Bug 1128947
| Summary: | SELinux is preventing /usr/sbin/sstpc from 'name_connect' accesses on the tcp_socket . | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Andreas Lindhé <Lindhe94> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 20 | CC: | dominick.grift, dwalsh, lvrabec, mgrepl |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Unspecified | ||
| Whiteboard: | abrt_hash:19bc7230787740b78c7546052d82ff679b566c5d32846ba04423dbd478fb63fa | ||
| Fixed In Version: | selinux-policy-3.12.1-182.fc20 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2014-08-30 03:54:52 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Currently we do not allow pppd_t to connect to apache ports. We do allow pptp to do this? http://rpm.pbone.net/index.php3/stat/45/idpl/17966590/numer/8/nazwa/sstpc Indicates this is expected behaviour so I guess we need to allow it. commit 95c8e1cd79681e8a57664394e16069a110b02154
Author: Lukas Vrabec <lvrabec>
Date: Wed Aug 27 14:35:13 2014 +0200
Allow pppd to connect to http port. (#1128947)
https://github.com/selinux-policy/selinux-policy/commit/95c8e1cd79681e8a57664394e16069a110b02154
selinux-policy-3.12.1-182.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-182.fc20 Package selinux-policy-3.12.1-182.fc20: * should fix your issue, * was pushed to the Fedora 20 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-182.fc20' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2014-9819/selinux-policy-3.12.1-182.fc20 then log in and leave karma (feedback). (In reply to Fedora Update System from comment #4) > Package selinux-policy-3.12.1-182.fc20: > * should fix your issue, > * was pushed to the Fedora 20 testing repository, > * should be available at your local mirror within two days. > Update it with: > # su -c 'yum update --enablerepo=updates-testing > selinux-policy-3.12.1-182.fc20' > as soon as you are able to. > Please go to the following url: > https://admin.fedoraproject.org/updates/FEDORA-2014-9819/selinux-policy-3.12. > 1-182.fc20 > then log in and leave karma (feedback). I installed the update, and other (but similar alerts popped up. Should I report them too, or should it be followed up in this thread somehow? selinux-policy-3.12.1-182.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report. |
Description of problem: I added a vpn and it crashed when I tried to connect (via the menu in the top right corner in gnome 3) SELinux is preventing /usr/sbin/sstpc from 'name_connect' accesses on the tcp_socket . ***** Plugin catchall_boolean (89.3 confidence) suggests ****************** If you want to allow nis to enabled Then you must tell SELinux about this by enabling the 'nis_enabled' boolean. You can read 'None' man page for more details. Do setsebool -P nis_enabled 1 ***** Plugin catchall (11.6 confidence) suggests ************************** If you believe that sstpc should be allowed name_connect access on the tcp_socket by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep sstpc /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:pppd_t:s0 Target Context system_u:object_r:http_port_t:s0 Target Objects [ tcp_socket ] Source sstpc Source Path /usr/sbin/sstpc Port 443 Host (removed) Source RPM Packages sstp-client-1.0.9-4.fc20.x86_64 Target RPM Packages Policy RPM selinux-policy-3.12.1-179.fc20.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 3.15.7-200.fc20.x86_64 #1 SMP Mon Jul 28 18:50:26 UTC 2014 x86_64 x86_64 Alert Count 1 First Seen 2014-08-12 00:36:17 CEST Last Seen 2014-08-12 00:36:17 CEST Local ID d200c640-9c4c-4da4-bb3d-607996240657 Raw Audit Messages type=AVC msg=audit(1407796577.102:1161): avc: denied { name_connect } for pid=10210 comm="sstpc" dest=443 scontext=system_u:system_r:pppd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket type=SYSCALL msg=audit(1407796577.102:1161): arch=x86_64 syscall=connect success=no exit=EACCES a0=8 a1=7f59fca5d408 a2=10 a3=7fff2600a97c items=0 ppid=10208 pid=10210 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=sstpc exe=/usr/sbin/sstpc subj=system_u:system_r:pppd_t:s0 key=(null) Hash: sstpc,pppd_t,http_port_t,tcp_socket,name_connect Additional info: reporter: libreport-2.2.3 hashmarkername: setroubleshoot kernel: 3.15.7-200.fc20.x86_64 type: libreport