Bug 1334756
| Summary: | SELinux is preventing /usr/sbin/asterisk from 'name_connect' accesses on the tcp_socket port 5222 | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Patrick Laimbock <patrick> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | medium | Docs Contact: | |
| Priority: | low | ||
| Version: | 6.7 | CC: | dapospis, dwalsh, lvrabec, mgrepl, mmalik, plautrba, pvrabec, ssekidde |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-3.7.19-296.el6 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2017-03-21 09:46:34 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
@Lukas thanks for the fix for EL6. can you please confirm if this has been fixed for EL7 too? Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2017-0627.html |
Description of problem: SELinux is preventing /usr/sbin/asterisk from 'name_connect' accesses on the tcp_socket port 5222 Version-Release number of selected component (if applicable): selinux-policy-3.7.19-279.el6_7.9.noarch selinux-policy-targeted-3.7.19-279.el6_7.9.noarch How reproducible: Configure Asterisk as an XMPP client of an XMPP server (Prosody in this case). When Asterisk tries to authenticate to the XMPP serer, the AVCs start to show up: type=AVC msg=audit(1462870342.402:9362): avc: denied { name_connect } for pid=12367 comm="asterisk" dest=5222 scontext=unconfined_u:system_r:asterisk_t:s0 tcontext=system_u:object_r:jabber_client_port_t:s0 tclass=tcp_socket Steps to Reproduce: 1. configure XMPP server (Prosody) 2. configure Asterisk as an XMPP client of the XMPP server 3. see AVCs when Asterisk tries the authenticate to the XMPP server Actual results: type=AVC msg=audit(1462870342.402:9362): avc: denied { name_connect } for pid=12367 comm="asterisk" dest=5222 scontext=unconfined_u:system_r:asterisk_t:s0 tcontext=system_u:object_r:jabber_client_port_t:s0 tclass=tcp_socket With setenforce 0 authentication works fine. Expected results: No AVC and successful authentication. Additional info: This bug is a duplicate of https://bugzilla.redhat.com/show_bug.cgi?id=740905 where it was fixed for Fedora. It seems this fix did not make it into the EL6 branch. I'm not sure about EL7. Please add the fix from bz740905 to EL6 and EL7 too. FWIW XMPP uses the following ports: 5222 TCP XMPP client connection (RFC 3920) Official 5223 TCP XMPP client connection over SSL Unofficial 5269 TCP XMPP server connection (RFC 3920) Official 5298 TCP UDP XMPP JEP-0174: Link-Local Messaging / Official XEP-0174: Serverless Messaging 8010 TCP XMPP File transfers Unofficial And BOSH (Jabber over HTTP) can use 80 & 443.