Bug 533438 - SELinux is preventing /usr/bin/python from connecting to port 38555.
Summary: SELinux is preventing /usr/bin/python from connecting to port 38555.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: abrt
Version: 12
Hardware: i386
OS: Linux
low
medium
Target Milestone: ---
Assignee: Jiri Moskovcak
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:f5fba03b09b...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-11-06 18:54 UTC by Ví­ctor Daniel
Modified: 2015-02-01 22:49 UTC (History)
12 users (show)

Fixed In Version: 1.0.0-1.fc12
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-12-01 04:38:06 UTC


Attachments (Terms of Use)

Description Ví­ctor Daniel 2009-11-06 18:54:29 UTC
Summary:

SELinux is preventing /usr/bin/python from connecting to port 38555.

Detailed Description:

SELinux has denied yum from connecting to a network port 38555 which does not
have an SELinux type associated with it. If yum should be allowed to connect on
38555, use the semanage command to assign 38555 to a port type that abrt_t can
connect to (http_port_t).
If yum is not supposed to connect to 38555, this could signal a intrusion
attempt.

Allowing Access:

If you want to allow yum to connect to 38555, you can execute
semanage port -a -t PORT_TYPE -p tcp 38555
where PORT_TYPE is one of the following: http_port_t.

Additional Information:

Source Context                system_u:system_r:abrt_t:s0
Target Context                system_u:object_r:port_t:s0
Target Objects                None [ tcp_socket ]
Source                        yum
Source Path                   /usr/bin/python
Port                          38555
Host                          (removed)
Source RPM Packages           python-2.6.2-2.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-40.fc12
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   connect_ports
Host Name                     (removed)
Platform                      Linux (removed) 2.6.31.5-115.fc12.i686 #1 SMP
                              Wed Nov 4 00:45:40 EST 2009 i686 i686
Alert Count                   1
First Seen                    Thu 05 Nov 2009 11:08:33 PM COT
Last Seen                     Thu 05 Nov 2009 11:08:33 PM COT
Local ID                      7f9ed28b-12ca-4b0c-99f2-966c6d48ea0a
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1257480513.7:18768): avc:  denied  { name_connect } for  pid=4767 comm="yum" dest=38555 scontext=system_u:system_r:abrt_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket

node=(removed) type=SYSCALL msg=audit(1257480513.7:18768): arch=40000003 syscall=102 success=no exit=-115 a0=3 a1=bfbef6b0 a2=618f80 a3=bfbef91c items=0 ppid=4766 pid=4767 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="yum" exe="/usr/bin/python" subj=system_u:system_r:abrt_t:s0 key=(null)



Hash String generated from  selinux-policy-3.6.32-40.fc12,connect_ports,yum,abrt_t,port_t,tcp_socket,name_connect
audit2allow suggests:

#============= abrt_t ==============
allow abrt_t port_t:tcp_socket name_connect;

Comment 1 Daniel Walsh 2009-11-06 19:34:15 UTC
Why would yum be trying to connect to this port?

Comment 2 cheguaka 2009-11-06 22:15:40 UTC
Related with this:

https://bugzilla.redhat.com/show_bug.cgi?id=533502
https://bugzilla.redhat.com/show_bug.cgi?id=533439

I was trying to connect irc whit telepathy, but telepathy-idle, crashed. abrt
poped, and I tried to submit the bug.abrt tried to download 29 debuginfo
packages via yum, the the three selinux errors  came.

Comment 3 James Antill 2009-11-09 14:28:54 UTC
I've no idea why yum would want to connect to this port. I guess if the user has a network local mirror which is defined as:

 http://local.example.com:38555/fedora


...that would do it.

Comment 4 cheguaka 2009-11-09 16:37:02 UTC
I haven't a network local mirror...

It's a live USB image without overlay persistence.

This bug -> 533690 was filed after the same steps.

1.- telepathy-idle crash
2.- abrt pop
3.- Download of debuginfo...

The final step is https://bugzilla.redhat.com/show_bug.cgi?id=518390#c4 because of the bug 518390 duplicated in 533589 (I also have a wifi enabled by networkmanager applet)

Comment 5 James Antill 2009-11-09 17:01:31 UTC
Can you run: fgrep 3855 /var/cache/yum/*/metalink.xml /var/cache/yum/*/mirrorlist.txt

Comment 6 seth vidal 2009-11-09 17:09:09 UTC
http://isc.sans.org/port.html?port=38555

we sure there isn't something else here?

Comment 7 cheguaka 2009-11-09 17:29:20 UTC
Don't know what you mean. This pair of pair of bugs were filed with the same steps. Ports differ.

bug 533438    	med  	low  	Linu  	jmoskovc@redhat.com  	NEW  	  	SELinux is preventing /usr/bin/python from connecting to port 38555.
bug 533439 	med 	low 	Linu 	jmoskovc@redhat.com 	CLOS 	RAWHIDE 	SELinux is preventing /usr/bin/python "name_connect" access. 

bug 533689    	med  	low  	Linu  	dwalsh@redhat.com  	CLOS  	DUPLICATE  	SELinux is preventing /usr/bin/python "name_connect" access.
bug 533690 	med 	low 	Linu 	dwalsh@redhat.com 	CLOS 	RAWHIDE 	SELinux is preventing /usr/bin/python from connecting to port 18475.

Comment 8 seth vidal 2009-11-09 18:35:58 UTC
Is there a complete url that the process is attempting to access?

I can't seem to find it in the output.

It might help me understand what is going on here.

Comment 9 cheguaka 2009-11-09 22:50:17 UTC
I think it has to do with this bug https://bugzilla.redhat.com/show_bug.cgi?id=518390. Because if I restart abrt before I try to send the bug, setroubleshoot doesn't pop with this error.

Then continues with 

[root@localhost ~]# ps -ef | grep -i python
liveuser  1763  1641  0 22:58 ?        00:00:00 python /usr/share/system-config-printer/applet.py
liveuser  2123     1  0 22:59 ?        00:00:03 /usr/bin/python /usr/libexec/telepathy-butterfly
root      2286     1  0 23:11 ?        00:00:02 /usr/bin/python -E /usr/sbin/setroubleshootd -f 
liveuser  2295     1  0 23:11 ?        00:00:03 /usr/bin/python -E /usr/bin/sealert -s
liveuser  2330     1  2 23:16 ?        00:00:43 /usr/bin/python /usr/share/abrt/CCMainWindow.py
root      2599  2333  1 23:46 ?        00:00:02 /usr/bin/python /usr/bin/yumdownloader --enablerepo=*debuginfo* --quiet glibc-debuginfo-2.11-2.i686
root      2603  2067  0 23:48 pts/0    00:00:00 grep -i python
[root@localhost ~]# ps -ef | grep -i abrt
liveuser  1912  1641  0 22:58 ?        00:00:00 abrt-applet
root      2098     1  0 22:59 ?        00:00:00 /usr/sbin/abrtd
liveuser  2330     1  2 23:16 ?        00:00:45 /usr/bin/python /usr/share/abrt/CCMainWindow.py
liveuser  2332  2098  0 23:16 ?        00:00:00 /usr/sbin/abrtd
root      2333  2098  0 23:16 ?        00:00:00 /bin/sh /usr/bin/abrt-debuginfo-install /var/cache/abrt/ccpp-1257826416-2101/coredump /var/run/abrt/tmp-2333-1257826571 /var/cache/abrt-di



¿Makes it sense?

Comment 10 cheguaka 2009-11-10 19:36:46 UTC
Tested against 

http://alt.fedoraproject.org/pub/alt/nightly-composes/desktop/desktop-i386-20091109.15.iso

Only this bug 533427 stays.

Can't reproduce this bug. 

No mirrorlist.txt file behind /var/cache/yum

[root@localhost yum]# fgrep 3855 /var/cache/yum/*/*/*/metalink.xml
[root@localhost yum]# 
Nothing.

#9 was tested against this image too. So bug 518390 seems unrelated. Perhaps closed bug 533439 bug 533690 did the job.

Comment 11 Daniel Walsh 2009-11-10 19:44:38 UTC
I now allow abrt to connect to any port.  I had several other bugs where abrt was connecting to semi-random ports.

selinux-policy-targeted-3.6.32-43.fc12.noarch

Comment 12 Fedora Update System 2009-11-22 20:44:26 UTC
abrt-1.0.0-1.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/abrt-1.0.0-1.fc12

Comment 13 Fedora Update System 2009-11-25 15:10:24 UTC
abrt-1.0.0-1.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update abrt'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2009-12098

Comment 14 Fedora Update System 2009-12-01 04:37:09 UTC
abrt-1.0.0-1.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.