This service will be undergoing maintenance at 00:00 UTC, 2016-08-01. It is expected to last about 1 hours

Bug 756334

Summary: SELinux is preventing colord from 'name_connect' accesses on the tcp_socket port 54396.
Product: [Fedora] Fedora Reporter: Slawomir Czarko <slawomir.czarko>
Component: colordAssignee: Richard Hughes <hughsient>
Status: CLOSED WONTFIX QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 15CC: dominick.grift, dwalsh, gspe, gunnar, hughsient, mgrepl, rhughes
Target Milestone: ---   
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard: setroubleshoot_trace_hash:c7ee083134cc2def4c963f68aca758785f005fef96d7d821cfbf0d173a044b3a
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-08-07 16:20:16 EDT Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:

Description Slawomir Czarko 2011-11-23 05:32:55 EST
SELinux is preventing colord from 'name_connect' accesses on the tcp_socket port 54396.

*****  Plugin connect_ports (99.5 confidence) suggests  **********************

If you want to allow colord to connect to network port 54396
Then you need to modify the port type.
Do
# semanage port -a -t PORT_TYPE -p tcp 54396
    where PORT_TYPE is one of the following: ipp_port_t, dns_port_t.

*****  Plugin catchall (1.49 confidence) suggests  ***************************

If you believe that colord should be allowed name_connect access on the port 54396 tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep colord /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:colord_t:s0-s0:c0.c1023
Target Context                system_u:object_r:port_t:s0
Target Objects                port 54396 [ tcp_socket ]
Source                        colord
Source Path                   colord
Port                          54396
Host                          (removed)
Source RPM Packages           colord-0.1.7-1.fc15
Target RPM Packages           
Policy RPM                    selinux-policy-3.9.16-44.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 2.6.41.1-1.fc15.i686.PAE #1
                              SMP Fri Nov 11 21:43:42 UTC 2011 i686 i686
Alert Count                   2
First Seen                    Wed 23 Nov 2011 10:44:23 AM CET
Last Seen                     Wed 23 Nov 2011 10:47:58 AM CET
Local ID                      bdd86bcc-45b4-4b59-aa15-51b01eb8efdf

Raw Audit Messages
type=AVC msg=audit(1322041678.109:25): avc:  denied  { name_connect } for  pid=1326 comm="colord" dest=54396 scontext=system_u:system_r:colord_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket


type=SYSCALL msg=audit(1322041678.109:25): arch=i386 syscall=socketcall success=yes exit=0 a0=3 a1=bff89d40 a2=5dbddc a3=0 items=0 ppid=1 pid=1326 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=colord exe=/usr/libexec/colord subj=system_u:system_r:colord_t:s0-s0:c0.c1023 key=(null)

Hash: colord,colord_t,port_t,tcp_socket,name_connect

audit2allow

#============= colord_t ==============
allow colord_t port_t:tcp_socket name_connect;

audit2allow -R

#============= colord_t ==============
allow colord_t port_t:tcp_socket name_connect;
Comment 1 Daniel Walsh 2011-11-23 12:03:36 EST
*** Bug 756333 has been marked as a duplicate of this bug. ***
Comment 2 Daniel Walsh 2011-11-23 12:04:22 EST
Any idea why colord is using the network?
Comment 3 Daniel Walsh 2011-11-23 12:05:15 EST
*** Bug 756335 has been marked as a duplicate of this bug. ***
Comment 4 Daniel Walsh 2011-11-23 12:07:49 EST
*** Bug 756337 has been marked as a duplicate of this bug. ***
Comment 5 Slawomir Czarko 2011-11-24 03:35:54 EST
(In reply to comment #2)
> Any idea why colord is using the network?

This started happening after I added a networked (wireless) printer/scanner (Epson Stylus SX425W). I get these alerts each time I log in.
Comment 6 Miroslav Grepl 2011-11-24 04:19:08 EST
I added a new colord_can_network_connect boolean.
Comment 7 Daniel Walsh 2011-11-28 21:14:17 EST
Does colord actually need to connect to ephemeral ports?
Comment 8 Richard Hughes 2011-11-29 05:57:06 EST
Nahh, colord uses SANE which is doing crazy stuff. I though nils fixed the sane driver that went out on the network even told only to scan local devices?
Comment 9 Slawomir Czarko 2011-11-29 06:21:47 EST
(In reply to comment #8)
> Nahh, colord uses SANE which is doing crazy stuff. I though nils fixed the sane
> driver that went out on the network even told only to scan local devices?

Not sure if it's relevant but in this particular case SANE is configured to look for the scanner on the network:

cat /etc/sane.d/epkowa.conf 

net 192.168.1.122
Comment 10 Daniel Walsh 2011-11-29 16:02:47 EST
Ok Slawormir then you will need to add a custom policy for this.  Or dontaudit the access, since colord does not probably need this access.

# grep colord_t /var/log/audit/audit.log | audit2allow -D -M mycolord
# semodule -i mycolord.pp
Comment 11 Slawomir Czarko 2011-11-30 05:38:55 EST
Custom policy I got:

module mycolord 1.0;

require {
	type lib_t;
	type colord_t;
	type file_t;
	type node_t;
	type port_t;
	class tcp_socket { name_connect listen accept node_bind };
	class dir { read search };
	class file execute_no_trans;
}

#============= colord_t ==============
dontaudit colord_t file_t:dir { read search };
dontaudit colord_t lib_t:file execute_no_trans;
dontaudit colord_t node_t:tcp_socket node_bind;
dontaudit colord_t port_t:tcp_socket name_connect;
dontaudit colord_t self:tcp_socket { accept listen };
Comment 12 Daniel Walsh 2011-11-30 12:39:17 EST
Well some of these are old, and should be fixed.  You should not have files  labeled file_t on your system.  Not sure what the lib_t is but I am not worked about it.  THe other stuff is fine.

So remove the lib_t and file_t lines and recompile

# make -f /usr/share/selinux/devel/Makefile
# semodule -i mycolord.pp
Comment 13 Slawomir Czarko 2011-12-01 02:57:47 EST
After removing lib_t and file_t lines I get this:

SELinux is preventing /usr/lib/iscan/network from execute_no_trans access on the file /usr/lib/iscan/network.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that network should be allowed execute_no_trans access on the network file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep network /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:colord_t:s0-s0:c0.c1023
Target Context                system_u:object_r:lib_t:s0
Target Objects                /usr/lib/iscan/network [ file ]
Source                        network
Source Path                   /usr/lib/iscan/network
Port                          <Unknown>
Host                          gaia.garous.net
Source RPM Packages           iscan-network-nt-1.1.0-2
Target RPM Packages           iscan-network-nt-1.1.0-2
Policy RPM                    selinux-policy-3.9.16-44.fc15
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     gaia.garous.net
Platform                      Linux gaia.garous.net 2.6.41.1-1.fc15.i686.PAE #1
                              SMP Fri Nov 11 21:43:42 UTC 2011 i686 i686
Alert Count                   1
First Seen                    Thu 01 Dec 2011 08:53:05 AM CET
Last Seen                     Thu 01 Dec 2011 08:53:05 AM CET
Local ID                      95d8b43f-224e-4f70-b091-476be79f8b05

Raw Audit Messages
type=AVC msg=audit(1322725985.409:20): avc:  denied  { execute_no_trans } for  pid=1315 comm="colord" path="/usr/lib/iscan/network" dev=dm-1 ino=547904 scontext=system_u:system_r:colord_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=file


type=SYSCALL msg=audit(1322725985.409:20): arch=i386 syscall=execve success=yes exit=0 a0=bf868644 a1=bf8675fc a2=bf869cdc a3=1 items=0 ppid=1302 pid=1315 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=network exe=/usr/lib/iscan/network subj=system_u:system_r:colord_t:s0-s0:c0.c1023 key=(null)

Hash: network,colord_t,lib_t,file,execute_no_trans

audit2allow

#============= colord_t ==============
allow colord_t lib_t:file execute_no_trans;

audit2allow -R

#============= colord_t ==============
allow colord_t lib_t:file execute_no_trans;
Comment 14 Miroslav Grepl 2011-12-01 03:35:38 EST
You need to change the label for /usr/lib/iscan/network

# chcon -t bin_t /usr/lib/iscan/network

Is this file executed only in this case of using?
Comment 15 Slawomir Czarko 2011-12-01 03:46:06 EST
(In reply to comment #14)
> You need to change the label for /usr/lib/iscan/network
> 
> # chcon -t bin_t /usr/lib/iscan/network
> 
> Is this file executed only in this case of using?

That fixed it. Thanks. I'm not sure if /usr/lib/iscan/network is executed at any other point. So far I only saw the alerts when logging in.
Comment 16 Gunnar Wagenknecht 2012-03-07 03:13:48 EST
FWIW, I'm also seeing this on a fresh F16 install running in a VMware VM. I did not connect any network printers or scanners.

SELinux is preventing /usr/libexec/colord from name_connect access on the tcp_socket .

*****  Plugin connect_ports (92.2 confidence) suggests  **********************

If you want to allow /usr/libexec/colord to connect to network port 1865
Then you need to modify the port type.
Do
# semanage port -a -t PORT_TYPE -p tcp 1865
    where PORT_TYPE is one of the following: dns_port_t, ipp_port_t.

*****  Plugin catchall_boolean (7.83 confidence) suggests  *******************

If you want to allow colord domain to connect to the network using TCP.
Then you must tell SELinux about this by enabling the 'colord_can_network_connect'boolean.
Do
setsebool -P colord_can_network_connect 1

*****  Plugin catchall (1.41 confidence) suggests  ***************************

If you believe that colord should be allowed name_connect access on the  tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep colord /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:colord_t:s0-s0:c0.c1023
Target Context                system_u:object_r:unreserved_port_t:s0
Target Objects                 [ tcp_socket ]
Source                        colord
Source Path                   /usr/libexec/colord
Port                          1865
Host                          (removed)
Source RPM Packages           colord-0.1.15-2.fc16.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.10.0-75.fc16.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.2.7-1.fc16.x86_64 #1 SMP Tue
                              Feb 21 01:40:47 UTC 2012 x86_64 x86_64
Alert Count                   1
First Seen                    Wed 07 Mar 2012 08:56:58 AM CET
Last Seen                     Wed 07 Mar 2012 08:56:58 AM CET
Local ID                      45833c05-3a3b-4109-a491-5761243921d9

Raw Audit Messages
type=AVC msg=audit(1331107018.986:72): avc:  denied  { name_connect } for  pid=1881 comm="colord" dest=1865 scontext=system_u:system_r:colord_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket


type=SYSCALL msg=audit(1331107018.986:72): arch=x86_64 syscall=connect success=no exit=EACCES a0=11 a1=7fffef6aaf20 a2=10 a3=7fffef6aacb0 items=0 ppid=1 pid=1881 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=colord exe=/usr/libexec/colord subj=system_u:system_r:colord_t:s0-s0:c0.c1023 key=(null)

Hash: colord,colord_t,unreserved_port_t,tcp_socket,name_connect

audit2allow

#============= colord_t ==============
#!!!! This avc can be allowed using the boolean 'colord_can_network_connect'

allow colord_t unreserved_port_t:tcp_socket name_connect;

audit2allow -R

#============= colord_t ==============
#!!!! This avc can be allowed using the boolean 'colord_can_network_connect'

allow colord_t unreserved_port_t:tcp_socket name_connect;
Comment 17 Fedora End Of Life 2012-08-07 16:20:20 EDT
This message is a notice that Fedora 15 is now at end of life. Fedora
has stopped maintaining and issuing updates for Fedora 15. It is
Fedora's policy to close all bug reports from releases that are no
longer maintained. At this time, all open bugs with a Fedora 'version'
of '15' have been closed as WONTFIX.

(Please note: Our normal process is to give advanced warning of this
occurring, but we forgot to do that. A thousand apologies.)

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, feel free to reopen
this bug and simply change the 'version' to a later Fedora version.

Bug Reporter: Thank you for reporting this issue and we are sorry that
we were unable to fix it before Fedora 15 reached end of life. If you
would still like to see this bug fixed and are able to reproduce it
against a later version of Fedora, you are encouraged to click on
"Clone This Bug" (top right of this page) and open it against that
version of Fedora.

Although we aim to fix as many bugs as possible during every release's
lifetime, sometimes those efforts are overtaken by events. Often a
more recent Fedora release includes newer upstream software that fixes
bugs or makes them obsolete.

The process we are following is described here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping