Bug 1255627 - Typo in suggested semanage command
Summary: Typo in suggested semanage command
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: setroubleshoot-plugins
Version: 7.3
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: rc
Target Release: ---
Assignee: Vit Mojzis
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2015-08-21 08:25 UTC by Alexander Todorov
Modified: 2018-10-30 09:47 UTC (History)

Fixed In Version: setroubleshoot-plugins-3.0.67-1.el7
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-10-30 09:47:43 UTC
Target Upstream Version:
Embargoed:



Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHBA-2018:3101 | 0 | None | None | None | 2018-10-30 09:47:55 UTC

Description Alexander Todorov 2015-08-21 08:25:09 UTC
Description of problem:

I got this hint after a detected SELinux denial:


*****  Plugin bind_ports (50.5 confidence) suggests   ************************

If you want to allow /usr/lib64/firefox/plugin-container to bind to network port 5382
Then you need to modify the port type.
Do
# semanage port -a -t  -p udp 5382



The places of "-p" and "udp" need to be swapped.


Version-Release number of selected component (if applicable):
setroubleshoot-3.2.17-4.1.el7_1.x86_64

How reproducible:
Probably always

Steps to Reproduce:
1. Install bjnplugin_2.100.102.8-1.x86_64.rpm from https://swdl.bluejeans.com/repos/bluejeans/x86_64/release/rpm
2. The GUI SELinux troubleshooter detects a problem.
3. After clicking the UI to see what's wrong, the above proposal is suggested.

Actual results:
typo in suggested semanage command

Expected results:


Additional info:
I have my desktop localized in Bulgarian, but I believe these commands are not translated so this probably affects all languages.

Comment 1 Milos Malik 2015-08-24 10:27:04 UTC
It seems that a SELinux type name was not provided by the setroubleshoot plugin:

# semanage port -a -t  -p udp 5382

Comment 2 Miroslav Grepl 2015-08-25 16:43:41 UTC
Could you attach the AVC denial?

Thank you.

Comment 3 Alexander Todorov 2015-08-26 08:02:20 UTC
Here's everything the setroubleshoot tool gives me. You can find the AVC denial at the bottom.


SELinux is preventing /usr/lib64/firefox/plugin-container from name_bind access on the udp_socket port 5190.

*****  Plugin mozplugger (82.0 confidence) suggests   ************************

If you want to use the plugin package
Then вие трябва да изключите SELinux контрола върху Firefox плъгини.
Do
# setsebool -P unconfined_mozilla_plugin_transition 0

*****  Plugin catchall_boolean (9.19 confidence) suggests   ******************

If искате да allow mozilla to plugin bind unreserved ports
Then you must tell SELinux about this by enabling the 'mozilla_plugin_bind_unreserved_ports' boolean.
Може да прочетете man 'None' за повече информация.
Do
setsebool -P mozilla_plugin_bind_unreserved_ports 1

*****  Plugin catchall_boolean (9.19 confidence) suggests   ******************

If искате да allow mozilla to plugin use bluejeans
Then you must tell SELinux about this by enabling the 'mozilla_plugin_use_bluejeans' boolean.
Може да прочетете man 'None' за повече информация.
Do
setsebool -P mozilla_plugin_use_bluejeans 1

*****  Plugin catchall (1.58 confidence) suggests   **************************

If вярвате, че на plugin-container, по подразбиране,  трябва да е позволен достъп name_bind върху port 5190 udp_socket.
Then вие ще трябва да докладвате този бъг.
Можете да генерирате модул с локална политика за да позволите този достъп.
Do
позволете този достъп засега като изпълните:
# grep plugin-containe /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c
                              0.c1023
Target Context                system_u:object_r:aol_port_t:s0
Target Objects                port 5190 [ udp_socket ]
Source                        plugin-containe
Source Path                   /usr/lib64/firefox/plugin-container
Port                          5190
Host                          aero
Source RPM Packages           firefox-38.2.0-4.el7_1.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-23.el7_1.13.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     aero
Platform                      Linux aero 3.10.0-229.11.1.el7.x86_64 #1 SMP Wed
                              Jul 22 12:06:11 EDT 2015 x86_64 x86_64
Alert Count                   3
First Seen                    2015-08-21 11:16:12 EEST
Last Seen                     2015-08-21 11:16:12 EEST
Local ID                      3cfa5239-d77b-4e28-8346-765f52d35c30

Raw Audit Messages
type=AVC msg=audit(1440144972.253:2182): avc:  denied  { name_bind } for  pid=20404 comm="plugin-containe" src=5190 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:aol_port_t:s0 tclass=udp_socket


type=SYSCALL msg=audit(1440144972.253:2182): arch=x86_64 syscall=bind success=no exit=EACCES a0=26 a1=7f4b5a0fae60 a2=10 a3=1 items=0 ppid=4379 pid=20404 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=1 comm=plugin-containe exe=/usr/lib64/firefox/plugin-container subj=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 key=(null)

Hash: plugin-containe,mozilla_plugin_t,aol_port_t,udp_socket,name_bind
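
An added example, not setroubleshoot's code and not part of the report: it parses the AVC record from Comment 3, builds `semanage port -a` suggestions from it, and lints each one, showing that in the reported command word splitting leaves `-p` as the argument of `-t`. The helper names, the `*_t` naming check and the candidate type `example_port_t` are assumptions made for this example.

```python
import re
import shlex

# AVC record copied from Comment 3 of this report.
AVC = ('type=AVC msg=audit(1440144972.253:2182): avc:  denied  { name_bind } '
       'for  pid=20404 comm="plugin-containe" src=5190 '
       'scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 '
       'tcontext=system_u:object_r:aol_port_t:s0 tclass=udp_socket')

# Assumption for this example: type names follow the usual *_t convention.
TYPE_RE = re.compile(r'^[A-Za-z][A-Za-z0-9_]*_t$')

def parse_avc(line):
    """Extract port, protocol and current port type from a name_bind denial."""
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
    if 'name_bind' not in line or not fields.get('tclass', '').endswith('_socket'):
        raise ValueError('not a name_bind denial on a socket class')
    return {'port': int(fields['src']),
            'proto': fields['tclass'][:-len('_socket')],   # udp_socket -> udp
            'port_type': fields['tcontext'].split(':')[2]}

def lint_semanage_port(cmd):
    """Return a list of problems in a suggested 'semanage port -a' command."""
    argv = shlex.split(cmd.lstrip('# '))
    opts, i = {}, 0
    while i < len(argv):                 # walk options the way getopt would
        if argv[i] in ('-t', '-p') and i + 1 < len(argv):
            opts[argv[i]] = argv[i + 1]  # next token is consumed as the value
            i += 2
        else:
            i += 1
    problems = []
    if not TYPE_RE.match(opts.get('-t', '')):
        problems.append('-t value %r is not a type name' % opts.get('-t'))
    if opts.get('-p') not in ('tcp', 'udp'):
        problems.append('-p value %r is not tcp or udp' % opts.get('-p'))
    return problems

def suggest_from_avc(line, candidate_types):
    """Build one command per candidate type; drop any that fail the lint."""
    f = parse_avc(line)
    cmds = ['semanage port -a -t %s -p %s %d' % (t, f['proto'], f['port'])
            for t in candidate_types]
    return [c for c in cmds if not lint_semanage_port(c)]
```
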

Comment 10 errata-xmlrpc 2018-10-30 09:47:43 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3101

