Bug 1003236 - SELinux is preventing /usr/bin/polipo from 'name_connect' accesses on the tcp_socket .
SELinux is preventing /usr/bin/polipo from 'name_connect' accesses on the tcp...
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
18
i686 Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Lukas Vrabec
Fedora Extras Quality Assurance
abrt_hash:e1a3b68a511ca213f34827b7cb1...
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2013-09-01 04:23 EDT by vikram goyal
Modified: 2013-09-22 20:43 EDT (History)
4 users (show)

See Also:
Fixed In Version: selinux-policy-3.11.1-103.fc18
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-09-22 20:43:05 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description vikram goyal 2013-09-01 04:23:02 EDT
Description of problem:
Hi,

I configured Privoxy -> Polipo -> TOR on my system.

Polipo needs to resolve hostnames etc & for that it needs these permissions by default.

SELinux is preventing /usr/bin/polipo from 'name_connect' accesses on the tcp_socket .

*****  Plugin catchall_boolean (89.3 confidence) suggests  *******************

If you want to allow polipo to connect to all ports > 1023
Then you must tell SELinux about this by enabling the 'polipo_connect_all_unreserved' boolean.
You can read 'tor_selinux' man page for more details.
Do
setsebool -P polipo_connect_all_unreserved 1

*****  Plugin catchall (11.6 confidence) suggests  ***************************

If you believe that polipo should be allowed name_connect access on the  tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep polipo /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:polipo_t:s0
Target Context                system_u:object_r:tor_socks_port_t:s0
Target Objects                 [ tcp_socket ]
Source                        polipo
Source Path                   /usr/bin/polipo
Port                          9050
Host                          (removed)
Source RPM Packages           polipo-1.0.4.1-9.fc18.i686
Target RPM Packages           
Policy RPM                    selinux-policy-3.11.1-100.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 3.10.9-100.fc18.i686 #1 SMP Wed
                              Aug 21 18:49:36 UTC 2013 i686 i686
Alert Count                   1
First Seen                    2013-09-01 13:48:44 IST
Last Seen                     2013-09-01 13:48:44 IST
Local ID                      cb614b43-970f-4f15-bc4b-c789b2362564

Raw Audit Messages
type=AVC msg=audit(1378023524.267:502): avc:  denied  { name_connect } for  pid=19750 comm="polipo" dest=9050 scontext=system_u:system_r:polipo_t:s0 tcontext=system_u:object_r:tor_socks_port_t:s0 tclass=tcp_socket


type=SYSCALL msg=audit(1378023524.267:502): arch=i386 syscall=socketcall success=no exit=EINPROGRESS a0=3 a1=bff28c10 a2=976aa50 a3=97697e8 items=0 ppid=1 pid=19750 auid=4294967295 uid=986 gid=984 euid=986 suid=986 fsuid=986 egid=984 sgid=984 fsgid=984 ses=4294967295 tty=(none) comm=polipo exe=/usr/bin/polipo subj=system_u:system_r:polipo_t:s0 key=(null)

Hash: polipo,polipo_t,tor_socks_port_t,tcp_socket,name_connect

audit2allow

#============= polipo_t ==============
#!!!! This avc can be allowed using the boolean 'polipo_connect_all_unreserved'

allow polipo_t tor_socks_port_t:tcp_socket name_connect;

audit2allow -R
require {
	type polipo_t;
}

#============= polipo_t ==============
corenet_tcp_connect_tor_socks_port(polipo_t)


Additional info:
reporter:       libreport-2.1.6
hashmarkername: setroubleshoot
kernel:         3.10.9-100.fc18.i686
type:           libreport

Potential duplicate: bug 841985
Comment 1 Lukas Vrabec 2013-09-02 06:52:11 EDT
Hi Vikram, 

You could turn on Boolean, while we close this bug.

setsebool -P polipo_connect_all_unreserved 1
Comment 2 vikram goyal 2013-09-02 11:26:27 EDT
Hello,

I did that but there also was a suggestion to create a local policy, which I did  & loaded it judiciously:) The local policy thus generated is as under. Posting it below for your reference.

Also, I was wondering if, isn't it better that polipo should be restricted to DNS port only rather than all ports below 1023. Just an inquisitiveness, I'm not an expert though. Thanks.


[root@vikram ~]# cat /etc/polipo/mypol.te 

module mypol 1.0;

require {
        type net_conf_t;
        type chrome_sandbox_t;
        type tor_socks_port_t;
        type user_home_dir_t;
        type ladvd_t;
        type sysfs_t;
        type var_lock_t;
        type bin_t;
        type apcupsd_t;
        type sysctl_net_t;
        type polipo_t;
        type var_run_t;
        class process { signal setcap };
        class capability { net_admin setpcap };
        class tcp_socket name_connect;
        class file { read create open execute };
        class sock_file create;
        class udp_socket connect;
}

#============= apcupsd_t ==============
allow apcupsd_t var_lock_t:file read;

#============= chrome_sandbox_t ==============
allow chrome_sandbox_t user_home_dir_t:file create;

#============= ladvd_t ==============
allow ladvd_t bin_t:file execute;
allow ladvd_t net_conf_t:file open;
allow ladvd_t self:capability { net_admin setpcap };
allow ladvd_t self:process { signal setcap };
allow ladvd_t self:udp_socket connect;
allow ladvd_t sysctl_net_t:file open;
allow ladvd_t sysfs_t:file open;
allow ladvd_t var_run_t:sock_file create;

#============= polipo_t ==============
#!!!! This avc is allowed in the current policy

allow polipo_t tor_socks_port_t:tcp_socket name_connect;
Comment 3 Lukas Vrabec 2013-09-02 14:21:16 EDT
Thank you Vikram for your help but we have found solution how fix this bug. :)
Comment 5 Fedora Update System 2013-09-10 07:16:23 EDT
selinux-policy-3.11.1-103.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-103.fc18
Comment 6 Fedora Update System 2013-09-10 21:57:02 EDT
Package selinux-policy-3.11.1-103.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-103.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-16344/selinux-policy-3.11.1-103.fc18
then log in and leave karma (feedback).
Comment 7 Fedora Update System 2013-09-22 20:43:05 EDT
selinux-policy-3.11.1-103.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.