Bug 756334

Summary: SELinux is preventing colord from 'name_connect' accesses on the tcp_socket port 54396.
Product: [Fedora] Fedora
Reporter: Slawomir Czarko <slawomir.czarko>
Component: colord
Assignee: Richard Hughes <hughsient>
Status: CLOSED WONTFIX
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: unspecified
Version: 15
CC: dominick.grift, dwalsh, gspe, gunnar, hughsient, mgrepl, rhughes
Hardware: i386
OS: Linux
Whiteboard: setroubleshoot_trace_hash:c7ee083134cc2def4c963f68aca758785f005fef96d7d821cfbf0d173a044b3a
Doc Type: Bug Fix
Last Closed: 2012-08-07 20:20:16 UTC

Description Slawomir Czarko 2011-11-23 10:32:55 UTC
SELinux is preventing colord from 'name_connect' accesses on the tcp_socket port 54396.

*****  Plugin connect_ports (99.5 confidence) suggests  **********************

If you want to allow colord to connect to network port 54396
Then you need to modify the port type.
Do
# semanage port -a -t PORT_TYPE -p tcp 54396
    where PORT_TYPE is one of the following: ipp_port_t, dns_port_t.

*****  Plugin catchall (1.49 confidence) suggests  ***************************

If you believe that colord should be allowed name_connect access on the port 54396 tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep colord /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:colord_t:s0-s0:c0.c1023
Target Context                system_u:object_r:port_t:s0
Target Objects                port 54396 [ tcp_socket ]
Source                        colord
Source Path                   colord
Port                          54396
Host                          (removed)
Source RPM Packages           colord-0.1.7-1.fc15
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.16-44.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 2.6.41.1-1.fc15.i686.PAE #1
                              SMP Fri Nov 11 21:43:42 UTC 2011 i686 i686
Alert Count                   2
First Seen                    Wed 23 Nov 2011 10:44:23 AM CET
Last Seen                     Wed 23 Nov 2011 10:47:58 AM CET
Local ID                      bdd86bcc-45b4-4b59-aa15-51b01eb8efdf

Raw Audit Messages
type=AVC msg=audit(1322041678.109:25): avc:  denied  { name_connect } for  pid=1326 comm="colord" dest=54396 scontext=system_u:system_r:colord_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket


type=SYSCALL msg=audit(1322041678.109:25): arch=i386 syscall=socketcall success=yes exit=0 a0=3 a1=bff89d40 a2=5dbddc a3=0 items=0 ppid=1 pid=1326 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=colord exe=/usr/libexec/colord subj=system_u:system_r:colord_t:s0-s0:c0.c1023 key=(null)

Hash: colord,colord_t,port_t,tcp_socket,name_connect

audit2allow

#============= colord_t ==============
allow colord_t port_t:tcp_socket name_connect;

audit2allow -R

#============= colord_t ==============
allow colord_t port_t:tcp_socket name_connect;

Comment 1 Daniel Walsh 2011-11-23 17:03:36 UTC
*** Bug 756333 has been marked as a duplicate of this bug. ***

Comment 2 Daniel Walsh 2011-11-23 17:04:22 UTC
Any idea why colord is using the network?

Comment 3 Daniel Walsh 2011-11-23 17:05:15 UTC
*** Bug 756335 has been marked as a duplicate of this bug. ***

Comment 4 Daniel Walsh 2011-11-23 17:07:49 UTC
*** Bug 756337 has been marked as a duplicate of this bug. ***

Comment 5 Slawomir Czarko 2011-11-24 08:35:54 UTC
(In reply to comment #2)
> Any idea why colord is using the network?

This started happening after I added a networked (wireless) printer/scanner (Epson Stylus SX425W). I get these alerts each time I log in.

Comment 6 Miroslav Grepl 2011-11-24 09:19:08 UTC
I added a new colord_can_network_connect boolean.

Comment 7 Daniel Walsh 2011-11-29 02:14:17 UTC
Does colord actually need to connect to ephemeral ports?

Comment 8 Richard Hughes 2011-11-29 10:57:06 UTC
Nahh, colord uses SANE which is doing crazy stuff. I thought nils fixed the sane driver that went out on the network even when told only to scan local devices?

Comment 9 Slawomir Czarko 2011-11-29 11:21:47 UTC
(In reply to comment #8)
> Nahh, colord uses SANE which is doing crazy stuff. I thought nils fixed the sane
> driver that went out on the network even when told only to scan local devices?

Not sure if it's relevant but in this particular case SANE is configured to look for the scanner on the network:

cat /etc/sane.d/epkowa.conf 

net 192.168.1.122

Comment 10 Daniel Walsh 2011-11-29 21:02:47 UTC
Ok Slawomir, then you will need to add a custom policy for this.  Or dontaudit the access, since colord probably does not need this access.

# grep colord_t /var/log/audit/audit.log | audit2allow -D -M mycolord
# semodule -i mycolord.pp

Comment 11 Slawomir Czarko 2011-11-30 10:38:55 UTC
Custom policy I got:

module mycolord 1.0;

require {
	type lib_t;
	type colord_t;
	type file_t;
	type node_t;
	type port_t;
	class tcp_socket { name_connect listen accept node_bind };
	class dir { read search };
	class file execute_no_trans;
}

#============= colord_t ==============
dontaudit colord_t file_t:dir { read search };
dontaudit colord_t lib_t:file execute_no_trans;
dontaudit colord_t node_t:tcp_socket node_bind;
dontaudit colord_t port_t:tcp_socket name_connect;
dontaudit colord_t self:tcp_socket { accept listen };

Comment 12 Daniel Walsh 2011-11-30 17:39:17 UTC
Well some of these are old, and should be fixed.  You should not have files labeled file_t on your system.  Not sure what the lib_t is but I am not worried about it.  The other stuff is fine.

So remove the lib_t and file_t lines and recompile

# make -f /usr/share/selinux/devel/Makefile
# semodule -i mycolord.pp

Comment 13 Slawomir Czarko 2011-12-01 07:57:47 UTC
After removing lib_t and file_t lines I get this:

SELinux is preventing /usr/lib/iscan/network from execute_no_trans access on the file /usr/lib/iscan/network.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that network should be allowed execute_no_trans access on the network file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep network /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:colord_t:s0-s0:c0.c1023
Target Context                system_u:object_r:lib_t:s0
Target Objects                /usr/lib/iscan/network [ file ]
Source                        network
Source Path                   /usr/lib/iscan/network
Port                          <Unknown>
Host                          gaia.garous.net
Source RPM Packages           iscan-network-nt-1.1.0-2
Target RPM Packages           iscan-network-nt-1.1.0-2
Policy RPM                    selinux-policy-3.9.16-44.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     gaia.garous.net
Platform                      Linux gaia.garous.net 2.6.41.1-1.fc15.i686.PAE #1
                              SMP Fri Nov 11 21:43:42 UTC 2011 i686 i686
Alert Count                   1
First Seen                    Thu 01 Dec 2011 08:53:05 AM CET
Last Seen                     Thu 01 Dec 2011 08:53:05 AM CET
Local ID                      95d8b43f-224e-4f70-b091-476be79f8b05

Raw Audit Messages
type=AVC msg=audit(1322725985.409:20): avc:  denied  { execute_no_trans } for  pid=1315 comm="colord" path="/usr/lib/iscan/network" dev=dm-1 ino=547904 scontext=system_u:system_r:colord_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=file


type=SYSCALL msg=audit(1322725985.409:20): arch=i386 syscall=execve success=yes exit=0 a0=bf868644 a1=bf8675fc a2=bf869cdc a3=1 items=0 ppid=1302 pid=1315 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=network exe=/usr/lib/iscan/network subj=system_u:system_r:colord_t:s0-s0:c0.c1023 key=(null)

Hash: network,colord_t,lib_t,file,execute_no_trans

audit2allow

#============= colord_t ==============
allow colord_t lib_t:file execute_no_trans;

audit2allow -R

#============= colord_t ==============
allow colord_t lib_t:file execute_no_trans;

Comment 14 Miroslav Grepl 2011-12-01 08:35:38 UTC
You need to change the label for /usr/lib/iscan/network

# chcon -t bin_t /usr/lib/iscan/network

Is this file only executed in this use case?

Comment 15 Slawomir Czarko 2011-12-01 08:46:06 UTC
(In reply to comment #14)
> You need to change the label for /usr/lib/iscan/network
> 
> # chcon -t bin_t /usr/lib/iscan/network
> 
> Is this file only executed in this use case?

That fixed it. Thanks. I'm not sure if /usr/lib/iscan/network is executed at any other point. So far I only saw the alerts when logging in.
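The thread above walks through the whole local-module procedure: setroubleshoot's catchall plugin (comment 0), the `audit2allow -D` variant Daniel Walsh recommends in comment 10, the generated .te source in comment 11 and the trimming and recompile in comment 12. What `audit2allow` actually derives from a raw AVC record is small enough to show end to end. The script below is an added example, not part of the bug report, colord or the audit2allow tool: a minimal re-implementation in POSIX sh and awk that turns AVC lines into a complete .te source, with `allow` (the default) or `dontaudit` (the `-D` switch) rules, the `require` block, and `self` for same-type targets. The function name `avc_to_te` is made up for this example. Two of the sample AVC lines are copied from the report's raw audit messages; the `accept`/`listen` lines and the SYSCALL line are constructed to exercise permission merging and record filtering.

```shell
#!/bin/sh
# Added example: a toy audit2allow. Not the real tool and not colord's code.
# Input is constructed: the first two AVC records are the ones quoted in this
# report, the accept/listen records are made up to show same-type ("self")
# merging, and the SYSCALL record is there to show that non-AVC lines are skipped.
AVC_SAMPLE='type=AVC msg=audit(1322041678.109:25): avc:  denied  { name_connect } for  pid=1326 comm="colord" dest=54396 scontext=system_u:system_r:colord_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1322041678.109:25): arch=i386 syscall=socketcall success=yes exit=0 a0=3 a1=bff89d40 a2=5dbddc a3=0 items=0 ppid=1 pid=1326 comm=colord exe=/usr/libexec/colord
type=AVC msg=audit(1322725985.409:20): avc:  denied  { execute_no_trans } for  pid=1315 comm="colord" path="/usr/lib/iscan/network" dev=dm-1 ino=547904 scontext=system_u:system_r:colord_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=AVC msg=audit(1322725990.000:21): avc:  denied  { accept } for  pid=1315 comm="colord" scontext=system_u:system_r:colord_t:s0-s0:c0.c1023 tcontext=system_u:system_r:colord_t:s0-s0:c0.c1023 tclass=tcp_socket
type=AVC msg=audit(1322725990.000:22): avc:  denied  { listen } for  pid=1315 comm="colord" scontext=system_u:system_r:colord_t:s0-s0:c0.c1023 tcontext=system_u:system_r:colord_t:s0-s0:c0.c1023 tclass=tcp_socket'

# avc_to_te MODULE [allow|dontaudit]
#   Reads audit records on stdin and prints a complete .te source on stdout.
#   "allow" mirrors plain audit2allow; "dontaudit" mirrors audit2allow -D.
avc_to_te() {
  module="$1"; kw="${2:-allow}"
  awk -v module="$module" -v kw="$kw" '
    /^type=AVC / && / denied / {
      perm = ""; src = ""; tgt = ""; cls = ""
      # the permission set sits between "{ " and " }"
      if (match($0, /[{] [^}]* [}]/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
      for (i = 1; i <= NF; i++) {
        if (split($i, kv, "=") < 2) continue
        # contexts are user:role:type:range; only the type matters for a TE rule
        if (kv[1] == "scontext")      { split(kv[2], p, ":"); src = p[3] }
        else if (kv[1] == "tcontext") { split(kv[2], p, ":"); tgt = p[3] }
        else if (kv[1] == "tclass")   cls = kv[2]
      }
      if (src == "" || tgt == "" || cls == "" || perm == "") next
      types[src] = 1; types[tgt] = 1; srcs[src] = 1
      if (tgt == src) tgt = "self"   # audit2allow writes same-type targets as self
      key = src SUBSEP tgt SUBSEP cls
      np = split(perm, plist, " ")
      for (j = 1; j <= np; j++) {
        classperms[cls, plist[j]] = 1   # for the require block
        if (!((key, plist[j]) in seen)) {
          seen[key, plist[j]] = 1
          rules[key] = rules[key] " " plist[j]   # merge perms per (src, tgt, class)
        }
      }
    }
    END {
      printf "module %s 1.0;\n\nrequire {\n", module
      for (t in types) printf "\ttype %s;\n", t
      for (k in classperms) { split(k, kc, SUBSEP); cp[kc[1]] = cp[kc[1]] " " kc[2] }
      for (c in cp) {
        v = substr(cp[c], 2)
        if (index(v, " ")) v = "{ " v " }"
        printf "\tclass %s %s;\n", c, v
      }
      printf "}\n"
      for (s in srcs) {
        printf "\n#============= %s ==============\n", s
        for (r in rules) {
          split(r, f, SUBSEP)
          if (f[1] != s) continue
          pl = substr(rules[r], 2)
          if (index(pl, " ")) pl = "{ " pl " }"
          printf "%s %s %s:%s %s;\n", kw, f[1], f[2], f[3], pl
        }
      }
    }'
}

# Equivalent of: grep colord_t /var/log/audit/audit.log | audit2allow -D -M mycolord
printf '%s\n' "$AVC_SAMPLE" | avc_to_te mycolord dontaudit
```

The printed source is what comment 11 shows (minus the file_t and node_t lines, which are not in the sample); it compiles with the same two commands comment 12 uses, `make -f /usr/share/selinux/devel/Makefile` and `semodule -i mycolord.pp`. Two things the generator cannot know are worth checking by hand before loading the module. First, an `allow colord_t port_t:tcp_socket name_connect;` or `unreserved_port_t` rule lets a root daemon connect to any unlabelled TCP port, which is why the thread prefers either `dontaudit` or, on F16 policy, the narrower `colord_can_network_connect` boolean. Second, the `execute_no_trans` denial on `/usr/lib/iscan/network` is a labelling problem, not a policy gap, as comment 14 shows: `chcon -t bin_t` fixes it on the spot but does not survive a relabel, so the persistent form is `semanage fcontext -a -t bin_t /usr/lib/iscan/network` followed by `restorecon -v /usr/lib/iscan/network`.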

Comment 16 Gunnar Wagenknecht 2012-03-07 08:13:48 UTC
FWIW, I'm also seeing this on a fresh F16 install running in a VMware VM. I did not connect any network printers or scanners.

SELinux is preventing /usr/libexec/colord from name_connect access on the tcp_socket.

*****  Plugin connect_ports (92.2 confidence) suggests  **********************

If you want to allow /usr/libexec/colord to connect to network port 1865
Then you need to modify the port type.
Do
# semanage port -a -t PORT_TYPE -p tcp 1865
    where PORT_TYPE is one of the following: dns_port_t, ipp_port_t.

*****  Plugin catchall_boolean (7.83 confidence) suggests  *******************

If you want to allow colord domain to connect to the network using TCP.
Then you must tell SELinux about this by enabling the 'colord_can_network_connect' boolean.
Do
setsebool -P colord_can_network_connect 1

*****  Plugin catchall (1.41 confidence) suggests  ***************************

If you believe that colord should be allowed name_connect access on the tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep colord /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:colord_t:s0-s0:c0.c1023
Target Context                system_u:object_r:unreserved_port_t:s0
Target Objects                 [ tcp_socket ]
Source                        colord
Source Path                   /usr/libexec/colord
Port                          1865
Host                          (removed)
Source RPM Packages           colord-0.1.15-2.fc16.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.10.0-75.fc16.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.2.7-1.fc16.x86_64 #1 SMP Tue
                              Feb 21 01:40:47 UTC 2012 x86_64 x86_64
Alert Count                   1
First Seen                    Wed 07 Mar 2012 08:56:58 AM CET
Last Seen                     Wed 07 Mar 2012 08:56:58 AM CET
Local ID                      45833c05-3a3b-4109-a491-5761243921d9

Raw Audit Messages
type=AVC msg=audit(1331107018.986:72): avc:  denied  { name_connect } for  pid=1881 comm="colord" dest=1865 scontext=system_u:system_r:colord_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket


type=SYSCALL msg=audit(1331107018.986:72): arch=x86_64 syscall=connect success=no exit=EACCES a0=11 a1=7fffef6aaf20 a2=10 a3=7fffef6aacb0 items=0 ppid=1 pid=1881 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=colord exe=/usr/libexec/colord subj=system_u:system_r:colord_t:s0-s0:c0.c1023 key=(null)

Hash: colord,colord_t,unreserved_port_t,tcp_socket,name_connect

audit2allow

#============= colord_t ==============
#!!!! This avc can be allowed using the boolean 'colord_can_network_connect'

allow colord_t unreserved_port_t:tcp_socket name_connect;

audit2allow -R

#============= colord_t ==============
#!!!! This avc can be allowed using the boolean 'colord_can_network_connect'

allow colord_t unreserved_port_t:tcp_socket name_connect;

Comment 17 Fedora End Of Life 2012-08-07 20:20:20 UTC
This message is a notice that Fedora 15 is now at end of life. Fedora
has stopped maintaining and issuing updates for Fedora 15. It is
Fedora's policy to close all bug reports from releases that are no
longer maintained. At this time, all open bugs with a Fedora 'version'
of '15' have been closed as WONTFIX.

(Please note: Our normal process is to give advance warning of this
occurring, but we forgot to do that. A thousand apologies.)

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, feel free to reopen
this bug and simply change the 'version' to a later Fedora version.

Bug Reporter: Thank you for reporting this issue and we are sorry that
we were unable to fix it before Fedora 15 reached end of life. If you
would still like to see this bug fixed and are able to reproduce it
against a later version of Fedora, you are encouraged to click on
"Clone This Bug" (top right of this page) and open it against that
version of Fedora.

Although we aim to fix as many bugs as possible during every release's
lifetime, sometimes those efforts are overtaken by events. Often a
more recent Fedora release includes newer upstream software that fixes
bugs or makes them obsolete.

The process we are following is described here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping