Bug 783924 - unable to start ktorrent
Summary: unable to start ktorrent
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2012-01-23 09:36 UTC by Marcus Moeller
Modified: 2012-01-23 13:23 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-01-23 13:14:46 UTC
Type: ---



Description Marcus Moeller 2012-01-23 09:36:43 UTC
Description of problem:
We are using staff_u. After the latest policy update, we are unable to start ktorrent (and maybe similar applications that are binding sockets):

="ktorrent" exe="/usr/bin/ktorrent" subj=staff_u:staff_r:staff_t:s0 key=(null)
type=AVC msg=audit(1327310917.747:243): avc:  denied  { name_bind } for  pid=4495 comm="ktorrent" src=6881 scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1327310917.747:243): arch=c000003e syscall=49 success=no exit=-13 a0=10 a1=168a6b0 a2=10 a3=7fffcb0ee9cc items=0 ppid=4494 pid=4495 auid=19187 uid=19187 gid=1029 euid=19187 suid=19187 fsuid=19187 egid=1029 sgid=1029 fsgid=1029 tty=(none) ses=5 comm="ktorrent" exe="/usr/bin/ktorrent" subj=staff_u:staff_r:staff_t:s0 key=(null)

audit2allow output:

#============= staff_t ==============
#!!!! This avc can be allowed using one of the these booleans:

#     user_tcp_server, allow_ypbind
allow staff_t unreserved_port_t:tcp_socket name_bind;

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.10.0-72.fc16.noarch

Comment 1 Miroslav Grepl 2012-01-23 13:14:46 UTC
You will need to turn on the user_tcp_server boolean.

setsebool -P user_tcp_server 1
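
Added example (not part of the original report or comments, and not audit2allow's own code): a small Python parser that reads the AVC record from the description and derives the same allow rule shown in the audit2allow output, so the access that user_tcp_server covers can be read directly from the log. The SYSCALL line is abbreviated and the third sample line is constructed.

```python
import re

# First record is the AVC from the bug description; the SYSCALL line is
# abbreviated; the third line is constructed to exercise an MLS range level.
SAMPLE_LOG = [
    'type=AVC msg=audit(1327310917.747:243): avc:  denied  { name_bind } for  pid=4495 comm="ktorrent" src=6881 scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket',
    'type=SYSCALL msg=audit(1327310917.747:243): arch=c000003e syscall=49 success=no exit=-13 comm="ktorrent" exe="/usr/bin/ktorrent"',
    'type=AVC msg=audit(1327310999.001:250): avc:  denied  { name_bind } for  pid=4600 comm="ktorrent" src=6882 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def context_type(ctx):
    # Context is user:role:type:level; the level may contain ':' itself,
    # so cap the split at three separators.
    return ctx.split(':', 3)[2]

def parse_avc(line):
    """Return the fields of an AVC denial, or None for any other record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    return {
        'perms': m.group(1).split(),
        'comm': fields.get('comm'),
        'port': int(fields['src']) if 'src' in fields else None,
        'source': context_type(fields['scontext']),
        'target': context_type(fields['tcontext']),
        'tclass': fields['tclass'],
    }

def allow_rules(lines):
    """Collapse denials into de-duplicated allow rules (audit2allow-style text)."""
    merged = {}
    for rec in filter(None, map(parse_avc, lines)):
        key = (rec['source'], rec['target'], rec['tclass'])
        merged.setdefault(key, set()).update(rec['perms'])
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        p = sorted(perms)
        perm_txt = p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'
        rules.append(f'allow {src} {tgt}:{cls} {perm_txt};')
    return rules

if __name__ == '__main__':
    print('\n'.join(allow_rules(SAMPLE_LOG)))
```
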

Comment 2 Marcus Moeller 2012-01-23 13:23:50 UTC
That's clear. The question is why it's disabled now by default. This prevents users from starting a lot of programs.

