Bug 1285425 - SELinux is preventing /usr/bin/perl from name_connect
Summary: SELinux is preventing /usr/bin/perl from name_connect
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 22
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Vit Mojzis
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2015-11-25 14:55 UTC by dan
Modified: 2016-05-10 17:57 UTC (History)

Fixed In Version: selinux-policy-3.13.1-128.23.fc22 selinux-policy-3.13.1-128.28.fc22
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-05-10 17:57:28 UTC



Description dan 2015-11-25 14:55:31 UTC
Description of problem:

/usr/bin/perl is being denied name_connect on unreserved tcp sockets.

How reproducible:

Always reproducible.

Steps to Reproduce:

Using the ClamAV.pm perl module called by spamassassin, any attempt to scan a message triggers this error.  Setting the spamd process domain to permissive allows the connect to proceed.

xref bug #1248785

Comment 2 Vit Mojzis 2015-11-26 07:47:15 UTC
Since you are using custom configuration, could you please provide related AVCs in permissive mode?

# setenforce 0
<reproduce the issue>
# ausearch -m avc -ts recent
<or /var/log/audit/audit.log>
# setenforce 1

Comment 3 dan 2015-11-26 16:57:24 UTC
Updated to properly show that it is /usr/bin/perl being denied the name_connect.

Comment 4 dan 2015-11-26 17:03:14 UTC
Here is an example:

Raw Audit Messages
type=AVC msg=audit(1448557215.888:6073): avc:  denied  { name_connect } for  pid=3498 comm=7370616D64206368696C64 dest=1948 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1


type=SYSCALL msg=audit(1448557215.888:6073): arch=x86_64 syscall=connect success=no exit=EINPROGRESS a0=b a1=6650150 a2=10 a3=f50 items=0 ppid=18216 pid=3498 auid=4294967295 uid=401 gid=401 euid=401 suid=401 fsuid=401 egid=401 sgid=401 fsgid=401 tty=(none) ses=4294967295 comm=7370616D64206368696C64 exe=/usr/bin/perl subj=system_u:system_r:spamd_t:s0 key=(null)

Hash: 7370616D64206368696C64,spamd_t,unreserved_port_t,tcp_socket,name_connect
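
Reading the two records in comment 4 by hand means decoding the hex-encoded comm value and matching the AVC to its SYSCALL record through the shared audit serial, which is how the denial is tied to /usr/bin/perl. The Python below is an added example, not part of the bug report or of the audit tools; the names decode_comm and correlate are assumptions, and the sample input is the pair of records from comment 4 with the SYSCALL record trimmed.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the records from comment 4, SYSCALL trimmed to the fields used here.
SAMPLE = """\
type=AVC msg=audit(1448557215.888:6073): avc:  denied  { name_connect } for  pid=3498 comm=7370616D64206368696C64 dest=1948 scontext=system_u:system_r:spamd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1
type=SYSCALL msg=audit(1448557215.888:6073): arch=x86_64 syscall=connect success=no exit=EINPROGRESS pid=3498 uid=401 comm=7370616D64206368696C64 exe=/usr/bin/perl subj=system_u:system_r:spamd_t:s0 key=(null)
"""

HEADER = re.compile(r"type=(\w+) msg=audit\((\d+)\.\d+:(\d+)\):")
FIELD = re.compile(r"(\w+)=(\S+)")
PERMS = re.compile(r"\{ ([^}]*) \}")

def decode_comm(value):
    """Quoted values are literal; unquoted ones are hex when they held spaces or control bytes."""
    if value.startswith('"'):
        return value.strip('"')
    try:
        return bytes.fromhex(value).decode("utf-8", "replace")
    except ValueError:
        # Not hex (for example already-interpreted output): keep as written.
        return value

def correlate(log_text):
    """Group records by audit serial and merge each AVC with its SYSCALL record."""
    events = {}
    for line in log_text.splitlines():
        head = HEADER.match(line)
        if not head:
            continue
        rtype, epoch, serial = head.groups()
        rec = dict(FIELD.findall(line[head.end():]))
        when = datetime.fromtimestamp(int(epoch), timezone.utc)
        ev = events.setdefault(serial, {"time": when})
        if rtype == "AVC":
            perms = PERMS.search(line)
            ev.update(perms=perms.group(1).split() if perms else [],
                      source=rec["scontext"].split(":")[2],
                      target=rec["tcontext"].split(":")[2],
                      tclass=rec["tclass"], port=rec.get("dest"),
                      comm=decode_comm(rec["comm"]),
                      enforced=rec.get("permissive") == "0")
        elif rtype == "SYSCALL":
            ev.update(exe=rec.get("exe", "").strip('"'), syscall=rec.get("syscall"))
    return [ev for ev in events.values() if "perms" in ev]

if __name__ == "__main__":
    for ev in correlate(SAMPLE):
        print(ev)
```

For the sample, comm decodes to "spamd child" and enforced is False because the record was logged with permissive=1, so the connect was allowed and only audited.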

Comment 5 Vit Mojzis 2015-12-09 16:47:56 UTC
    
commit cdfb8f857496356e08af0f06bacea652ef98630b
Author: Vit Mojzis <vmojzis@redhat.com>
Date:   Wed Dec 9 17:25:43 2015 +0100

    Allow spamd_t connecting to unreserved ports. #1285425
    Necessary for communication with antivirus. viz. #1248785


https://github.com/fedora-selinux/selinux-policy/pull/80

Comment 6 Fedora Update System 2016-01-18 13:20:23 UTC
selinux-policy-3.13.1-128.25.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2016-825869e1a4

Comment 7 Fedora Update System 2016-01-20 03:53:40 UTC
selinux-policy-3.13.1-128.25.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-825869e1a4

Comment 8 Fedora Update System 2016-02-15 17:47:23 UTC
selinux-policy-3.13.1-128.27.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2016-ce419c9cab

Comment 9 Fedora Update System 2016-02-17 06:26:27 UTC
selinux-policy-3.13.1-128.27.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-ce419c9cab

Comment 10 Fedora Update System 2016-02-18 12:28:22 UTC
selinux-policy-3.13.1-128.28.fc22 has been submitted as an update to Fedora 22. https://bodhi.fedoraproject.org/updates/FEDORA-2016-ce419c9cab

Comment 11 Fedora Update System 2016-02-21 18:29:21 UTC
selinux-policy-3.13.1-128.28.fc22 has been pushed to the Fedora 22 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-ce419c9cab

Comment 12 Fedora Update System 2016-05-10 17:56:07 UTC
selinux-policy-3.13.1-128.28.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

