| Summary: | SELinux is preventing /usr/bin/python from 'name_bind' accesses on the tcp_socket port 5298. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Matěj Cepl <mcepl> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 15 | CC: | dwalsh, mcepl, mgrepl |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | setroubleshoot_trace_hash:f7465784e84e5b4404c4e57cdc18e4ca43f6fe91fae9f8355931ea5580784f82 | ||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2011-03-31 11:22:15 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Matej, turn on the boolean. |
SELinux is preventing /usr/bin/python from 'name_bind' accesses on the tcp_socket port 5298. This is gajim running as staff_u and trying to work as XMPP Link-Local (i.e., Jabber over Avahi/Bonjour working in LAN without a special Jabber server). ***** Plugin catchall_boolean (89.3 confidence) suggests ******************* If you want to allow users to run TCP servers (bind to ports and accept connection from the same domain and outside users) disabling this forces FTP passive mode and may change other protocols. Then you must tell SELinux about this by enabling the 'user_tcp_server' boolean. Do setsebool -P user_tcp_server 1 ***** Plugin catchall (11.6 confidence) suggests *************************** If you believe that python should be allowed name_bind access on the port 5298 tcp_socket by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep gajim /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context staff_u:staff_r:staff_t:s0-s0:c0.c1023 Target Context system_u:object_r:presence_port_t:s0 Target Objects port 5298 [ tcp_socket ] Source gajim Source Path /usr/bin/python Port 5298 Host (removed) Source RPM Packages python-2.7.1-6.fc15 Target RPM Packages Policy RPM selinux-policy-3.9.16-6.fc15 Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name (removed) Platform Linux (removed) 2.6.38.2-8.fc15.x86_64 #1 SMP Mon Mar 28 02:14:51 UTC 2011 x86_64 x86_64 Alert Count 4 First Seen Út 29. březen 2011, 14:27:11 CEST Last Seen Út 29. březen 2011, 20:18:11 CEST Local ID 5f5d3b07-3223-485b-a191-d48e35da02ca Raw Audit Messages type=AVC msg=audit(1301422691.770:236): avc: denied { name_bind } for pid=13798 comm="gajim" src=5298 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:presence_port_t:s0 tclass=tcp_socket type=SYSCALL msg=audit(1301422691.770:236): arch=x86_64 syscall=bind success=yes exit=0 a0=26 a1=7fff8c94d100 a2=10 a3=7fce4ca79891 items=0 ppid=13797 pid=13798 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=3 comm=gajim exe=/usr/bin/python subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null) Hash: gajim,staff_t,presence_port_t,tcp_socket,name_bind audit2allow #============= staff_t ============== #!!!! This avc can be allowed using the boolean 'user_tcp_server' allow staff_t presence_port_t:tcp_socket name_bind; audit2allow -R #============= staff_t ============== #!!!! This avc can be allowed using the boolean 'user_tcp_server' allow staff_t presence_port_t:tcp_socket name_bind;