Summary:

SELinux is preventing /usr/libexec/hal-dccm "name_connect" access .

Detailed Description:

SELinux denied access requested by hal-dccm. It is not expected that this access is required by hal-dccm and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report.

Additional Information:

Source Context                system_u:system_r:hald_dccm_t:s0
Target Context                system_u:object_r:ftp_port_t:s0
Target Objects                None [ tcp_socket ]
Source                        hal-dccm
Source Path                   /usr/libexec/hal-dccm
Port                          990
Host                          (removed)
Source RPM Packages           synce-hal-0.15-1.fc12
Target RPM Packages
Policy RPM                    selinux-policy-3.6.32-118.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.32.14-127.fc12.x86_64 #1 SMP Fri May 28 04:30:39 UTC 2010 x86_64 x86_64
Alert Count                   52
First Seen                    Mon 28 Jun 2010 02:33:55 PM BST
Last Seen                     Mon 28 Jun 2010 02:44:00 PM BST
Local ID                      a4b63f39-d472-4074-83ec-771045457a9d
Line Numbers

Raw Audit Messages

node=(removed) type=AVC msg=audit(1277732640.547:175): avc: denied { name_connect } for pid=21252 comm="hal-dccm" dest=990 scontext=system_u:system_r:hald_dccm_t:s0 tcontext=system_u:object_r:ftp_port_t:s0 tclass=tcp_socket

node=(removed) type=SYSCALL msg=audit(1277732640.547:175): arch=c000003e syscall=42 success=no exit=-13 a0=9 a1=1144630 a2=10 a3=0 items=0 ppid=1510 pid=21252 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="hal-dccm" exe="/usr/libexec/hal-dccm" subj=system_u:system_r:hald_dccm_t:s0 key=(null)

Hash String generated from catchall,hal-dccm,hald_dccm_t,ftp_port_t,tcp_socket,name_connect

audit2allow suggests:

#============= hald_dccm_t ==============
allow hald_dccm_t ftp_port_t:tcp_socket name_connect;

Any idea why hald-dccm would be trying to connect to ftp? It is allowed to bind to the ftp port, but does it need to connect to ftp ports also?
I've never heard of hald-dccm; a quick Google suggests it's something to do with SynCE rather than hal.
It *is* a part of synce. I get these messages when plugging a WinCE device into Fedora 12, after installing synce but with no additional configuration. Even though it claims that hald_dccm_t is a permissive label, the connectivity doesn't work correctly, so there is clearly something else wrong too.
Digging a bit further, port 990 is not used for ftps in ActiveSync devices but for a Microsoft protocol called RAPI.
OK, then it is legit. Miroslav, can you add this permission?
Fixed in selinux-policy-3.6.32-120.fc12
selinux-policy-3.6.32-120.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-120.fc12
selinux-policy-3.6.32-120.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.6.32-120.fc12
selinux-policy-3.6.32-120.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
This bug appears to have come back as of selinux-policy-3.7.19-74.fc13.
Please open a new bug for F13. Thank you.