Summary: SELinux is preventing npviewer.bin (nsplugin_t) "name_connect" http_cache_port_t. Detailed Description: SELinux denied access requested by npviewer.bin. It is not expected that this access is required by npviewer.bin and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access: You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package. Additional Information: Source Context unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c102 3 Target Context system_u:object_r:http_cache_port_t:s0 Target Objects None [ tcp_socket ] Source npviewer.bin Source Path /usr/lib/nspluginwrapper/npviewer.bin Port 8080 Host ethanol Source RPM Packages nspluginwrapper-1.1.0-11.fc10 Target RPM Packages Policy RPM selinux-policy-3.5.12-2.fc10 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name catchall Host Name ethanol Platform Linux ethanol 2.6.27-13.fc10.i686 #1 SMP Wed Oct 15 02:06:26 EDT 2008 i686 i686 Alert Count 1 First Seen Thu 16 Oct 2008 07:22:23 PM MDT Last Seen Thu 16 Oct 2008 07:22:23 PM MDT Local ID 0e82ec4f-c992-4f3d-ae71-f2a23dd4ffcd Line Numbers Raw Audit Messages node=ethanol type=AVC msg=audit(1224206543.793:461): avc: denied { name_connect } for pid=17093 comm="npviewer.bin" dest=8080 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket node=ethanol type=SYSCALL msg=audit(1224206543.793:461): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=b2304240 a2=1575de8 a3=0 items=0 ppid=3791 pid=17093 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="npviewer.bin" exe="/usr/lib/nspluginwrapper/npviewer.bin" subj=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 key=(null)
Alex, there's a new version of nspluginwrapper since you posted this, did it fix your problem?
Since it is currently allowed to connect to http_ports I guess we can allow it to connect to http_cache_ports You can allow this for now. # audit2allow -M mypol -l -i /var/log/audit/audit.log # semodule -i mypol.pp Fixed in selinux-policy-3.5.13-6.fc10
Chris, I think the nspluginwrapper updates may have fixed the issue as well (but I can't tell). Looking at my SELinux troubleshooter logs, I haven't seen any incidents since 18 October. I know that I've definitely pulled all rawhide updates since then and have continued using my system normally. Sorry for the vague answer, I'll try and take better notes next time (including a reproducer, perhaps).