I hit this when connecting to a VNC session via SSH port forwarding:
Dec 03 18:25:54 omiday.can.local audit[2665]: AVC avc: denied { name_connect } for pid=2665 comm="sshd" dest=5901 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:vnc_port_t:s0 tclass=tcp_socket permissive=1
Dec 03 18:25:57 omiday.can.local dbus-daemon[5699]: [system] Activating service name='org.fedoraproject.Setroubleshootd' requested by ':1.147' (uid=0 pid=5650 comm="/usr/sbin/sedispatch " label="system_u:system_r:audisp_t:s0") (using servicehelper)
Dec 03 18:25:58 omiday.can.local dbus-daemon[5699]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd'
Dec 03 18:25:58 omiday.can.local setroubleshoot[22291]: SELinux is preventing sshd from name_connect access on the tcp_socket port 5901. For complete SELinux messages. run sealert -l 208a9002-1dee-43dc-b50a-d37538df836a
Dec 03 18:25:58 omiday.can.local python3[22291]: SELinux is preventing sshd from name_connect access on the tcp_socket port 5901.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that sshd should be allowed name_connect access on the port 5901 tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'sshd' --raw | audit2allow -M my-sshd
# semodule -X 300 -i my-sshd.pp
If it's a bug I can file it in Bugzilla.
Thanks.
--
Viorel
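Added example, not part of the post above: a small parser for the AVC record quoted in it that pulls out the source and target types, reconstructs the allow rule that audit2allow would write into the my-sshd module, and reports whether the access was actually blocked. The sample line is the post's own denial re-joined onto one line; note its permissive=1, which means the connection was logged but not denied.

```python
import re

# Sample AVC record, constructed from the denial quoted in the post
# (re-joined onto one line, as auditd emits it).
SAMPLE_AVC = (
    'Dec 03 18:25:54 omiday.can.local audit[2665]: AVC avc: denied '
    '{ name_connect } for pid=2665 comm="sshd" dest=5901 '
    'scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:vnc_port_t:s0 tclass=tcp_socket permissive=1'
)

# "avc: denied { perm [perm ...] } for key=value ..."
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)')
# key=value pairs; comm= is double-quoted, everything else is bare
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the permissions and key=value fields of one AVC line, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    fields['perms'] = m.group('perms').split()
    return fields


def type_of(context):
    """Type is the third field of a user:role:type[:range] context."""
    return context.split(':')[2]


def allow_rule(fields):
    """The allow rule audit2allow generates for this denial (one line of the .te)."""
    perms = fields['perms']
    perm_str = perms[0] if len(perms) == 1 else '{ %s }' % ' '.join(perms)
    return 'allow %s %s:%s %s;' % (type_of(fields['scontext']),
                                   type_of(fields['tcontext']),
                                   fields['tclass'], perm_str)


def was_enforced(fields):
    """True only when SELinux really blocked the access (permissive=0)."""
    return fields.get('permissive') == '0'


if __name__ == '__main__':
    f = parse_avc(SAMPLE_AVC)
    print(allow_rule(f), '| enforced:', was_enforced(f))
```

Before loading such a module, check that the rule is as narrow as the one printed here; a denial with permissive=1 never blocked anything, so the module only matters once the domain is enforcing.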