Bug 1255627

Summary: Typo in suggested semanage command
Product: Red Hat Enterprise Linux 7 Reporter: Alexander Todorov <atodorov>
Component: setroubleshoot-pluginsAssignee: Vit Mojzis <vmojzis>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: low Docs Contact:
Priority: low    
Version: 7.3CC: atodorov, lvrabec, mgrepl, mmalik, plautrba, pvrabec
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: setroubleshoot-plugins-3.0.67-1.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-10-30 09:47:43 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Alexander Todorov 2015-08-21 08:25:09 UTC 
Description of problem:

I got this hint after detected SELinux denial:


*****  Plugin bind_ports (50.5 confidence) suggests   ************************

If you want to allow /usr/lib64/firefox/plugin-container to bind to network port 5382
Then you need to modify the port type.
Do
# semanage port -a -t  -p udp 5382



The places of "-p" and "udp" need to be swapped.


Version-Release number of selected component (if applicable):
setroubleshoot-3.2.17-4.1.el7_1.x86_64

How reproducible:
Probably always

Steps to Reproduce:
1. Install bjnplugin_2.100.102.8-1.x86_64.rpm from 
from https://swdl.bluejeans.com/repos/bluejeans/x86_64/release/rpm
2. The GUI SELinux trouble shooter detects a problem. 
3. After clicking the UI to see what's wrong the above proposal is suggested

Actual results:
typo in suggested semanage command

Expected results:


Additional info:
I have my desktop localized in Bulgarian, but I believe these commands are not translated so this probably affects all languages.
Comment 1 Milos Malik 2015-08-24 10:27:04 UTC 
It seems that a SELinux type name was not provided by the setroubleshoot plugin:

# semanage port -a -t  -p udp 5382
Comment 2 Miroslav Grepl 2015-08-25 16:43:41 UTC 
Could you attach AVC denial?

Thank you.
Comment 3 Alexander Todorov 2015-08-26 08:02:20 UTC 
Here's everything the setroubleshoot tool gives me. You can find the avc denial at the bottom


SELinux is preventing /usr/lib64/firefox/plugin-container from name_bind access on the udp_socket port 5190.

*****  Plugin mozplugger (82.0 confidence) suggests   ************************

If you want to use the plugin package
Then вие трябва да изключите SELinux контрола върху Firefox плъгини.
Do
# setsebool -P unconfined_mozilla_plugin_transition 0

*****  Plugin catchall_boolean (9.19 confidence) suggests   ******************

If искате да allow mozilla to plugin bind unreserved ports
Then you must tell SELinux about this by enabling the 'mozilla_plugin_bind_unreserved_ports' boolean.
Може да прочетете man 'None' за повече информация.
Do
setsebool -P mozilla_plugin_bind_unreserved_ports 1

*****  Plugin catchall_boolean (9.19 confidence) suggests   ******************

If искате да allow mozilla to plugin use bluejeans
Then you must tell SELinux about this by enabling the 'mozilla_plugin_use_bluejeans' boolean.
Може да прочетете man 'None' за повече информация.
Do
setsebool -P mozilla_plugin_use_bluejeans 1

*****  Plugin catchall (1.58 confidence) suggests   **************************

If вярвате, че на plugin-container, по подразбиране,  трябва да е позволен достъп name_bind върху port 5190 udp_socket.
Then вие ще трябва да докладвате този бъг.
Можете да генерирате модул с локална политика за да позволите този достъп.
Do
позволете този достъп засега като изпълните:
# grep plugin-containe /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c
                              0.c1023
Target Context                system_u:object_r:aol_port_t:s0
Target Objects                port 5190 [ udp_socket ]
Source                        plugin-containe
Source Path                   /usr/lib64/firefox/plugin-container
Port                          5190
Host                          aero
Source RPM Packages           firefox-38.2.0-4.el7_1.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-23.el7_1.13.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     aero
Platform                      Linux aero 3.10.0-229.11.1.el7.x86_64 #1 SMP Wed
                              Jul 22 12:06:11 EDT 2015 x86_64 x86_64
Alert Count                   3
First Seen                    2015-08-21 11:16:12 EEST
Last Seen                     2015-08-21 11:16:12 EEST
Local ID                      3cfa5239-d77b-4e28-8346-765f52d35c30

Raw Audit Messages
type=AVC msg=audit(1440144972.253:2182): avc:  denied  { name_bind } for  pid=20404 comm="plugin-containe" src=5190 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:aol_port_t:s0 tclass=udp_socket


type=SYSCALL msg=audit(1440144972.253:2182): arch=x86_64 syscall=bind success=no exit=EACCES a0=26 a1=7f4b5a0fae60 a2=10 a3=1 items=0 ppid=4379 pid=20404 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=1 comm=plugin-containe exe=/usr/lib64/firefox/plugin-container subj=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 key=(null)

Hash: plugin-containe,mozilla_plugin_t,aol_port_t,udp_socket,name_bind
Comment 6 Vit Mojzis 2018-03-14 11:33:30 UTC 
https://github.com/fedora-selinux/setroubleshoot/pull/69/commits/7543dc9d553a615fdef7a8af97b72d19c0bc3609
Comment 10 errata-xmlrpc 2018-10-30 09:47:43 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3101