Bug 690005

Summary: SELinux is preventing /usr/libexec/telepathy-haze from 'name_connect' accesses on the tcp_socket port 4444.
Product: [Fedora] Fedora Reporter: Dawid Zamirski <dzrudy>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 15CC: dwalsh, mgrepl, nalin, ssorce
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard: setroubleshoot_trace_hash:e6b50feb657b892a492b685c0e7ce89fc29c10b1d59e36a98e79acd99099a9c8
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-05-17 15:56:28 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Dawid Zamirski 2011-03-23 00:05:58 UTC 
SELinux is preventing /usr/libexec/telepathy-haze from 'name_connect' accesses on the tcp_socket port 4444.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that telepathy-haze should be allowed name_connect access on the port 4444 tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep telepathy-haze /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:telepathy_msn_t:s0-s0:c0
                              .c1023
Target Context                system_u:object_r:kerberos_master_port_t:s0
Target Objects                port 4444 [ tcp_socket ]
Source                        telepathy-haze
Source Path                   /usr/libexec/telepathy-haze
Port                          4444
Host                          (removed)
Source RPM Packages           telepathy-haze-0.4.0-3.fc15
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.16-5.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 2.6.38-1.fc15.x86_64 #1
                              SMP Tue Mar 15 05:29:00 UTC 2011 x86_64 x86_64
Alert Count                   16
First Seen                    Fri 18 Mar 2011 07:14:01 PM EDT
Last Seen                     Tue 22 Mar 2011 07:02:38 PM EDT
Local ID                      c179560b-2b3d-4fc2-afba-1bb9a15cb11f

Raw Audit Messages
type=AVC msg=audit(1300834958.833:85): avc:  denied  { name_connect } for  pid=2069 comm="telepathy-haze" dest=4444 scontext=unconfined_u:unconfined_r:telepathy_msn_t:s0-s0:c0.c1023 tcontext=system_u:object_r:kerberos_master_port_t:s0 tclass=tcp_socket


type=SYSCALL msg=audit(1300834958.833:85): arch=x86_64 syscall=connect success=no exit=EACCES a0=7 a1=1961e30 a2=10 a3=1 items=0 ppid=1 pid=2069 auid=501 uid=501 gid=500 euid=501 suid=501 fsuid=501 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm=telepathy-haze exe=/usr/libexec/telepathy-haze subj=unconfined_u:unconfined_r:telepathy_msn_t:s0-s0:c0.c1023 key=(null)

Hash: telepathy-haze,telepathy_msn_t,kerberos_master_port_t,tcp_socket,name_connect

audit2allow

#============= telepathy_msn_t ==============
allow telepathy_msn_t kerberos_master_port_t:tcp_socket name_connect;

audit2allow -R

#============= telepathy_msn_t ==============
allow telepathy_msn_t kerberos_master_port_t:tcp_socket name_connect;
Comment 1 Daniel Walsh 2011-03-23 12:50:53 UTC 
Nalin and Simo should port 4444 be labeled as the kerberos_master_port as opposed to just the kerberos_port.  Currently the only confined app that can talk to port 4444 is winbind.  From the services definition it looks like clients that need to talk to a kerberos v4 service would need to talk to this port?

grep 4444/tcp /etc/services 
krb524          4444/tcp        nv-video        # Kerberos 5 to 4 ticket xlator
Comment 2 Nalin Dahyabhai 2011-03-23 14:26:30 UTC 
Clients that want to use v4 which have access to a v5 ticket can contact a 524 server to have it send them a v4 ticket.  It's a service that any KDC host could provide (or for that matter, any service with a keytab, for just the services for which it has keys).  If that's what kerberos_port is, then changing the label makes sense.
Comment 3 Daniel Walsh 2011-03-23 18:27:22 UTC 
semanage  port -l | grep kerberos
kerberos_admin_port_t          tcp      749
kerberos_master_port_t         tcp      4444
kerberos_master_port_t         udp      4444
kerberos_password_port_t       tcp      464
kerberos_password_port_t       udp      464
kerberos_port_t                tcp      88, 750
kerberos_port_t                udp      88, 750


This is our current break down.  I am suggesting we remove kerberos_master_port_t and move 4444 to kerberos_port_t.  I believe any app that needs to connect to port 88 or 750 also probably could connect to a port listening on 4444.
Comment 4 Nalin Dahyabhai 2011-03-23 19:00:43 UTC 
(In reply to comment #3)
>                                                          I believe any app
> that needs to connect to port 88 or 750 also probably could connect to a port
> listening on 4444.

Yes, I agree that's reasonable.
Comment 5 Daniel Walsh 2011-03-23 19:39:49 UTC 
Fixed in selinux-policy-3.9.16-7.fc15