Bug 888130 - SELinux is preventing netdiscovery from 'name_connect' accesses on the tcp_socket .
Summary: SELinux is preventing netdiscovery from 'name_connect' accesses on the tcp_so...
Keywords:
Status: CLOSED DUPLICATE of bug 858714
Alias: None
Product: Fedora
Classification: Fedora
Component: colord
Version: 17
Hardware: i686
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Richard Hughes
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:e9c14c50a821c5975bc79e6416e...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2012-12-18 03:43 UTC by Anthony Vidas
Modified: 2013-04-24 10:36 UTC (History)
4 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2013-04-24 10:36:51 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)
File: type (9 bytes, text/plain)
2012-12-18 03:43 UTC, Anthony Vidas 		no flags Details
File: hashmarkername (14 bytes, text/plain)
2012-12-18 03:43 UTC, Anthony Vidas 		no flags Details
View All

Description Anthony Vidas 2012-12-18 03:43:27 UTC 
Additional info:
libreport version: 2.0.18
kernel:         3.6.10-2.fc17.i686

description:
:SELinux is preventing netdiscovery from 'name_connect' accesses on the tcp_socket .
:
:*****  Plugin connect_ports (99.5 confidence) suggests  **********************
:
:If you want to allow netdiscovery to connect to network port 427
:Then you need to modify the port type.
:Do
:# semanage port -a -t PORT_TYPE -p tcp 427
:    where PORT_TYPE is one of the following: dns_port_t, dns_port_t, ipp_port_t, ocsp_port_t, kerberos_port_t.
:
:*****  Plugin catchall (1.49 confidence) suggests  ***************************
:
:If you believe that netdiscovery should be allowed name_connect access on the  tcp_socket by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep netdiscovery /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                system_u:system_r:colord_t:s0
:Target Context                system_u:object_r:reserved_port_t:s0
:Target Objects                 [ tcp_socket ]
:Source                        netdiscovery
:Source Path                   netdiscovery
:Port                          427
:Host                          (removed)
:Source RPM Packages           
:Target RPM Packages           
:Policy RPM                    selinux-policy-3.10.0-161.fc17.noarch
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Permissive
:Host Name                     (removed)
:Platform                      Linux (removed) 3.6.10-2.fc17.i686 #1 SMP Tue Dec
:                              11 18:33:15 UTC 2012 i686 i686
:Alert Count                   2
:First Seen                    2012-12-17 22:28:26 EST
:Last Seen                     2012-12-17 22:28:33 EST
:Local ID                      7ecd9d56-836f-466f-b38a-280038a1eb19
:
:Raw Audit Messages
:type=AVC msg=audit(1355801313.920:73): avc:  denied  { name_connect } for  pid=1599 comm="netdiscovery" dest=427 scontext=system_u:system_r:colord_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket
:
:
:Hash: netdiscovery,colord_t,reserved_port_t,tcp_socket,name_connect
:
:audit2allow
:
:#============= colord_t ==============
:#!!!! This avc can be allowed using the boolean 'allow_ypbind'
:
:allow colord_t reserved_port_t:tcp_socket name_connect;
:
:audit2allow -R
:
:#============= colord_t ==============
:#!!!! This avc can be allowed using the boolean 'allow_ypbind'
:
:allow colord_t reserved_port_t:tcp_socket name_connect;
:


Potential duplicate bug: 741754
Comment 1 Anthony Vidas 2012-12-18 03:43:33 UTC 
Created attachment 665255 [details]
File: type
Comment 2 Anthony Vidas 2012-12-18 03:43:35 UTC 
Created attachment 665256 [details]
File: hashmarkername
Comment 3 Miroslav Grepl 2012-12-18 14:17:59 UTC 
What does netdiscovery exactly do? Does it want to connect to random ports?
Comment 4 Daniel Walsh 2012-12-18 14:56:46 UTC 
Is there any reason for colord to be running netdiscovery?
Comment 5 Richard Hughes 2013-04-24 10:36:51 UTC 

*** This bug has been marked as a duplicate of bug 858714 ***
Note You need to log in before you can comment on or make changes to this bug.