| Summary: | SELinux is preventing /opt/Samsung/mfp/bin/netdiscovery from 'name_connect' accesses on the tcp_socket port 427. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | doctore |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED INSUFFICIENT_DATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | rawhide | CC: | doctore, dominick.grift, dwalsh, mgrepl, szymon |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | setroubleshoot_trace_hash:e9c14c50a821c5975bc79e6416e73ed72cc195aa13612bebcabfa7247e22473a | ||
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2011-11-21 16:50:28 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
What is going on here? Why is colord connecting to the network? What is /opt/Samsung/mfp/bin/netdiscovery doing?
```
SELinux is preventing /opt/Samsung/mfp/bin/netdiscovery from 'name_connect' accesses on the tcp_socket port 427.

*****  Plugin connect_ports (99.5 confidence) suggests  **********************

If you want to allow /opt/Samsung/mfp/bin/netdiscovery to connect to network port 427
Then you need to modify the port type.
Do
# semanage port -a -t TYP_PORTU -p tcp 427, gdzie TYP_PORTU jest jednym z: ipp_port_t, dns_port_t.

*****  Plugin catchall (1.49 confidence) suggests  ***************************

If aby netdiscovery powinno mieć domyślnie name_connect dostęp do port 427 tcp_socket.
Then proszę to zgłosić jako błąd.
Można utworzyć lokalny moduł polityki, aby umożliwić ten dostęp.
Do
można tymczasowo zezwolić na ten dostęp wykonując polecenia:
# grep netdiscovery /var/log/audit/audit.log | audit2allow -M moja_polityka
# semodule -i moja_polityka.pp

Additional Information:
Source Context                system_u:system_r:colord_t:s0-s0:c0.c1023
Target Context                system_u:object_r:reserved_port_t:s0
Target Objects                port 427 [ tcp_socket ]
Source                        netdiscovery
Source Path                   /opt/Samsung/mfp/bin/netdiscovery
Port                          427
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.9.16-38.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 2.6.40.4-5.fc15.x86_64 #1 SMP Tue Aug 30 14:38:32 UTC 2011 x86_64 x86_64
Alert Count                   12
First Seen                    wto, 30 sie 2011, 18:23:47
Last Seen                     wto, 27 wrz 2011, 21:56:32
Local ID                      66984452-4495-4fb3-bc13-a2fd00568dd1

Raw Audit Messages
type=AVC msg=audit(1317153392.544:36): avc:  denied  { name_connect } for  pid=1194 comm="netdiscovery" dest=427 scontext=system_u:system_r:colord_t:s0-s0:c0.c1023 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket

type=SYSCALL msg=audit(1317153392.544:36): arch=i386 syscall=getuid per=400000 success=no exit=ECONNREFUSED a0=3 a1=fff08280 a2=fff082f0 a3=3 items=0 ppid=1192 pid=1194 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=netdiscovery exe=/opt/Samsung/mfp/bin/netdiscovery subj=system_u:system_r:colord_t:s0-s0:c0.c1023 key=(null)

Hash: netdiscovery,colord_t,reserved_port_t,tcp_socket,name_connect

audit2allow

#============= colord_t ==============
allow colord_t reserved_port_t:tcp_socket name_connect;

audit2allow -R

#============= colord_t ==============
allow colord_t reserved_port_t:tcp_socket name_connect;
```