięto) type=SYSCALL msg=audit(1285795787.889:18177): arch=40000003 syscall=196 success=no exit=-13 a0=8d9b4c0 a1=bfd8c52c a2=344ff4 a3=8d9b4c0 items=0 ppid=2145 pid=2146 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="telepathy-sunsh" exe="/usr/bin/python" subj=unconfined_u:unconfined_r:telepathy_sunshine_t:s0-s0:c0.c1023 key=(null)

Hash String generated from  catchall,telepathy-sunsh,telepathy_sunshine_t,bin_t,file,getattr

audit2allow suggests:

#============= telepathy_sunshine_t ==============
allow telepathy_sunshine_t bin_t:file getattr;
Sorry for the Polish language, I'm not sure how to switch it to English. It is likely that this bug is preventing empathy from launching telepathy-sunshine properly. As a result, telepathy-sunshine works when started from the command line and then connected to with empathy, but when empathy is supposed to start telepathy-sunshine itself, it fails. CCing telepathy-sunshine upstream developer.
Yep, it works in permissive mode. There are more alerts, I'll file one per comment to make it manageable.
Summary:

SELinux is preventing /usr/bin/python "getattr" access on /usr/bin/python.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux denied access requested by telepathy-sunsh. It is not expected that this access is required by telepathy-sunsh and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report.

Additional Information:

Source Context                unconfined_u:unconfined_r:telepathy_sunshine_t:s0-s0:c0.c1023
Target Context                system_u:object_r:bin_t:s0
Target Objects                /usr/bin/python [ file ]
Source                        telepathy-sunsh
Source Path                   /usr/bin/python
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           python-2.7-7.fc14
Target RPM Packages           python-2.7-7.fc14
Policy RPM                    selinux-policy-3.9.5-7.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.35.4-28.fc14.x86_64 #1 SMP Wed Sep 15 01:56:54 UTC 2010 x86_64 x86_64
Alert Count                   1
First Seen                    Thu 30 Sep 2010 12:07:22 AM EDT
Last Seen                     Thu 30 Sep 2010 12:07:22 AM EDT
Local ID                      a53d2741-2f69-497f-8ce5-b6fc3bd236a4
Line Numbers

Raw Audit Messages

node=(removed) type=AVC msg=audit(1285819642.208:61): avc: denied { getattr } for pid=2950 comm="telepathy-sunsh" path="/usr/bin/python" dev=dm-0 ino=11869 scontext=unconfined_u:unconfined_r:telepathy_sunshine_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file
node=(removed) type=SYSCALL msg=audit(1285819642.208:61): arch=c000003e syscall=6 success=yes exit=0 a0=1db1ba0 a1=7fffe4b02a40 a2=7fffe4b02a40 a3=ffffffffffffffff items=0 ppid=2949 pid=2950 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="telepathy-sunsh" exe="/usr/bin/python" subj=unconfined_u:unconfined_r:telepathy_sunshine_t:s0-s0:c0.c1023 key=(null)
Summary:

SELinux is preventing /usr/bin/python "getattr" access to /home/liveuser/.telepathy-sunshine/xxx/profile.xml.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux denied access requested by telepathy-sunsh. /home/liveuser/.telepathy-sunshine/xxx/profile.xml may be mislabeled. /home/liveuser/.telepathy-sunshine/xxx/profile.xml default SELinux type is user_home_t, but its current type is user_home_dir_t. Changing this file back to the default type may fix your problem.

File contexts can be assigned to a file in the following ways.

* Files created in a directory receive the file context of the parent directory by default.
* The SELinux policy might override the default label inherited from the parent directory by specifying a process running in context A which creates a file in a directory labeled B will instead create the file with label C. An example of this would be the dhcp client running with the dhclient_t type and creating a file in the directory /etc. This file would normally receive the etc_t type due to parental inheritance but instead the file is labeled with the net_conf_t type because the SELinux policy specifies this.
* Users can change the file context on a file using tools such as chcon, or restorecon.

This file could have been mislabeled either by user error, or if a normally confined application was run under the wrong domain.

However, this might also indicate a bug in SELinux because the file should not have been labeled with this type.

If you believe this is a bug, please file a bug report against this package.

Allowing Access:

You can restore the default system context to this file by executing the restorecon command. restorecon '/home/liveuser/.telepathy-sunshine/xxx/profile.xml', if this file is a directory, you can recursively restore using restorecon -R '/home/liveuser/.telepathy-sunshine/xxx/profile.xml'.

Fix Command:

/sbin/restorecon '/home/liveuser/.telepathy-sunshine/xxx/profile.xml'

Additional Information:

Source Context                unconfined_u:unconfined_r:telepathy_sunshine_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:user_home_dir_t:s0
Target Objects                /home/liveuser/.telepathy-sunshine/xxx/profile.xml [ file ]
Source                        telepathy-sunsh
Source Path                   /usr/bin/python
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           python-2.7-7.fc14
Target RPM Packages
Policy RPM                    selinux-policy-3.9.5-7.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   restorecon
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.35.4-28.fc14.x86_64 #1 SMP Wed Sep 15 01:56:54 UTC 2010 x86_64 x86_64
Alert Count                   1
First Seen                    Thu 30 Sep 2010 12:07:22 AM EDT
Last Seen                     Thu 30 Sep 2010 12:07:22 AM EDT
Local ID                      13178c6e-59cd-475f-8bba-bf3d65b8f74a
Line Numbers

Raw Audit Messages

node=localhost.localdomain type=AVC msg=audit(1285819642.976:62): avc: denied { getattr } for pid=2950 comm="telepathy-sunsh" path="/home/liveuser/.telepathy-sunshine/xxx/profile.xml" dev=dm-0 ino=70650 scontext=unconfined_u:unconfined_r:telepathy_sunshine_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=file
node=localhost.localdomain type=SYSCALL msg=audit(1285819642.976:62): arch=c000003e syscall=4 success=yes exit=0 a0=2c00100 a1=7fffe4b084c0 a2=7fffe4b084c0 a3=6968736e75732d79 items=0 ppid=1 pid=2950 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="telepathy-sunsh" exe="/usr/bin/python" subj=unconfined_u:unconfined_r:telepathy_sunshine_t:s0-s0:c0.c1023 key=(null)
Summary:

SELinux is preventing /usr/bin/python "read" access on profile.xml.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux denied access requested by telepathy-sunsh. It is not expected that this access is required by telepathy-sunsh and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report.

Additional Information:

Source Context                unconfined_u:unconfined_r:telepathy_sunshine_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:user_home_dir_t:s0
Target Objects                profile.xml [ file ]
Source                        telepathy-sunsh
Source Path                   /usr/bin/python
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           python-2.7-7.fc14
Target RPM Packages
Policy RPM                    selinux-policy-3.9.5-7.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.35.4-28.fc14.x86_64 #1 SMP Wed Sep 15 01:56:54 UTC 2010 x86_64 x86_64
Alert Count                   2
First Seen                    Thu 30 Sep 2010 12:07:22 AM EDT
Last Seen                     Thu 30 Sep 2010 12:07:22 AM EDT
Local ID                      dea57274-2fa0-4efc-976c-8dd6f6428127
Line Numbers

Raw Audit Messages

node=localhost.localdomain type=AVC msg=audit(1285819642.977:63): avc: denied { read } for pid=2950 comm="telepathy-sunsh" name="profile.xml" dev=dm-0 ino=70650 scontext=unconfined_u:unconfined_r:telepathy_sunshine_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=file
node=localhost.localdomain type=AVC msg=audit(1285819642.977:63): avc: denied { open } for pid=2950 comm="telepathy-sunsh" name="profile.xml" dev=dm-0 ino=70650 scontext=unconfined_u:unconfined_r:telepathy_sunshine_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=file
node=localhost.localdomain type=SYSCALL msg=audit(1285819642.977:63): arch=c000003e syscall=2 success=yes exit=15 a0=2c00100 a1=0 a2=1b6 a3=0 items=0 ppid=1 pid=2950 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="telepathy-sunsh" exe="/usr/bin/python" subj=unconfined_u:unconfined_r:telepathy_sunshine_t:s0-s0:c0.c1023 key=(null)
Summary:

SELinux is preventing /usr/bin/python "create" access.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux denied access requested by telepathy-sunsh. It is not expected that this access is required by telepathy-sunsh and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report.

Additional Information:

Source Context                unconfined_u:unconfined_r:telepathy_sunshine_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:telepathy_sunshine_t:s0-s0:c0.c1023
Target Objects                None [ netlink_route_socket ]
Source                        telepathy-sunsh
Source Path                   /usr/bin/python
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           python-2.7-7.fc14
Target RPM Packages
Policy RPM                    selinux-policy-3.9.5-7.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.35.4-28.fc14.x86_64 #1 SMP Wed Sep 15 01:56:54 UTC 2010 x86_64 x86_64
Alert Count                   1
First Seen                    Thu 30 Sep 2010 12:07:24 AM EDT
Last Seen                     Thu 30 Sep 2010 12:07:24 AM EDT
Local ID                      4977daf9-1c38-469a-b97d-60d3a7c5e365
Line Numbers

Raw Audit Messages

node=localhost.localdomain type=AVC msg=audit(1285819644.484:64): avc: denied { create } for pid=2954 comm="telepathy-sunsh" scontext=unconfined_u:unconfined_r:telepathy_sunshine_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:telepathy_sunshine_t:s0-s0:c0.c1023 tclass=netlink_route_socket
node=localhost.localdomain type=SYSCALL msg=audit(1285819644.484:64): arch=c000003e syscall=41 success=yes exit=16 a0=10 a1=3 a2=0 a3=a items=0 ppid=1 pid=2954 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="telepathy-sunsh" exe="/usr/bin/python" subj=unconfined_u:unconfined_r:telepathy_sunshine_t:s0-s0:c0.c1023 key=(null)
Summary:

SELinux is preventing /usr/bin/python "bind" access.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux denied access requested by telepathy-sunsh. It is not expected that this access is required by telepathy-sunsh and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report.

Additional Information:

Source Context                unconfined_u:unconfined_r:telepathy_sunshine_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:telepathy_sunshine_t:s0-s0:c0.c1023
Target Objects                None [ netlink_route_socket ]
Source                        telepathy-sunsh
Source Path                   /usr/bin/python
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           python-2.7-7.fc14
Target RPM Packages
Policy RPM                    selinux-policy-3.9.5-7.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.35.4-28.fc14.x86_64 #1 SMP Wed Sep 15 01:56:54 UTC 2010 x86_64 x86_64
Alert Count                   1
First Seen                    Thu 30 Sep 2010 12:07:24 AM EDT
Last Seen                     Thu 30 Sep 2010 12:07:24 AM EDT
Local ID                      66893a2b-f4a3-48a0-aecf-8a4ac1d6def0
Line Numbers

Raw Audit Messages

node=localhost.localdomain type=AVC msg=audit(1285819644.485:65): avc: denied { bind } for pid=2954 comm="telepathy-sunsh" scontext=unconfined_u:unconfined_r:telepathy_sunshine_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:telepathy_sunshine_t:s0-s0:c0.c1023 tclass=netlink_route_socket
node=localhost.localdomain type=SYSCALL msg=audit(1285819644.485:65): arch=c000003e syscall=49 success=yes exit=0 a0=10 a1=7fb9702979f0 a2=c a3=a items=0 ppid=1 pid=2954 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="telepathy-sunsh" exe="/usr/bin/python" subj=unconfined_u:unconfined_r:telepathy_sunshine_t:s0-s0:c0.c1023 key=(null)
Summary:

SELinux is preventing /usr/bin/python "getattr" access.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux denied access requested by telepathy-sunsh. It is not expected that this access is required by telepathy-sunsh and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report.

Additional Information:

Source Context                unconfined_u:unconfined_r:telepathy_sunshine_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:telepathy_sunshine_t:s0-s0:c0.c1023
Target Objects                None [ netlink_route_socket ]
Source                        telepathy-sunsh
Source Path                   /usr/bin/python
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           python-2.7-7.fc14
Target RPM Packages
Policy RPM                    selinux-policy-3.9.5-7.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.35.4-28.fc14.x86_64 #1 SMP Wed Sep 15 01:56:54 UTC 2010 x86_64 x86_64
Alert Count                   1
First Seen                    Thu 30 Sep 2010 12:07:24 AM EDT
Last Seen                     Thu 30 Sep 2010 12:07:24 AM EDT
Local ID                      a58a0590-09f5-4d6a-a1c5-138904f362c0
Line Numbers

Raw Audit Messages

node=localhost.localdomain type=AVC msg=audit(1285819644.485:66): avc: denied { getattr } for pid=2954 comm="telepathy-sunsh" scontext=unconfined_u:unconfined_r:telepathy_sunshine_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:telepathy_sunshine_t:s0-s0:c0.c1023 tclass=netlink_route_socket
node=localhost.localdomain type=SYSCALL msg=audit(1285819644.485:66): arch=c000003e syscall=51 success=yes exit=0 a0=10 a1=7fb9702979f0 a2=7fb9702979fc a3=a items=0 ppid=1 pid=2954 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="telepathy-sunsh" exe="/usr/bin/python" subj=unconfined_u:unconfined_r:telepathy_sunshine_t:s0-s0:c0.c1023 key=(null)
Summary:

SELinux is preventing /usr/bin/python "write" access.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux denied access requested by telepathy-sunsh. It is not expected that this access is required by telepathy-sunsh and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report.

Additional Information:

Source Context                unconfined_u:unconfined_r:telepathy_sunshine_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:telepathy_sunshine_t:s0-s0:c0.c1023
Target Objects                None [ netlink_route_socket ]
Source                        telepathy-sunsh
Source Path                   /usr/bin/python
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           python-2.7-7.fc14
Target RPM Packages
Policy RPM                    selinux-policy-3.9.5-7.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.35.4-28.fc14.x86_64 #1 SMP Wed Sep 15 01:56:54 UTC 2010 x86_64 x86_64
Alert Count                   2
First Seen                    Thu 30 Sep 2010 12:07:24 AM EDT
Last Seen                     Thu 30 Sep 2010 12:07:24 AM EDT
Local ID                      e9f4ea2d-da26-4f31-89b3-8632d88be25e
Line Numbers

Raw Audit Messages

node=localhost.localdomain type=AVC msg=audit(1285819644.485:67): avc: denied { write } for pid=2954 comm="telepathy-sunsh" scontext=unconfined_u:unconfined_r:telepathy_sunshine_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:telepathy_sunshine_t:s0-s0:c0.c1023 tclass=netlink_route_socket
node=localhost.localdomain type=AVC msg=audit(1285819644.485:67): avc: denied { nlmsg_read } for pid=2954 comm="telepathy-sunsh" scontext=unconfined_u:unconfined_r:telepathy_sunshine_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:telepathy_sunshine_t:s0-s0:c0.c1023 tclass=netlink_route_socket
node=localhost.localdomain type=SYSCALL msg=audit(1285819644.485:67): arch=c000003e syscall=44 success=yes exit=20 a0=10 a1=7fb970297970 a2=14 a3=0 items=0 ppid=1 pid=2954 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="telepathy-sunsh" exe="/usr/bin/python" subj=unconfined_u:unconfined_r:telepathy_sunshine_t:s0-s0:c0.c1023 key=(null)
Summary:

SELinux is preventing /usr/bin/python "read" access.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux denied access requested by telepathy-sunsh. It is not expected that this access is required by telepathy-sunsh and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report.

Additional Information:

Source Context                unconfined_u:unconfined_r:telepathy_sunshine_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:telepathy_sunshine_t:s0-s0:c0.c1023
Target Objects                None [ netlink_route_socket ]
Source                        telepathy-sunsh
Source Path                   /usr/bin/python
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           python-2.7-7.fc14
Target RPM Packages
Policy RPM                    selinux-policy-3.9.5-7.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.35.4-28.fc14.x86_64 #1 SMP Wed Sep 15 01:56:54 UTC 2010 x86_64 x86_64
Alert Count                   1
First Seen                    Thu 30 Sep 2010 12:07:24 AM EDT
Last Seen                     Thu 30 Sep 2010 12:07:24 AM EDT
Local ID                      50a3dbb3-8246-49d0-9788-3743f2a5939c
Line Numbers

Raw Audit Messages

node=localhost.localdomain type=AVC msg=audit(1285819644.485:68): avc: denied { read } for pid=2954 comm="telepathy-sunsh" scontext=unconfined_u:unconfined_r:telepathy_sunshine_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:telepathy_sunshine_t:s0-s0:c0.c1023 tclass=netlink_route_socket
node=localhost.localdomain type=SYSCALL msg=audit(1285819644.485:68): arch=c000003e syscall=47 success=yes exit=108 a0=10 a1=7fb970297930 a2=0 a3=0 items=0 ppid=1 pid=2954 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="telepathy-sunsh" exe="/usr/bin/python" subj=unconfined_u:unconfined_r:telepathy_sunshine_t:s0-s0:c0.c1023 key=(null)
Summary:

SELinux is preventing /usr/bin/python "read" access on resolv.conf.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux denied access requested by telepathy-sunsh. The current boolean settings do not allow this access. If you have not setup telepathy-sunsh to require this access this may signal an intrusion attempt. If you do intend this access you need to change the booleans on this system to allow the access.

Allowing Access:

Confined processes can be configured to run requiring different access, SELinux provides booleans to allow you to turn on/off access as needed. The boolean allow_ypbind is set incorrectly.

Boolean Description:
Allow system to run with NIS

Fix Command:

# setsebool -P allow_ypbind 1

Additional Information:

Source Context                unconfined_u:unconfined_r:telepathy_sunshine_t:s0-s0:c0.c1023
Target Context                system_u:object_r:net_conf_t:s0
Target Objects                resolv.conf [ file ]
Source                        telepathy-sunsh
Source Path                   /usr/bin/python
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           python-2.7-7.fc14
Target RPM Packages
Policy RPM                    selinux-policy-3.9.5-7.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   catchall_boolean
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.35.4-28.fc14.x86_64 #1 SMP Wed Sep 15 01:56:54 UTC 2010 x86_64 x86_64
Alert Count                   2
First Seen                    Thu 30 Sep 2010 12:07:24 AM EDT
Last Seen                     Thu 30 Sep 2010 12:07:24 AM EDT
Local ID                      dd23a34a-fb43-4d9d-a9ac-2b92841acda6
Line Numbers

Raw Audit Messages

node=localhost.localdomain type=AVC msg=audit(1285819644.486:69): avc: denied { read } for pid=2954 comm="telepathy-sunsh" name="resolv.conf" dev=dm-0 ino=44671 scontext=unconfined_u:unconfined_r:telepathy_sunshine_t:s0-s0:c0.c1023 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
node=localhost.localdomain type=AVC msg=audit(1285819644.486:69): avc: denied { open } for pid=2954 comm="telepathy-sunsh" name="resolv.conf" dev=dm-0 ino=44671 scontext=unconfined_u:unconfined_r:telepathy_sunshine_t:s0-s0:c0.c1023 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
node=localhost.localdomain type=SYSCALL msg=audit(1285819644.486:69): arch=c000003e syscall=2 success=yes exit=16 a0=7fb985ee2d31 a1=0 a2=1b6 a3=2 items=0 ppid=1 pid=2954 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="telepathy-sunsh" exe="/usr/bin/python" subj=unconfined_u:unconfined_r:telepathy_sunshine_t:s0-s0:c0.c1023 key=(null)
Summary:

SELinux is preventing /usr/bin/python "getattr" access on /etc/resolv.conf.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux denied access requested by telepathy-sunsh. The current boolean settings do not allow this access. If you have not setup telepathy-sunsh to require this access this may signal an intrusion attempt. If you do intend this access you need to change the booleans on this system to allow the access.

Allowing Access:

Confined processes can be configured to run requiring different access, SELinux provides booleans to allow you to turn on/off access as needed. The boolean allow_ypbind is set incorrectly.

Boolean Description:
Allow system to run with NIS

Fix Command:

# setsebool -P allow_ypbind 1

Additional Information:

Source Context                unconfined_u:unconfined_r:telepathy_sunshine_t:s0-s0:c0.c1023
Target Context                system_u:object_r:net_conf_t:s0
Target Objects                /etc/resolv.conf [ file ]
Source                        telepathy-sunsh
Source Path                   /usr/bin/python
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           python-2.7-7.fc14
Target RPM Packages
Policy RPM                    selinux-policy-3.9.5-7.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   catchall_boolean
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.35.4-28.fc14.x86_64 #1 SMP Wed Sep 15 01:56:54 UTC 2010 x86_64 x86_64
Alert Count                   1
First Seen                    Thu 30 Sep 2010 12:07:24 AM EDT
Last Seen                     Thu 30 Sep 2010 12:07:24 AM EDT
Local ID                      05fb9ad0-6e9e-44ad-b14f-6c72ad1233d7
Line Numbers

Raw Audit Messages

node=localhost.localdomain type=AVC msg=audit(1285819644.486:70): avc: denied { getattr } for pid=2954 comm="telepathy-sunsh" path="/etc/resolv.conf" dev=dm-0 ino=44671 scontext=unconfined_u:unconfined_r:telepathy_sunshine_t:s0-s0:c0.c1023 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
node=localhost.localdomain type=SYSCALL msg=audit(1285819644.486:70): arch=c000003e syscall=5 success=yes exit=0 a0=10 a1=7fb970295260 a2=7fb970295260 a3=2 items=0 ppid=1 pid=2954 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="telepathy-sunsh" exe="/usr/bin/python" subj=unconfined_u:unconfined_r:telepathy_sunshine_t:s0-s0:c0.c1023 key=(null)
Summary:

SELinux is preventing /usr/bin/python "name_connect" access on <Unknown>.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux denied access requested by telepathy-sunsh. The current boolean settings do not allow this access. If you have not setup telepathy-sunsh to require this access this may signal an intrusion attempt. If you do intend this access you need to change the booleans on this system to allow the access.

Allowing Access:

Confined processes can be configured to run requiring different access, SELinux provides booleans to allow you to turn on/off access as needed. The boolean allow_ypbind is set incorrectly.

Boolean Description:
Allow system to run with NIS

Fix Command:

# setsebool -P allow_ypbind 1

Additional Information:

Source Context                unconfined_u:unconfined_r:telepathy_sunshine_t:s0-s0:c0.c1023
Target Context                system_u:object_r:http_port_t:s0
Target Objects                None [ tcp_socket ]
Source                        telepathy-sunsh
Source Path                   /usr/bin/python
Port                          80
Host                          localhost.localdomain
Source RPM Packages           python-2.7-7.fc14
Target RPM Packages
Policy RPM                    selinux-policy-3.9.5-7.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   catchall_boolean
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.35.4-28.fc14.x86_64 #1 SMP Wed Sep 15 01:56:54 UTC 2010 x86_64 x86_64
Alert Count                   1
First Seen                    Thu 30 Sep 2010 12:07:24 AM EDT
Last Seen                     Thu 30 Sep 2010 12:07:24 AM EDT
Local ID                      7ccaa05c-9aa1-46d6-840e-e219b28c8173
Line Numbers

Raw Audit Messages

node=localhost.localdomain type=AVC msg=audit(1285819644.936:71): avc: denied { name_connect } for pid=2950 comm="telepathy-sunsh" dest=80 scontext=unconfined_u:unconfined_r:telepathy_sunshine_t:s0-s0:c0.c1023 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
node=localhost.localdomain type=SYSCALL msg=audit(1285819644.936:71): arch=c000003e syscall=42 success=no exit=-115 a0=f a1=7fffe4b07d50 a2=10 a3=1999999999999999 items=0 ppid=1 pid=2950 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="telepathy-sunsh" exe="/usr/bin/python" subj=unconfined_u:unconfined_r:telepathy_sunshine_t:s0-s0:c0.c1023 key=(null)
Summary:

SELinux is preventing /usr/bin/python "write" access on profile.xml.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux denied access requested by telepathy-sunsh. It is not expected that this access is required by telepathy-sunsh and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report.

Additional Information:

Source Context                unconfined_u:unconfined_r:telepathy_sunshine_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:user_home_dir_t:s0
Target Objects                profile.xml [ file ]
Source                        telepathy-sunsh
Source Path                   /usr/bin/python
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           python-2.7-7.fc14
Target RPM Packages
Policy RPM                    selinux-policy-3.9.5-7.fc14
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.35.4-28.fc14.x86_64 #1 SMP Wed Sep 15 01:56:54 UTC 2010 x86_64 x86_64
Alert Count                   1
First Seen                    Thu 30 Sep 2010 12:07:26 AM EDT
Last Seen                     Thu 30 Sep 2010 12:07:26 AM EDT
Local ID                      ee285cda-8f3b-4618-b7b0-2d513ca1c335
Line Numbers

Raw Audit Messages

node=localhost.localdomain type=AVC msg=audit(1285819646.168:72): avc: denied { write } for pid=2950 comm="telepathy-sunsh" name="profile.xml" dev=dm-0 ino=70650 scontext=unconfined_u:unconfined_r:telepathy_sunshine_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=file
node=localhost.localdomain type=SYSCALL msg=audit(1285819646.168:72): arch=c000003e syscall=2 success=yes exit=16 a0=2fa3a70 a1=241 a2=1b6 a3=0 items=0 ppid=1 pid=2950 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="telepathy-sunsh" exe="/usr/bin/python" subj=unconfined_u:unconfined_r:telepathy_sunshine_t:s0-s0:c0.c1023 key=(null)

That seems to be it, sorry for the email flood.
Dominick, I am adding telepathy_sunshine_home_t and corecmd_exec_bin.
I would probably add corecmd_getattr_bin_files() instead because it wants to get attributes of /usr/bin/python. Not sure if and why sunshine would ever need to execute it. Also looks like it wants IPC:

netlink_route_socket create_netlink_socket_perms;

Thanks
I talked briefly with kkszysiu and he said that he should have some time over weekend to have a look and answer the if and why question. kkszysiu?
Also, if you need to test the stuff yourselves, you can open a gg account here: https://login.gadu-gadu.pl/account/register/ Click the Union Flag for English.
Hmm, I am actually not sure if it's /usr/bin/python it is trying to get attributes of, but in any case there is no proof of sunshine executing any bin_t file in the AVC denials above.
Doesn't netlink_route_socket create_netlink_socket_perms; mean that it can modify the routing table? Are you sure it does not need to read it?

allow $1 self:netlink_route_socket r_netlink_socket_perms;
Whoops, sorry, yes I mean r_netlink_socket_perms.
Usually this means it needs auth_read_nsswitch() because it is doing getpw call.
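The comments above walk through the same triage a policy maintainer does by hand: collapse the raw AVC records into one (source type, target type, class) set of permissions, and then decide, per group, whether the right answer is an allow rule, a narrower interface (corecmd_getattr_bin_files() rather than an exec interface, r_netlink_socket_perms rather than write access to the routing socket) or no rule at all because the file is mislabeled (profile.xml carrying user_home_dir_t, which the restorecon plugin flagged). The script below is an added example written for this thread, not setroubleshoot or audit2allow code; its input is constructed from the AVC lines quoted above with the node= prefix dropped, and the review hints encode only the three judgements made in the thread.

```python
"""Group SELinux AVC denials into allow-rule candidates and reviewer hints.

Added example for this bug thread, not setroubleshoot/audit2allow code.
The sample input is constructed from the AVC records quoted in the thread.
"""
import re
from collections import defaultdict

# Constructed sample input: AVC records from the thread, node= prefix removed.
SAMPLE_AVCS = """\
type=AVC msg=audit(1285795787.889:18177): avc: denied { getattr } for pid=2146 comm="telepathy-sunsh" path="/usr/bin/python" dev=dm-0 ino=269795 scontext=unconfined_u:unconfined_r:telepathy_sunshine_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1285819642.976:62): avc: denied { getattr } for pid=2950 comm="telepathy-sunsh" path="/home/liveuser/.telepathy-sunshine/xxx/profile.xml" dev=dm-0 ino=70650 scontext=unconfined_u:unconfined_r:telepathy_sunshine_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=file
type=AVC msg=audit(1285819642.977:63): avc: denied { read } for pid=2950 comm="telepathy-sunsh" name="profile.xml" dev=dm-0 ino=70650 scontext=unconfined_u:unconfined_r:telepathy_sunshine_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=file
type=AVC msg=audit(1285819642.977:63): avc: denied { open } for pid=2950 comm="telepathy-sunsh" name="profile.xml" dev=dm-0 ino=70650 scontext=unconfined_u:unconfined_r:telepathy_sunshine_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=file
type=AVC msg=audit(1285819646.168:72): avc: denied { write } for pid=2950 comm="telepathy-sunsh" name="profile.xml" dev=dm-0 ino=70650 scontext=unconfined_u:unconfined_r:telepathy_sunshine_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=file
type=AVC msg=audit(1285819644.484:64): avc: denied { create } for pid=2954 comm="telepathy-sunsh" scontext=unconfined_u:unconfined_r:telepathy_sunshine_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:telepathy_sunshine_t:s0-s0:c0.c1023 tclass=netlink_route_socket
type=AVC msg=audit(1285819644.485:65): avc: denied { bind } for pid=2954 comm="telepathy-sunsh" scontext=unconfined_u:unconfined_r:telepathy_sunshine_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:telepathy_sunshine_t:s0-s0:c0.c1023 tclass=netlink_route_socket
type=AVC msg=audit(1285819644.485:66): avc: denied { getattr } for pid=2954 comm="telepathy-sunsh" scontext=unconfined_u:unconfined_r:telepathy_sunshine_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:telepathy_sunshine_t:s0-s0:c0.c1023 tclass=netlink_route_socket
type=AVC msg=audit(1285819644.485:67): avc: denied { write } for pid=2954 comm="telepathy-sunsh" scontext=unconfined_u:unconfined_r:telepathy_sunshine_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:telepathy_sunshine_t:s0-s0:c0.c1023 tclass=netlink_route_socket
type=AVC msg=audit(1285819644.485:67): avc: denied { nlmsg_read } for pid=2954 comm="telepathy-sunsh" scontext=unconfined_u:unconfined_r:telepathy_sunshine_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:telepathy_sunshine_t:s0-s0:c0.c1023 tclass=netlink_route_socket
type=AVC msg=audit(1285819644.485:68): avc: denied { read } for pid=2954 comm="telepathy-sunsh" scontext=unconfined_u:unconfined_r:telepathy_sunshine_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:telepathy_sunshine_t:s0-s0:c0.c1023 tclass=netlink_route_socket
type=AVC msg=audit(1285819644.486:69): avc: denied { read } for pid=2954 comm="telepathy-sunsh" name="resolv.conf" dev=dm-0 ino=44671 scontext=unconfined_u:unconfined_r:telepathy_sunshine_t:s0-s0:c0.c1023 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
type=AVC msg=audit(1285819644.936:71): avc: denied { name_connect } for pid=2950 comm="telepathy-sunsh" dest=80 scontext=unconfined_u:unconfined_r:telepathy_sunshine_t:s0-s0:c0.c1023 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1285819644.936:71): arch=c000003e syscall=42 success=no exit=-115 comm="telepathy-sunsh" exe="/usr/bin/python"
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the key=value fields of one AVC denial plus its permission set,
    or None for any record that is not an AVC denial (SYSCALL lines etc.)."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    rec['perms'] = set(m.group('perms').split())
    return rec


def context_type(ctx):
    """user:role:type[:range] -> type; the type is always the third field."""
    parts = ctx.split(':')
    return parts[2] if len(parts) > 2 else ctx


def summarize(text):
    """Union the denied permissions per (source type, target type, class).
    A target equal to the source is printed as 'self', as audit2allow does."""
    groups = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or not {'scontext', 'tcontext', 'tclass'} <= rec.keys():
            continue
        st, tt = context_type(rec['scontext']), context_type(rec['tcontext'])
        groups[(st, 'self' if st == tt else tt, rec['tclass'])] |= rec['perms']
    return dict(groups)


def allow_rules(text):
    """The literal allow rules the denials ask for, one per group."""
    rules = []
    for (st, tt, cls), perms in sorted(summarize(text).items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'
        rules.append(f'allow {st} {tt}:{cls} {perm_str};')
    return rules


def review_hints(text):
    """Objections a reviewer would raise before taking a rule verbatim.
    The three checks mirror the judgements made in this thread; they are
    heuristics chosen for the example, not a general classifier."""
    hints = []
    for (st, tt, cls), perms in sorted(summarize(text).items()):
        if cls == 'file' and tt.endswith('_dir_t'):
            # A regular file carrying a directory type is almost always a
            # labeling error: fix the label (restorecon), do not widen policy.
            hints.append(f'{st} -> {tt}:{cls}: likely mislabeled file, run restorecon instead of adding a rule')
        elif tt == 'bin_t' and cls == 'file' and perms == {'getattr'}:
            # Only stat() on a binary was denied; no exec interface is justified.
            hints.append(f'{st} -> bin_t:file getattr only: corecmd_getattr_bin_files({st}) is enough, not exec')
        elif tt == 'self' and cls == 'netlink_route_socket' and 'nlmsg_write' not in perms:
            # Without nlmsg_write the process only reads routes, so the
            # read-only permission set suffices.
            hints.append(f'{st} netlink_route_socket without nlmsg_write: r_netlink_socket_perms suffices')
    return hints


if __name__ == '__main__':
    for rule in allow_rules(SAMPLE_AVCS):
        print(rule)
    for hint in review_hints(SAMPLE_AVCS):
        print('#', hint)
```

Run it as a script to print the rule candidates followed by the review hints; on the thread's denials it yields six rules, of which the user_home_dir_t one should be dropped in favour of relabeling and the netlink one narrowed to the read-only permission set.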
I have given selinux-policy-3.9.5-10.fc14 a shot, and these warnings seem to remain. I have updated selinux, rebooted the system and deleted and then recreated the test telepathy account.
I have turned off the policy for telepathy, so fresh installs of F14 will not get the policy. This does not work for people who had it installed during the beta. So I guess I have to install the package and remove the transition, for now. Fixed in selinux-policy-3.9.5-11.fc14
Still no difference. I noticed the following error during update though:

libsemanage.semanage_install_active: setfiles returned error code 1.
semodule: Failed!
-11 was broken. Try selinux-policy-3.9.6-1.fc14.noarch.rpm
Things seem to work now. Should we keep this open until this package hits the repos?
Yes. Although, update karma when you see the link in this Bugzilla, please.
selinux-policy-3.9.7-1.fc14 has been submitted as an update for Fedora 14. https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-1.fc14
selinux-policy-3.9.7-1.fc14 has been pushed to the Fedora 14 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-1.fc14
selinux-policy-3.9.7-1.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.