Bug 1007558

Summary: irssi can't listen on high ports, even with relevant booleans set
Product: [Fedora] Fedora
Reporter: Robin Powell <rlpowell>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 19
CC: dominick.grift, dwalsh, lvrabec, mgrepl
Hardware: Unspecified
OS: Unspecified
Fixed In Version: selinux-policy-3.12.1-74.8.fc19
Doc Type: Bug Fix
Last Closed: 2013-09-30 00:34:34 UTC
Type: Bug

Description Robin Powell 2013-09-12 18:36:58 UTC
irc_use_any_tcp_ports=_("Determine whether irc clients can listen on and connect to any unreserved TCP ports."), so I expected running an irssi proxy to work, given:

rlpowell@stodi> sudo getsebool irssi_use_full_network
irssi_use_full_network --> on
rlpowell@stodi> sudo getsebool irc_use_any_tcp_ports
irc_use_any_tcp_ports --> on

But it doesn't:

type=AVC msg=audit(09/12/2013 11:31:30.525:158212) : avc:  denied  { listen } for  pid=18046 comm=irssi laddr=127.0.0.1 lport=31333 scontext=user_u:user_r:irc_t:s0 tcontext=user_u:user_r:irc_t:s0 tclass=tcp_socket

type=AVC msg=audit(09/12/2013 11:31:37.170:158217) : avc:  denied  { accept } for  pid=18046 comm=irssi laddr=127.0.0.1 lport=31333 scontext=user_u:user_r:irc_t:s0 tcontext=user_u:user_r:irc_t:s0 tclass=tcp_socket
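
For triage, the two denials above can be reduced to the source type, target, object class and permissions they name. This is an added example, not part of the original report or of selinux-policy; the sample text is the two AVC lines from the description, and the function names are illustrative. Both denials turn out to be on irc_t's own tcp_socket (source and target type are the same).

```python
import re
from collections import defaultdict

# The two denials quoted in the report (ausearch -i style output).
SAMPLE = """\
type=AVC msg=audit(09/12/2013 11:31:30.525:158212) : avc:  denied  { listen } for  pid=18046 comm=irssi laddr=127.0.0.1 lport=31333 scontext=user_u:user_r:irc_t:s0 tcontext=user_u:user_r:irc_t:s0 tclass=tcp_socket
type=AVC msg=audit(09/12/2013 11:31:37.170:158217) : avc:  denied  { accept } for  pid=18046 comm=irssi laddr=127.0.0.1 lport=31333 scontext=user_u:user_r:irc_t:s0 tcontext=user_u:user_r:irc_t:s0 tclass=tcp_socket
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")


def parse_avc(line):
    """Return a dict for one AVC denial line, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # Everything after "for" is space-separated key=value pairs.
    rec = dict(kv.split("=", 1) for kv in m.group(2).split() if "=" in kv)
    rec["perms"] = m.group(1).split()
    return rec


def selinux_type(context):
    """Third field of user:role:type[:level]."""
    return context.split(":")[2]


def summarize(text):
    """Group denials by (source type, target, class) -> set of permissions.
    The target is 'self' when source and target types are identical."""
    rules = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        src = selinux_type(rec["scontext"])
        tgt = selinux_type(rec["tcontext"])
        key = (src, "self" if src == tgt else tgt, rec["tclass"])
        rules[key].update(rec["perms"])
    return dict(rules)


def as_rules(summary):
    """Render each group in allow-rule notation for policy review."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(summary.items())]


if __name__ == "__main__":
    print("\n".join(as_rules(summarize(SAMPLE))))
```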

Comment 1 Daniel Walsh 2013-09-16 18:14:15 UTC
d25a543520aa5fd43cf05fabb1d14a4244ada81f fixes this in git.

Comment 2 Lukas Vrabec 2013-09-18 10:42:40 UTC
Backported.

Comment 3 Fedora Update System 2013-09-26 09:42:10 UTC
selinux-policy-3.12.1-74.8.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-74.8.fc19

Comment 4 Fedora Update System 2013-09-27 00:47:11 UTC
Package selinux-policy-3.12.1-74.8.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-74.8.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-17739/selinux-policy-3.12.1-74.8.fc19
then log in and leave karma (feedback).

Comment 5 Fedora Update System 2013-09-30 00:34:34 UTC
selinux-policy-3.12.1-74.8.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 6 Robin Powell 2013-10-01 21:05:21 UTC
Thank you so much! :D  It works.