Hide Forgot
SELinux is preventing /usr/libexec/telepathy-haze from 'name_connect' accesses on the tcp_socket port 4444. ***** Plugin catchall (100. confidence) suggests *************************** If you believe that telepathy-haze should be allowed name_connect access on the port 4444 tcp_socket by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep telepathy-haze /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context unconfined_u:unconfined_r:telepathy_msn_t:s0-s0:c0 .c1023 Target Context system_u:object_r:kerberos_master_port_t:s0 Target Objects port 4444 [ tcp_socket ] Source telepathy-haze Source Path /usr/libexec/telepathy-haze Port 4444 Host (removed) Source RPM Packages telepathy-haze-0.4.0-3.fc15 Target RPM Packages Policy RPM selinux-policy-3.9.16-5.fc15 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 2.6.38-1.fc15.x86_64 #1 SMP Tue Mar 15 05:29:00 UTC 2011 x86_64 x86_64 Alert Count 16 First Seen Fri 18 Mar 2011 07:14:01 PM EDT Last Seen Tue 22 Mar 2011 07:02:38 PM EDT Local ID c179560b-2b3d-4fc2-afba-1bb9a15cb11f Raw Audit Messages type=AVC msg=audit(1300834958.833:85): avc: denied { name_connect } for pid=2069 comm="telepathy-haze" dest=4444 scontext=unconfined_u:unconfined_r:telepathy_msn_t:s0-s0:c0.c1023 tcontext=system_u:object_r:kerberos_master_port_t:s0 tclass=tcp_socket type=SYSCALL msg=audit(1300834958.833:85): arch=x86_64 syscall=connect success=no exit=EACCES a0=7 a1=1961e30 a2=10 a3=1 items=0 ppid=1 pid=2069 auid=501 uid=501 gid=500 euid=501 suid=501 fsuid=501 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm=telepathy-haze exe=/usr/libexec/telepathy-haze subj=unconfined_u:unconfined_r:telepathy_msn_t:s0-s0:c0.c1023 key=(null) Hash: telepathy-haze,telepathy_msn_t,kerberos_master_port_t,tcp_socket,name_connect audit2allow #============= telepathy_msn_t ============== allow telepathy_msn_t kerberos_master_port_t:tcp_socket name_connect; audit2allow -R #============= telepathy_msn_t ============== allow telepathy_msn_t kerberos_master_port_t:tcp_socket name_connect;
Nalin and Simo should port 4444 be labeled as the kerberos_master_port as opposed to just the kerberos_port. Currently the only confined app that can talk to port 4444 is winbind. From the services definition it looks like clients that need to talk to a kerberos v4 service would need to talk to this port? grep 4444/tcp /etc/services krb524 4444/tcp nv-video # Kerberos 5 to 4 ticket xlator
Clients that want to use v4 which have access to a v5 ticket can contact a 524 server to have it send them a v4 ticket. It's a service that any KDC host could provide (or for that matter, any service with a keytab, for just the services for which it has keys). If that's what kerberos_port is, then changing the label makes sense.
semanage port -l | grep kerberos kerberos_admin_port_t tcp 749 kerberos_master_port_t tcp 4444 kerberos_master_port_t udp 4444 kerberos_password_port_t tcp 464 kerberos_password_port_t udp 464 kerberos_port_t tcp 88, 750 kerberos_port_t udp 88, 750 This is our current break down. I am suggesting we remove kerberos_master_port_t and move 4444 to kerberos_port_t. I believe any app that needs to connect to port 88 or 750 also probably could connect to a port listening on 4444.
(In reply to comment #3) > I believe any app > that needs to connect to port 88 or 750 also probably could connect to a port > listening on 4444. Yes, I agree that's reasonable.
Fixed in selinux-policy-3.9.16-7.fc15