libreport version: 2.0.10
executable: /usr/bin/python2.7
hashmarkername: setroubleshoot
kernel: 3.3.2-8.fc17.x86_64
time: Monday 23 April 2012 12:08:23 AM IST

description:
:SELinux is preventing /usr/lib64/xulrunner-2/plugin-container from 'name_connect' accesses on the tcp_socket .
:
:***** Plugin connect_ports (92.2 confidence) suggests **********************
:
:If you want to allow /usr/lib64/xulrunner-2/plugin-container to connect to network port 190
:Then you need to modify the port type.
:Do
:# semanage port -a -t PORT_TYPE -p tcp 190
:    where PORT_TYPE is one of the following: mmcc_port_t, ipp_port_t, streaming_port_t, port_t, ephemeral_port_type, ftp_port_t, dns_port_t, speech_port_t, http_cache_port_t, http_port_t, squid_port_t, pulseaudio_port_t, flash_port_t, unreserved_port_t, dns_port_t, kerberos_port_t, ocsp_port_t.
:
:***** Plugin catchall_boolean (7.83 confidence) suggests *******************
:
:If you want to allow system to run with NIS
:Then you must tell SELinux about this by enabling the 'allow_ypbind'boolean.
:Do
:setsebool -P allow_ypbind 1
:
:***** Plugin catchall (1.41 confidence) suggests ***************************
:
:If you believe that plugin-container should be allowed name_connect access on the tcp_socket by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep plugin-containe /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c
:                              0.c1023
:Target Context                system_u:object_r:reserved_port_t:s0
:Target Objects                 [ tcp_socket ]
:Source                        plugin-containe
:Source Path                   /usr/lib64/xulrunner-2/plugin-container
:Port                          190
:Host                          (removed)
:Source RPM Packages           xulrunner-11.0-3.fc17.x86_64
:Target RPM Packages
:Policy RPM                    selinux-policy-3.10.0-116.fc17.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed) 3.3.2-8.fc17.x86_64 #1 SMP Sat Apr
:                              21 12:44:25 UTC 2012 x86_64 x86_64
:Alert Count                   1
:First Seen                    Sunday 22 April 2012 09:56:19 PM IST
:Last Seen                     Sunday 22 April 2012 09:56:19 PM IST
:Local ID                      924f2b3f-fc37-47df-9856-2d473b14a41a
:
:Raw Audit Messages
:type=AVC msg=audit(1335111979.201:410): avc: denied { name_connect } for pid=14103 comm="plugin-containe" dest=190 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket
:
:
:type=SYSCALL msg=audit(1335111979.201:410): arch=x86_64 syscall=connect success=no exit=EACCES a0=10 a1=7fb1b8a4feb0 a2=10 a3=7fb1b1f37450 items=0 ppid=2295 pid=14103 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm=plugin-containe exe=/usr/lib64/xulrunner-2/plugin-container subj=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 key=(null)
:
:Hash: plugin-containe,mozilla_plugin_t,reserved_port_t,tcp_socket,name_connect
:
:audit2allow
:unable to open /sys/fs/selinux/policy: Permission denied
:
:
:audit2allow -R
:unable to open /sys/fs/selinux/policy: Permission denied
:
:*************************************************************
:
:Hello,
:
:I really have no idea about what 'plugin-container' should and should not do. I've therefore reported the bug so you folks can make the decision.
:
:Thanks,
:Ankur
Do you know what you were doing when this happened?
I can't be certain: I was working on something so I had my notifications turned off. The only thing I remember doing out of the ordinary was use https://facebook.com instead of http://facebook.com. It could be that, but unfortunately, I cannot be 100% certain :/
I can not find anything on the internet about port 190. This is strange, if it happens again
I think we can close this one since I haven't enough info to help you folks? If it happens again, I'll note exactly what caused it and you can take a look at it?
Going to http://chatroulette.com/ produces a similar error about connection to port 81 being blocked. I am not sure how much value there is in restricting the ports that Flash is connecting to, as it's hard to predict what ports will be used.
You might be right, although I would like to prevent it from sending to mail ports.