Description of problem: When trying to launch a spice client session from the RHEV webadmin interface I get an error message that states: "Unable to connect to the graphic server" Version-Release number of selected component (if applicable): spice-client-0.10.1-3.fc17.x86_64 spice-xpi-2.7-1.fc17.x86_64 firefox-12.0-1.fc17.x86_64 selinux-policy-targeted-3.10.0-118.fc17.noarch How reproducible: Always Steps to Reproduce: 1. Log in to a RHEV webadmin interface 2. Try to launch a vm's spice console Actual results: Error message pops up with the message" "Unable to connect to the graphic server" Expected results: spice client starts normally Additional info: The relevant AVC's: type=AVC msg=audit(1336061298.706:1937): avc: denied { name_connect } for pid=22592 comm="remote-viewer" dest=5900 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:vnc_port_t:s0 tclass=tcp_socket type=AVC msg=audit(1336061298.710:1938): avc: denied { name_connect } for pid=22592 comm="remote-viewer" dest=5901 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:vnc_port_t:s0 tclass=tcp_socket which gives the following when run through audit2allow -m; installing this module causes things to work properly: module spice-xpi 1.0; require { type vnc_port_t; type mozilla_plugin_t; class tcp_socket name_connect; } #============= mozilla_plugin_t ============== allow mozilla_plugin_t vnc_port_t:tcp_socket name_connect;
Note that the port may vary, it's not always 59XX, it could be anything afaik.
For RHEV at least the dest ports are known. RHEV uses the same range for spice and vnc. 5634 - 6166 TCP Administration Portal clients User Portal clients Red Hat Enterprise Virtualization Hypervisor(s) Red Hat Enterprise Linux host(s) Remote guest console access via VNC and Spice. These ports must be open to facilitate client access to virtual machines. http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Virtualization/3.0/html-single/Installation_Guide/index.html
# senetwork vnc_port_t vnc_port_t: tcp: 5900-5983,5985-5999 If we allow mozilla_plugin_t to connect to vncports you would get all of the above. # senetwork 5984 5984: tcp couchdb_port_t 5984 I will also give it couchdb
Fixed in selinux-policy-3.10.0-121.fc17
selinux-policy-3.10.0-121.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-121.fc17
Package selinux-policy-3.10.0-121.fc17: * should fix your issue, * was pushed to the Fedora 17 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-121.fc17' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2012-7313/selinux-policy-3.10.0-121.fc17 then log in and leave karma (feedback).
selinux-policy-3.10.0-121.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.