libreport version: 2.0.10
executable: /usr/bin/python2.7
hashmarkername: setroubleshoot
kernel: 3.3.4-5.fc17.x86_64
time: Sat 26 May 2012 06:05:49 CEST

description:
SELinux is preventing /usr/libexec/totem-plugin-viewer from 'name_connect' accesses on the tcp_socket.

***** Plugin connect_ports (99.5 confidence) suggests **********************

If you want to allow /usr/libexec/totem-plugin-viewer to connect to network port 364
Then you need to modify the port type.
Do
# semanage port -a -t PORT_TYPE -p tcp 364
where PORT_TYPE is one of the following: dns_port_t, mmcc_port_t, ipp_port_t, couchdb_port_t, streaming_port_t, port_t, vnc_port_t, ephemeral_port_type, ftp_port_t, speech_port_t, dns_port_t, http_cache_port_t, http_port_t, squid_port_t, pulseaudio_port_t, flash_port_t, unreserved_port_t, ocsp_port_t, kerberos_port_t.

***** Plugin catchall (1.49 confidence) suggests ***************************

If you believe that totem-plugin-viewer should be allowed name_connect access on tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep source:src /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023
Target Context                system_u:object_r:reserved_port_t:s0
Target Objects                [ tcp_socket ]
Source                        source:src
Source Path                   /usr/libexec/totem-plugin-viewer
Port                          364
Host                          (removed)
Source RPM Packages           totem-mozplugin-3.4.1-3.fc17.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.10.0-121.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.3.4-5.fc17.x86_64 #1 SMP Mon May 7 17:29:34 UTC 2012 x86_64 x86_64
Alert Count                   1
First Seen                    Sat 26 May 2012 01:38:42 CEST
Last Seen                     Sat 26 May 2012 01:38:42 CEST
Local ID                      acea02e8-f747-4485-ba98-0edb2c36c3df

Raw Audit Messages
type=AVC msg=audit(1337989122.982:202): avc: denied { name_connect } for pid=5215 comm="source:src" dest=364 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket

type=SYSCALL msg=audit(1337989122.982:202): arch=x86_64 syscall=connect success=no exit=EACCES a0=f a1=7f15051236c0 a2=10 a3=3283c05ef2 items=0 ppid=1 pid=5215 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4 comm=source:src exe=/usr/libexec/totem-plugin-viewer subj=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 key=(null)

Hash: source:src,mozilla_plugin_t,reserved_port_t,tcp_socket,name_connect

audit2allow
unable to open /sys/fs/selinux/policy: Permission denied

audit2allow -R
unable to open /sys/fs/selinux/policy: Permission denied
Do you know what you were doing?
I was listening to a radio stream, but I can not reproduce the error, I do not know why. http://www.radioglobo.it/streaming.asp?webradio=RADIO
Ok, could you reopen if you get this again. Thank you.
ok,thank you so much
It's not possible to publish this bug via abrt because it says "NOTABUG" - that's evil! I can reproduce it - always. Go to a streaming site which streams an avi file which should be opened by totem. That's it - the error will occur. I get this always when I want to watch some movies. Of course not copyright protected ones. If someone is able to change the state please do so. I can not as I have no permissions.
Oliver, are you seeing it for port 364 also?
I don't know, how can I check that? That's the message:

SELinux is preventing /usr/libexec/totem-plugin-viewer from name_connect access on the tcp_socket.

***** Plugin connect_ports (99.5 confidence) suggests **********************

If you want to allow /usr/libexec/totem-plugin-viewer to connect to network port 182
Then you need to modify the port type.
Do
# semanage port -a -t PORT_TYPE -p tcp 182
where PORT_TYPE is one of the following values: mmcc_port_t, dns_port_t, asterisk_port_t, ipp_port_t, couchdb_port_t, streaming_port_t, port_t, vnc_port_t, gatekeeper_port_t, ephemeral_port_type, ftp_port_t, speech_port_t, http_cache_port_t, dns_port_t, http_port_t, squid_port_t, ircd_port_t, pulseaudio_port_t, flash_port_t, unreserved_port_t, jabber_client_port_t, monopd_port_t, soundd_port_t, ocsp_port_t, kerberos_port_t.

***** Plugin catchall (1.49 confidence) suggests ***************************

If you think that totem-plugin-viewer should be allowed name_connect access on tcp_socket by default.
Then you should report this as a bug.
To allow this access, you can create a local policy module.
Do
allow access now by running the following commands:
# grep source:src /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023
Target Context                system_u:object_r:reserved_port_t:s0
Target Objects                [ tcp_socket ]
Source                        source:src
Source Path                   /usr/libexec/totem-plugin-viewer
Port                          182
Host                          lucymobil
Source RPM Packages           totem-mozplugin-3.4.3-1.fc17.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.10.0-146.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     lucymobil
Platform                      Linux lucymobil 3.5.3-1.fc17.x86_64 #1 SMP Wed Aug 29 18:46:34 UTC 2012 x86_64 x86_64
Alert Count                   3
First Seen                    2012-09-04 11:24:02 CEST
Last Seen                     2012-09-05 00:29:10 CEST
Local ID                      a269a679-bd96-46da-969b-453fcec3b4d0

Raw Audit Messages
type=AVC msg=audit(1346797750.552:181): avc: denied { name_connect } for pid=4718 comm="source:src" dest=182 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket

type=SYSCALL msg=audit(1346797750.552:181): arch=x86_64 syscall=connect success=no exit=EACCES a0=f a1=7f9e098186c0 a2=10 a3=38adc05ef2 items=0 ppid=1 pid=4718 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm=source:src exe=/usr/libexec/totem-plugin-viewer subj=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 key=(null)

Hash: source:src,mozilla_plugin_t,reserved_port_t,tcp_socket,name_connect

audit2allow

#============= mozilla_plugin_t ==============
#!!!! This avc can be allowed using the boolean 'allow_ypbind'
allow mozilla_plugin_t reserved_port_t:tcp_socket name_connect;

audit2allow -R

#============= mozilla_plugin_t ==============
#!!!! This avc can be allowed using the boolean 'allow_ypbind'
allow mozilla_plugin_t reserved_port_t:tcp_socket name_connect;
So it also connects to random reserved ports. I added

tunable_policy(`mozilla_plugin_can_network_connect',`
    corenet_tcp_connect_unreserved_ports(mozilla_plugin_t)
')

to the policy. But I don't like to allow it also for reserved port types.
I think it is just better to turn off the transition in this case.

setsebool -P unconfined_mozilla_plugin_transition 0

If people want their plugins connecting to random ports, might as well turn off the protection.
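A small triage script for denials like the two in this thread, added here as an example; it is not part of the bug report and is not setroubleshoot or audit2allow code. It parses AVC records from audit.log, groups them by (source type, target type, class) into the allow rule audit2allow would print, and separates the reserved_port_t case (which the maintainer declined to open wholesale) from everything else, restating the remedies discussed above: label the port with semanage port, generate a local module with audit2allow, or disable the plugin transition with setsebool. The sample log is constructed: it contains the two AVC lines quoted in this thread (ports 364 and 182), a SYSCALL record to show non-AVC lines are skipped, and one invented denial against http_cache_port_t (port 8080) so that grouping is visible.

```python
"""Group SELinux AVC denials the way audit2allow does and flag name_connect
denials against reserved_port_t.  Added example for this bug thread; not
setroubleshoot, audit2allow or selinux-policy code."""
import re
from collections import defaultdict

# Constructed sample input: the two AVC records quoted in the bug report,
# one SYSCALL record (must be ignored) and one invented http_cache_port_t
# denial so that more than one group appears.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1337989122.982:202): avc:  denied  { name_connect } for  pid=5215 comm="source:src" dest=364 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1337989122.982:202): arch=x86_64 syscall=connect success=no exit=EACCES a0=f pid=5215 comm=source:src exe=/usr/libexec/totem-plugin-viewer
type=AVC msg=audit(1346797750.552:181): avc:  denied  { name_connect } for  pid=4718 comm="source:src" dest=182 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1346797760.100:190): avc:  denied  { name_connect } for  pid=4718 comm="source:src" dest=8080 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
"""

# "type=AVC msg=audit(<ts>:<serial>): avc: denied { perms } for <key=value ...>"
AVC_RE = re.compile(
    r"type=AVC\s+msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+avc:\s+denied\s+"
    r"\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs; comm is quoted, contexts contain ':' and '.', so take \S+
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """user:role:type[:mls range] -> type, the part an allow rule names."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one AVC denial record; return None for any other record type."""
    m = AVC_RE.match(line.strip())
    if m is None:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
    return {
        "serial": int(m.group("serial")),
        "perms": m.group("perms").split(),
        "pid": int(kv["pid"]),
        "comm": kv.get("comm"),
        "dest": int(kv["dest"]) if "dest" in kv else None,  # port for *_socket
        "stype": context_type(kv["scontext"]),
        "ttype": context_type(kv["tcontext"]),
        "tclass": kv["tclass"],
    }


def summarize(log_text):
    """Group denials by (source type, target type, class), as audit2allow does."""
    groups = defaultdict(lambda: {"perms": set(), "ports": set(), "count": 0})
    for line in log_text.splitlines():
        avc = parse_avc(line)
        if avc is None:
            continue
        g = groups[(avc["stype"], avc["ttype"], avc["tclass"])]
        g["perms"].update(avc["perms"])
        g["count"] += 1
        if avc["dest"] is not None:
            g["ports"].add(avc["dest"])
    return dict(groups)


def allow_rule(stype, ttype, tclass, perms):
    """Render the rule audit2allow would print (braces only for several perms)."""
    perms = sorted(perms)
    body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {stype} {ttype}:{tclass} {body};"


def triage(log_text):
    """Return (rule, recommendation) pairs, one per group, sorted by rule key."""
    out = []
    for (s, t, c), g in sorted(summarize(log_text).items()):
        rule = allow_rule(s, t, c, g["perms"])
        ports = sorted(g["ports"])
        if c == "tcp_socket" and "name_connect" in g["perms"] and t == "reserved_port_t":
            # The case the maintainer refused to open: every port < 1024 that has no
            # specific label shares reserved_port_t, so this rule is far wider than
            # the one stream the user wanted.
            rec = (
                f"{g['count']} connect(s) to reserved port(s) {ports}: do not allow "
                "reserved_port_t wholesale. Label the port with "
                "'semanage port -a -t <type> -p tcp <port>' if it belongs to a known "
                "service type, or drop the plugin confinement with "
                "'setsebool -P unconfined_mozilla_plugin_transition 0'."
            )
        else:
            rec = (
                f"{g['count']} denial(s): a local module "
                "('audit2allow -M mypol; semodule -i mypol.pp') grants exactly this rule."
            )
        out.append((rule, rec))
    return out


if __name__ == "__main__":
    for rule, rec in triage(SAMPLE_AUDIT_LOG):
        print(rule)
        print("  #", rec)
```

Run against a real file with `triage(open('/var/log/audit/audit.log').read())` (as root, since the log is not world-readable, which is also why the audit2allow calls in the first report failed with "Permission denied"). The point of grouping on the target *type* rather than the port number is visible in the output: ports 364 and 182 collapse into the same `reserved_port_t` rule, which is why allowing it would open every unlabeled low port, not just the one the stream used.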
There was also another bug where we decided to add this boolean.
selinux-policy-3.10.0-149.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-149.fc17
Package selinux-policy-3.10.0-149.fc17: * should fix your issue, * was pushed to the Fedora 17 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-149.fc17' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2012-14301/selinux-policy-3.10.0-149.fc17 then log in and leave karma (feedback).
selinux-policy-3.10.0-149.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.