Bug 467352
| Summary: | SELinux is preventing npviewer.bin (nsplugin_t) "name_connect" hi_reserved_port_t. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Alex Chiang <achiang> |
| Component: | selinux-policy | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED RAWHIDE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | rawhide | CC: | caillon, dwalsh, jkubin, mgrepl, quantumburnz, stransky, wtogami |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | i386 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2008-10-29 17:27:11 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Alex Chiang
2008-10-17 01:35:11 UTC
Oops, sorry -- copy and paste error in comment #1. This is the correct report. Summary: SELinux is preventing npviewer.bin (nsplugin_t) "name_connect" hi_reserved_port_t. Detailed Description: [SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.] SELinux denied access requested by npviewer.bin. It is not expected that this access is required by npviewer.bin and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access: You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package. Additional Information: Source Context unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c102 3 Target Context system_u:object_r:hi_reserved_port_t:s0 Target Objects None [ tcp_socket ] Source npviewer.bin Source Path /usr/lib/nspluginwrapper/npviewer.bin Port 843 Host ethanol Source RPM Packages nspluginwrapper-1.1.0-11.fc10 Target RPM Packages Policy RPM selinux-policy-3.5.12-2.fc10 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Permissive Plugin Name catchall Host Name ethanol Platform Linux ethanol 2.6.27-13.fc10.i686 #1 SMP Wed Oct 15 02:06:26 EDT 2008 i686 i686 Alert Count 4 First Seen Thu 16 Oct 2008 07:22:23 PM MDT Last Seen Thu 16 Oct 2008 10:13:21 PM MDT Local ID 3bf5d9b8-f9ea-431b-ac68-606f6cf39805 Line Numbers Raw Audit Messages node=ethanol type=AVC msg=audit(1224216801.494:261): avc: denied { name_connect } for pid=6379 comm="npviewer.bin" dest=843 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket node=ethanol type=SYSCALL msg=audit(1224216801.494:261): arch=40000003 syscall=102 success=no exit=-111 a0=3 a1=b0dd6240 a2=1575de8 a3=0 items=0 ppid=6343 pid=6379 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="npviewer.bin" exe="/usr/lib/nspluginwrapper/npviewer.bin" subj=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 key=(null) Is this flash listening at port 843? You can allow this for now. # audit2allow -M mypol -l -i /var/log/audit/audit.log # semodule -i mypol.pp Fixed in selinux-policy-3.5.13-6.fc10 |