On 01/31/2012 03:12 PM, Jason L Tibbitts III wrote:
So I'm trying to get denyhosts updated to use systemd to keep it
from being kicked out of the distribution, and I'm running into an
odd problem that at the end comes down to selinux.
denyhosts wants the hostname in the environment when it starts up.
(This lets it add the hostname to the subject of messages it
sends.) The initscript used to do this but of course not with
systemd, so I need another method. Using /etc/sysconfig/network as
an EnvironmentFile seems a terrible, horrible hack, so I just fixed
denyhosts to do it internally by calling platform.node()
(python, if it's not obvious) at the appropriate place.
Unfortunately selinux disallows this. I guess the policy needs to
be opened a bit, but I'm not sure how to do this properly or without
compromising security.
- J
Jan 31 13:58:16 ld93 denyhosts.py[1785]: Traceback (most recent call last):
Jan 31 13:58:16 ld93 denyhosts.py[1785]: File "/usr/bin/denyhosts.py", line 113, in <module>
Jan 31 13:58:16 ld93 denyhosts.py[1785]: os.environ['HOSTNAME'] = platform.node()
Jan 31 13:58:16 ld93 denyhosts.py[1785]: File "/usr/lib64/python2.7/platform.py", line 1292, in node
Jan 31 13:58:16 ld93 denyhosts.py[1785]: return uname()[1]
Jan 31 13:58:16 ld93 denyhosts.py[1785]: File "/usr/lib64/python2.7/platform.py", line 1249, in uname
Jan 31 13:58:16 ld93 denyhosts.py[1785]: processor = _syscmd_uname('-p','')
Jan 31 13:58:16 ld93 denyhosts.py[1785]: File "/usr/lib64/python2.7/platform.py", line 1005, in _syscmd_uname
Jan 31 13:58:16 ld93 denyhosts.py[1785]: output = string.strip(f.read())
Jan 31 13:58:16 ld93 denyhosts.py[1785]: IOError: [Errno 13] Permission denied
time->Tue Jan 31 13:58:16 2012
type=SYSCALL msg=audit(1328039896.475:18367): arch=c000003e syscall=5 success=no exit=-13 a0=3 a1=7fff61069bc0 a2=7fff61069bc0 a3=ffffc000 items=0 ppid=1 pid=1785 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="denyhosts.py" exe="/usr/bin/python" subj=system_u:system_r:denyhosts_t:s0 key=(null)
type=AVC msg=audit(1328039896.475:18367): avc: denied { getattr } for pid=1785 comm="denyhosts.py" path="pipe:[1105844]" dev=pipefs ino=1105844 scontext=system_u:system_r:denyhosts_t:s0 tcontext=system_u:system_r:denyhosts_t:s0 tclass=fifo_file
----
time->Tue Jan 31 13:58:16 2012
type=SYSCALL msg=audit(1328039896.475:18368): arch=c000003e syscall=5 success=no exit=-13 a0=3 a1=7fff61069bc0 a2=7fff61069bc0 a3=1 items=0 ppid=1 pid=1785 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="denyhosts.py" exe="/usr/bin/python" subj=system_u:system_r:denyhosts_t:s0 key=(null)
type=AVC msg=audit(1328039896.475:18368): avc: denied { getattr } for pid=1785 comm="denyhosts.py" path="pipe:[1105844]" dev=pipefs ino=1105844 scontext=system_u:system_r:denyhosts_t:s0 tcontext=system_u:system_r:denyhosts_t:s0 tclass=fifo_file
----
time->Tue Jan 31 13:58:16 2012
type=SYSCALL msg=audit(1328039896.475:18369): arch=c000003e syscall=59 success=no exit=-13 a0=398ed70c1e a1=7fff61067b60 a2=7fff6106a6b0 a3=7f5312d0d9d0 items=0 ppid=1785 pid=1786 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="denyhosts.py" exe="/usr/bin/python" subj=system_u:system_r:denyhosts_t:s0 key=(null)
type=AVC msg=audit(1328039896.475:18369): avc: denied { execute } for pid=1786 comm="denyhosts.py" name="bash" dev=dm-0 ino=686466 scontext=system_u:system_r:denyhosts_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
----
time->Tue Jan 31 13:58:16 2012
type=SYSCALL msg=audit(1328039896.475:18370): arch=c000003e syscall=5 success=no exit=-13 a0=3 a1=7fff61069b40 a2=7fff61069b40 a3=2025 items=0 ppid=1 pid=1785 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="denyhosts.py" exe="/usr/bin/python" subj=system_u:system_r:denyhosts_t:s0 key=(null)
type=AVC msg=audit(1328039896.475:18370): avc: denied { getattr } for pid=1785 comm="denyhosts.py" path="pipe:[1105844]" dev=pipefs ino=1105844 scontext=system_u:system_r:denyhosts_t:s0 tcontext=system_u:system_r:denyhosts_t:s0 tclass=fifo_file
----
time->Tue Jan 31 13:58:16 2012
type=SYSCALL msg=audit(1328039896.475:18371): arch=c000003e syscall=0 success=no exit=-13 a0=3 a1=7f5312d36000 a2=2000 a3=22 items=0 ppid=1 pid=1785 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="denyhosts.py" exe="/usr/bin/python" subj=system_u:system_r:denyhosts_t:s0 key=(null)
type=AVC msg=audit(1328039896.475:18371): avc: denied { read } for pid=1785 comm="denyhosts.py" path="pipe:[1105844]" dev=pipefs ino=1105844 scontext=system_u:system_r:denyhosts_t:s0 tcontext=system_u:system_r:denyhosts_t:s0 tclass=fifo_file
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
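The denials quoted above, reduced to the allow rules they imply, next to a hostname lookup that needs no shell at all. This is an added example, not denyhosts or Fedora policy code; the AVC lines embedded in it are copied (abbreviated) from the records in the message, and `hostname_without_shell` is a hypothetical replacement for the `platform.node()` call.

```python
import os
import re
import socket
from collections import defaultdict

# AVC records copied (abbreviated) from the audit output quoted in the thread.
SAMPLE_AVC = """\
type=AVC msg=audit(1328039896.475:18367): avc: denied { getattr } for pid=1785 comm="denyhosts.py" path="pipe:[1105844]" dev=pipefs ino=1105844 scontext=system_u:system_r:denyhosts_t:s0 tcontext=system_u:system_r:denyhosts_t:s0 tclass=fifo_file
type=AVC msg=audit(1328039896.475:18369): avc: denied { execute } for pid=1786 comm="denyhosts.py" name="bash" dev=dm-0 ino=686466 scontext=system_u:system_r:denyhosts_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1328039896.475:18371): avc: denied { read } for pid=1785 comm="denyhosts.py" path="pipe:[1105844]" dev=pipefs ino=1105844 scontext=system_u:system_r:denyhosts_t:s0 tcontext=system_u:system_r:denyhosts_t:s0 tclass=fifo_file
"""

# One AVC record per line: denied permissions, then source/target context and class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}"
    r".*?scontext=(?P<scontext>\S+)"
    r".*?tcontext=(?P<tcontext>\S+)"
    r".*?tclass=(?P<tclass>\S+)"
)

def summarize_avc(text):
    """Group 'avc: denied' records by (source type, target type, class).
    A context is user:role:type:level, so the type is field index 2."""
    needed = defaultdict(set)
    for m in AVC_RE.finditer(text):
        src = m.group("scontext").split(":")[2]
        tgt = m.group("tcontext").split(":")[2]
        needed[(src, tgt, m.group("tclass"))].update(m.group("perms").split())
    return dict(needed)

def as_allow_rules(summary):
    """Render the summary as policy allow rules; a target equal to the
    source is written as 'self', as policy sources do."""
    rules = []
    for (src, tgt, cls), perms in summary.items():
        tgt = "self" if tgt == src else tgt
        rules.append("allow %s %s:%s { %s };" % (src, tgt, cls, " ".join(sorted(perms))))
    return sorted(rules)

def hostname_without_shell():
    """platform.node() on Python 2.7 goes uname() -> _syscmd_uname('-p'),
    which pipes `uname -p` through a shell: the bash exec and the pipe
    getattr/read are exactly the denials above.  uname(2) via os.uname()
    returns the same nodename with no child process, so no new rules are needed."""
    return os.uname()[1]

if __name__ == "__main__":
    for rule in as_allow_rules(summarize_avc(SAMPLE_AVC)):
        print(rule)
    print("hostname:", hostname_without_shell(), "libc:", socket.gethostname())
```

The two rules the parser prints are what the quoted denials would need if the policy were widened instead; the shell-free lookup makes both unnecessary for the hostname case.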
I just added rules to allow this access. Do you need this in F16 or
just Rawhide?