Bug 841985

Summary: SELinux is preventing /usr/bin/polipo from 'name_connect' accesses on the tcp_socket .
Product: [Fedora] Fedora Reporter: Michael S. <misc>
Component: setroubleshoot-pluginsAssignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 17CC: dominick.grift, dwalsh, jdennis, mgrepl, paulo.fidalgo.pt
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Unspecified   
Whiteboard: abrt_hash:e1a3b68a511ca213f34827b7cb1fb4c631dd0e8aa60bda4392d6a1feb547fdc2
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-01-14 11:07:25 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Michael S. 2012-07-20 19:04:33 UTC 
libreport version: 2.0.10
executable:     /usr/bin/python2.7
hashmarkername: setroubleshoot
kernel:         3.4.5-2.fc17.x86_64
time:           ven. 20 juil. 2012 21:02:12 CEST

description:
:SELinux is preventing /usr/bin/polipo from 'name_connect' accesses on the tcp_socket .
:
:*****  Plugin catchall_boolean (89.3 confidence) suggests  *******************
:
:If you want to allow polipo to connect to all ports > 1023
:Then you must tell SELinux about this by enabling the 'polipo_connect_all_unreserved' boolean.You can read 'tor_selinux' man page for more details.
:Do
:setsebool -P polipo_connect_all_unreserved 1
:
:*****  Plugin catchall (11.6 confidence) suggests  ***************************
:
:If you believe that polipo should be allowed name_connect access on the  tcp_socket by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep polipo /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                system_u:system_r:polipo_t:s0
:Target Context                system_u:object_r:tor_socks_port_t:s0
:Target Objects                 [ tcp_socket ]
:Source                        polipo
:Source Path                   /usr/bin/polipo
:Port                          9050
:Host                          (removed)
:Source RPM Packages           polipo-1.0.4.1-7.fc17.x86_64
:Target RPM Packages           
:Policy RPM                    selinux-policy-3.10.0-140.fc17.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed) 3.4.5-2.fc17.x86_64
:                              #1 SMP Mon Jul 16 20:52:08 UTC 2012 x86_64 x86_64
:Alert Count                   1
:First Seen                    ven. 20 juil. 2012 21:01:07 CEST
:Last Seen                     ven. 20 juil. 2012 21:01:07 CEST
:Local ID                      b66d665a-12a9-468b-8b99-8ee6f2655b2a
:
:Raw Audit Messages
:type=AVC msg=audit(1342810867.420:158): avc:  denied  { name_connect } for  pid=5175 comm="polipo" dest=9050 scontext=system_u:system_r:polipo_t:s0 tcontext=system_u:object_r:tor_socks_port_t:s0 tclass=tcp_socket
:
:
:type=SYSCALL msg=audit(1342810867.420:158): arch=x86_64 syscall=connect success=no exit=EACCES a0=2 a1=7fff9ed7d000 a2=10 a3=7fff9ed7cd90 items=0 ppid=1 pid=5175 auid=4294967295 uid=104 gid=487 euid=104 suid=104 fsuid=104 egid=487 sgid=487 fsgid=487 tty=(none) ses=4294967295 comm=polipo exe=/usr/bin/polipo subj=system_u:system_r:polipo_t:s0 key=(null)
:
:Hash: polipo,polipo_t,tor_socks_port_t,tcp_socket,name_connect
:
:audit2allowunable to open /sys/fs/selinux/policy:  Permission denied
:
:
:audit2allow -Runable to open /sys/fs/selinux/policy:  Permission denied
:
:
Comment 1 Daniel Walsh 2012-07-20 21:23:48 UTC 
Is this a default setup?  Should polipo be allowed to connect to port 9050 out of the box, or is this a locak customization.

Looks like there is a boolean to allow this access..

setsebool -P polipo_connect_all_unreserved 1
Comment 2 Michael S. 2012-07-20 23:56:54 UTC 
That's not the default setup, I have added the part to connect to socks in polipo config ( following the man pages, but all result of "tor polipo" on the web give the same instruction like this one https://wiki.archlinux.org/index.php/Polipo#Tor ). 

For tor, that's the default setup And that's the default port of tor ( despites what tor_selinux say about it being another one ). 


I didn't see the message about man tor_selinux in the assistant ( shame on me, I directly read the AVC :/ ), but this seems incorrect ( ie, that should be polipo_selinux, not tor_selinux ).

I do not know if my usage is common enough to warrant poking a hole in selinux policy, but i think letting polipo_t open a socket to tor_socks_port_t would not cause lots of problem. Probability that someone run tor in the default configuration and run polipo at the same time and not wanting them to communicate is pretty low, IMHO.
Comment 3 Daniel Walsh 2012-07-23 14:35:40 UTC 
Turn on the boolean and I will fix the man page.
Comment 4 Miroslav Grepl 2012-07-24 10:56:14 UTC 
It loosk more as setroubleshoot-plugins bug.
Comment 6 Miroslav Grepl 2013-01-14 11:07:25 UTC 
I believe it has been fixed in F17.
Comment 7 Paulo Fidalgo 2013-03-30 21:04:43 UTC 
I still see this error message in F18.
Comment 8 Daniel Walsh 2013-04-01 13:26:39 UTC 
Paulo please attach your avc messages.
Comment 9 Paulo Fidalgo 2013-07-24 16:07:56 UTC 
I've switched to privoxy and installed polipo again, and can't see this error anymore.