Bug 825417 - SELinux is preventing /usr/libexec/totem-plugin-viewer from 'name_connect' accesses on the tcp_socket .
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 17
Hardware: x86_64
OS: Unspecified
Priority: unspecified
Severity: unspecified
Assigned To: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Whiteboard: abrt_hash:e43ccb947bad824baf3a9928194...
Keywords: Reopened
Reported: 2012-05-26 00:06 EDT by hellojoker
Modified: 2012-09-21 19:57 EDT
CC: 4 users
Doc Type: Bug Fix
Last Closed: 2012-09-21 19:57:58 EDT
Attachments: None
Description hellojoker 2012-05-26 00:06:09 EDT
libreport version: 2.0.10
executable:     /usr/bin/python2.7
hashmarkername: setroubleshoot
kernel:         3.3.4-5.fc17.x86_64
time:           sab 26 mag 2012 06:05:49 CEST

description:
SELinux is preventing /usr/libexec/totem-plugin-viewer from 'name_connect' accesses on the tcp_socket .

*****  Plugin connect_ports (99.5 confidence) suggests  **********************

If you want to allow /usr/libexec/totem-plugin-viewer to connect to network port 364
Then you need to modify the port type.
Do
# semanage port -a -t TIPO_PORTA -p tcp 364
    dove TIPO_PORTA è una delle seguenti: dns_port_t, mmcc_port_t, ipp_port_t, couchdb_port_t, streaming_port_t, port_t, vnc_port_t, ephemeral_port_type, ftp_port_t, speech_port_t, dns_port_t, http_cache_port_t, http_port_t, squid_port_t, pulseaudio_port_t, flash_port_t, unreserved_port_t, ocsp_port_t, kerberos_port_t.

*****  Plugin catchall (1.49 confidence) suggests  ***************************

If si crede che totem-plugin-viewer dovrebbe avere possibilità di accesso name_connect sui  tcp_socket in modo predefinito.
Then si dovrebbe riportare il problema come bug.
E' possibile generare un modulo di politica locale per consentire questo accesso.
Do
consentire questo accesso per il momento eseguendo:
# grep source:src /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023
Target Context                system_u:object_r:reserved_port_t:s0
Target Objects                 [ tcp_socket ]
Source                        source:src
Source Path                   /usr/libexec/totem-plugin-viewer
Port                          364
Host                          (removed)
Source RPM Packages           totem-mozplugin-3.4.1-3.fc17.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.10.0-121.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.3.4-5.fc17.x86_64 #1 SMP Mon May 7 17:29:34 UTC 2012 x86_64 x86_64
Alert Count                   1
First Seen                    sab 26 mag 2012 01:38:42 CEST
Last Seen                     sab 26 mag 2012 01:38:42 CEST
Local ID                      acea02e8-f747-4485-ba98-0edb2c36c3df

Raw Audit Messages
type=AVC msg=audit(1337989122.982:202): avc:  denied  { name_connect } for  pid=5215 comm="source:src" dest=364 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket

type=SYSCALL msg=audit(1337989122.982:202): arch=x86_64 syscall=connect success=no exit=EACCES a0=f a1=7f15051236c0 a2=10 a3=3283c05ef2 items=0 ppid=1 pid=5215 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=4 comm=source:src exe=/usr/libexec/totem-plugin-viewer subj=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 key=(null)

Hash: source:src,mozilla_plugin_t,reserved_port_t,tcp_socket,name_connect

audit2allow
unable to open /sys/fs/selinux/policy:  Permission denied

audit2allow -R
unable to open /sys/fs/selinux/policy:  Permission denied

Comment 1 Miroslav Grepl 2012-05-27 15:37:05 EDT
Do you know what you were doing?
Comment 2 hellojoker 2012-05-28 07:24:12 EDT
I was listening to a radio stream, but I can not reproduce the error, I do not know why.

http://www.radioglobo.it/streaming.asp?webradio=RADIO
Comment 3 Miroslav Grepl 2012-05-29 01:52:49 EDT
Ok, could you reopen if you get this again. Thank you.
Comment 4 hellojoker 2012-05-29 07:27:57 EDT
ok, thank you so much
Comment 5 oliver.zemann 2012-09-04 05:29:36 EDT
It's not possible to publish this bug via abrt because it says "NOTABUG" - that's evil!

I can reproduce it - always. Go to a streaming site which streams an avi file which should be opened by totem. That's it - the error will occur. I get this always when I want to watch some movies. Of course not copyright protected ones.

If someone is able to change the state please do so. I can not as I have no permissions.
Comment 6 Daniel Walsh 2012-09-04 16:31:42 EDT
Oliver, are you seeing it for port 364 also?
Comment 7 oliver.zemann 2012-09-04 18:29:47 EDT
I don't know, how can I check that? That's the message:

SELinux is preventing /usr/libexec/totem-plugin-viewer from name_connect access on the tcp_socket .

*****  Plugin connect_ports (99.5 confidence) suggests  **********************

If you want to allow /usr/libexec/totem-plugin-viewer to connect to network port 182
Then you need to modify the port type.
Do
# semanage port -a -t PORT_TYPE -p tcp 182
    wobei PORT_TYPE einer der folgenden Werte ist: mmcc_port_t, dns_port_t, asterisk_port_t, ipp_port_t, couchdb_port_t, streaming_port_t, port_t, vnc_port_t, gatekeeper_port_t, ephemeral_port_type, ftp_port_t, speech_port_t, http_cache_port_t, dns_port_t, http_port_t, squid_port_t, ircd_port_t, pulseaudio_port_t, flash_port_t, unreserved_port_t, jabber_client_port_t, monopd_port_t, soundd_port_t, ocsp_port_t, kerberos_port_t.

*****  Plugin catchall (1.49 confidence) suggests  ***************************

If sie denken, dass totem-plugin-viewer standardmässig erlaubt sein sollte, name_connect Zugriff auf  tcp_socket zu erhalten.
Then sie sollten dies als Fehler melden.
Um diesen Zugriff zu erlauben, können Sie ein lokales Richtlinien-Modul erstellen.
Do
zugriff jetzt erlauben, indem Sie die nachfolgenden Befehle ausführen:
# grep source:src /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023
Target Context                system_u:object_r:reserved_port_t:s0
Target Objects                 [ tcp_socket ]
Source                        source:src
Source Path                   /usr/libexec/totem-plugin-viewer
Port                          182
Host                          lucymobil
Source RPM Packages           totem-mozplugin-3.4.3-1.fc17.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.10.0-146.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     lucymobil
Platform                      Linux lucymobil 3.5.3-1.fc17.x86_64 #1 SMP Wed Aug 29 18:46:34 UTC 2012 x86_64 x86_64
Alert Count                   3
First Seen                    2012-09-04 11:24:02 CEST
Last Seen                     2012-09-05 00:29:10 CEST
Local ID                      a269a679-bd96-46da-969b-453fcec3b4d0

Raw Audit Messages
type=AVC msg=audit(1346797750.552:181): avc:  denied  { name_connect } for  pid=4718 comm="source:src" dest=182 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket


type=SYSCALL msg=audit(1346797750.552:181): arch=x86_64 syscall=connect success=no exit=EACCES a0=f a1=7f9e098186c0 a2=10 a3=38adc05ef2 items=0 ppid=1 pid=4718 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=2 comm=source:src exe=/usr/libexec/totem-plugin-viewer subj=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 key=(null)

Hash: source:src,mozilla_plugin_t,reserved_port_t,tcp_socket,name_connect

audit2allow

#============= mozilla_plugin_t ==============
#!!!! This avc can be allowed using the boolean 'allow_ypbind'

allow mozilla_plugin_t reserved_port_t:tcp_socket name_connect;

audit2allow -R

#============= mozilla_plugin_t ==============
#!!!! This avc can be allowed using the boolean 'allow_ypbind'

allow mozilla_plugin_t reserved_port_t:tcp_socket name_connect;
Comment 8 Miroslav Grepl 2012-09-05 04:24:01 EDT
So it connects also to random reserved ports.

I added

tunable_policy(`mozilla_plugin_can_network_connect',`
    corenet_tcp_connect_unreserved_ports(mozilla_plugin_t)
')

to policy. But I don't like to allow it also for reserved port types.
Comment 9 Daniel Walsh 2012-09-06 23:55:40 EDT
I think it is just better to turn off the transition in this case.

setsebool -P unconfined_mozilla_plugin_transition 0

If people want their plugins connecting to random ports, might as well turn off the protection.
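An added triage example (not code from this report or from the selinux-policy project): it parses the two AVC records quoted above, plus one constructed record for an unreserved port, and maps each denial to the two options discussed in comments 8 and 9. It assumes that the corenet_tcp_connect_unreserved_ports interface grants only unreserved_port_t, so a reserved_port_t target is left uncovered by the tunable.

```python
import re

# The two AVC records quoted in this report, plus one CONSTRUCTED record
# (dest=8080, unreserved_port_t) that is not from the report.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1337989122.982:202): avc:  denied  { name_connect } for  pid=5215 comm="source:src" dest=364 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket',
    'type=AVC msg=audit(1346797750.552:181): avc:  denied  { name_connect } for  pid=4718 comm="source:src" dest=182 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket',
    'type=AVC msg=audit(1346800000.000:300): avc:  denied  { name_connect } for  pid=4900 comm="source:src" dest=8080 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the pieces of one AVC denial, or None for non-AVC records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    f = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return {
        'perms': set(m.group('perms').split()),
        'stype': f['scontext'].split(':')[2],  # e.g. mozilla_plugin_t
        'ttype': f['tcontext'].split(':')[2],  # e.g. reserved_port_t
        'tclass': f.get('tclass'),
        'dest': int(f['dest']) if 'dest' in f else None,
    }


def verdict(rec):
    """Map one parsed denial to the options discussed in the thread."""
    if (rec['stype'] != 'mozilla_plugin_t' or rec['tclass'] != 'tcp_socket'
            or 'name_connect' not in rec['perms']):
        return 'not a mozilla_plugin_t tcp name_connect denial'
    # Assumption: the comment-8 interface grants unreserved_port_t only.
    if rec['ttype'] == 'unreserved_port_t':
        return 'covered by mozilla_plugin_can_network_connect (comment 8)'
    return ('reserved port type %s (port %s): not covered; remaining option in '
            'thread is setsebool -P unconfined_mozilla_plugin_transition 0'
            % (rec['ttype'], rec['dest']))


def triage(lines):
    """Return (dest port, verdict) for every AVC record in lines."""
    return [(r['dest'], verdict(r)) for r in map(parse_avc, lines) if r]
```

Feeding `grep '^type=AVC' /var/log/audit/audit.log` into triage() shows at a glance which denials the tunable would fix and which hit a reserved port type.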
Comment 10 Miroslav Grepl 2012-09-11 04:01:18 EDT
There was also another bug where we decided to add this boolean.
Comment 11 Fedora Update System 2012-09-17 08:12:01 EDT
selinux-policy-3.10.0-149.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-149.fc17
Comment 12 Fedora Update System 2012-09-18 22:53:46 EDT
Package selinux-policy-3.10.0-149.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-149.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-14301/selinux-policy-3.10.0-149.fc17
then log in and leave karma (feedback).
Comment 13 Fedora Update System 2012-09-21 19:57:58 EDT
selinux-policy-3.10.0-149.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
