Additional info:
libreport version: 2.0.18
kernel: 3.6.6-1.fc17.i686

description:
:SELinux is preventing /usr/libexec/colord-sane from 'name_connect' accesses on the tcp_socket .
:
:***** Plugin connect_ports (99.5 confidence) suggests **********************
:
:If you want to allow /usr/libexec/colord-sane to connect to network port 8822
:Then you need to modify the port type.
:Do
:# semanage port -a -t PORT_TYPE -p tcp 8822
: where PORT_TYPE is one of the following: dns_port_t, ipp_port_t, dns_port_t, ocsp_port_t, kerberos_port_t.
:
:***** Plugin catchall (1.49 confidence) suggests ***************************
:
:If you believe that colord-sane should be allowed name_connect access on the tcp_socket by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep colord-sane /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                system_u:system_r:colord_t:s0
:Target Context                system_u:object_r:unreserved_port_t:s0
:Target Objects                [ tcp_socket ]
:Source                        colord-sane
:Source Path                   /usr/libexec/colord-sane
:Port                          8822
:Host                          (removed)
:Source RPM Packages           colord-0.1.23-1.fc17.i686
:Target RPM Packages
:Policy RPM                    selinux-policy-3.10.0-156.fc17.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Permissive
:Host Name                     (removed)
:Platform                      Linux (removed) 3.6.6-1.fc17.i686 #1 SMP Mon Nov 5
:                              22:11:18 UTC 2012 i686 i686
:Alert Count                   2
:First Seen                    2012-11-11 00:34:17 EST
:Last Seen                     2012-11-11 00:34:24 EST
:Local ID                      f72c3f29-8100-4491-9226-a161a1f41a5d
:
:Raw Audit Messages
:type=AVC msg=audit(1352612064.943:69): avc: denied { name_connect } for pid=1291 comm="colord-sane" dest=8822 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
:
:
:type=SYSCALL msg=audit(1352612064.943:69): arch=i386 syscall=socketcall success=no exit=ECONNREFUSED a0=3 a1=bfde8c98 a2=b58ff83c a3=0 items=0 ppid=1 pid=1291 auid=4294967295 uid=997 gid=994 euid=997 suid=997 fsuid=997 egid=994 sgid=994 fsgid=994 tty=(none) ses=4294967295 comm=colord-sane exe=/usr/libexec/colord-sane subj=system_u:system_r:colord_t:s0 key=(null)
:
:Hash: colord-sane,colord_t,unreserved_port_t,tcp_socket,name_connect
:
:audit2allow
:
:#============= colord_t ==============
:#!!!! This avc can be allowed using the boolean 'allow_ypbind'
:
:allow colord_t unreserved_port_t:tcp_socket name_connect;
:
:audit2allow -R
:
:#============= colord_t ==============
:#!!!! This avc can be allowed using the boolean 'allow_ypbind'
:
:allow colord_t unreserved_port_t:tcp_socket name_connect;
:
Created attachment 642584
File: type

Created attachment 642585
File: hashmarkername
This is a problem with colord-sane which needs a lot of accesses. If you see just this AVC msg and you need to make this work, then just add it as local policy.

# grep colord-sane /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
*** Bug 875423 has been marked as a duplicate of this bug. ***
*** Bug 875425 has been marked as a duplicate of this bug. ***
We probably should dontaudit these.
*** This bug has been marked as a duplicate of bug 858714 ***