Bug 972485 - SELinux is preventing /usr/libexec/totem-plugin-viewer from 'name_connect' accesses on the tcp_socket .
SELinux is preventing /usr/libexec/totem-plugin-viewer from 'name_connect' ac...
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
19
x86_64 Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
abrt_hash:e43ccb947bad824baf3a9928194...
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2013-06-09 14:02 EDT by Francisco de la Peña
Modified: 2013-06-12 03:59 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-06-12 03:59:51 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Francisco de la Peña 2013-06-09 14:02:36 EDT
Description of problem:
When trying to load embedded web video
SELinux is preventing /usr/libexec/totem-plugin-viewer from 'name_connect' accesses on the tcp_socket .

*****  Plugin connect_ports (52.5 confidence) suggests  **********************

If you want to allow /usr/libexec/totem-plugin-viewer to connect to network port 182
Then you need to modify the port type.
Do
# semanage port -a -t TIPO_DE_PUERTO -p tcp 182</b>
    donde TIPO_DE_PUERTO es uno de los siguientes: asterisk_port_t, certmaster_port_t, cluster_port_t, commplex_link_port_t, couchdb_port_t, cyphesis_port_t, dns_port_t, ephemeral_port_t, flash_port_t, ftp_port_t, gatekeeper_port_t, hadoop_datanode_port_t, hplip_port_t, http_cache_port_t, http_port_t, ipp_port_t, ipsecnat_port_t, ircd_port_t, jabber_client_port_t, kerberos_port_t, keystone_port_t, matahari_port_t, mmcc_port_t, monopd_port_t, ms_streaming_port_t, msnp_port_t, ocsp_port_t, port_t, postgrey_port_t, pulseaudio_port_t, rtsp_port_t, soundd_port_t, speech_port_t, squid_port_t, tor_port_t, transproxy_port_t, unreserved_port_t, virt_migration_port_t, vnc_port_t.    

*****  Plugin mozplugger (39.5 confidence) suggests  *************************

If usted desea usar el paquete plugin
Then debe deshabilitar los controles de SELinux en los complementos de Firefox.
Do
# setsebool unconfined_mozilla_plugin_transition 0

*****  Plugin catchall_boolean (4.66 confidence) suggests  *******************

If desea allow mozilla plugin domain to connect to the network using TCP.
Then usted debe decir a SELinux sobre esto habilitando el booleano 'mozilla_plugin_can_network_connect'.
Puede leer la página man de 'mozilla_selinux' para más detalles.
Do
setsebool -P mozilla_plugin_can_network_connect 1

*****  Plugin catchall_boolean (4.66 confidence) suggests  *******************

If desea allow system to run with NIS
Then usted debe decir a SELinux sobre esto habilitando el booleano 'nis_enabled'.
Puede leer la página man de 'mozilla_selinux' para más detalles.
Do
setsebool -P nis_enabled 1

*****  Plugin catchall (1.02 confidence) suggests  ***************************

If cree que de manera predeterminada, totem-plugin-viewer debería permitir acceso name_connect sobre   tcp_socket.     
Then debería reportar esto como un error.
Puede generar un módulo de política local para permitir este acceso.
Do
permita el acceso momentáneamente executando:
# grep source:src /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c
                              0.c1023
Target Context                system_u:object_r:reserved_port_t:s0
Target Objects                 [ tcp_socket ]
Source                        source:src
Source Path                   /usr/libexec/totem-plugin-viewer
Port                          182
Host                          (removed)
Source RPM Packages           totem-mozplugin-3.8.2-1.fc19.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-48.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.9.4-301.fc19.x86_64 #1 SMP Tue
                              Jun 4 00:30:04 UTC 2013 x86_64 x86_64
Alert Count                   2
First Seen                    2013-06-02 13:17:39 CST
Last Seen                     2013-06-08 22:54:52 CST
Local ID                      566b991c-b7d1-48aa-8cde-3632f5e6510c

Raw Audit Messages
type=AVC msg=audit(1370753692.894:707): avc:  denied  { name_connect } for  pid=5887 comm="source:src" dest=182 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket


type=SYSCALL msg=audit(1370753692.894:707): arch=x86_64 syscall=connect success=no exit=EACCES a0=10 a1=7fa4035f94b0 a2=10 a3=0 items=0 ppid=1 pid=5887 auid=1000 uid=1000 gid=0 euid=1000 suid=1000 fsuid=1000 egid=0 sgid=0 fsgid=0 ses=1 tty=(none) comm=source:src exe=/usr/libexec/totem-plugin-viewer subj=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 key=(null)

Hash: source:src,mozilla_plugin_t,reserved_port_t,tcp_socket,name_connect

Additional info:
reporter:       libreport-2.1.4
hashmarkername: setroubleshoot
kernel:         3.9.4-301.fc19.x86_64
type:           libreport

Potential duplicate: bug 825417
Comment 1 Miroslav Grepl 2013-06-12 03:59:51 EDT
If desea allow mozilla plugin domain to connect to the network using TCP.
Then usted debe decir a SELinux sobre esto habilitando el booleano 'mozilla_plugin_can_network_connect'.
Puede leer la página man de 'mozilla_selinux' para más detalles.
Do
setsebool -P mozilla_plugin_can_network_connect 1

*****  Plugin catchall_boolean (4.66 confidence) suggest

Note You need to log in before you can comment on or make changes to this bug.