I hit this when connecting to a VNC session via SSH port forwarding:

Dec 03 18:25:54 omiday.can.local audit[2665]: AVC avc:  denied  { name_connect } for  pid=2665 comm="sshd" dest=5901 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:vnc_port_t:s0 tclass=tcp_socket permissive=1
Dec 03 18:25:57 omiday.can.local dbus-daemon[5699]: [system] Activating service name='org.fedoraproject.Setroubleshootd' requested by ':1.147' (uid=0 pid=5650 comm="/usr/sbin/sedispatch " label="system_u:system_r:audisp_t:s0") (using servicehelper)
Dec 03 18:25:58 omiday.can.local dbus-daemon[5699]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd'
Dec 03 18:25:58 omiday.can.local setroubleshoot[22291]: SELinux is preventing sshd from name_connect access on the tcp_socket port 5901. For complete SELinux messages. run sealert -l 208a9002-1dee-43dc-b50a-d37538df836a
Dec 03 18:25:58 omiday.can.local python3[22291]: SELinux is preventing sshd from name_connect access on the tcp_socket port 5901.

    *****  Plugin catchall (100. confidence) suggests   **************************

    If you believe that sshd should be allowed name_connect access on the port 5901 tcp_socket by default.
    Then you should report this as a bug.
    You can generate a local policy module to allow this access.
    Do
    allow this access for now by executing:
    # ausearch -c 'sshd' --raw | audit2allow -M my-sshd
    # semodule -X 300 -i my-sshd.pp

If it's a bug I can file it in Bugzilla.

Thanks.

-- 
Viorel
_______________________________________________
test mailing list -- test@lists.fedoraproject.org