Bug 475918 - SELinux errors on npviewer.bin port 2505
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 10
Hardware: i686
OS: Linux
Priority: low
Severity: medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2008-12-11 04:30 UTC by Rick Chu
Modified: 2009-01-08 18:36 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-01-08 18:36:52 UTC
Type: ---
Embargoed:



Description Rick Chu 2008-12-11 04:30:29 UTC
Description of problem:
SELinux is preventing the npviewer.bin(nsplugin_t) from connecting to port 2505.

Version-Release number of selected component (if applicable):
Adobe flash  10.0.12.36

How reproducible:
The setroubleshoot browser shows a count of 4; however, I'm not sure how to reproduce the error.

Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info: Taken from setroubleshoot browser:
Source Context:  unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023
Target Context:  system_u:object_r:port_t:s0
Target Objects:  None [ tcp_socket ]
Source:  npviewer.bin
Source Path:  /usr/lib/nspluginwrapper/npviewer.bin
Port:  2505
Host:  mercury
Source RPM Packages:  nspluginwrapper-1.1.2-4.fc10
Target RPM Packages:  
Policy RPM:  selinux-policy-3.5.13-26.fc10
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Enforcing
Plugin Name:  connect_ports
Host Name:  mercury
Platform:  Linux mercury 2.6.27.7-134.fc10.i686 #1 SMP Mon Dec 1 22:42:50 EST 2008 i686 i686
Alert Count:  4
First Seen:  Wed 10 Dec 2008 02:39:05 PM EST
Last Seen:  Wed 10 Dec 2008 02:39:25 PM EST
Local ID:  8da37282-8301-475f-a0e0-5f4a622aaa22
Line Numbers:  

Raw Audit Messages :

node=mercury type=AVC msg=audit(1228937965.526:61): avc: denied { name_connect } for pid=4702 comm="npviewer.bin" dest=2505 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket 

node=mercury type=SYSCALL msg=audit(1228937965.526:61): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=2c6b200 a2=1761924 a3=0 items=0 ppid=3011 pid=4702 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="npviewer.bin" exe="/usr/lib/nspluginwrapper/npviewer.bin" subj=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 key=(null)
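
For triage of the denial quoted above, this added example (not part of the original report or of any Fedora tooling) parses the two raw audit records, joins them on their shared audit event id, and decodes the i386 socketcall and errno fields. The function names and the summary layout are illustrative assumptions.

```python
import errno
import re

# The two raw audit records from the report, copied verbatim.
RECORDS = [
    'node=mercury type=AVC msg=audit(1228937965.526:61): avc: denied { name_connect } for pid=4702 comm="npviewer.bin" dest=2505 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket',
    'node=mercury type=SYSCALL msg=audit(1228937965.526:61): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=2c6b200 a2=1761924 a3=0 items=0 ppid=3011 pid=4702 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="npviewer.bin" exe="/usr/lib/nspluginwrapper/npviewer.bin" subj=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 key=(null)',
]
HEADER = re.compile(r'type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
VERDICT = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}')
# On i386 (arch=40000003) socket calls go through socketcall(2), syscall 102; a0 (hex) picks the call.
SOCKETCALL = {1: 'socket', 2: 'bind', 3: 'connect', 4: 'listen', 5: 'accept'}


def parse(line):
    """Turn one audit line into a dict; return None for non-audit lines."""
    m = HEADER.search(line)
    if not m:
        return None
    rtype, stamp, serial, body = m.groups()
    rec = {'type': rtype, 'event': (stamp, serial)}
    rec.update((key, val.strip('"')) for key, val in FIELD.findall(body))
    verdict = VERDICT.search(body)
    if verdict:
        rec['result'], rec['perms'] = verdict.group(1), verdict.group(2).split()
    return rec


def summarize_denials(lines):
    """Join AVC and SYSCALL records sharing an event id; one summary per denial."""
    events = {}
    for rec in filter(None, map(parse, lines)):
        events.setdefault(rec['event'], {})[rec['type']] = rec
    out = []
    for recs in events.values():
        avc, sc = recs.get('AVC'), recs.get('SYSCALL', {})
        if not avc or avc.get('result') != 'denied':
            continue
        i386_sock = sc.get('arch') == '40000003' and sc.get('syscall') == '102'
        target_type = avc['tcontext'].split(':')[2]
        out.append({
            'source_type': avc['scontext'].split(':')[2], 'target_type': target_type,
            'tclass': avc.get('tclass'), 'perms': avc['perms'], 'exe': sc.get('exe'),
            'dest_port': int(avc['dest']) if 'dest' in avc else None,
            'call': SOCKETCALL.get(int(sc['a0'], 16)) if i386_sock else None,
            'errno': errno.errorcode.get(-int(sc['exit'])) if sc.get('success') == 'no' else None,
            'generic_port': target_type == 'port_t',  # port_t: no specific port label in policy
        })
    return out
```

Calling `summarize_denials(RECORDS)` yields a single entry: `nsplugin_t` was denied `name_connect` on a `tcp_socket` to port 2505, whose `port_t` label means the policy assigns that port no specific type.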

Comment 1 Daniel Walsh 2009-01-06 14:44:14 UTC
Please update to the latest selinux policy.

Do you know what site you went to that caused this AVC?

Comment 2 Daniel Walsh 2009-01-08 18:36:52 UTC
If you upgrade to the latest policy the transition to nsplugin will be removed, so this is "fixed". The question is whether or not this is a legitimate port to connect to.

