So I'm trying to get denyhosts updated to use systemd to keep it from being kicked out of the distribution, and I'm running into an odd problem that at the end comes down to selinux.
denyhosts wants the hostname in the environment when it starts up. (This lets it add the hostname to the subject of messages it sends.) The initscript used to do this but of course not with systemd so I need another method. Using /etc/sysconfig/network as an EnvironmentFile seems a terrible, horrible hack so I just fixed denyhosts to do it internally by just calling platform.node() (python if it's not obvious) at the appropriate place. Unfortunately selinux disallows this. I guess the policy needs to be opened a bit but I'm not sure how to do this properly or without compromising security.
- J<
Jan 31 13:58:16 ld93 denyhosts.py[1785]: Traceback (most recent call last):
Jan 31 13:58:16 ld93 denyhosts.py[1785]:   File "/usr/bin/denyhosts.py", line 113, in <module>
Jan 31 13:58:16 ld93 denyhosts.py[1785]:     os.environ['HOSTNAME'] = platform.node()
Jan 31 13:58:16 ld93 denyhosts.py[1785]:   File "/usr/lib64/python2.7/platform.py", line 1292, in node
Jan 31 13:58:16 ld93 denyhosts.py[1785]:     return uname()[1]
Jan 31 13:58:16 ld93 denyhosts.py[1785]:   File "/usr/lib64/python2.7/platform.py", line 1249, in uname
Jan 31 13:58:16 ld93 denyhosts.py[1785]:     processor = _syscmd_uname('-p','')
Jan 31 13:58:16 ld93 denyhosts.py[1785]:   File "/usr/lib64/python2.7/platform.py", line 1005, in _syscmd_uname
Jan 31 13:58:16 ld93 denyhosts.py[1785]:     output = string.strip(f.read())
Jan 31 13:58:16 ld93 denyhosts.py[1785]: IOError: [Errno 13] Permission denied
----
time->Tue Jan 31 13:58:16 2012
type=SYSCALL msg=audit(1328039896.475:18367): arch=c000003e syscall=5 success=no exit=-13 a0=3 a1=7fff61069bc0 a2=7fff61069bc0 a3=ffffc000 items=0 ppid=1 pid=1785 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="denyhosts.py" exe="/usr/bin/python" subj=system_u:system_r:denyhosts_t:s0 key=(null)
type=AVC msg=audit(1328039896.475:18367): avc: denied { getattr } for pid=1785 comm="denyhosts.py" path="pipe:[1105844]" dev=pipefs ino=1105844 scontext=system_u:system_r:denyhosts_t:s0 tcontext=system_u:system_r:denyhosts_t:s0 tclass=fifo_file
----
time->Tue Jan 31 13:58:16 2012
type=SYSCALL msg=audit(1328039896.475:18368): arch=c000003e syscall=5 success=no exit=-13 a0=3 a1=7fff61069bc0 a2=7fff61069bc0 a3=1 items=0 ppid=1 pid=1785 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="denyhosts.py" exe="/usr/bin/python" subj=system_u:system_r:denyhosts_t:s0 key=(null)
type=AVC msg=audit(1328039896.475:18368): avc: denied { getattr } for pid=1785 comm="denyhosts.py" path="pipe:[1105844]" dev=pipefs ino=1105844 scontext=system_u:system_r:denyhosts_t:s0 tcontext=system_u:system_r:denyhosts_t:s0 tclass=fifo_file
----
time->Tue Jan 31 13:58:16 2012
type=SYSCALL msg=audit(1328039896.475:18369): arch=c000003e syscall=59 success=no exit=-13 a0=398ed70c1e a1=7fff61067b60 a2=7fff6106a6b0 a3=7f5312d0d9d0 items=0 ppid=1785 pid=1786 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="denyhosts.py" exe="/usr/bin/python" subj=system_u:system_r:denyhosts_t:s0 key=(null)
type=AVC msg=audit(1328039896.475:18369): avc: denied { execute } for pid=1786 comm="denyhosts.py" name="bash" dev=dm-0 ino=686466 scontext=system_u:system_r:denyhosts_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
----
time->Tue Jan 31 13:58:16 2012
type=SYSCALL msg=audit(1328039896.475:18370): arch=c000003e syscall=5 success=no exit=-13 a0=3 a1=7fff61069b40 a2=7fff61069b40 a3=2025 items=0 ppid=1 pid=1785 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="denyhosts.py" exe="/usr/bin/python" subj=system_u:system_r:denyhosts_t:s0 key=(null)
type=AVC msg=audit(1328039896.475:18370): avc: denied { getattr } for pid=1785 comm="denyhosts.py" path="pipe:[1105844]" dev=pipefs ino=1105844 scontext=system_u:system_r:denyhosts_t:s0 tcontext=system_u:system_r:denyhosts_t:s0 tclass=fifo_file
----
time->Tue Jan 31 13:58:16 2012
type=SYSCALL msg=audit(1328039896.475:18371): arch=c000003e syscall=0 success=no exit=-13 a0=3 a1=7f5312d36000 a2=2000 a3=22 items=0 ppid=1 pid=1785 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="denyhosts.py" exe="/usr/bin/python" subj=system_u:system_r:denyhosts_t:s0 key=(null)
type=AVC msg=audit(1328039896.475:18371): avc: denied { read } for pid=1785 comm="denyhosts.py" path="pipe:[1105844]" dev=pipefs ino=1105844 scontext=system_u:system_r:denyhosts_t:s0 tcontext=system_u:system_r:denyhosts_t:s0 tclass=fifo_file
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 01/31/2012 03:12 PM, Jason L Tibbitts III wrote:
<snip>
-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
I just added rules to allow this access. Do you need this in F16 or just Rawhide?
"DJW" == Daniel J Walsh <dwalsh@redhat.com> writes:
DJW> I just added rules to allow this access.
For reference, could you let me know what you changed? I'm curious if it was more than just:
allow denyhosts_t self:fifo_file { read getattr };
allow denyhosts_t shell_exec_t:file execute;
To be honest I don't really know what turning those on implies.
DJW> Do you need this in F16 or just Rawhide?
Just rawhide; can't switch over to systemd within a release. Though if I get the rules you added I'll drop a custom policy with them on my F16 test box.
- J<
It just wants to corecmd_exec_shell(denyhosts_t) and allow denyhosts_t self:fifo_file r_fifo_file_perms;
If that is all then I do not see much of a problem with this?
On Tue, 2012-01-31 at 14:12 -0600, Jason L Tibbitts III wrote:
<snip>
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
<snip>
Those rules are not a security risk. Basically they say one process can talk to another process running as denyhosts_t using inherited fifo_files.
It also allows denyhosts_t to execute /bin/sh within the same context, which is also not a problem.
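An added example, not code from denyhosts or from the Fedora policy: a small Python script that does what audit2allow does at its simplest with the four distinct AVC records quoted in this thread (embedded below as constructed input, trimmed to the type=AVC half, which is all a rule needs). It merges repeated denials for the same source/target/class, spells a target whose type equals the source type as `self`, and emits a complete loadable .te module source; the module name denyhosts_local is an arbitrary choice. Run on these records it produces exactly the two rules Jason guessed. Two caveats that the output cannot show. First, the kernel records only the check that failed for a given syscall, so a module built strictly from these records grants `execute` on shell_exec_t and nothing else; the next run would stop at the checks that follow it (execute_no_trans among them). The interface Dan names, corecmd_exec_shell(), grants that whole set, which is why raw allow rules from audit2allow should be turned back into interfaces (audit2allow -R attempts this) before they ship. Second, the denials exist at all because platform.node() in Python 2.7 reaches _syscmd_uname, which, as the traceback and the shell_exec_t denial show, runs `uname -p` through /bin/sh and reads the result over a pipe; os.uname()[1] returns the same nodename through a direct system call and would need no policy change.

```python
"""Turn the AVC denials quoted in this thread into a loadable SELinux
policy module source (.te), the way audit2allow does at its simplest.
Added example for this page; not part of denyhosts or the Fedora policy."""
import re
from collections import defaultdict

# Constructed input: the distinct AVC records from the thread, trimmed to
# the type=AVC half. Record 18370 repeats 18367 and is left out.
AVC_LOG = """
type=AVC msg=audit(1328039896.475:18367): avc: denied { getattr } for pid=1785 comm="denyhosts.py" path="pipe:[1105844]" dev=pipefs ino=1105844 scontext=system_u:system_r:denyhosts_t:s0 tcontext=system_u:system_r:denyhosts_t:s0 tclass=fifo_file
type=AVC msg=audit(1328039896.475:18368): avc: denied { getattr } for pid=1785 comm="denyhosts.py" path="pipe:[1105844]" dev=pipefs ino=1105844 scontext=system_u:system_r:denyhosts_t:s0 tcontext=system_u:system_r:denyhosts_t:s0 tclass=fifo_file
type=AVC msg=audit(1328039896.475:18369): avc: denied { execute } for pid=1786 comm="denyhosts.py" name="bash" dev=dm-0 ino=686466 scontext=system_u:system_r:denyhosts_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1328039896.475:18371): avc: denied { read } for pid=1785 comm="denyhosts.py" path="pipe:[1105844]" dev=pipefs ino=1105844 scontext=system_u:system_r:denyhosts_t:s0 tcontext=system_u:system_r:denyhosts_t:s0 tclass=fifo_file
"""

# Tolerates the single or double spacing the audit daemon and mail
# clients produce; one record per line, so '.' never crosses records.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def type_of(context):
    """user:role:type:level -> type (the third field of a context)."""
    return context.split(":")[2]


def parse_avcs(log):
    """Collapse denials into {(source_type, target_type, tclass): {perms}}.
    Repeated denials for one triple merge into a single permission set; a
    target whose type equals the source type is written as 'self', which is
    how policy authors express a domain acting on its own objects."""
    rules = defaultdict(set)
    for m in AVC_RE.finditer(log):
        src = type_of(m.group("scontext"))
        tgt = type_of(m.group("tcontext"))
        if tgt == src:
            tgt = "self"
        rules[(src, tgt, m.group("tclass"))].update(m.group("perms").split())
    return rules


def _perm_set(perms):
    """Policy syntax: bare name for one permission, braces for several."""
    p = sorted(perms)
    return p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"


def allow_rules(rules):
    """Render sorted 'allow' statements, one per (source, target, class)."""
    return [
        f"allow {src} {tgt}:{tclass} {_perm_set(perms)};"
        for (src, tgt, tclass), perms in sorted(rules.items())
    ]


def policy_module(rules, name="denyhosts_local", version="1.0"):
    """Full .te source: module header, require block, allow rules.
    The require block must declare every type and every class/permission
    the rules use, or checkmodule rejects the module."""
    types, classes = set(), defaultdict(set)
    for (src, tgt, tclass), perms in rules.items():
        types.add(src)
        if tgt != "self":
            types.add(tgt)
        classes[tclass].update(perms)
    lines = [f"module {name} {version};", "", "require {"]
    lines += [f"\ttype {t};" for t in sorted(types)]
    lines += [f"\tclass {c} {_perm_set(classes[c])};" for c in sorted(classes)]
    lines += ["}", ""]
    lines += allow_rules(rules)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(policy_module(parse_avcs(AVC_LOG)), end="")
```

Saving the output as denyhosts_local.te, the standard toolchain builds and loads it: `checkmodule -M -m -o denyhosts_local.mod denyhosts_local.te`, then `semodule_package -o denyhosts_local.pp -m denyhosts_local.mod`, then `semodule -i denyhosts_local.pp`. That is all "drop a custom policy with them on my F16 test box" amounts to; `semodule -r denyhosts_local` removes it again once the distribution policy carries the rules.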