Bug 873719

Summary: SELinux is preventing /opt/google/talkplugin/GoogleTalkPlugin from 'name_connect' accesses on the tcp_socket .
Product: [Fedora] Fedora
Reporter: bolgrom
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED WONTFIX
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 17
CC: dominick.grift, dwalsh, mgrepl
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Unspecified   
Whiteboard: abrt_hash:a26503f8f131cd5136d08313640663eb6b8f8a37e19346490f01a6babb0c6263
Doc Type: Bug Fix
Last Closed: 2012-11-07 21:25:07 UTC
Attachments:
File: type (flags: none)
File: hashmarkername (flags: none)

Description bolgrom 2012-11-06 14:46:17 UTC
Description of problem:
Google Talk Plugin
allow name_connect get access to tcp_socket


Additional info:
libreport version: 2.0.16
kernel:         3.6.3-1.fc17.x86_64

Comment 1 bolgrom 2012-11-06 14:46:20 UTC
Created attachment 639401
File: type

Comment 2 bolgrom 2012-11-06 14:46:22 UTC
Created attachment 639402
File: hashmarkername

Comment 3 Daniel Walsh 2012-11-06 16:46:41 UTC
*** Bug 873720 has been marked as a duplicate of this bug. ***

Comment 4 Daniel Walsh 2012-11-06 16:47:23 UTC
Could you attach the AVC information?

Comment 5 bolgrom 2012-11-06 17:35:59 UTC
Hello, thank you for dealing with this ticket.
Is this the information you need? I got it from the SELinux window:

Additional Information:
Source Context                unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c
                              0.c1023
Target Context                system_u:object_r:openvpn_port_t:s0
Target Objects                 [ tcp_socket ]
Source                        GoogleTalkPlugi
Source Path                   /opt/google/talkplugin/GoogleTalkPlugin
Port                          1194
Host                          localhost.localdomain
Source RPM Packages           google-talkplugin-3.9.1.0-1.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.10.0-156.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 3.6.3-1.fc17.x86_64 #1
                              SMP Mon Oct 22 15:32:35 UTC 2012 x86_64 x86_64
Alert Count                   1
First Seen                    2012-11-05 20:01:37 CET
Last Seen                     2012-11-05 20:01:37 CET
Local ID                      bc1df1d0-4a24-42e3-af7b-b570cf165929

Raw Audit Messages
type=AVC msg=audit(1352142097.729:395): avc:  denied  { name_connect } for  pid=31242 comm="GoogleTalkPlugi" dest=1194 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:openvpn_port_t:s0 tclass=tcp_socket


type=SYSCALL msg=audit(1352142097.729:395): arch=x86_64 syscall=connect success=no exit=EACCES a0=3a a1=7f880bffcfb0 a2=10 a3=f0 items=0 ppid=1 pid=31242 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=1 comm=GoogleTalkPlugi exe=/opt/google/talkplugin/GoogleTalkPlugin subj=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 key=(null)

Hash: GoogleTalkPlugi,mozilla_plugin_t,openvpn_port_t,tcp_socket,name_connect

audit2allow

#============= mozilla_plugin_t ==============
allow mozilla_plugin_t openvpn_port_t:tcp_socket name_connect;

audit2allow -R

#============= mozilla_plugin_t ==============
allow mozilla_plugin_t openvpn_port_t:tcp_socket name_connect;
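
Added example (not part of the original report, and not setroubleshoot or audit2allow code): a small Python parser that pairs the AVC and SYSCALL records quoted in comment 5 by their shared audit event ID and derives the same rule that `audit2allow` printed. The function names are hypothetical; the two log lines are copied from comment 5.

```python
import re
# The two audit records from comment 5 (same event ID 1352142097.729:395).
AUDIT_LOG = '''type=AVC msg=audit(1352142097.729:395): avc:  denied  { name_connect } for  pid=31242 comm="GoogleTalkPlugi" dest=1194 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:openvpn_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1352142097.729:395): arch=x86_64 syscall=connect success=no exit=EACCES a0=3a a1=7f880bffcfb0 a2=10 a3=f0 items=0 ppid=1 pid=31242 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=1 comm=GoogleTalkPlugi exe=/opt/google/talkplugin/GoogleTalkPlugin subj=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 key=(null)
'''

HEADER = re.compile(r'type=(\w+) msg=audit\((\d+)\.(\d+):(\d+)\):\s*(.*)')
PERMS = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text):
    """Group audit records by (timestamp, serial) so AVC and SYSCALL pair up."""
    events = {}
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue
        rtype, secs, msecs, serial, body = m.groups()
        rec = {k: v.strip('"') for k, v in FIELD.findall(body)}
        if rtype == 'AVC':
            p = PERMS.search(body)
            if not p:
                continue  # malformed AVC record: skip rather than guess
            rec['result'], rec['perms'] = p.group(1), p.group(2).split()
        events.setdefault((f'{secs}.{msecs}', serial), {})[rtype] = rec
    return events

def selinux_type(context):
    """user:role:type:level -> type (the MLS level may itself contain colons)."""
    return context.split(':')[2]

def allow_rule(avc):
    perms = avc['perms']
    perm_txt = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return (f"allow {selinux_type(avc['scontext'])} "
            f"{selinux_type(avc['tcontext'])}:{avc['tclass']} {perm_txt};")

def summarize(text):
    out = []  # one entry per denied event, with the syscall that triggered it
    for (stamp, serial), recs in sorted(parse_events(text).items()):
        avc, sc = recs.get('AVC'), recs.get('SYSCALL', {})
        if not avc or avc['result'] != 'denied':
            continue
        out.append({'event': f'{stamp}:{serial}', 'exe': sc.get('exe'),
                    'syscall': sc.get('syscall'), 'exit': sc.get('exit'),
                    'dest_port': int(avc['dest']) if 'dest' in avc else None,
                    'rule': allow_rule(avc)})
    return out
```

`summarize(AUDIT_LOG)` returns one entry tying the failed `connect` from `/opt/google/talkplugin/GoogleTalkPlugin` to destination port 1194, which is the detail a reviewer needs before deciding whether the derived rule should be loaded at all.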

Comment 6 bolgrom 2012-11-06 17:37:36 UTC
(In reply to comment #4)
> Could you attach the AVC information?

I hit "Reply" so that you could see that I posted a comment.

Comment 7 Daniel Walsh 2012-11-06 18:35:58 UTC
Did GoogleTalk work properly? I.e., other than this AVC showing up, did you notice any problems?

Comment 8 bolgrom 2012-11-06 19:42:10 UTC
(In reply to comment #7)
> Did GoogleTalk work properly? I.e., other than this AVC showing up, did you
> notice any problems?

Google Talk works properly, although sometimes there is no sound. In this case I go to chat settings and change sound settings from analog speakers to standard and back to analog speakers, and then it works. But it occurs only from time to time. And it doesn't work properly with Empathy, only on the website.

Comment 9 Miroslav Grepl 2012-11-07 12:11:50 UTC
Are you able to re-create this AVC?

Comment 10 bolgrom 2012-11-07 19:33:27 UTC
(In reply to comment #9)
> Are you able to re-create this AVC?

Sorry, I don't know how to do this.

Comment 11 Daniel Walsh 2012-11-07 20:17:51 UTC
Can you get the error to happen again?

Comment 12 bolgrom 2012-11-07 20:43:30 UTC
No, I tried videochat in GMail, Google+ and Empathy, but it didn't happen. Although the quality of video and sound in Empathy was worse and video went on and off.
But I couldn't make the bug happen again. Can it be because the kernel was updated?

Comment 13 Daniel Walsh 2012-11-07 21:25:07 UTC
No, most likely you went to a web site that triggered a connection to TCP port 1194. I am going to close this and see if it happens again to another user. This port is usually used for VPNs, so I am not anxious to open it up.