Re: Issue with updating denyhosts to use systemd

So I'm trying to get denyhosts updated to use systemd to keep it from being kicked out of the distribution, and I'm running into an odd problem that at the end comes down to selinux. denyhosts wants the hostname in the environment when it starts up. (This lets it add the hostname to the subject of messages it sends.) The initscript used to do this but of course not with systemd so I need another method. Using /etc/sysconfig/network as an EnvironmentFile seems a terrible, horrible hack so I just fixed denyhosts to so it internally by just calling platform.node() (python if it's not obvious) at the appropriate place. Unfortunately selinux disallows this. I guess the policy needs to be opened a bit but I'm not sure how to do this properly or without compromising security. - J< Jan 31 13:58:16 ld93 denyhosts.py[1785]: Traceback (most recent call last): Jan 31 13:58:16 ld93 denyhosts.py[1785]: File "/usr/bin/denyhosts.py", line 113, in <module> Jan 31 13:58:16 ld93 denyhosts.py[1785]: os.environ['HOSTNAME'] = platform.node() Jan 31 13:58:16 ld93 denyhosts.py[1785]: File "/usr/lib64/python2.7/platform.py", line 1292, in node Jan 31 13:58:16 ld93 denyhosts.py[1785]: return uname()[1] Jan 31 13:58:16 ld93 denyhosts.py[1785]: File "/usr/lib64/python2.7/platform.py", line 1249, in uname Jan 31 13:58:16 ld93 denyhosts.py[1785]: processor = _syscmd_uname('-p','') Jan 31 13:58:16 ld93 denyhosts.py[1785]: File "/usr/lib64/python2.7/platform.py", line 1005, in _syscmd_uname Jan 31 13:58:16 ld93 denyhosts.py[1785]: output = string.strip(f.read()) Jan 31 13:58:16 ld93 denyhosts.py[1785]: IOError: [Errno 13] Permission denied time->Tue Jan 31 13:58:16 2012 type=SYSCALL msg=audit(1328039896.475:18367): arch=c000003e syscall=5 success=no exit=-13 a0=3 a1=7fff61069bc0 a2=7fff61069bc0 a3=ffffc000 items=0 ppid=1 pid=1785 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="denyhosts.py" exe="/usr/bin/python" subj=system_u:system_r:denyhosts_t:s0 key=(null) type=AVC msg=audit(1328039896.475:18367): avc: denied { getattr } for pid=1785 comm="denyhosts.py" path="pipe:[1105844]" dev=pipefs ino=1105844 scontext=system_u:system_r:denyhosts_t:s0 tcontext=system_u:system_r:denyhosts_t:s0 tclass=fifo_file ---- time->Tue Jan 31 13:58:16 2012 type=SYSCALL msg=audit(1328039896.475:18368): arch=c000003e syscall=5 success=no exit=-13 a0=3 a1=7fff61069bc0 a2=7fff61069bc0 a3=1 items=0 ppid=1 pid=1785 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="denyhosts.py" exe="/usr/bin/python" subj=system_u:system_r:denyhosts_t:s0 key=(null) type=AVC msg=audit(1328039896.475:18368): avc: denied { getattr } for pid=1785 comm="denyhosts.py" path="pipe:[1105844]" dev=pipefs ino=1105844 scontext=system_u:system_r:denyhosts_t:s0 tcontext=system_u:system_r:denyhosts_t:s0 tclass=fifo_file ---- time->Tue Jan 31 13:58:16 2012 type=SYSCALL msg=audit(1328039896.475:18369): arch=c000003e syscall=59 success=no exit=-13 a0=398ed70c1e a1=7fff61067b60 a2=7fff6106a6b0 a3=7f5312d0d9d0 items=0 ppid=1785 pid=1786 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="denyhosts.py" exe="/usr/bin/python" subj=system_u:system_r:denyhosts_t:s0 key=(null) type=AVC msg=audit(1328039896.475:18369): avc: denied { execute } for pid=1786 comm="denyhosts.py" name="bash" dev=dm-0 ino=686466 scontext=system_u:system_r:denyhosts_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file ---- time->Tue Jan 31 13:58:16 2012 type=SYSCALL msg=audit(1328039896.475:18370): arch=c000003e syscall=5 success=no exit=-13 a0=3 a1=7fff61069b40 a2=7fff61069b40 a3=2025 items=0 ppid=1 pid=1785 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="denyhosts.py" exe="/usr/bin/python" subj=system_u:system_r:denyhosts_t:s0 key=(null) type=AVC msg=audit(1328039896.475:18370): avc: denied { getattr } for pid=1785 comm="denyhosts.py" path="pipe:[1105844]" dev=pipefs ino=1105844 scontext=system_u:system_r:denyhosts_t:s0 tcontext=system_u:system_r:denyhosts_t:s0 tclass=fifo_file ---- time->Tue Jan 31 13:58:16 2012 type=SYSCALL msg=audit(1328039896.475:18371): arch=c000003e syscall=0 success=no exit=-13 a0=3 a1=7f5312d36000 a2=2000 a3=22 items=0 ppid=1 pid=1785 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="denyhosts.py" exe="/usr/bin/python" subj=system_u:system_r:denyhosts_t:s0 key=(null) type=AVC msg=audit(1328039896.475:18371): avc: denied { read } for pid=1785 comm="denyhosts.py" path="pipe:[1105844]" dev=pipefs ino=1105844 scontext=system_u:system_r:denyhosts_t:s0 tcontext=system_u:system_r:denyhosts_t:s0 tclass=fifo_file -- selinux mailing list selinux(a)lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux

-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk8oTXMACgkQrlYvE4MpobNtMwCfWgP1qdlliw1N1V8XPt6vH2Mu raQAoM674ux3S1t8SbKsGgC169mmfygD =5tEV -----END PGP SIGNATURE-----