It works fine if started by the user from a user shell:

    /usr/sbin/bitlbee -nvD

It does not work fine started as a service, which used to work fine in FC14. It seems to be partially a selinux issue. SELinux is preventing port 6667 access for some reason.

    grep bitlbee /var/log/audit/audit.log | audit2allow -M mypol
    semodule -i mypol.pp

makes bitlbee at least start. Then I can't connect properly but that might be a problem on my end.
Could you please run sealert -b and file a bug against the corresponding AVC denial, please? Thank you
    module bitlbee 1.0;

    require {
        type ircd_port_t;
        type bitlbee_t;
        class capability dac_override;
        class tcp_socket name_bind;
    }

    #============= bitlbee_t ==============
    allow bitlbee_t ircd_port_t:tcp_socket name_bind;
    allow bitlbee_t self:capability dac_override;

While we're at it, please update to 3.0.3. Twitter changed their API, older versions can no longer connect.
bitlbee-3.0.3-1.fc15 has been submitted as an update for Fedora 15. https://admin.fedoraproject.org/updates/bitlbee-3.0.3-1.fc15
*** Bug 662289 has been marked as a duplicate of this bug. ***
Unfortunately the problems are not solved. Running from the commandline as root as follows works:

    # bitlbee -nDv -u bitlbee

bitlbee starts without any errors, runs as the user bitlbee and I am able to access it using irssi. MSN, Google and Twitter all work.

Running bitlbee as a systemd service still doesn't work at all due to the following SElinux errors. I am not running any custom policies.

    ==> /var/log/messages <==
    Jul 25 11:54:49 fw bitlbee[15391]: bind: Permission denied
    Jul 25 11:54:49 fw bitlbee[15391]: listen: Bad file descriptor
    Jul 25 11:54:49 fw systemd[1]: bitlbee.service: main process exited, code=exited, status=255
    Jul 25 11:54:49 fw systemd[1]: Unit bitlbee.service entered failed state.
    Jul 25 11:54:50 fw dbus: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd'
    Jul 25 11:54:54 fw setroubleshoot: SELinux is preventing /usr/sbin/bitlbee from using the dac_override capability. For complete SELinux messages. run sealert -l dc12ac00-cab4-442e-ae0f-81ca559bbf0e
    Jul 25 11:54:54 fw setroubleshoot: SELinux is preventing /usr/sbin/bitlbee from name_bind access on the tcp_socket port 6667. For complete SELinux messages. run sealert -l c527395a-6811-4f1e-b7c5-f2fc47dc559f

    # sealert -l dc12ac00-cab4-442e-ae0f-81ca559bbf0e
    SELinux is preventing /usr/sbin/bitlbee from using the dac_override capability.

    ***** Plugin dac_override (91.4 confidence) suggests ***********************

    If you want to help identify if domain needs this access or you have a file with the wrong permissions on your system
    Then turn on full auditing to get path information about the offending file and generate the error again.
    Do
    Turn on full auditing
    # auditctl -w /etc/shadow -p w
    Try to recreate AVC. Then execute
    # ausearch -m avc -ts recent
    If you see PATH record check ownership/permissions on file, and fix it, otherwise report as a bugzilla.

    ***** Plugin catchall (9.59 confidence) suggests ***************************

    If you believe that bitlbee should have the dac_override capability by default.
    Then you should report this as a bug.
    You can generate a local policy module to allow this access.
    Do
    allow this access for now by executing:
    # grep bitlbee /var/log/audit/audit.log | audit2allow -M mypol
    # semodule -i mypol.pp

    # sealert -l c527395a-6811-4f1e-b7c5-f2fc47dc559f
    SELinux is preventing /usr/sbin/bitlbee from name_bind access on the tcp_socket port 6667.

    ***** Plugin catchall (100. confidence) suggests ***************************

    If you believe that bitlbee should be allowed name_bind access on the port 6667 tcp_socket by default.
    Then you should report this as a bug.
    You can generate a local policy module to allow this access.
    Do
    allow this access for now by executing:
    # grep bitlbee /var/log/audit/audit.log | audit2allow -M mypol
    # semodule -i mypol.pp

    # ausearch -m avc -ts recent
    ----
    time->Mon Jul 25 11:54:49 2011
    type=PATH msg=audit(1311587689.204:6698): item=0 name="/var/lib/bitlbee/" inode=6525 dev=fd:04 mode=040700 ouid=473 ogid=461 rdev=00:00 obj=system_u:object_r:bitlbee_var_t:s0
    type=CWD msg=audit(1311587689.204:6698): cwd="/"
    type=SYSCALL msg=audit(1311587689.204:6698): arch=40000003 syscall=33 success=no exit=-13 a0=80db910 a1=2 a2=4145e328 a3=80d8784 items=1 ppid=1 pid=15391 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="bitlbee" exe="/usr/sbin/bitlbee" subj=system_u:system_r:bitlbee_t:s0 key=(null)
    type=AVC msg=audit(1311587689.204:6698): avc: denied { dac_override } for pid=15391 comm="bitlbee" capability=1 scontext=system_u:system_r:bitlbee_t:s0 tcontext=system_u:system_r:bitlbee_t:s0 tclass=capability
    ----
    time->Mon Jul 25 11:54:49 2011
    type=SOCKADDR msg=audit(1311587689.213:6699): saddr=02001A0B7F0000010000000000000000
    type=SOCKETCALL msg=audit(1311587689.213:6699): nargs=3 a0=4 a1=80ec320 a2=10
    type=SYSCALL msg=audit(1311587689.213:6699): arch=40000003 syscall=102 success=no exit=-13 a0=2 a1=bff3ff60 a2=80ec300 a3=bff3ff8c items=0 ppid=1 pid=15391 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="bitlbee" exe="/usr/sbin/bitlbee" subj=system_u:system_r:bitlbee_t:s0 key=(null)
    type=AVC msg=audit(1311587689.213:6699): avc: denied { name_bind } for pid=15391 comm="bitlbee" src=6667 scontext=system_u:system_r:bitlbee_t:s0 tcontext=system_u:object_r:ircd_port_t:s0 tclass=tcp_socket

When setting SElinux to permissive I can use Twitter but MSN and Google still won't work. I am working on getting more logs.
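Added example, not part of the original bug report: a small Python parser that turns the two AVC denials quoted in the comment above into the allow rules that audit2allow would propose (they match the module posted earlier in this thread), so the rules can be reviewed before anything is loaded with semodule. It also decodes the SOCKADDR record to show which address and port the bind targeted. The function names are illustrative, and the decoder assumes an AF_INET record from a little-endian host.

```python
import re
import socket
import struct

# Sample input: the AVC and SOCKADDR records quoted in the comment above,
# reflowed to one audit record per line.
SAMPLE = """\
type=AVC msg=audit(1311587689.204:6698): avc: denied { dac_override } for pid=15391 comm="bitlbee" capability=1 scontext=system_u:system_r:bitlbee_t:s0 tcontext=system_u:system_r:bitlbee_t:s0 tclass=capability
type=SOCKADDR msg=audit(1311587689.213:6699): saddr=02001A0B7F0000010000000000000000
type=AVC msg=audit(1311587689.213:6699): avc: denied { name_bind } for pid=15391 comm="bitlbee" src=6667 scontext=system_u:system_r:bitlbee_t:s0 tcontext=system_u:object_r:ircd_port_t:s0 tclass=tcp_socket
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)"
)

def setype(context):
    """Return the type field of a user:role:type[:level] context."""
    return context.split(":")[2]

def allow_rules(log_text):
    """Collapse AVC denials into sorted allow rules (audit2allow-like)."""
    perms = {}
    for m in AVC_RE.finditer(log_text):
        src, tgt = setype(m["s"]), setype(m["t"])
        # Source type == target type is written as "self" in policy.
        key = (src, "self" if src == tgt else tgt, m["cls"])
        perms.setdefault(key, set()).update(m["perms"].split())
    rules = []
    for (src, tgt, cls), p in sorted(perms.items()):
        body = " ".join(sorted(p))
        if len(p) > 1:
            body = "{ " + body + " }"
        rules.append(f"allow {src} {tgt}:{cls} {body};")
    return rules

def decode_inet_saddr(hex_saddr):
    """Decode an AF_INET saddr field (little-endian host) to (ip, port)."""
    raw = bytes.fromhex(hex_saddr)
    if struct.unpack("<H", raw[:2])[0] != 2:  # 2 == AF_INET on Linux
        raise ValueError("not an AF_INET sockaddr")
    port = struct.unpack("!H", raw[2:4])[0]   # port is in network byte order
    return socket.inet_ntoa(raw[4:8]), port

if __name__ == "__main__":
    print("\n".join(allow_rules(SAMPLE)))
    print(decode_inet_saddr("02001A0B7F0000010000000000000000"))
```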
(In reply to comment #5)
> bitlbee starts without any errors, runs as the user bitlbee and I am able to
> access it using irssi. MSN, Google and Twitter all work.

Yes, because we followed the upstream recommendation and used -F instead of -D. Try package from this koji scratch build http://koji.fedoraproject.org/koji/taskinfo?taskID=3228302. Does it work better?
Package bitlbee-3.0.3-1.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
    # su -c 'yum update --enablerepo=updates-testing bitlbee-3.0.3-1.fc15'
as soon as you are able to. Please go to the following url:
https://admin.fedoraproject.org/updates/bitlbee-3.0.3-1.fc15
then log in and leave karma (feedback).
The systemd issues are resolved, but the SElinux problems still remain. With SElinux permissive:

    ----
    time->Tue Jul 26 11:55:21 2011
    type=PATH msg=audit(1311674121.699:10556): item=0 name="/var/lib/bitlbee/" inode=6525 dev=fd:04 mode=040700 ouid=473 ogid=461 rdev=00:00 obj=system_u:object_r:bitlbee_var_t:s0
    type=CWD msg=audit(1311674121.699:10556): cwd="/"
    type=SYSCALL msg=audit(1311674121.699:10556): arch=40000003 syscall=33 success=yes exit=0 a0=80db910 a1=2 a2=4145e328 a3=80d8784 items=1 ppid=1 pid=28531 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="bitlbee" exe="/usr/sbin/bitlbee" subj=system_u:system_r:bitlbee_t:s0 key=(null)
    type=AVC msg=audit(1311674121.699:10556): avc: denied { dac_override } for pid=28531 comm="bitlbee" capability=1 scontext=system_u:system_r:bitlbee_t:s0 tcontext=system_u:system_r:bitlbee_t:s0 tclass=capability
    ----
    time->Tue Jul 26 11:55:21 2011
    type=SOCKADDR msg=audit(1311674121.720:10557): saddr=02001A0B7F0000010000000000000000
    type=SOCKETCALL msg=audit(1311674121.720:10557): nargs=3 a0=4 a1=80ec400 a2=10
    type=SYSCALL msg=audit(1311674121.720:10557): arch=40000003 syscall=102 success=yes exit=0 a0=2 a1=bf932d10 a2=80ec3e0 a3=bf932d3c items=0 ppid=1 pid=28531 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="bitlbee" exe="/usr/sbin/bitlbee" subj=system_u:system_r:bitlbee_t:s0 key=(null)
    type=AVC msg=audit(1311674121.720:10557): avc: denied { name_bind } for pid=28531 comm="bitlbee" src=6667 scontext=system_u:system_r:bitlbee_t:s0 tcontext=system_u:object_r:ircd_port_t:s0 tclass=tcp_socket
    ----
    time->Tue Jul 26 11:55:21 2011
    type=PATH msg=audit(1311674121.725:10558): item=1 name="/var/run/bitlbee.sock" inode=3498921 dev=00:12 mode=0140755 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:var_run_t:s0
    type=PATH msg=audit(1311674121.725:10558): item=0 name="/var/run/" inode=6100 dev=00:12 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_run_t:s0
    type=CWD msg=audit(1311674121.725:10558): cwd="/"
    type=SYSCALL msg=audit(1311674121.725:10558): arch=40000003 syscall=10 success=yes exit=0 a0=80af864 a1=1 a2=80ec3e0 a3=bf933034 items=2 ppid=1 pid=28531 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="bitlbee" exe="/usr/sbin/bitlbee" subj=system_u:system_r:bitlbee_t:s0 key=(null)
    type=AVC msg=audit(1311674121.725:10558): avc: denied { unlink } for pid=28531 comm="bitlbee" name="bitlbee.sock" dev=tmpfs ino=3498921 scontext=system_u:system_r:bitlbee_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file
Scratch that last comment 8, don't ask how these came up... I updated the latest selinux policies from testing, did a relabel, started bitlbee, and got the errors from comment 8. Now I just did it again and it's gone... In short: bitlbee-3.0.3-2.fc15 works perfectly
bitlbee-3.0.3-1.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.