Bug 1255627 - Typo in suggested semanage command
Status: ON_QA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: setroubleshoot-plugins
Version: 7.3
Hardware: All Linux
Priority: low
Severity: low
Target Milestone: rc
Assigned To: Vit Mojzis
QA Contact: Milos Malik
Reported: 2015-08-21 04:25 EDT by Alexander Todorov
Modified: 2018-05-16 06:47 EDT
Fixed In Version: setroubleshoot-plugins-3.0.67-1.el7
Type: Bug


Description Alexander Todorov 2015-08-21 04:25:09 EDT
Description of problem:

I got this hint after a detected SELinux denial:


*****  Plugin bind_ports (50.5 confidence) suggests   ************************

If you want to allow /usr/lib64/firefox/plugin-container to bind to network port 5382
Then you need to modify the port type.
Do
# semanage port -a -t  -p udp 5382



The places of "-p" and "udp" need to be swapped.


Version-Release number of selected component (if applicable):
setroubleshoot-3.2.17-4.1.el7_1.x86_64

How reproducible:
Probably always

Steps to Reproduce:
1. Install bjnplugin_2.100.102.8-1.x86_64.rpm from https://swdl.bluejeans.com/repos/bluejeans/x86_64/release/rpm
2. The GUI SELinux troubleshooter detects a problem.
3. After clicking the UI to see what's wrong, the above proposal is suggested.

Actual results:
typo in suggested semanage command

Expected results:


Additional info:
I have my desktop localized in Bulgarian, but I believe these commands are not translated so this probably affects all languages.
Comment 1 Milos Malik 2015-08-24 06:27:04 EDT
It seems that a SELinux type name was not provided by the setroubleshoot plugin:

# semanage port -a -t  -p udp 5382
Comment 2 Miroslav Grepl 2015-08-25 12:43:41 EDT
Could you attach AVC denial?

Thank you.
Comment 3 Alexander Todorov 2015-08-26 04:02:20 EDT
Here's everything the setroubleshoot tool gives me. You can find the AVC denial at the bottom.


SELinux is preventing /usr/lib64/firefox/plugin-container from name_bind access on the udp_socket port 5190.

*****  Plugin mozplugger (82.0 confidence) suggests   ************************

If you want to use the plugin package
Then вие трябва да изключите SELinux контрола върху Firefox плъгини.
Do
# setsebool -P unconfined_mozilla_plugin_transition 0

*****  Plugin catchall_boolean (9.19 confidence) suggests   ******************

If искате да allow mozilla to plugin bind unreserved ports
Then you must tell SELinux about this by enabling the 'mozilla_plugin_bind_unreserved_ports' boolean.
Може да прочетете man 'None' за повече информация.
Do
setsebool -P mozilla_plugin_bind_unreserved_ports 1

*****  Plugin catchall_boolean (9.19 confidence) suggests   ******************

If искате да allow mozilla to plugin use bluejeans
Then you must tell SELinux about this by enabling the 'mozilla_plugin_use_bluejeans' boolean.
Може да прочетете man 'None' за повече информация.
Do
setsebool -P mozilla_plugin_use_bluejeans 1

*****  Plugin catchall (1.58 confidence) suggests   **************************

If вярвате, че на plugin-container, по подразбиране,  трябва да е позволен достъп name_bind върху port 5190 udp_socket.
Then вие ще трябва да докладвате този бъг.
Можете да генерирате модул с локална политика за да позволите този достъп.
Do
позволете този достъп засега като изпълните:
# grep plugin-containe /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c
                              0.c1023
Target Context                system_u:object_r:aol_port_t:s0
Target Objects                port 5190 [ udp_socket ]
Source                        plugin-containe
Source Path                   /usr/lib64/firefox/plugin-container
Port                          5190
Host                          aero
Source RPM Packages           firefox-38.2.0-4.el7_1.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-23.el7_1.13.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     aero
Platform                      Linux aero 3.10.0-229.11.1.el7.x86_64 #1 SMP Wed
                              Jul 22 12:06:11 EDT 2015 x86_64 x86_64
Alert Count                   3
First Seen                    2015-08-21 11:16:12 EEST
Last Seen                     2015-08-21 11:16:12 EEST
Local ID                      3cfa5239-d77b-4e28-8346-765f52d35c30

Raw Audit Messages
type=AVC msg=audit(1440144972.253:2182): avc:  denied  { name_bind } for  pid=20404 comm="plugin-containe" src=5190 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:aol_port_t:s0 tclass=udp_socket


type=SYSCALL msg=audit(1440144972.253:2182): arch=x86_64 syscall=bind success=no exit=EACCES a0=26 a1=7f4b5a0fae60 a2=10 a3=1 items=0 ppid=4379 pid=20404 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=1 comm=plugin-containe exe=/usr/lib64/firefox/plugin-container subj=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 key=(null)

Hash: plugin-containe,mozilla_plugin_t,aol_port_t,udp_socket,name_bind
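
Added example (not part of the original report and not setroubleshoot's own code): Python that parses the name_bind AVC record from comment 3 and builds the semanage port argument list, refusing the empty -t argument noted in comment 1. The function names and the port type example_port_t are hypothetical; the type a domain is allowed to bind to has to come from the loaded policy.

```python
import re
import shlex

# AVC record copied from comment 3 of this report.
AVC = ('type=AVC msg=audit(1440144972.253:2182): avc:  denied  { name_bind } '
       'for  pid=20404 comm="plugin-containe" src=5190 '
       'scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 '
       'tcontext=system_u:object_r:aol_port_t:s0 tclass=udp_socket')

PROTO_BY_CLASS = {"udp_socket": "udp", "tcp_socket": "tcp"}
TYPE_RE = re.compile(r"[A-Za-z][A-Za-z0-9_]*\Z")


def parse_name_bind(record):
    """Return (protocol, port, source domain, current port type) of a name_bind denial."""
    perms = re.search(r"\{([^}]*)\}", record)
    if not perms or "name_bind" not in perms.group(1).split():
        raise ValueError("not a name_bind denial")
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', record))
    proto = PROTO_BY_CLASS.get(fields.get("tclass"))
    if proto is None:
        raise ValueError("unsupported tclass: %r" % fields.get("tclass"))
    domain = fields["scontext"].split(":")[2]
    port_type = fields["tcontext"].split(":")[2]
    return proto, int(fields["src"]), domain, port_type


def semanage_port_cmd(port_type, proto, port):
    """Build the 'semanage port -a' argv; refuse the empty -t argument seen in this bug."""
    if not port_type or not TYPE_RE.match(port_type):
        raise ValueError("missing or malformed SELinux port type: %r" % (port_type,))
    if proto not in ("tcp", "udp") or not 0 < port < 65536:
        raise ValueError("bad protocol or port: %r %r" % (proto, port))
    return ["semanage", "port", "-a", "-t", port_type, "-p", proto, str(port)]


if __name__ == "__main__":
    proto, port, domain, current = parse_name_bind(AVC)
    print("%s denied name_bind on %s/%d (labeled %s)" % (domain, proto, port, current))
    # example_port_t is a placeholder; the real type must come from the loaded policy.
    print("# " + " ".join(map(shlex.quote, semanage_port_cmd("example_port_t", proto, port))))
    try:
        semanage_port_cmd("", proto, port)  # what the plugin effectively emitted
    except ValueError as err:
        print("rejected:", err)
```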
