Bug 600314 - SELinux is preventing /usr/local/bin/cnijnetprn from binding to port 8611.
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 12
Hardware: i386
OS: Linux
low
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:20cdc7dddae...
Depends On:
Blocks:
 
Reported: 2010-06-04 12:34 UTC by mgerbabuena
Modified: 2010-06-04 14:00 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-06-04 14:00:09 UTC
Type: ---
Embargoed:



Description mgerbabuena 2010-06-04 12:34:40 UTC
Summary:

SELinux is preventing /usr/local/bin/cnijnetprn from binding to port 8611.

Detailed Description:

SELinux has denied the cnijnetprn from binding to a network port 8611 which does
not have an SELinux type associated with it. If cnijnetprn should be allowed to
listen on 8611, use the semanage command to assign 8611 to a port type that
cupsd_t can bind to (howl_port_t, ipp_port_t).
If cnijnetprn is not supposed to bind to 8611, this could signal an intrusion
attempt.

Allowing Access:

If you want to allow cnijnetprn to bind to port 8611, you can execute
# semanage port -a -t PORT_TYPE -p udp 8611
where PORT_TYPE is one of the following: howl_port_t, ipp_port_t.
If this system is running as an NIS Client, turning on the allow_ypbind boolean
may fix the problem. setsebool -P allow_ypbind=1.

Additional Information:

Source Context                system_u:system_r:cupsd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:port_t:s0
Target Objects                None [ udp_socket ]
Source                        cnijnetprn
Source Path                   /usr/local/bin/cnijnetprn
Port                          8611
Host                          (removed)
Source RPM Packages           cnijfilter-common-3.20-1
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-41.fc12
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   bind_ports
Host Name                     (removed)
Platform                      Linux (removed) 2.6.31.5-127.fc12.i686.PAE #1 SMP Sat
                              Nov 7 21:25:57 EST 2009 i686 i686
Alert Count                   1
First Seen                    Fri 04 Jun 2010 08:12:06 PM PHT
Last Seen                     Fri 04 Jun 2010 08:12:06 PM PHT
Local ID                      0e9e70b4-738c-4ac1-9dcd-e84c62bcb7fe
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1275653526.867:22): avc:  denied  { name_bind } for  pid=2069 comm="cnijnetprn" src=8611 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket

node=(removed) type=SYSCALL msg=audit(1275653526.867:22): arch=40000003 syscall=102 success=no exit=-13 a0=2 a1=bfe2b030 a2=f40114 a3=1 items=0 ppid=2068 pid=2069 auid=4294967295 uid=4 gid=7 euid=4 suid=4 fsuid=4 egid=7 sgid=7 fsgid=7 tty=(none) ses=4294967295 comm="cnijnetprn" exe="/usr/local/bin/cnijnetprn" subj=system_u:system_r:cupsd_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  selinux-policy-3.6.32-41.fc12,bind_ports,cnijnetprn,cupsd_t,port_t,udp_socket,name_bind
audit2allow suggests:

#============= cupsd_t ==============
allow cupsd_t port_t:udp_socket name_bind;
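
Added example (not part of the bug report or of setroubleshoot's output): a small Python triage of the raw AVC record above that recognises a name_bind denial on a port carrying the generic port_t label and reproduces both remedies the report mentions. Function and variable names are hypothetical, and the sample line is constructed from the record quoted in the report.

```python
import re

# Constructed sample: the AVC record quoted in the report above, with the
# node field redacted as it is there.
SAMPLE_AVC = (
    'node=(removed) type=AVC msg=audit(1275653526.867:22): avc:  denied  '
    '{ name_bind } for  pid=2069 comm="cnijnetprn" src=8611 '
    'scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:port_t:s0 tclass=udp_socket'
)

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PROTO = {'udp_socket': 'udp', 'tcp_socket': 'tcp'}


def parse_avc(line):
    """Split one AVC denial into its key=value fields; None if not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    fields['perms'] = m.group('perms').split()
    for key in ('scontext', 'tcontext'):
        # Context is user:role:type:level; the level may itself contain ':'.
        parts = fields.get(key, '').split(':', 3)
        fields[key + '_type'] = parts[2] if len(parts) > 2 else None
    return fields


def triage_port_bind(line):
    """Describe a name_bind denial on a port with the generic port_t label."""
    f = parse_avc(line)
    if not f or 'name_bind' not in f['perms'] or f['tcontext_type'] != 'port_t':
        return None
    proto, port, domain = PROTO.get(f.get('tclass')), f.get('src', ''), f['scontext_type']
    if proto is None or domain is None or not port.isdigit():
        return None
    return {
        'domain': domain, 'comm': f.get('comm'), 'proto': proto, 'port': int(port),
        # Narrow option: label this one port (PORT_TYPE stays a placeholder,
        # as in the report; the report lists the valid choices).
        'label_cmd': f'semanage port -a -t PORT_TYPE -p {proto} {port}',
        # Broad option: lets the domain bind every port still labelled port_t.
        'broad_rule': f'allow {domain} port_t:{f["tclass"]} name_bind;',
    }


if __name__ == '__main__':
    print(triage_port_bind(SAMPLE_AVC))
```

The semanage command relabels only port 8611, whereas the audit2allow rule would let cupsd_t bind any port that still has the generic port_t type.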

Comment 1 mgerbabuena 2010-06-04 12:42:01 UTC
I got that bug when I'm trying to install the printer Canon Pixma MP258.

However, after I installed the package for Fedora 11 that I got from the Canon website, I rebooted the system and the printer is now working. I was able to print a test page.

I'm not sure what this bug is.

Comment 2 Daniel Walsh 2010-06-04 14:00:09 UTC
yum -y update


Get the latest policy and reopen if this happens again.

