Bug 705096 - bitlbee no longer works in FC15
Summary: bitlbee no longer works in FC15
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: bitlbee
Version: 15
Hardware: Unspecified
OS: Linux
unspecified
high
Target Milestone: ---
Assignee: Robert Scheck
QA Contact: Fedora Extras Quality Assurance
Duplicates: 662289
Reported: 2011-05-16 15:43 UTC by Joakim Verona
Modified: 2018-04-11 15:04 UTC

Fixed In Version: bitlbee-3.0.3-1.fc15
Doc Type: Bug Fix
Last Closed: 2011-07-31 03:58:13 UTC

Description Joakim Verona 2011-05-16 15:43:37 UTC
It works fine if started by the user from a user shell:

/usr/sbin/bitlbee -nvD

It does not work fine started as a service, which used to work fine in FC14.
It seems to be partially a selinux issue.

selinux is preventing port 6667 access for some reason.

grep bitlbee /var/log/audit/audit.log | audit2allow -M mypol
semodule -i mypol.pp

makes bitlbee at least start. Then I can't connect properly but that might be a problem on my end.

Comment 1 Matěj Cepl 2011-05-16 22:06:36 UTC
Could you please run

sealert -b

and file a bug against the corresponding AVC denial, please?

Thank you

Comment 2 Marco Hartgring 2011-07-12 10:00:04 UTC
module bitlbee 1.0;

require {
        type ircd_port_t;
        type bitlbee_t;
        class capability dac_override;
        class tcp_socket name_bind;
}

#============= bitlbee_t ==============
allow bitlbee_t ircd_port_t:tcp_socket name_bind;
allow bitlbee_t self:capability dac_override;


While we're at it, please update to 3.0.3. Twitter changed their API, older versions can no longer connect.

Comment 3 Fedora Update System 2011-07-24 21:52:29 UTC
bitlbee-3.0.3-1.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/bitlbee-3.0.3-1.fc15

Comment 4 Matěj Cepl 2011-07-24 21:53:54 UTC
*** Bug 662289 has been marked as a duplicate of this bug. ***

Comment 5 Marco Hartgring 2011-07-25 10:01:18 UTC
Unfortunately the problems are not solved.

Running from the command line as root as follows works:

# bitlbee -nDv -u bitlbee

bitlbee starts without any errors, runs as the user bitlbee and I am able to access it using irssi. MSN, Google and Twitter all work.

Running bitlbee as a systemd service still doesn't work at all due to the following SELinux errors. I am not running any custom policies.

==> /var/log/messages <==
Jul 25 11:54:49 fw bitlbee[15391]: bind: Permission denied
Jul 25 11:54:49 fw bitlbee[15391]: listen: Bad file descriptor
Jul 25 11:54:49 fw systemd[1]: bitlbee.service: main process exited, code=exited, status=255
Jul 25 11:54:49 fw systemd[1]: Unit bitlbee.service entered failed state.
Jul 25 11:54:50 fw dbus: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd'
Jul 25 11:54:54 fw setroubleshoot: SELinux is preventing /usr/sbin/bitlbee from using the dac_override capability. For complete SELinux messages. run sealert -l dc12ac00-cab4-442e-ae0f-81ca559bbf0e
Jul 25 11:54:54 fw setroubleshoot: SELinux is preventing /usr/sbin/bitlbee from name_bind access on the tcp_socket port 6667. For complete SELinux messages. run sealert -l c527395a-6811-4f1e-b7c5-f2fc47dc559f


# sealert -l dc12ac00-cab4-442e-ae0f-81ca559bbf0e
SELinux is preventing /usr/sbin/bitlbee from using the dac_override capability.

*****  Plugin dac_override (91.4 confidence) suggests  ***********************

If you want to help identify if domain needs this access or you have a file with the wrong permissions on your system
Then turn on full auditing to get path information about the offending file and generate the error again.
Do

Turn on full auditing
# auditctl -w /etc/shadow -p w
Try to recreate AVC. Then execute
# ausearch -m avc -ts recent
If you see PATH record check ownership/permissions on file, and fix it,
otherwise report as a bugzilla.

*****  Plugin catchall (9.59 confidence) suggests  ***************************

If you believe that bitlbee should have the dac_override capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep bitlbee /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


# sealert -l c527395a-6811-4f1e-b7c5-f2fc47dc559f
SELinux is preventing /usr/sbin/bitlbee from name_bind access on the tcp_socket port 6667.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that bitlbee should be allowed name_bind access on the port 6667 tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep bitlbee /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

# ausearch -m avc -ts recent
----
time->Mon Jul 25 11:54:49 2011
type=PATH msg=audit(1311587689.204:6698): item=0 name="/var/lib/bitlbee/" inode=6525 dev=fd:04 mode=040700 ouid=473 ogid=461 rdev=00:00 obj=system_u:object_r:bitlbee_var_t:s0
type=CWD msg=audit(1311587689.204:6698):  cwd="/"
type=SYSCALL msg=audit(1311587689.204:6698): arch=40000003 syscall=33 success=no exit=-13 a0=80db910 a1=2 a2=4145e328 a3=80d8784 items=1 ppid=1 pid=15391 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="bitlbee" exe="/usr/sbin/bitlbee" subj=system_u:system_r:bitlbee_t:s0 key=(null)
type=AVC msg=audit(1311587689.204:6698): avc:  denied  { dac_override } for  pid=15391 comm="bitlbee" capability=1  scontext=system_u:system_r:bitlbee_t:s0 tcontext=system_u:system_r:bitlbee_t:s0 tclass=capability
----
time->Mon Jul 25 11:54:49 2011
type=SOCKADDR msg=audit(1311587689.213:6699): saddr=02001A0B7F0000010000000000000000
type=SOCKETCALL msg=audit(1311587689.213:6699): nargs=3 a0=4 a1=80ec320 a2=10
type=SYSCALL msg=audit(1311587689.213:6699): arch=40000003 syscall=102 success=no exit=-13 a0=2 a1=bff3ff60 a2=80ec300 a3=bff3ff8c items=0 ppid=1 pid=15391 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="bitlbee" exe="/usr/sbin/bitlbee" subj=system_u:system_r:bitlbee_t:s0 key=(null)
type=AVC msg=audit(1311587689.213:6699): avc:  denied  { name_bind } for  pid=15391 comm="bitlbee" src=6667 scontext=system_u:system_r:bitlbee_t:s0 tcontext=system_u:object_r:ircd_port_t:s0 tclass=tcp_socket


When setting SELinux to permissive I can use Twitter but MSN and Google still won't work. I am working on getting more logs.
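
The two denials in the ausearch output above, reduced to the allow rules they correspond to, with the SOCKADDR record decoded to show the address and port of the denied bind. This is an added example, not part of the original comment and not audit2allow's own code; the function names are hypothetical and the sample lines are copied from the log in comment 5.

```python
import re
import socket
import struct
from collections import defaultdict

# Sample input: the AVC and SOCKADDR records from comment 5 (other record types omitted).
SAMPLE = """\
type=AVC msg=audit(1311587689.204:6698): avc:  denied  { dac_override } for  pid=15391 comm="bitlbee" capability=1  scontext=system_u:system_r:bitlbee_t:s0 tcontext=system_u:system_r:bitlbee_t:s0 tclass=capability
type=SOCKADDR msg=audit(1311587689.213:6699): saddr=02001A0B7F0000010000000000000000
type=AVC msg=audit(1311587689.213:6699): avc:  denied  { name_bind } for  pid=15391 comm="bitlbee" src=6667 scontext=system_u:system_r:bitlbee_t:s0 tcontext=system_u:object_r:ircd_port_t:s0 tclass=tcp_socket
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*([^}]+?)\s*\}.*?"
    r"scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)"
)

def allow_rules(log_text):
    """Collapse AVC denials into one allow rule per (source, target, class)."""
    perms = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SOCKADDR, SYSCALL, PATH records carry no denial
        # The type is the third field of a user:role:type:level context.
        src, tgt = (m.group(i).split(":")[2] for i in (2, 3))
        if tgt == src:
            tgt = "self"  # same domain on both sides, as in comment 2's module
        perms[(src, tgt, m.group(4))].update(m.group(1).split())
    rules = []
    for (src, tgt, tclass), granted in sorted(perms.items()):
        plist = " ".join(sorted(granted))
        if len(granted) > 1:
            plist = "{ " + plist + " }"
        rules.append(f"allow {src} {tgt}:{tclass} {plist};")
    return rules

def decode_inet_saddr(hex_saddr):
    """Decode an AF_INET saddr field into (address, port)."""
    raw = bytes.fromhex(hex_saddr)
    (family,) = struct.unpack("<H", raw[:2])  # host order; this log is from i386
    if family != socket.AF_INET:
        raise ValueError(f"not an AF_INET sockaddr (family {family})")
    (port,) = struct.unpack("!H", raw[2:4])  # network byte order
    return socket.inet_ntoa(raw[4:8]), port

if __name__ == "__main__":
    print("\n".join(allow_rules(SAMPLE)))
    print(decode_inet_saddr("02001A0B7F0000010000000000000000"))
```

The two rules produced are the same ones in the module posted in comment 2, and the decoded SOCKADDR shows the denied bind was to 127.0.0.1 port 6667.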

Comment 6 Matěj Cepl 2011-07-25 18:09:25 UTC
(In reply to comment #5)
> bitlbee starts without any errors, runs as the user bitlbee and I am able to
> access it using irssi. MSN, Google and Twitter all work.

Yes, because we followed the upstream recommendation and used -F instead of -D. Try package from this koji scratch build http://koji.fedoraproject.org/koji/taskinfo?taskID=3228302. Does it work better?

Comment 7 Fedora Update System 2011-07-26 03:35:32 UTC
Package bitlbee-3.0.3-1.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing bitlbee-3.0.3-1.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/bitlbee-3.0.3-1.fc15
then log in and leave karma (feedback).

Comment 8 Marco Hartgring 2011-07-26 09:58:12 UTC
The systemd issues are resolved, but the SELinux problems still remain.

With SELinux permissive:

----
time->Tue Jul 26 11:55:21 2011
type=PATH msg=audit(1311674121.699:10556): item=0 name="/var/lib/bitlbee/" inode=6525 dev=fd:04 mode=040700 ouid=473 ogid=461 rdev=00:00 obj=system_u:object_r:bitlbee_var_t:s0
type=CWD msg=audit(1311674121.699:10556):  cwd="/"
type=SYSCALL msg=audit(1311674121.699:10556): arch=40000003 syscall=33 success=yes exit=0 a0=80db910 a1=2 a2=4145e328 a3=80d8784 items=1 ppid=1 pid=28531 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="bitlbee" exe="/usr/sbin/bitlbee" subj=system_u:system_r:bitlbee_t:s0 key=(null)
type=AVC msg=audit(1311674121.699:10556): avc:  denied  { dac_override } for  pid=28531 comm="bitlbee" capability=1  scontext=system_u:system_r:bitlbee_t:s0 tcontext=system_u:system_r:bitlbee_t:s0 tclass=capability
----
time->Tue Jul 26 11:55:21 2011
type=SOCKADDR msg=audit(1311674121.720:10557): saddr=02001A0B7F0000010000000000000000
type=SOCKETCALL msg=audit(1311674121.720:10557): nargs=3 a0=4 a1=80ec400 a2=10
type=SYSCALL msg=audit(1311674121.720:10557): arch=40000003 syscall=102 success=yes exit=0 a0=2 a1=bf932d10 a2=80ec3e0 a3=bf932d3c items=0 ppid=1 pid=28531 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="bitlbee" exe="/usr/sbin/bitlbee" subj=system_u:system_r:bitlbee_t:s0 key=(null)
type=AVC msg=audit(1311674121.720:10557): avc:  denied  { name_bind } for  pid=28531 comm="bitlbee" src=6667 scontext=system_u:system_r:bitlbee_t:s0 tcontext=system_u:object_r:ircd_port_t:s0 tclass=tcp_socket
----
time->Tue Jul 26 11:55:21 2011
type=PATH msg=audit(1311674121.725:10558): item=1 name="/var/run/bitlbee.sock" inode=3498921 dev=00:12 mode=0140755 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:var_run_t:s0
type=PATH msg=audit(1311674121.725:10558): item=0 name="/var/run/" inode=6100 dev=00:12 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_run_t:s0
type=CWD msg=audit(1311674121.725:10558):  cwd="/"
type=SYSCALL msg=audit(1311674121.725:10558): arch=40000003 syscall=10 success=yes exit=0 a0=80af864 a1=1 a2=80ec3e0 a3=bf933034 items=2 ppid=1 pid=28531 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="bitlbee" exe="/usr/sbin/bitlbee" subj=system_u:system_r:bitlbee_t:s0 key=(null)
type=AVC msg=audit(1311674121.725:10558): avc:  denied  { unlink } for  pid=28531 comm="bitlbee" name="bitlbee.sock" dev=tmpfs ino=3498921 scontext=system_u:system_r:bitlbee_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file

Comment 9 Marco Hartgring 2011-07-26 10:02:04 UTC
Scratch that last comment 8, don't ask how these came up...
I updated the latest selinux policies from testing, did a relabel, started bitlbee, and got the errors from comment 8. Now I just did it again and it's gone...

In short: bitlbee-3.0.3-2.fc15 works perfectly

Comment 10 Fedora Update System 2011-07-31 03:58:06 UTC
bitlbee-3.0.3-1.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.

