libreport version: 2.0.10 executable: /usr/bin/python2.7 hashmarkername: setroubleshoot kernel: 3.4.5-2.fc17.x86_64 time: ven. 20 juil. 2012 21:02:12 CEST description: :SELinux is preventing /usr/bin/polipo from 'name_connect' accesses on the tcp_socket . : :***** Plugin catchall_boolean (89.3 confidence) suggests ******************* : :If you want to allow polipo to connect to all ports > 1023 :Then you must tell SELinux about this by enabling the 'polipo_connect_all_unreserved' boolean.You can read 'tor_selinux' man page for more details. :Do :setsebool -P polipo_connect_all_unreserved 1 : :***** Plugin catchall (11.6 confidence) suggests *************************** : :If you believe that polipo should be allowed name_connect access on the tcp_socket by default. :Then you should report this as a bug. :You can generate a local policy module to allow this access. :Do :allow this access for now by executing: :# grep polipo /var/log/audit/audit.log | audit2allow -M mypol :# semodule -i mypol.pp : :Additional Information: :Source Context system_u:system_r:polipo_t:s0 :Target Context system_u:object_r:tor_socks_port_t:s0 :Target Objects [ tcp_socket ] :Source polipo :Source Path /usr/bin/polipo :Port 9050 :Host (removed) :Source RPM Packages polipo-1.0.4.1-7.fc17.x86_64 :Target RPM Packages :Policy RPM selinux-policy-3.10.0-140.fc17.noarch :Selinux Enabled True :Policy Type targeted :Enforcing Mode Enforcing :Host Name (removed) :Platform Linux (removed) 3.4.5-2.fc17.x86_64 : #1 SMP Mon Jul 16 20:52:08 UTC 2012 x86_64 x86_64 :Alert Count 1 :First Seen ven. 20 juil. 2012 21:01:07 CEST :Last Seen ven. 20 juil. 2012 21:01:07 CEST :Local ID b66d665a-12a9-468b-8b99-8ee6f2655b2a : :Raw Audit Messages :type=AVC msg=audit(1342810867.420:158): avc: denied { name_connect } for pid=5175 comm="polipo" dest=9050 scontext=system_u:system_r:polipo_t:s0 tcontext=system_u:object_r:tor_socks_port_t:s0 tclass=tcp_socket : : :type=SYSCALL msg=audit(1342810867.420:158): arch=x86_64 syscall=connect success=no exit=EACCES a0=2 a1=7fff9ed7d000 a2=10 a3=7fff9ed7cd90 items=0 ppid=1 pid=5175 auid=4294967295 uid=104 gid=487 euid=104 suid=104 fsuid=104 egid=487 sgid=487 fsgid=487 tty=(none) ses=4294967295 comm=polipo exe=/usr/bin/polipo subj=system_u:system_r:polipo_t:s0 key=(null) : :Hash: polipo,polipo_t,tor_socks_port_t,tcp_socket,name_connect : :audit2allowunable to open /sys/fs/selinux/policy: Permission denied : : :audit2allow -Runable to open /sys/fs/selinux/policy: Permission denied : :
Is this a default setup? Should polipo be allowed to connect to port 9050 out of the box, or is this a locak customization. Looks like there is a boolean to allow this access.. setsebool -P polipo_connect_all_unreserved 1
That's not the default setup, I have added the part to connect to socks in polipo config ( following the man pages, but all result of "tor polipo" on the web give the same instruction like this one https://wiki.archlinux.org/index.php/Polipo#Tor ). For tor, that's the default setup And that's the default port of tor ( despites what tor_selinux say about it being another one ). I didn't see the message about man tor_selinux in the assistant ( shame on me, I directly read the AVC :/ ), but this seems incorrect ( ie, that should be polipo_selinux, not tor_selinux ). I do not know if my usage is common enough to warrant poking a hole in selinux policy, but i think letting polipo_t open a socket to tor_socks_port_t would not cause lots of problem. Probability that someone run tor in the default configuration and run polipo at the same time and not wanting them to communicate is pretty low, IMHO.
Turn on the boolean and I will fix the man page.
It loosk more as setroubleshoot-plugins bug.
I believe it has been fixed in F17.
I still see this error message in F18.
Paulo please attach your avc messages.
I've switched to privoxy and installed polipo again, and can't see this error anymore.