Bug 853488 - SELinux is preventing /usr/libexec/polkit-1/polkitd from 'name_connect' accesses on the tcp_socket .
SELinux is preventing /usr/libexec/polkit-1/polkitd from 'name_connect' acces...
Product: Fedora
Classification: Fedora
Component: polkit (Show other bugs)
x86_64 Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Miloslav Trmač
Fedora Extras Quality Assurance
Depends On:
  Show dependency treegraph
Reported: 2012-08-31 13:40 EDT by Eugene Kanter
Modified: 2013-04-15 15:52 EDT (History)
6 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2013-04-15 15:52:26 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
File: type (9 bytes, text/plain)
2012-08-31 13:41 EDT, Eugene Kanter
no flags Details
File: hashmarkername (14 bytes, text/plain)
2012-08-31 13:41 EDT, Eugene Kanter
no flags Details

  None (edit)
Description Eugene Kanter 2012-08-31 13:40:56 EDT
Additional info:
libreport version: 2.0.13
kernel:         3.5.2-3.fc17.x86_64

:SELinux is preventing /usr/libexec/polkit-1/polkitd from 'name_connect' accesses on the tcp_socket .
:*****  Plugin catchall (100. confidence) suggests  ***************************
:If you believe that polkitd should be allowed name_connect access on the  tcp_socket by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:allow this access for now by executing:
:# grep polkitd /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:Additional Information:
:Source Context                system_u:system_r:policykit_t:s0-s0:c0.c1023
:Target Context                system_u:object_r:ephemeral_port_t:s0
:Target Objects                 [ tcp_socket ]
:Source                        polkitd
:Source Path                   /usr/libexec/polkit-1/polkitd
:Port                          52818
:Host                          (removed)
:Source RPM Packages           polkit-0.104-6.fc17.x86_64
:                              polkit-0.104-6.fc17.i686
:Target RPM Packages           
:Policy RPM                    selinux-policy-3.10.0-146.fc17.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Permissive
:Host Name                     (removed)
:Platform                      Linux (removed) 3.5.2-3.fc17.x86_64 #1 SMP Tue Aug
:                              21 19:06:52 UTC 2012 x86_64 x86_64
:Alert Count                   6
:First Seen                    2012-08-31 12:35:37 EDT
:Last Seen                     2012-08-31 13:28:36 EDT
:Local ID                      af1002f3-28da-4d41-9282-c944fc4c8d89
:Raw Audit Messages
:type=AVC msg=audit(1346434116.873:182): avc:  denied  { name_connect } for  pid=886 comm="polkitd" dest=52818 scontext=system_u:system_r:policykit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:ephemeral_port_t:s0 tclass=tcp_socket
:type=SYSCALL msg=audit(1346434116.873:182): arch=x86_64 syscall=connect success=yes exit=0 a0=b a1=7fffb48f7eb0 a2=10 a3=324 items=0 ppid=1 pid=886 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=polkitd exe=/usr/libexec/polkit-1/polkitd subj=system_u:system_r:policykit_t:s0-s0:c0.c1023 key=(null)
:Hash: polkitd,policykit_t,ephemeral_port_t,tcp_socket,name_connect
:#============= policykit_t ==============
:allow policykit_t ephemeral_port_t:tcp_socket name_connect;
:audit2allow -R
:#============= policykit_t ==============
:allow policykit_t ephemeral_port_t:tcp_socket name_connect;
Comment 1 Eugene Kanter 2012-08-31 13:41:00 EDT
Created attachment 608585 [details]
File: type
Comment 2 Eugene Kanter 2012-08-31 13:41:04 EDT
Created attachment 608586 [details]
File: hashmarkername
Comment 3 Miroslav Grepl 2012-09-03 04:23:15 EDT
Does it happen by default?
Comment 4 Eugene Kanter 2012-09-03 12:35:40 EDT
(In reply to comment #3)
> Does it happen by default?

I didn't understand this question. Please elaborate.
I found many instances of this error in the log.
Comment 5 Miroslav Grepl 2012-09-03 13:40:05 EDT
Did you setup anything?
Comment 6 Daniel Walsh 2012-09-06 23:36:10 EDT
Are you using nis?  ypbind?
Comment 7 Eugene Kanter 2013-03-06 19:33:32 EST
I am using NIS which includes ypbind.
Comment 8 Daniel Walsh 2013-03-07 11:44:10 EST
setsebool -P allow_ypbind 1

(On F18 you would execute setsebool -P nis_enabled 1)
Comment 9 Miloslav Trmač 2013-04-12 22:04:11 EDT
(In reply to comment #8)
> setsebool -P allow_ypbind 1
> (On F18 you would execute setsebool -P nis_enabled 1)

Eugene, does settting the above resolve the SELinux denial?
Comment 10 Eugene Kanter 2013-04-15 15:50:15 EDT
I usually configure all my systems the same way, with NIS enabled in firstboot.
Either firstboot failed to set allow_ypbind or it was some other glitch.
The error is no longer found in log files.
Comment 11 Miloslav Trmač 2013-04-15 15:52:26 EDT
Thank you, closing.

Note You need to log in before you can comment on or make changes to this bug.