Bug 875424 - SELinux is preventing /usr/libexec/colord-sane from 'name_connect' accesses on the tcp_socket .
SELinux is preventing /usr/libexec/colord-sane from 'name_connect' accesses o...
Status: CLOSED DUPLICATE of bug 858714
Product: Fedora
Classification: Fedora
Component: colord (Show other bugs)
17
i686 Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Richard Hughes
Fedora Extras Quality Assurance
abrt_hash:bfeeb018dad69fb964a9ee40ca3...
:
: 875423 875425 (view as bug list)
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2012-11-11 00:36 EST by Anthony Vidas
Modified: 2013-04-24 06:36 EDT (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-04-24 06:36:14 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
File: type (9 bytes, text/plain)
2012-11-11 00:36 EST, Anthony Vidas
no flags Details
File: hashmarkername (14 bytes, text/plain)
2012-11-11 00:36 EST, Anthony Vidas
no flags Details

  None (edit)
Description Anthony Vidas 2012-11-11 00:36:30 EST
Additional info:
libreport version: 2.0.18
kernel:         3.6.6-1.fc17.i686

description:
:SELinux is preventing /usr/libexec/colord-sane from 'name_connect' accesses on the tcp_socket .
:
:*****  Plugin connect_ports (99.5 confidence) suggests  **********************
:
:If you want to allow /usr/libexec/colord-sane to connect to network port 8822
:Then you need to modify the port type.
:Do
:# semanage port -a -t PORT_TYPE -p tcp 8822
:    where PORT_TYPE is one of the following: dns_port_t, ipp_port_t, dns_port_t, ocsp_port_t, kerberos_port_t.
:
:*****  Plugin catchall (1.49 confidence) suggests  ***************************
:
:If you believe that colord-sane should be allowed name_connect access on the  tcp_socket by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep colord-sane /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                system_u:system_r:colord_t:s0
:Target Context                system_u:object_r:unreserved_port_t:s0
:Target Objects                 [ tcp_socket ]
:Source                        colord-sane
:Source Path                   /usr/libexec/colord-sane
:Port                          8822
:Host                          (removed)
:Source RPM Packages           colord-0.1.23-1.fc17.i686
:Target RPM Packages           
:Policy RPM                    selinux-policy-3.10.0-156.fc17.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Permissive
:Host Name                     (removed)
:Platform                      Linux (removed) 3.6.6-1.fc17.i686 #1 SMP Mon Nov 5
:                              22:11:18 UTC 2012 i686 i686
:Alert Count                   2
:First Seen                    2012-11-11 00:34:17 EST
:Last Seen                     2012-11-11 00:34:24 EST
:Local ID                      f72c3f29-8100-4491-9226-a161a1f41a5d
:
:Raw Audit Messages
:type=AVC msg=audit(1352612064.943:69): avc:  denied  { name_connect } for  pid=1291 comm="colord-sane" dest=8822 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
:
:
:type=SYSCALL msg=audit(1352612064.943:69): arch=i386 syscall=socketcall success=no exit=ECONNREFUSED a0=3 a1=bfde8c98 a2=b58ff83c a3=0 items=0 ppid=1 pid=1291 auid=4294967295 uid=997 gid=994 euid=997 suid=997 fsuid=997 egid=994 sgid=994 fsgid=994 tty=(none) ses=4294967295 comm=colord-sane exe=/usr/libexec/colord-sane subj=system_u:system_r:colord_t:s0 key=(null)
:
:Hash: colord-sane,colord_t,unreserved_port_t,tcp_socket,name_connect
:
:audit2allow
:
:#============= colord_t ==============
:#!!!! This avc can be allowed using the boolean 'allow_ypbind'
:
:allow colord_t unreserved_port_t:tcp_socket name_connect;
:
:audit2allow -R
:
:#============= colord_t ==============
:#!!!! This avc can be allowed using the boolean 'allow_ypbind'
:
:allow colord_t unreserved_port_t:tcp_socket name_connect;
:
Comment 1 Anthony Vidas 2012-11-11 00:36:33 EST
Created attachment 642584 [details]
File: type
Comment 2 Anthony Vidas 2012-11-11 00:36:35 EST
Created attachment 642585 [details]
File: hashmarkername
Comment 3 Miroslav Grepl 2012-11-12 08:42:31 EST
This is a problem with colord-sane which needs a lot of accesses. If you see just this AVC msg and you need to make this working then just add it as local policy.

# grep colord-sane /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Comment 4 Miroslav Grepl 2012-11-12 08:42:47 EST
*** Bug 875423 has been marked as a duplicate of this bug. ***
Comment 5 Miroslav Grepl 2012-11-12 08:42:57 EST
*** Bug 875425 has been marked as a duplicate of this bug. ***
Comment 6 Daniel Walsh 2012-11-12 14:51:19 EST
We probably should dontaudit these.
Comment 7 Richard Hughes 2013-04-24 06:36:14 EDT

*** This bug has been marked as a duplicate of bug 858714 ***

Note You need to log in before you can comment on or make changes to this bug.