Bug 590309 - SELinux is preventing /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/bin/java from connecting to port 58974.
Summary: SELinux is preventing /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/bin/...
Keywords:
Status: CLOSED DUPLICATE of bug 590308
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 12
Hardware: x86_64
OS: Linux
low
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:60e673777a6...
Depends On:
Blocks:
Reported: 2010-05-08 18:44 UTC by Reinhard
Modified: 2010-05-10 11:24 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2010-05-10 11:24:55 UTC
Type: ---
Embargoed:



Description Reinhard 2010-05-08 18:44:39 UTC
Summary:

SELinux is preventing
/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/bin/java from connecting to
port 58974.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux has denied java from connecting to a network port 58974 which does not
have an SELinux type associated with it. If java should be allowed to connect on
58974, use the semanage command to assign 58974 to a port type that
abrt_helper_t can connect to (ldap_port_t, dns_port_t, kerberos_port_t,
ocsp_port_t).
If java is not supposed to connect to 58974, this could signal a intrusion
attempt.

Allowing Access:

If you want to allow java to connect to 58974, you can execute
semanage port -a -t PORT_TYPE -p tcp 58974
where PORT_TYPE is one of the following: ldap_port_t, dns_port_t,
kerberos_port_t, ocsp_port_t.

Additional Information:

Source Context                unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023
Target Context                system_u:object_r:port_t:s0
Target Objects                None [ tcp_socket ]
Source                        java
Source Path                   /usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre
                              /bin/java
Port                          58974
Host                          (removed)
Source RPM Packages           java-1.6.0-openjdk-1.6.0.0-37.b17.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-113.fc12
SELinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   connect_ports
Host Name                     (removed)
Platform                      Linux (removed)
                              2.6.32.11-99.fc12.x86_64 #1 SMP Mon Apr 5 19:59:38
                              UTC 2010 x86_64 x86_64
Alert Count                   0
First Seen                    Sat 08 May 2010 20:40:43 CEST
Last Seen                     Sat 08 May 2010 20:40:43 CEST
Local ID                      7e4bb7a6-2706-49ce-aec1-e291e83e8cd0
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1273344043.170:26127): avc:  denied  { name_connect } for  pid=4247 comm="java" dest=58974 scontext=unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket

node=(removed) type=SYSCALL msg=audit(1273344043.170:26127): arch=c000003e syscall=42 success=yes exit=0 a0=88 a1=7f4698aa5c20 a2=1c a3=7f4698aa59b0 items=0 ppid=4149 pid=4247 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=7 comm="java" exe="/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre/bin/java" subj=unconfined_u:system_r:abrt_helper_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  connect_ports,java,abrt_helper_t,port_t,tcp_socket,name_connect
audit2allow suggests:

#============= abrt_helper_t ==============
#!!!! This avc can be allowed using the boolean 'allow_ypbind'

allow abrt_helper_t port_t:tcp_socket name_connect;

Comment 1 Miroslav Grepl 2010-05-10 11:24:55 UTC

*** This bug has been marked as a duplicate of bug 590308 ***

