Bug 1003236

Summary: SELinux is preventing /usr/bin/polipo from 'name_connect' accesses on the tcp_socket .
Product: Fedora
Reporter: vikram goyal <vikigoyal>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 18
CC: dominick.grift, dwalsh, lvrabec, mgrepl
Hardware: i686
OS: Unspecified
Whiteboard: abrt_hash:e1a3b68a511ca213f34827b7cb1fb4c631dd0e8aa60bda4392d6a1feb547fdc2
Fixed In Version: selinux-policy-3.11.1-103.fc18
Doc Type: Bug Fix
Last Closed: 2013-09-23 00:43:05 UTC

Description vikram goyal 2013-09-01 08:23:02 UTC
Description of problem:
Hi,

I configured Privoxy -> Polipo -> TOR on my system.

Polipo needs to resolve hostnames etc., and for that it needs these permissions by default.

SELinux is preventing /usr/bin/polipo from 'name_connect' accesses on the tcp_socket .

*****  Plugin catchall_boolean (89.3 confidence) suggests  *******************

If you want to allow polipo to connect to all ports > 1023
Then you must tell SELinux about this by enabling the 'polipo_connect_all_unreserved' boolean.
You can read 'tor_selinux' man page for more details.
Do
setsebool -P polipo_connect_all_unreserved 1

*****  Plugin catchall (11.6 confidence) suggests  ***************************

If you believe that polipo should be allowed name_connect access on the  tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep polipo /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:polipo_t:s0
Target Context                system_u:object_r:tor_socks_port_t:s0
Target Objects                 [ tcp_socket ]
Source                        polipo
Source Path                   /usr/bin/polipo
Port                          9050
Host                          (removed)
Source RPM Packages           polipo-1.0.4.1-9.fc18.i686
Target RPM Packages           
Policy RPM                    selinux-policy-3.11.1-100.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 3.10.9-100.fc18.i686 #1 SMP Wed
                              Aug 21 18:49:36 UTC 2013 i686 i686
Alert Count                   1
First Seen                    2013-09-01 13:48:44 IST
Last Seen                     2013-09-01 13:48:44 IST
Local ID                      cb614b43-970f-4f15-bc4b-c789b2362564

Raw Audit Messages
type=AVC msg=audit(1378023524.267:502): avc:  denied  { name_connect } for  pid=19750 comm="polipo" dest=9050 scontext=system_u:system_r:polipo_t:s0 tcontext=system_u:object_r:tor_socks_port_t:s0 tclass=tcp_socket


type=SYSCALL msg=audit(1378023524.267:502): arch=i386 syscall=socketcall success=no exit=EINPROGRESS a0=3 a1=bff28c10 a2=976aa50 a3=97697e8 items=0 ppid=1 pid=19750 auid=4294967295 uid=986 gid=984 euid=986 suid=986 fsuid=986 egid=984 sgid=984 fsgid=984 ses=4294967295 tty=(none) comm=polipo exe=/usr/bin/polipo subj=system_u:system_r:polipo_t:s0 key=(null)

Hash: polipo,polipo_t,tor_socks_port_t,tcp_socket,name_connect

audit2allow

#============= polipo_t ==============
#!!!! This avc can be allowed using the boolean 'polipo_connect_all_unreserved'

allow polipo_t tor_socks_port_t:tcp_socket name_connect;

audit2allow -R
require {
	type polipo_t;
}

#============= polipo_t ==============
corenet_tcp_connect_tor_socks_port(polipo_t)


Additional info:
reporter:       libreport-2.1.6
hashmarkername: setroubleshoot
kernel:         3.10.9-100.fc18.i686
type:           libreport

Potential duplicate: bug 841985

Comment 1 Lukas Vrabec 2013-09-02 10:52:11 UTC
Hi Vikram, 

You could turn on the Boolean while we close this bug.

setsebool -P polipo_connect_all_unreserved 1

Comment 2 vikram goyal 2013-09-02 15:26:27 UTC
Hello,

I did that, but there was also a suggestion to create a local policy, which I did and loaded judiciously :) The local policy thus generated is as below. Posting it for your reference.

Also, I was wondering whether it wouldn't be better for polipo to be restricted to the DNS port only rather than all ports below 1023. Just curiosity; I'm not an expert though. Thanks.


[root@vikram ~]# cat /etc/polipo/mypol.te 

module mypol 1.0;

require {
        type net_conf_t;
        type chrome_sandbox_t;
        type tor_socks_port_t;
        type user_home_dir_t;
        type ladvd_t;
        type sysfs_t;
        type var_lock_t;
        type bin_t;
        type apcupsd_t;
        type sysctl_net_t;
        type polipo_t;
        type var_run_t;
        class process { signal setcap };
        class capability { net_admin setpcap };
        class tcp_socket name_connect;
        class file { read create open execute };
        class sock_file create;
        class udp_socket connect;
}

#============= apcupsd_t ==============
allow apcupsd_t var_lock_t:file read;

#============= chrome_sandbox_t ==============
allow chrome_sandbox_t user_home_dir_t:file create;

#============= ladvd_t ==============
allow ladvd_t bin_t:file execute;
allow ladvd_t net_conf_t:file open;
allow ladvd_t self:capability { net_admin setpcap };
allow ladvd_t self:process { signal setcap };
allow ladvd_t self:udp_socket connect;
allow ladvd_t sysctl_net_t:file open;
allow ladvd_t sysfs_t:file open;
allow ladvd_t var_run_t:sock_file create;

#============= polipo_t ==============
#!!!! This avc is allowed in the current policy

allow polipo_t tor_socks_port_t:tcp_socket name_connect;
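
As an added illustration (not part of this report, of the reporter's module, or of selinux-policy), the Python helper below works through both the raw AVC record in the description and the mypol.te in the comment above. It parses the AVC denial into its fields, derives the port-specific refpolicy interface that audit2allow -R printed (corenet_tcp_connect_tor_socks_port) rather than the boolean that opens every unreserved port, and lists the allow rules in the generated module whose source domain is not polipo_t: the module above carries rules for apcupsd_t, chrome_sandbox_t and ladvd_t that came from unrelated denials in the same audit log and have nothing to do with the bug being fixed. The interface naming (corenet_tcp_connect_X_port for a port type X_port_t) is an assumption generalised from the -R output on this page, the second AVC line is constructed, and the .te excerpt is trimmed from Comment 2.

```python
import re
from collections import defaultdict

# Raw AVC record, copied from the bug report above.
AVC_FROM_REPORT = (
    'type=AVC msg=audit(1378023524.267:502): avc:  denied  { name_connect } for  '
    'pid=19750 comm="polipo" dest=9050 scontext=system_u:system_r:polipo_t:s0 '
    'tcontext=system_u:object_r:tor_socks_port_t:s0 tclass=tcp_socket'
)

# Constructed record (not from the page) for an unrelated domain; it stands in
# for the apcupsd_t denial that ended up in the reporter's module.
AVC_CONSTRUCTED_OTHER = (
    'type=AVC msg=audit(1378023600.001:503): avc:  denied  { read } for  '
    'pid=2211 comm="apcupsd" name="LCK..ttyS0" '
    'scontext=system_u:system_r:apcupsd_t:s0 '
    'tcontext=system_u:object_r:var_lock_t:s0 tclass=file'
)

# Excerpt of the reporter's mypol.te from Comment 2 (copied from the page).
TE_FROM_COMMENT = """
module mypol 1.0;
#============= apcupsd_t ==============
allow apcupsd_t var_lock_t:file read;
#============= ladvd_t ==============
allow ladvd_t self:capability { net_admin setpcap };
#============= polipo_t ==============
allow polipo_t tor_socks_port_t:tcp_socket name_connect;
"""

_AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)')
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
_ALLOW_RE = re.compile(r'^\s*allow\s+(\w+)\s+(\w+):(\w+)\s+(.+);', re.M)


def parse_avc(line):
    """Return the fields of one AVC denial, or None if the line is not one."""
    m = _AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in _KV_RE.findall(m.group('rest'))}
    fields['perms'] = m.group('perms').split()
    # A context is user:role:type:level; the type is what policy rules refer to.
    fields['stype'] = fields['scontext'].split(':')[2]
    fields['ttype'] = fields['tcontext'].split(':')[2]
    return fields


def narrow_interface(avc):
    """Suggest the port-specific refpolicy interface for a TCP name_connect denial.

    Assumption taken from the audit2allow -R output in the report: a port type
    X_port_t is reachable through corenet_tcp_connect_X_port(domain). This is
    narrower than a boolean that opens every unreserved port.
    """
    if avc['tclass'] != 'tcp_socket' or 'name_connect' not in avc['perms']:
        return None
    if not avc['ttype'].endswith('_port_t'):
        return None
    return 'corenet_tcp_connect_%s(%s)' % (avc['ttype'][:-2], avc['stype'])


def allow_rules_by_source(te_text):
    """Group the allow rules of a .te module by their source domain."""
    rules = defaultdict(list)
    for src, tgt, cls, perms in _ALLOW_RE.findall(te_text):
        rules[src].append('allow %s %s:%s %s;' % (src, tgt, cls, perms))
    return dict(rules)


def out_of_scope_rules(te_text, domain):
    """Allow rules whose source domain is not the one the module was meant to fix."""
    return [r for src, rs in allow_rules_by_source(te_text).items()
            if src != domain for r in rs]


if __name__ == '__main__':
    for line in (AVC_FROM_REPORT, AVC_CONSTRUCTED_OTHER):
        avc = parse_avc(line)
        print(avc['stype'], '->', avc['ttype'], avc['perms'],
              'fix:', narrow_interface(avc))
    for rule in out_of_scope_rules(TE_FROM_COMMENT, 'polipo_t'):
        print('not about polipo_t:', rule)
```

Running the script against a module before `semodule -i` is a cheap way to catch the scope problem visible above: `grep polipo` on the audit log limits the input, but anything else that leaks into the generated .te becomes a permanent allow rule for a domain nobody was debugging.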

Comment 3 Lukas Vrabec 2013-09-02 18:21:16 UTC
Thank you, Vikram, for your help, but we have found a solution for how to fix this bug. :)

Comment 5 Fedora Update System 2013-09-10 11:16:23 UTC
selinux-policy-3.11.1-103.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-103.fc18

Comment 6 Fedora Update System 2013-09-11 01:57:02 UTC
Package selinux-policy-3.11.1-103.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-103.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-16344/selinux-policy-3.11.1-103.fc18
then log in and leave karma (feedback).

Comment 7 Fedora Update System 2013-09-23 00:43:05 UTC
selinux-policy-3.11.1-103.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.