Description of problem:
SELinux is preventing /usr/libexec/totem-plugin-viewer from 'name_connect' accesses on the tcp_socket .

***** Plugin connect_ports (52.5 confidence) suggests **********************

If you want to allow /usr/libexec/totem-plugin-viewer to connect to network port 182
Then you need to modify the port type.
Do
# semanage port -a -t PORT_TYPE -p tcp 182
    where PORT_TYPE is one of the following: aol_port_t, asterisk_port_t, certmaster_port_t, cluster_port_t, commplex_port_t, couchdb_port_t, cyphesis_port_t, dns_port_t, ephemeral_port_t, flash_port_t, ftp_port_t, gatekeeper_port_t, hadoop_datanode_port_t, hplip_port_t, http_cache_port_t, http_port_t, ipp_port_t, ipsecnat_port_t, ircd_port_t, jabber_client_port_t, jboss_management_port_t, kerberos_port_t, keystone_port_t, matahari_port_t, mmcc_port_t, monopd_port_t, msnp_port_t, ocsp_port_t, port_t, postgrey_port_t, pulseaudio_port_t, soundd_port_t, speech_port_t, squid_port_t, streaming_port_t, tor_socks_port_t, transproxy_port_t, unreserved_port_t, virt_migration_port_t, vnc_port_t.

***** Plugin mozplugger (39.5 confidence) suggests *************************

If you want to use the plugin package
Then you must turn off SELinux controls on the Firefox plugins.
Do
# setsebool unconfined_mozilla_plugin_transition 0

***** Plugin catchall_boolean (4.66 confidence) suggests *******************

If you want to allow mozilla plugin domain to connect to the network using TCP.
Then you must tell SELinux about this by enabling the 'mozilla_plugin_can_network_connect' boolean.
You can read 'mozilla_selinux' man page for more details.
Do
setsebool -P mozilla_plugin_can_network_connect 1

***** Plugin catchall_boolean (4.66 confidence) suggests *******************

If you want to allow system to run with NIS
Then you must tell SELinux about this by enabling the 'nis_enabled' boolean.
You can read 'mozilla_selinux' man page for more details.
Do
setsebool -P nis_enabled 1

***** Plugin catchall (1.02 confidence) suggests ***************************

If you believe that totem-plugin-viewer should be allowed name_connect access on the tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep source:src /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023
Target Context                system_u:object_r:reserved_port_t:s0
Target Objects                [ tcp_socket ]
Source                        source:src
Source Path                   /usr/libexec/totem-plugin-viewer
Port                          182
Host                          (removed)
Source RPM Packages           totem-mozplugin-3.6.3-2.fc18.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.11.1-97.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.9.4-200.fc18.x86_64 #1 SMP Fri May 24 20:10:49 UTC 2013 x86_64 x86_64
Alert Count                   1
First Seen                    2013-06-04 23:41:35 CEST
Last Seen                     2013-06-04 23:41:35 CEST
Local ID                      901b8fa3-4aa5-48dc-873f-31ea9ff862f6

Raw Audit Messages
type=AVC msg=audit(1370382095.111:387): avc: denied { name_connect } for pid=20902 comm="source:src" dest=182 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket

type=SYSCALL msg=audit(1370382095.111:387): arch=x86_64 syscall=connect success=no exit=EACCES a0=17 a1=7f62bd082540 a2=10 a3=3381e05f3a items=0 ppid=1 pid=20902 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 ses=2 tty=(none) comm=source:src exe=/usr/libexec/totem-plugin-viewer subj=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 key=(null)

Hash: source:src,mozilla_plugin_t,reserved_port_t,tcp_socket,name_connect

audit2allow

#============= mozilla_plugin_t ==============
#!!!! This avc can be allowed using one of the these booleans:
#     mozilla_plugin_can_network_connect, nis_enabled

allow mozilla_plugin_t reserved_port_t:tcp_socket name_connect;

audit2allow -R
require {
	type mozilla_plugin_t;
}

#============= mozilla_plugin_t ==============
corenet_tcp_connect_reserved_port(mozilla_plugin_t)

Additional info:
reporter:       libreport-2.1.4
hashmarkername: setroubleshoot
kernel:         3.9.4-200.fc18.x86_64
type:           libreport

Potential duplicate: bug 825417

You can allow it using

# setsebool -P mozilla_plugin_can_network_connect 1