Bug 475918 - SELinux errors on npviewer.bin port 2505
SELinux errors on npviewer.bin port 2505
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
i686 Linux
low Severity medium
: ---
: ---
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
Depends On:
  Show dependency treegraph
Reported: 2008-12-10 23:30 EST by Rick Chu
Modified: 2009-01-08 13:36 EST (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2009-01-08 13:36:52 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Rick Chu 2008-12-10 23:30:29 EST
Description of problem:
SELinux is preventing the npviewer.bin(nsplugin_t) from connecting to port 2505.

Version-Release number of selected component (if applicable):
Adobe flash

How reproducible:
The setroubleshoot browser shows a count of 4, however I'm not sure how to reproduce the error.

Steps to Reproduce:
Actual results:

Expected results:

Additional info: Taken from setroubleshoot browser:
Source Context:  unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023
Target Context:  system_u:object_r:port_t:s0
Target Objects:  None [ tcp_socket ]
Source:  npviewer.bin
Source Path:  /usr/lib/nspluginwrapper/npviewer.bin
Port:  2505
Host:  mercury
Source RPM Packages:  nspluginwrapper-1.1.2-4.fc10
Target RPM Packages:  
Policy RPM:  selinux-policy-3.5.13-26.fc10
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Enforcing
Plugin Name:  connect_ports
Host Name:  mercury
Platform:  Linux mercury #1 SMP Mon Dec 1 22:42:50 EST 2008 i686 i686
Alert Count:  4
First Seen:  Wed 10 Dec 2008 02:39:05 PM EST
Last Seen:  Wed 10 Dec 2008 02:39:25 PM EST
Local ID:  8da37282-8301-475f-a0e0-5f4a622aaa22
Line Numbers:  

Raw Audit Messages :

node=mercury type=AVC msg=audit(1228937965.526:61): avc: denied { name_connect } for pid=4702 comm="npviewer.bin" dest=2505 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket 

node=mercury type=SYSCALL msg=audit(1228937965.526:61): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=2c6b200 a2=1761924 a3=0 items=0 ppid=3011 pid=4702 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="npviewer.bin" exe="/usr/lib/nspluginwrapper/npviewer.bin" subj=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 key=(null)
Comment 1 Daniel Walsh 2009-01-06 09:44:14 EST
Please update to the latest selinux policy.

Do you know what site you went to that caused this AVC?
Comment 2 Daniel Walsh 2009-01-08 13:36:52 EST
If you upgrade to the latest policy the transition to nsplugin will be removed, so this is "fixed"  The question is whether or not this is a legitimate port to connect to.

Note You need to log in before you can comment on or make changes to this bug.