Bug 873719 - SELinux is preventing /opt/google/talkplugin/GoogleTalkPlugin from 'name_connect' accesses on the tcp_socket .
Status: CLOSED WONTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 17
Hardware: x86_64
OS: Unspecified
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Whiteboard: abrt_hash:a26503f8f131cd5136d08313640...
Duplicates: 873720
Reported: 2012-11-06 14:46 UTC by bolgrom
Modified: 2012-11-07 21:25 UTC (History)
Last Closed: 2012-11-07 21:25:07 UTC
Attachments
File: type (9 bytes, text/plain), 2012-11-06 14:46 UTC, bolgrom
File: hashmarkername (14 bytes, text/plain), 2012-11-06 14:46 UTC, bolgrom

Description bolgrom 2012-11-06 14:46:17 UTC
Description of problem:
Google Talk Plugin
allow name_connect get access to tcp_socket


Additional info:
libreport version: 2.0.16
kernel:         3.6.3-1.fc17.x86_64

Comment 1 bolgrom 2012-11-06 14:46:20 UTC
Created attachment 639401
File: type

Comment 2 bolgrom 2012-11-06 14:46:22 UTC
Created attachment 639402
File: hashmarkername

Comment 3 Daniel Walsh 2012-11-06 16:46:41 UTC
*** Bug 873720 has been marked as a duplicate of this bug. ***

Comment 4 Daniel Walsh 2012-11-06 16:47:23 UTC
Could you attach the AVC information?

Comment 5 bolgrom 2012-11-06 17:35:59 UTC
Hello, thank you for dealing with this ticket.
Is this the information you need? I got it from the SELinux window:

Additional Information:
Source Context                unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c
                              0.c1023
Target Context                system_u:object_r:openvpn_port_t:s0
Target Objects                 [ tcp_socket ]
Source                        GoogleTalkPlugi
Source Path                   /opt/google/talkplugin/GoogleTalkPlugin
Port                          1194
Host                          localhost.localdomain
Source RPM Packages           google-talkplugin-3.9.1.0-1.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.10.0-156.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 3.6.3-1.fc17.x86_64 #1
                              SMP Mon Oct 22 15:32:35 UTC 2012 x86_64 x86_64
Alert Count                   1
First Seen                    2012-11-05 20:01:37 CET
Last Seen                     2012-11-05 20:01:37 CET
Local ID                      bc1df1d0-4a24-42e3-af7b-b570cf165929

Raw Audit Messages
type=AVC msg=audit(1352142097.729:395): avc:  denied  { name_connect } for  pid=31242 comm="GoogleTalkPlugi" dest=1194 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:openvpn_port_t:s0 tclass=tcp_socket


type=SYSCALL msg=audit(1352142097.729:395): arch=x86_64 syscall=connect success=no exit=EACCES a0=3a a1=7f880bffcfb0 a2=10 a3=f0 items=0 ppid=1 pid=31242 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=1 comm=GoogleTalkPlugi exe=/opt/google/talkplugin/GoogleTalkPlugin subj=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 key=(null)

Hash: GoogleTalkPlugi,mozilla_plugin_t,openvpn_port_t,tcp_socket,name_connect

audit2allow

#============= mozilla_plugin_t ==============
allow mozilla_plugin_t openvpn_port_t:tcp_socket name_connect;

audit2allow -R

#============= mozilla_plugin_t ==============
allow mozilla_plugin_t openvpn_port_t:tcp_socket name_connect;

Comment 6 bolgrom 2012-11-06 17:37:36 UTC
(In reply to comment #4)
> Could you attach the AVC information?

I hit "Reply" so that you could see that I posted a comment.

Comment 7 Daniel Walsh 2012-11-06 18:35:58 UTC
Did GoogleTalk work properly? I.e., other than this AVC showing up, did you notice any problems?

Comment 8 bolgrom 2012-11-06 19:42:10 UTC
(In reply to comment #7)
> Did GoogleTalk work properly? I.e., other than this AVC showing up, did you
> notice any problems?

Google Talk works properly, although sometimes there is no sound. In this case I go to chat settings and change sound settings from analog speakers to standard and back to analog speakers, and then it works. But it occurs only from time to time. And it doesn't work properly with Empathy, only on the website.

Comment 9 Miroslav Grepl 2012-11-07 12:11:50 UTC
Are you able to re-create this AVC?

Comment 10 bolgrom 2012-11-07 19:33:27 UTC
(In reply to comment #9)
> Are you able to re-create this AVC?

Sorry, I don't know how to do this.

Comment 11 Daniel Walsh 2012-11-07 20:17:51 UTC
Can you get the error to happen again?

Comment 12 bolgrom 2012-11-07 20:43:30 UTC
No, I tried videochat in GMail, Google+ and Empathy, but it didn't happen. Although the quality of video and sound in Empathy was worse and video went on and off.
But I couldn't make the bug happen again. Can it be because the kernel was updated?

Comment 13 Daniel Walsh 2012-11-07 21:25:07 UTC
No, most likely you went to a web site that triggered a connection to TCP port 1194. I am going to close this and see if it happens again, to another user. This port is usually used for VPNs. So I am not anxious to open it up.
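
Added example (not part of the bug report or of selinux-policy): a small Python triage helper that parses the raw AVC record from comment 5, rebuilds the rule audit2allow suggested, and flags `name_connect` denials whose target port type is on a review list, which is the judgment made in comment 13. `REVIEW_PORT_TYPES` and the function names are assumptions for illustration.

```python
import re

# Raw AVC record copied from comment 5 of this bug.
AVC = ('type=AVC msg=audit(1352142097.729:395): avc:  denied  { name_connect } '
       'for  pid=31242 comm="GoogleTalkPlugi" dest=1194 '
       'scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 '
       'tcontext=system_u:object_r:openvpn_port_t:s0 tclass=tcp_socket')

# Hypothetical review list (an assumption, not shipped policy): port types a
# browser plugin domain has no routine reason to reach.
REVIEW_PORT_TYPES = {"openvpn_port_t", "ssh_port_t", "smtp_port_t"}

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)')

def parse_avc(line):
    """Return a dict describing one denied AVC record, or None if no match."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1)
                  for kv in m.group("fields").split() if "=" in kv)
    # A context is user:role:type:level; the level may itself contain colons,
    # so the type is always the third colon-separated field.
    return {
        "perms": m.group("perms").split(),
        "comm": fields.get("comm", "").strip('"'),
        "dest": int(fields["dest"]) if "dest" in fields else None,
        "source_type": fields["scontext"].split(":")[2],
        "target_type": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
    }

def candidate_rule(rec):
    """Format the allow rule audit2allow would propose for this record."""
    perms = rec["perms"]
    p = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {rec['source_type']} {rec['target_type']}:{rec['tclass']} {p};"

def needs_review(rec):
    """True when an outbound TCP connect targets a port type on the review list."""
    return (rec["tclass"] == "tcp_socket" and "name_connect" in rec["perms"]
            and rec["target_type"] in REVIEW_PORT_TYPES)

if __name__ == "__main__":
    rec = parse_avc(AVC)
    print(candidate_rule(rec))
    print("review before allowing:", needs_review(rec))
```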

