Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.
Bug 1030520
| Summary: | SELinux is preventing /usr/bin/totem-video-thumbnailer from 'name_connect' accesses on the tcp_socket . | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Angel Carrasco <mc.claren> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED WONTFIX | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 19 | CC: | dominick.grift, dwalsh, lvrabec, mgrepl |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Unspecified | ||
| Whiteboard: | abrt_hash:1b44412b5a3871960e28683668f6fb918a73698610947b4e30f1187228f0399e | ||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2013-11-18 18:11:38 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
This is not something we want to allow or would recommend that you allow. Basically just running nautilus on this image is causing the process to attempt a connection to a remote site. I don't think this is something you should allow. |
Description of problem: SELinux is preventing /usr/bin/totem-video-thumbnailer from 'name_connect' accesses on the tcp_socket . ***** Plugin catchall (100. confidence) suggests *************************** If cree que de manera predeterminada, totem-video-thumbnailer debería permitir acceso name_connect sobre tcp_socket. Then debería reportar esto como un error. Puede generar un módulo de política local para permitir este acceso. Do permita el acceso momentáneamente executando: # grep souphttpsrc0:sr /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 Target Context system_u:object_r:http_port_t:s0 Target Objects [ tcp_socket ] Source souphttpsrc0:sr Source Path /usr/bin/totem-video-thumbnailer Port 80 Host (removed) Source RPM Packages totem-3.8.2-1.fc19.x86_64 Target RPM Packages Policy RPM selinux-policy-3.12.1-74.11.fc19.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 3.11.7-200.fc19.x86_64 #1 SMP Mon Nov 4 14:09:03 UTC 2013 x86_64 x86_64 Alert Count 2 First Seen 2013-11-14 09:42:00 CST Last Seen 2013-11-14 09:42:00 CST Local ID 911a32df-9f80-4e03-b912-dda731eb924b Raw Audit Messages type=AVC msg=audit(1384443720.607:528): avc: denied { name_connect } for pid=5491 comm="souphttpsrc0:sr" dest=80 scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket type=SYSCALL msg=audit(1384443720.607:528): arch=x86_64 syscall=connect success=no exit=EACCES a0=c a1=7f6b2d0cd4f0 a2=10 a3=0 items=0 ppid=5399 pid=5491 auid=1000 uid=1000 gid=1001 euid=1000 suid=1000 fsuid=1000 egid=1001 sgid=1001 fsgid=1001 ses=1 tty=(none) comm=souphttpsrc0:sr exe=/usr/bin/totem-video-thumbnailer subj=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 key=(null) Hash: souphttpsrc0:sr,thumb_t,http_port_t,tcp_socket,name_connect Additional info: reporter: libreport-2.1.9 hashmarkername: setroubleshoot kernel: 3.11.7-200.fc19.x86_64 type: libreport