Bug 1285425 - SELinux is preventing /usr/bin/perl from name_connect
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 22
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Assigned To: Vit Mojzis
QA Contact: Fedora Extras Quality Assurance
Reported: 2015-11-25 09:55 EST by dan
Modified: 2016-05-10 13:57 EDT
Fixed In Version: selinux-policy-3.13.1-128.23.fc22 selinux-policy-3.13.1-128.28.fc22
Doc Type: Bug Fix
Last Closed: 2016-05-10 13:57:28 EDT
Type: Bug
Description dan 2015-11-25 09:55:31 EST
Description of problem:

/usr/bin/perl is being denied name_connect on unreserved tcp sockets.

How reproducible:

Always reproducible.

Steps to Reproduce:

Using the ClamAV.pm Perl module called by SpamAssassin, any attempt to scan a message triggers this error. Setting the spamd process domain to permissive allows the connect to proceed.

xref bug #1248785
Comment 2 Vit Mojzis 2015-11-26 02:47:15 EST
Since you are using a custom configuration, could you please provide the related AVCs in permissive mode?

# setenforce 0
<reproduce the issue>
# ausearch -m avc -ts recent
<or /var/log/audit/audit.log>
# setenforce 1
Comment 3 dan 2015-11-26 11:57:24 EST
Updated to properly show that it is /usr/bin/perl being denied the name_connect.
Comment 4 dan 2015-11-26 12:03:14 EST
Here is an example:

Raw Audit Messages
type=AVC msg=audit(1448557215.888:6073): avc:  denied  { name_connect } for  pid=3498 comm=7370616D64206368696C64 dest=1948 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1


type=SYSCALL msg=audit(1448557215.888:6073): arch=x86_64 syscall=connect success=no exit=EINPROGRESS a0=b a1=6650150 a2=10 a3=f50 items=0 ppid=18216 pid=3498 auid=4294967295 uid=401 gid=401 euid=401 suid=401 fsuid=401 egid=401 sgid=401 fsgid=401 tty=(none) ses=4294967295 comm=7370616D64206368696C64 exe=/usr/bin/perl subj=system_u:system_r:spamd_t:s0 key=(null)

Hash: 7370616D64206368696C64,spamd_t,unreserved_port_t,tcp_socket,name_connect
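Added example, not part of the original bug report or of the selinux-policy project: a Python parser for the AVC record in comment 4 that decodes the hex-encoded comm field, records whether the denial was actually enforced, and prints the matching type-enforcement rule in the form audit2allow emits. The function names are hypothetical, and the record is copied from the comment above.

```python
import re

# AVC record copied from comment 4 of this bug (AVC line only).
AVC = (
    "type=AVC msg=audit(1448557215.888:6073): avc:  denied  { name_connect } "
    "for  pid=3498 comm=7370616D64206368696C64 dest=1948 "
    "scontext=system_u:system_r:spamd_t:s0 "
    "tcontext=system_u:object_r:unreserved_port_t:s0 "
    "tclass=tcp_socket permissive=1"
)

def decode_untrusted(value):
    """auditd writes strings that contain spaces or control bytes as bare hex
    and double-quotes ordinary ones. Assumption: an unquoted, even-length,
    all-hex value is the encoded form."""
    if value.startswith('"'):
        return value.strip('"')
    if len(value) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", value):
        return bytes.fromhex(value).decode("utf-8", errors="replace")
    return value

def parse_avc(line):
    m = re.search(r"avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)", line)
    if not m:
        raise ValueError("not an AVC record")
    fields = dict(kv.split("=", 1) for kv in m.group(3).split() if "=" in kv)
    return {
        "result": m.group(1),
        "perms": m.group(2).split(),
        "comm": decode_untrusted(fields.get("comm", "")),
        "dest": int(fields["dest"]) if "dest" in fields else None,
        # A context is user:role:type:level; the type is the third field.
        "source_type": fields["scontext"].split(":")[2],
        "target_type": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        # permissive=1 means the access was logged but not blocked.
        "enforced": fields.get("permissive", "0") == "0",
    }

def te_rule(rec):
    """Render the denial as a raw allow rule (audit2allow output form)."""
    perms = rec["perms"]
    p = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {rec['source_type']} {rec['target_type']}:{rec['tclass']} {p};"

if __name__ == "__main__":
    rec = parse_avc(AVC)
    print(rec["comm"], rec["dest"], "enforced" if rec["enforced"] else "permissive")
    print(te_rule(rec))
```

Because the record carries permissive=1, the connect was not blocked, which is why the accompanying SYSCALL record shows EINPROGRESS (a non-blocking connect in progress) rather than a permission error.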
Comment 5 Vit Mojzis 2015-12-09 11:47:56 EST
    
commit cdfb8f857496356e08af0f06bacea652ef98630b
Author: Vit Mojzis <vmojzis@redhat.com>
Date:   Wed Dec 9 17:25:43 2015 +0100

    Allow spamd_t connecting to unreserved ports. #1285425
    Necessary for communication with antivirus. viz. #1248785


https://github.com/fedora-selinux/selinux-policy/pull/80
Comment 6 Fedora Update System 2016-01-18 08:20:23 EST
selinux-policy-3.13.1-128.25.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2016-825869e1a4
Comment 7 Fedora Update System 2016-01-19 22:53:40 EST
selinux-policy-3.13.1-128.25.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-825869e1a4
Comment 8 Fedora Update System 2016-02-15 12:47:23 EST
selinux-policy-3.13.1-128.27.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2016-ce419c9cab
Comment 9 Fedora Update System 2016-02-17 01:26:27 EST
selinux-policy-3.13.1-128.27.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-ce419c9cab
Comment 10 Fedora Update System 2016-02-18 07:28:22 EST
selinux-policy-3.13.1-128.28.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2016-ce419c9cab
Comment 11 Fedora Update System 2016-02-21 13:29:21 EST
selinux-policy-3.13.1-128.28.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-ce419c9cab
Comment 12 Fedora Update System 2016-05-10 13:56:07 EDT
selinux-policy-3.13.1-128.28.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
