| Summary: | SELinux is preventing /usr/libexec/colord from 'name_bind' accesses on the udp_socket port 5353. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Kyle Martin <martikj2> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED INSUFFICIENT_DATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 15 | CC: | bljames81, dwalsh, mgrepl, paul.girault, rhughes |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | i386 | ||
| OS: | Linux | ||
| Whiteboard: | setroubleshoot_trace_hash:a211c2e50d503f37c9bb3b9d672fb44259af7d6ccdfeb78d347f6bdc5425a2c4 | ||
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2011-10-07 14:14:28 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |

Any idea why is colord using this port? 5353/udp

colord really shouldn't be using any TCP or UDP ports. Can you get some more information on what it's doing on port 5353 please. The only thing I can think of is for the SANE support (libsane is, pretty much insane) although we've explicitly turned off remote scanner support. Thanks.

Kyle are you using NIS? Richard is colord calling getpw* calls, to resolve UID names?

Hello: I'm running Fedora 15 (64). I had already done the fix offered in SELinux. Then I reported the bug and ended here... After some research at http://xsane.org/xsane-download-binary.html I tried installing a rpm from http://www.bennewitz.com/rpms/

```
[root@localhost ~]# yum install '/home/lamerman/Téléchargements/endurs_repo_i686-release-1.0-9.noarch.rpm'
Modules complémentaires chargés : langpacks, presto, refresh-packagekit
endurs_repo | 2.9 kB 00:00
endurs_repo/primary_db | 16 kB 00:00
Configuration du processus d'installation
Erreur : Rien à faire
[root@localhost ~]#
```

It's a "no-go" ?

LamerMan please open a separate bug. I don't think your problem is related to this. Thanks.

I was redirected here from SELinux onwards ? Anyway, the fix from SELinux seems to have worked, and after removing and re-installing skype properly, my problem seems to be solved. Just another chair-keyboard interface bug, I guess ;-) So, problem solved.

```
SELinux is preventing /usr/libexec/colord from 'name_bind' accesses on the udp_socket port 5353.

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that colord should be allowed name_bind access on the port 5353 udp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep colord /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:colord_t:s0-s0:c0.c1023
Target Context                system_u:object_r:howl_port_t:s0
Target Objects                port 5353 [ udp_socket ]
Source                        colord
Source Path                   /usr/libexec/colord
Port                          5353
Host                          (removed)
Source RPM Packages           colord-0.1.1-3.fc15
Target RPM Packages
Policy RPM                    selinux-policy-3.9.16-21.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 2.6.38.4-20.fc15.i686.PAE #1 SMP Thu Apr 28 23:39:32 UTC 2011 i686 i686
Alert Count                   1
First Seen                    Thu 12 May 2011 12:44:50 AM CDT
Last Seen                     Thu 12 May 2011 12:44:50 AM CDT
Local ID                      d9371e5d-6b70-4e9e-8072-5bb5346aa23c

Raw Audit Messages
type=AVC msg=audit(1305179090.307:686): avc: denied { name_bind } for pid=28451 comm="colord" src=5353 scontext=system_u:system_r:colord_t:s0-s0:c0.c1023 tcontext=system_u:object_r:howl_port_t:s0 tclass=udp_socket

type=SYSCALL msg=audit(1305179090.307:686): arch=i386 syscall=socketcall success=yes exit=0 a0=2 a1=bfbae5d0 a2=c06c68 a3=b77a4aa0 items=0 ppid=1 pid=28451 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=colord exe=/usr/libexec/colord subj=system_u:system_r:colord_t:s0-s0:c0.c1023 key=(null)

Hash: colord,colord_t,howl_port_t,udp_socket,name_bind

audit2allow

#============= colord_t ==============
allow colord_t howl_port_t:udp_socket name_bind;

audit2allow -R

#============= colord_t ==============
allow colord_t howl_port_t:udp_socket name_bind;
```
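
To review what a denial like the one in this report would grant before building a local module from it, the following added example (not part of the original report or of the SELinux tools) parses AVC records and renders the rule each distinct denial maps to. The function names and the embedded sample log are assumptions made for illustration; the sample reuses the AVC record from the report, with the SYSCALL line shortened.

```python
import re
from collections import Counter

# Constructed sample: the AVC record from the report plus a shortened SYSCALL line.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1305179090.307:686): avc: denied { name_bind } for pid=28451 comm="colord" src=5353 scontext=system_u:system_r:colord_t:s0-s0:c0.c1023 tcontext=system_u:object_r:howl_port_t:s0 tclass=udp_socket
type=SYSCALL msg=audit(1305179090.307:686): arch=i386 syscall=socketcall success=yes exit=0 comm=colord exe=/usr/libexec/colord
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")


def parse_avc(line):
    """Return a dict of fields for an AVC denial line, or None for other records."""
    m = AVC_RE.search(line)
    if not line.startswith("type=AVC") or not m:
        return None
    pairs = (kv.split("=", 1) for kv in m.group("rest").split() if "=" in kv)
    rec = {key: value.strip('"') for key, value in pairs}
    rec["perms"] = m.group("perms").split()
    # A context is user:role:type:level; the type is what policy rules refer to.
    rec["source_type"] = rec["scontext"].split(":")[2]
    rec["target_type"] = rec["tcontext"].split(":")[2]
    return rec


def summarize(log_text):
    """Count denials by (source type, target type, object class, permission)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            for perm in rec["perms"]:
                key = (rec["source_type"], rec["target_type"], rec["tclass"], perm)
                counts[key] += 1
    return counts


def allow_rule(key):
    """Render the type-enforcement rule that would permit one denial tuple."""
    src, tgt, tclass, perm = key
    return f"allow {src} {tgt}:{tclass} {perm};"


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_AUDIT_LOG).items():
        print(f"{n}x {allow_rule(key)}")
```

Listing the distinct tuples first makes it visible that the rule applies to every port labelled with the target type, not only to the single bind that was logged.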