Bug 699244 - SELinux is preventing /usr/libexec/telepathy-gabble from using the 'fork' accesses on a process.
Status: CLOSED CANTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 15
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:8360e7642d6...
Reported: 2011-04-24 15:12 UTC by James Cape
Modified: 2011-04-25 13:28 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-04-25 13:28:01 UTC
Type: ---


Description James Cape 2011-04-24 15:12:19 UTC
SELinux is preventing /usr/libexec/telepathy-gabble from using the 'fork' accesses on a process.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that telepathy-gabble should be allowed fork access on processes labeled unlabeled_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep telepathy-gabbl /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:object_r:unlabeled_t:s0
Target Context                system_u:object_r:unlabeled_t:s0
Target Objects                Unknown [ process ]
Source                        telepathy-gabbl
Source Path                   /usr/libexec/telepathy-gabble
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           telepathy-gabble-0.11.8-1.fc15
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.16-15.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 2.6.38.2-9.fc15.x86_64 #1 SMP Wed Mar
                              30 16:55:57 UTC 2011 x86_64 x86_64
Alert Count                   1
First Seen                    Fri 22 Apr 2011 09:32:47 PM CDT
Last Seen                     Fri 22 Apr 2011 09:32:47 PM CDT
Local ID                      ba0dddf1-fb0f-4e83-a5a4-640012b09382

Raw Audit Messages
type=AVC msg=audit(1303525967.645:174): avc:  denied  { fork } for  pid=3078 comm="telepathy-gabbl" scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=process


type=SYSCALL msg=audit(1303525967.645:174): arch=x86_64 syscall=clone success=no exit=EACCES a0=3d0f00 a1=7fd99274ced0 a2=7fd99274d9d0 a3=7fd99274d9d0 items=0 ppid=1 pid=3078 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=2 comm=telepathy-gabbl exe=/usr/libexec/telepathy-gabble subj=system_u:object_r:unlabeled_t:s0 key=(null)

Hash: telepathy-gabbl,unlabeled_t,unlabeled_t,process,fork

audit2allow

#============= unlabeled_t ==============
allow unlabeled_t self:process fork;

audit2allow -R

#============= unlabeled_t ==============
allow unlabeled_t self:process fork;

Comment 1 Daniel Walsh 2011-04-25 13:28:01 UTC
Please log out and back in and your telepathy apps will be running with the right context.

This is just an update problem and we can not cleanly fix it.  It will not happen in release.
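
An added example (not part of the bug report and not code from setroubleshoot or selinux-policy): a small triage pass over AVC records that separates denials whose source context is unlabeled_t, as in the report above, from ordinary denials. The suggested audit2allow rule, `allow unlabeled_t self:process fork;`, would apply to every process running as unlabeled_t, whereas Comment 1 resolves the denial by logging out and back in. The action names and the second log record are constructed for illustration, and reading an unlabeled_t source as "process needs restarting after a policy update" is an assumption based on Comment 1.

```python
import re

# First record is the AVC line from the bug report; the second is constructed
# for contrast (a denial from a process that still has a regular label).
SAMPLE_LOG = '''\
type=AVC msg=audit(1303525967.645:174): avc:  denied  { fork } for  pid=3078 comm="telepathy-gabbl" scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=process
type=AVC msg=audit(1303525999.100:180): avc:  denied  { read } for  pid=4100 comm="example" scontext=unconfined_u:unconfined_r:example_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
'''

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the key=value fields of one AVC denial, or None for other lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {key: value.strip('"') for key, value in FIELD_RE.findall(m.group('fields'))}
    rec['perms'] = m.group('perms').split()
    return rec


def context_type(context):
    """Extract the type from user:role:type[:level]; None if malformed."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else None


def triage(log_text):
    """Classify each denial; action names are hypothetical labels.

    'restart-process': the source itself is unlabeled_t, so (assumption, per
    Comment 1) the process should be restarted rather than granted access.
    'review-policy': the source has a regular type; review the denial normally.
    """
    results = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        stale = context_type(rec.get('scontext', '')) == 'unlabeled_t'
        action = 'restart-process' if stale else 'review-policy'
        results.append((rec.get('comm'), rec.get('pid'), rec['perms'], action))
    return results


if __name__ == '__main__':
    for row in triage(SAMPLE_LOG):
        print(row)
```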

