Bug 533438

Summary: SELinux is preventing /usr/bin/python from connecting to port 38555.
Product: Fedora
Reporter: Víctor Daniel Martínez O. <vdanielmo>
Component: abrt
Assignee: Jiri Moskovcak <jmoskovc>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: 12
CC: anton, cheguaka, dfediuck, dvlasenk, dwalsh, iprikryl, james.antill, jmoskovc, kklic, mgrepl, mnowak, npajkovs
Hardware: i386
OS: Linux
Whiteboard: setroubleshoot_trace_hash:f5fba03b09bc6b34fe63f54cb18b03305913d11d6a71142899dfbd6c5c4baf32
Fixed In Version: 1.0.0-1.fc12
Doc Type: Bug Fix
Last Closed: 2009-12-01 04:38:06 UTC

Description Víctor Daniel Martínez O. 2009-11-06 18:54:29 UTC
Summary:

SELinux is preventing /usr/bin/python from connecting to port 38555.

Detailed Description:

SELinux has denied yum from connecting to network port 38555, which does not
have an SELinux type associated with it. If yum should be allowed to connect on
38555, use the semanage command to assign 38555 to a port type that abrt_t can
connect to (http_port_t).
If yum is not supposed to connect to 38555, this could signal an intrusion
attempt.

Allowing Access:

If you want to allow yum to connect to 38555, you can execute
semanage port -a -t PORT_TYPE -p tcp 38555
where PORT_TYPE is one of the following: http_port_t.

Additional Information:

Source Context                system_u:system_r:abrt_t:s0
Target Context                system_u:object_r:port_t:s0
Target Objects                None [ tcp_socket ]
Source                        yum
Source Path                   /usr/bin/python
Port                          38555
Host                          (removed)
Source RPM Packages           python-2.6.2-2.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-40.fc12
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   connect_ports
Host Name                     (removed)
Platform                      Linux (removed) 2.6.31.5-115.fc12.i686 #1 SMP
                              Wed Nov 4 00:45:40 EST 2009 i686 i686
Alert Count                   1
First Seen                    Thu 05 Nov 2009 11:08:33 PM COT
Last Seen                     Thu 05 Nov 2009 11:08:33 PM COT
Local ID                      7f9ed28b-12ca-4b0c-99f2-966c6d48ea0a
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1257480513.7:18768): avc:  denied  { name_connect } for  pid=4767 comm="yum" dest=38555 scontext=system_u:system_r:abrt_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket

node=(removed) type=SYSCALL msg=audit(1257480513.7:18768): arch=40000003 syscall=102 success=no exit=-115 a0=3 a1=bfbef6b0 a2=618f80 a3=bfbef91c items=0 ppid=4766 pid=4767 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="yum" exe="/usr/bin/python" subj=system_u:system_r:abrt_t:s0 key=(null)

Hash String generated from  selinux-policy-3.6.32-40.fc12,connect_ports,yum,abrt_t,port_t,tcp_socket,name_connect
audit2allow suggests:

#============= abrt_t ==============
allow abrt_t port_t:tcp_socket name_connect;
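
The two raw audit records above carry the same audit serial (1257480513.7:18768), so they describe one event. The following is an added example, not part of this report or of setroubleshoot: it parses such records, joins the AVC and SYSCALL halves by serial, and flags a denied name_connect whose target is the generic port_t (the "no SELinux type associated" case described above). The sample lines are copied from this report; the function and field names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: the two raw audit records from this report (one event).
SAMPLE_AUDIT = """\
node=(removed) type=AVC msg=audit(1257480513.7:18768): avc:  denied  { name_connect } for  pid=4767 comm="yum" dest=38555 scontext=system_u:system_r:abrt_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
node=(removed) type=SYSCALL msg=audit(1257480513.7:18768): arch=40000003 syscall=102 success=no exit=-115 a0=3 a1=bfbef6b0 a2=618f80 a3=bfbef91c items=0 ppid=4766 pid=4767 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="yum" exe="/usr/bin/python" subj=system_u:system_r:abrt_t:s0 key=(null)
"""

RECORD_RE = re.compile(r'type=(\w+) msg=audit\(([\d.]+:\d+)\):\s*(.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')      # key=value or key="value"
PERMS_RE = re.compile(r'avc:\s+(denied|granted)\s+\{ ([^}]*)\}')

def parse_records(text):
    """Group AVC and SYSCALL records by audit serial: {serial: {type: fields}}."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = RECORD_RE.search(line)
        if not m:
            continue
        rtype, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
        if rtype == 'AVC':                      # pull "denied { perm ... }" apart
            p = PERMS_RE.search(body)
            fields['result'] = p.group(1)
            fields['perms'] = p.group(2).split()
        events[serial][rtype] = fields
    return dict(events)

def triage_name_connect(events):
    """List denied name_connect events; a port_t target means the destination
    port carries no specific SELinux port type (the situation in this report)."""
    findings = []
    for serial, recs in events.items():
        avc = recs.get('AVC')
        if not avc or avc['result'] != 'denied' or 'name_connect' not in avc['perms']:
            continue
        sc = recs.get('SYSCALL', {})            # SYSCALL half may be absent
        port_type = avc['tcontext'].split(':')[2]
        findings.append({
            'serial': serial,
            'domain': avc['scontext'].split(':')[2],   # e.g. abrt_t
            'exe': sc.get('exe', '?'),                 # real binary, not comm
            'port': int(avc['dest']),
            'port_type': port_type,
            'unlabelled_port': port_type == 'port_t',
            'syscall_failed': sc.get('success') == 'no',
        })
    return findings
```

Calling triage_name_connect(parse_records(SAMPLE_AUDIT)) yields one finding: abrt_t running /usr/bin/python (comm "yum") denied name_connect to the unlabelled port 38555, with the connect() syscall itself failing.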

Comment 1 Daniel Walsh 2009-11-06 19:34:15 UTC
Why would yum be trying to connect to this port?

Comment 2 cheguaka 2009-11-06 22:15:40 UTC
Related with this:

https://bugzilla.redhat.com/show_bug.cgi?id=533502
https://bugzilla.redhat.com/show_bug.cgi?id=533439

I was trying to connect to IRC with telepathy, but telepathy-idle crashed. abrt
popped up, and I tried to submit the bug. abrt tried to download 29 debuginfo
packages via yum, then the three SELinux errors came.

Comment 3 James Antill 2009-11-09 14:28:54 UTC
I've no idea why yum would want to connect to this port. I guess if the user has a network local mirror which is defined as:

 http://local.example.com:38555/fedora


...that would do it.

Comment 4 cheguaka 2009-11-09 16:37:02 UTC
I don't have a local network mirror...

It's a live USB image without overlay persistence.

This bug -> 533690 was filed after the same steps.

1.- telepathy-idle crash
2.- abrt pop
3.- Download of debuginfo...

The final step is https://bugzilla.redhat.com/show_bug.cgi?id=518390#c4 because of the bug 518390 duplicated in 533589 (I also have a wifi enabled by networkmanager applet)

Comment 5 James Antill 2009-11-09 17:01:31 UTC
Can you run: fgrep 3855 /var/cache/yum/*/metalink.xml /var/cache/yum/*/mirrorlist.txt

Comment 6 seth vidal 2009-11-09 17:09:09 UTC
http://isc.sans.org/port.html?port=38555

we sure there isn't something else here?

Comment 7 cheguaka 2009-11-09 17:29:20 UTC
Don't know what you mean. These pairs of bugs were filed with the same steps. Ports differ.

bug 533438  med  low  Linux  jmoskovc  NEW                SELinux is preventing /usr/bin/python from connecting to port 38555.
bug 533439  med  low  Linux  jmoskovc  CLOSED  RAWHIDE    SELinux is preventing /usr/bin/python "name_connect" access.

bug 533689  med  low  Linux  dwalsh    CLOSED  DUPLICATE  SELinux is preventing /usr/bin/python "name_connect" access.
bug 533690  med  low  Linux  dwalsh    CLOSED  RAWHIDE    SELinux is preventing /usr/bin/python from connecting to port 18475.

Comment 8 seth vidal 2009-11-09 18:35:58 UTC
Is there a complete url that the process is attempting to access?

I can't seem to find it in the output.

It might help me understand what is going on here.

Comment 9 cheguaka 2009-11-09 22:50:17 UTC
I think it has to do with this bug https://bugzilla.redhat.com/show_bug.cgi?id=518390. Because if I restart abrt before I try to send the bug, setroubleshoot doesn't pop with this error.

Then it continues with

[root@localhost ~]# ps -ef | grep -i python
liveuser  1763  1641  0 22:58 ?        00:00:00 python /usr/share/system-config-printer/applet.py
liveuser  2123     1  0 22:59 ?        00:00:03 /usr/bin/python /usr/libexec/telepathy-butterfly
root      2286     1  0 23:11 ?        00:00:02 /usr/bin/python -E /usr/sbin/setroubleshootd -f 
liveuser  2295     1  0 23:11 ?        00:00:03 /usr/bin/python -E /usr/bin/sealert -s
liveuser  2330     1  2 23:16 ?        00:00:43 /usr/bin/python /usr/share/abrt/CCMainWindow.py
root      2599  2333  1 23:46 ?        00:00:02 /usr/bin/python /usr/bin/yumdownloader --enablerepo=*debuginfo* --quiet glibc-debuginfo-2.11-2.i686
root      2603  2067  0 23:48 pts/0    00:00:00 grep -i python
[root@localhost ~]# ps -ef | grep -i abrt
liveuser  1912  1641  0 22:58 ?        00:00:00 abrt-applet
root      2098     1  0 22:59 ?        00:00:00 /usr/sbin/abrtd
liveuser  2330     1  2 23:16 ?        00:00:45 /usr/bin/python /usr/share/abrt/CCMainWindow.py
liveuser  2332  2098  0 23:16 ?        00:00:00 /usr/sbin/abrtd
root      2333  2098  0 23:16 ?        00:00:00 /bin/sh /usr/bin/abrt-debuginfo-install /var/cache/abrt/ccpp-1257826416-2101/coredump /var/run/abrt/tmp-2333-1257826571 /var/cache/abrt-di

Does it make sense?

Comment 10 cheguaka 2009-11-10 19:36:46 UTC
Tested against 

http://alt.fedoraproject.org/pub/alt/nightly-composes/desktop/desktop-i386-20091109.15.iso

Only this bug 533427 stays.

Can't reproduce this bug.

No mirrorlist.txt file behind /var/cache/yum

[root@localhost yum]# fgrep 3855 /var/cache/yum/*/*/*/metalink.xml
[root@localhost yum]# 
Nothing.

#9 was tested against this image too. So bug 518390 seems unrelated. Perhaps the closed bugs 533439 and 533690 did the job.

Comment 11 Daniel Walsh 2009-11-10 19:44:38 UTC
I now allow abrt to connect to any port.  I had several other bugs where abrt was connecting to semi-random ports.

selinux-policy-targeted-3.6.32-43.fc12.noarch

Comment 12 Fedora Update System 2009-11-22 20:44:26 UTC
abrt-1.0.0-1.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/abrt-1.0.0-1.fc12

Comment 13 Fedora Update System 2009-11-25 15:10:24 UTC
abrt-1.0.0-1.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update abrt'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2009-12098

Comment 14 Fedora Update System 2009-12-01 04:37:09 UTC
abrt-1.0.0-1.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.