Bug 528670 - SELinux is preventing /usr/sbin/privoxy (deleted) from connecting to port 4.
Summary: SELinux is preventing /usr/sbin/privoxy (deleted) from connecting to port 4.
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: x86_64
OS: Linux
low
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:02482220360...
Depends On:
Blocks:
Reported: 2009-10-13 09:38 UTC by ultima.ratio.regum69
Modified: 2009-10-13 15:16 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-10-13 14:24:09 UTC
Type: ---



Description ultima.ratio.regum69 2009-10-13 09:38:12 UTC
Résumé:

SELinux is preventing /usr/sbin/privoxy (deleted) from connecting to port 4.

Description détaillée:

SELinux has denied privoxy from connecting to a network port 4 which does not
have an SELinux type associated with it. If privoxy should be allowed to connect
on 4, use the semanage command to assign 4 to a port type that privoxy_t can
connect to (tor_port_t, http_cache_port_t, http_port_t, ftp_port_t, ldap_port_t,
dns_port_t, pgpkeyserver_port_t, ocsp_port_t, kerberos_port_t).
If privoxy is not supposed to connect to 4, this could signal a intrusion
attempt.

Autoriser l'accès:

If you want to allow privoxy to connect to 4, you can execute
semanage port -a -t PORT_TYPE -p tcp 4
where PORT_TYPE is one of the following: tor_port_t, http_cache_port_t,
http_port_t, ftp_port_t, ldap_port_t, dns_port_t, pgpkeyserver_port_t,
ocsp_port_t, kerberos_port_t.

Informations complémentaires:

Contexte source               unconfined_u:system_r:privoxy_t:s0
Contexte cible                system_u:object_r:reserved_port_t:s0
Objets du contexte            None [ tcp_socket ]
source                        privoxy
Chemin de la source           /usr/sbin/privoxy (deleted)
Port                          4
Hôte                         (removed)
Paquetages RPM source         
Paquetages RPM cible          
Politique RPM                 selinux-policy-3.6.32-24.fc12
Selinux activé               True
Type de politique             targeted
MLS activé                   True
Mode strict                   Enforcing
Nom du plugin                 connect_ports
Nom de l'hôte                (removed)
Plateforme                    Linux (removed) 2.6.31.3 #1 SMP Tue Oct
                              13 17:07:53 CEST 2009 x86_64 x86_64
Compteur d'alertes            1
Première alerte              mer. 14 oct. 2009 11:23:54 CEST
Dernière alerte              mer. 14 oct. 2009 11:23:54 CEST
ID local                      3ab0be8e-3da3-4669-b256-57cbd5b8056f
Numéros des lignes           

Messages d'audit bruts        

node=(removed) type=AVC msg=audit(1255512234.809:18162): avc:  denied  { name_connect } for  pid=26771 comm="privoxy" dest=4 scontext=unconfined_u:system_r:privoxy_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket

node=(removed) type=SYSCALL msg=audit(1255512234.809:18162): arch=c000003e syscall=42 success=no exit=-13 a0=6 a1=7f2354005e40 a2=10 a3=7f236cab724c items=0 ppid=1 pid=26771 auid=501 uid=73 gid=73 euid=73 suid=73 fsuid=73 egid=73 sgid=73 fsgid=73 tty=(none) ses=1 comm="privoxy" exe=2F7573722F7362696E2F707269766F7879202864656C6574656429 subj=unconfined_u:system_r:privoxy_t:s0 key=(null)



Hash String generated from  selinux-policy-3.6.32-24.fc12,connect_ports,privoxy,privoxy_t,reserved_port_t,tcp_socket,name_connect
audit2allow suggests:

#============= privoxy_t ==============
allow privoxy_t reserved_port_t:tcp_socket name_connect;
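
An added example (not part of the original report and not setroubleshoot or audit2allow code): Python that joins the AVC and SYSCALL records above by their shared event id, decodes the hex-encoded `exe=` field, and rebuilds the rule audit2allow printed. The names `fields`, `text`, `event_id` and `triage` and the two lookup tables are this example's own, and the record strings are trimmed copies of the lines in the report.

```python
import re

# Constructed sample: the two raw audit records from the report, trimmed to the
# fields this example reads (node= and unused syscall arguments dropped).
AVC = ('type=AVC msg=audit(1255512234.809:18162): avc:  denied  { name_connect } '
       'for  pid=26771 comm="privoxy" dest=4 '
       'scontext=unconfined_u:system_r:privoxy_t:s0 '
       'tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket')
SYSCALL = ('type=SYSCALL msg=audit(1255512234.809:18162): arch=c000003e '
           'syscall=42 success=no exit=-13 pid=26771 uid=73 comm="privoxy" '
           'exe=2F7573722F7362696E2F707269766F7879202864656C6574656429 '
           'subj=unconfined_u:system_r:privoxy_t:s0')

# Lookup tables hold only the values seen in this report; extend as needed.
SYSCALLS = {("c000003e", 42): "connect"}   # (audit arch, number) on x86_64
ERRNO = {13: "EACCES"}

def fields(record):
    """Return the raw key=value pairs of one audit record."""
    return dict(re.findall(r'(\w+)=("[^"]*"|\S+)', record))

def text(value):
    """Quoted values are literal; the audit subsystem hex-encodes strings
    that contain spaces or other unsafe bytes and leaves them unquoted."""
    if value.startswith('"'):
        return value.strip('"')
    if re.fullmatch(r'(?:[0-9A-Fa-f]{2})+', value):
        return bytes.fromhex(value).decode("utf-8", "replace")
    return value

def event_id(record):
    """Records of one event share the same audit(timestamp:serial) id."""
    return re.search(r'audit\(([\d.]+:\d+)\)', record).group(1)

def triage(avc, syscall):
    """Join the AVC and SYSCALL records of one denial into a readable summary."""
    if event_id(avc) != event_id(syscall):
        raise ValueError("records belong to different audit events")
    a, s = fields(avc), fields(syscall)
    perms = re.search(r'\{([^}]*)\}', avc).group(1).split()
    perm = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    stype, ttype = (a[k].split(":")[2] for k in ("scontext", "tcontext"))
    return {
        "exe": text(s["exe"]), "comm": text(a["comm"]), "port": int(a["dest"]),
        "syscall": SYSCALLS.get((s["arch"], int(s["syscall"])), s["syscall"]),
        "errno": ERRNO.get(-int(s["exit"]), s["exit"]),
        "rule": f"allow {stype} {ttype}:{a['tclass']} {perm};",
    }
```

The decoded `exe` value is the same path, including the ` (deleted)` suffix, that the report shows as the source path.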

Comment 1 Daniel Walsh 2009-10-13 14:24:09 UTC
Why is privoxy trying to connect to tcp port 4?

Is this a custom configuration?  If yes, do what the troubleshooter suggests.

Comment 2 ultima.ratio.regum69 2009-10-13 14:50:48 UTC
Don't know why privoxy tries to connect to TCP 4.
It's a standard config on a fresh install.
It happens once while connecting to Google.

Comment 3 Daniel Walsh 2009-10-13 15:16:12 UTC
Ok then turn on the boolean privoxy_connect_any


setsebool -P privoxy_connect_any 1

This will allow privoxy to connect to all tcp ports.

