Bug 841985 - SELinux is preventing /usr/bin/polipo from 'name_connect' accesses on the tcp_socket .
SELinux is preventing /usr/bin/polipo from 'name_connect' accesses on the tcp...
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: setroubleshoot-plugins (Show other bugs)
17
x86_64 Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
abrt_hash:e1a3b68a511ca213f34827b7cb1...
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2012-07-20 15:04 EDT by Michael Scherer
Modified: 2013-07-24 12:07 EDT (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-01-14 06:07:25 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Michael Scherer 2012-07-20 15:04:33 EDT
libreport version: 2.0.10
executable:     /usr/bin/python2.7
hashmarkername: setroubleshoot
kernel:         3.4.5-2.fc17.x86_64
time:           ven. 20 juil. 2012 21:02:12 CEST

description:
:SELinux is preventing /usr/bin/polipo from 'name_connect' accesses on the tcp_socket .
:
:*****  Plugin catchall_boolean (89.3 confidence) suggests  *******************
:
:If you want to allow polipo to connect to all ports > 1023
:Then you must tell SELinux about this by enabling the 'polipo_connect_all_unreserved' boolean.You can read 'tor_selinux' man page for more details.
:Do
:setsebool -P polipo_connect_all_unreserved 1
:
:*****  Plugin catchall (11.6 confidence) suggests  ***************************
:
:If you believe that polipo should be allowed name_connect access on the  tcp_socket by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep polipo /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                system_u:system_r:polipo_t:s0
:Target Context                system_u:object_r:tor_socks_port_t:s0
:Target Objects                 [ tcp_socket ]
:Source                        polipo
:Source Path                   /usr/bin/polipo
:Port                          9050
:Host                          (removed)
:Source RPM Packages           polipo-1.0.4.1-7.fc17.x86_64
:Target RPM Packages           
:Policy RPM                    selinux-policy-3.10.0-140.fc17.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed) 3.4.5-2.fc17.x86_64
:                              #1 SMP Mon Jul 16 20:52:08 UTC 2012 x86_64 x86_64
:Alert Count                   1
:First Seen                    ven. 20 juil. 2012 21:01:07 CEST
:Last Seen                     ven. 20 juil. 2012 21:01:07 CEST
:Local ID                      b66d665a-12a9-468b-8b99-8ee6f2655b2a
:
:Raw Audit Messages
:type=AVC msg=audit(1342810867.420:158): avc:  denied  { name_connect } for  pid=5175 comm="polipo" dest=9050 scontext=system_u:system_r:polipo_t:s0 tcontext=system_u:object_r:tor_socks_port_t:s0 tclass=tcp_socket
:
:
:type=SYSCALL msg=audit(1342810867.420:158): arch=x86_64 syscall=connect success=no exit=EACCES a0=2 a1=7fff9ed7d000 a2=10 a3=7fff9ed7cd90 items=0 ppid=1 pid=5175 auid=4294967295 uid=104 gid=487 euid=104 suid=104 fsuid=104 egid=487 sgid=487 fsgid=487 tty=(none) ses=4294967295 comm=polipo exe=/usr/bin/polipo subj=system_u:system_r:polipo_t:s0 key=(null)
:
:Hash: polipo,polipo_t,tor_socks_port_t,tcp_socket,name_connect
:
:audit2allowunable to open /sys/fs/selinux/policy:  Permission denied
:
:
:audit2allow -Runable to open /sys/fs/selinux/policy:  Permission denied
:
:
Comment 1 Daniel Walsh 2012-07-20 17:23:48 EDT
Is this a default setup?  Should polipo be allowed to connect to port 9050 out of the box, or is this a locak customization.

Looks like there is a boolean to allow this access..

setsebool -P polipo_connect_all_unreserved 1
Comment 2 Michael Scherer 2012-07-20 19:56:54 EDT
That's not the default setup, I have added the part to connect to socks in polipo config ( following the man pages, but all result of "tor polipo" on the web give the same instruction like this one https://wiki.archlinux.org/index.php/Polipo#Tor ). 

For tor, that's the default setup And that's the default port of tor ( despites what tor_selinux say about it being another one ). 


I didn't see the message about man tor_selinux in the assistant ( shame on me, I directly read the AVC :/ ), but this seems incorrect ( ie, that should be polipo_selinux, not tor_selinux ).

I do not know if my usage is common enough to warrant poking a hole in selinux policy, but i think letting polipo_t open a socket to tor_socks_port_t would not cause lots of problem. Probability that someone run tor in the default configuration and run polipo at the same time and not wanting them to communicate is pretty low, IMHO.
Comment 3 Daniel Walsh 2012-07-23 10:35:40 EDT
Turn on the boolean and I will fix the man page.
Comment 4 Miroslav Grepl 2012-07-24 06:56:14 EDT
It loosk more as setroubleshoot-plugins bug.
Comment 6 Miroslav Grepl 2013-01-14 06:07:25 EST
I believe it has been fixed in F17.
Comment 7 Paulo Fidalgo 2013-03-30 17:04:43 EDT
I still see this error message in F18.
Comment 8 Daniel Walsh 2013-04-01 09:26:39 EDT
Paulo please attach your avc messages.
Comment 9 Paulo Fidalgo 2013-07-24 12:07:56 EDT
I've switched to privoxy and installed polipo again, and can't see this error anymore.

Note You need to log in before you can comment on or make changes to this bug.