Bug 970789

Summary: SELinux is preventing /usr/libexec/totem-plugin-viewer from 'name_connect' accesses on the tcp_socket .
Product: [Fedora] Fedora Reporter: Jake Jackson <jax6>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED NOTABUG QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 18CC: dominick.grift, dwalsh, mgrepl
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Unspecified   
Whiteboard: abrt_hash:e43ccb947bad824baf3a99281946234361adf535cb29f9397c5f79906ec21cab
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-06-07 08:50:21 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Jake Jackson 2013-06-04 21:42:15 UTC 
Description of problem:
SELinux is preventing /usr/libexec/totem-plugin-viewer from 'name_connect' accesses on the tcp_socket .

*****  Plugin connect_ports (52.5 confidence) suggests  **********************

If you want to allow /usr/libexec/totem-plugin-viewer to connect to network port 182
Then you need to modify the port type.
Do
# semanage port -a -t PORT_TYPE -p tcp 182
    where PORT_TYPE is one of the following: aol_port_t, asterisk_port_t, certmaster_port_t, cluster_port_t, commplex_port_t, couchdb_port_t, cyphesis_port_t, dns_port_t, ephemeral_port_t, flash_port_t, ftp_port_t, gatekeeper_port_t, hadoop_datanode_port_t, hplip_port_t, http_cache_port_t, http_port_t, ipp_port_t, ipsecnat_port_t, ircd_port_t, jabber_client_port_t, jboss_management_port_t, kerberos_port_t, keystone_port_t, matahari_port_t, mmcc_port_t, monopd_port_t, msnp_port_t, ocsp_port_t, port_t, postgrey_port_t, pulseaudio_port_t, soundd_port_t, speech_port_t, squid_port_t, streaming_port_t, tor_socks_port_t, transproxy_port_t, unreserved_port_t, virt_migration_port_t, vnc_port_t.

*****  Plugin mozplugger (39.5 confidence) suggests  *************************

If you want to use the plugin package
Then you must turn off SELinux controls on the Firefox plugins.
Do
# setsebool unconfined_mozilla_plugin_transition 0

*****  Plugin catchall_boolean (4.66 confidence) suggests  *******************

If you want to allow mozilla plugin domain to connect to the network using TCP.
Then you must tell SELinux about this by enabling the 'mozilla_plugin_can_network_connect' boolean.
You can read 'mozilla_selinux' man page for more details.
Do
setsebool -P mozilla_plugin_can_network_connect 1

*****  Plugin catchall_boolean (4.66 confidence) suggests  *******************

If you want to allow system to run with NIS
Then you must tell SELinux about this by enabling the 'nis_enabled' boolean.
You can read 'mozilla_selinux' man page for more details.
Do
setsebool -P nis_enabled 1

*****  Plugin catchall (1.02 confidence) suggests  ***************************

If you believe that totem-plugin-viewer should be allowed name_connect access on the  tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep source:src /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c
                              0.c1023
Target Context                system_u:object_r:reserved_port_t:s0
Target Objects                 [ tcp_socket ]
Source                        source:src
Source Path                   /usr/libexec/totem-plugin-viewer
Port                          182
Host                          (removed)
Source RPM Packages           totem-mozplugin-3.6.3-2.fc18.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.11.1-97.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.9.4-200.fc18.x86_64 #1 SMP Fri
                              May 24 20:10:49 UTC 2013 x86_64 x86_64
Alert Count                   1
First Seen                    2013-06-04 23:41:35 CEST
Last Seen                     2013-06-04 23:41:35 CEST
Local ID                      901b8fa3-4aa5-48dc-873f-31ea9ff862f6

Raw Audit Messages
type=AVC msg=audit(1370382095.111:387): avc:  denied  { name_connect } for  pid=20902 comm="source:src" dest=182 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket


type=SYSCALL msg=audit(1370382095.111:387): arch=x86_64 syscall=connect success=no exit=EACCES a0=17 a1=7f62bd082540 a2=10 a3=3381e05f3a items=0 ppid=1 pid=20902 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 ses=2 tty=(none) comm=source:src exe=/usr/libexec/totem-plugin-viewer subj=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 key=(null)

Hash: source:src,mozilla_plugin_t,reserved_port_t,tcp_socket,name_connect

audit2allow

#============= mozilla_plugin_t ==============
#!!!! This avc can be allowed using one of the these booleans:
#     mozilla_plugin_can_network_connect, nis_enabled

allow mozilla_plugin_t reserved_port_t:tcp_socket name_connect;

audit2allow -R
require {
	type mozilla_plugin_t;
}

#============= mozilla_plugin_t ==============
corenet_tcp_connect_reserved_port(mozilla_plugin_t)


Additional info:
reporter:       libreport-2.1.4
hashmarkername: setroubleshoot
kernel:         3.9.4-200.fc18.x86_64
type:           libreport

Potential duplicate: bug 825417
Comment 1 Miroslav Grepl 2013-06-07 08:50:21 UTC 
You can allow it using

# setsebool -P  mozilla_plugin_can_network_connect 1