Issue with updating denyhosts to use systemd

Jason L Tibbitts III tibbs at math.uh.edu
Tue Jan 31 20:12:33 UTC 2012


So I'm trying to get denyhosts updated to use systemd to keep it from
being kicked out of the distribution, and I'm running into an odd
problem that at the end comes down to selinux.

denyhosts wants the hostname in the environment when it starts up.
(This lets it add the hostname to the subject of messages it sends.)
The initscript used to do this but of course not with systemd so I need
another method.  Using /etc/sysconfig/network as an EnvironmentFile
seems a terrible, horrible hack so I just fixed denyhosts to do it
internally by just calling platform.node() (python if it's not obvious)
at the appropriate place.  Unfortunately selinux disallows this.  I
guess the policy needs to be opened a bit but I'm not sure how to do
this properly or without compromising security.

 - J<

Jan 31 13:58:16 ld93 denyhosts.py[1785]: Traceback (most recent call last):
Jan 31 13:58:16 ld93 denyhosts.py[1785]: File "/usr/bin/denyhosts.py", line 113, in <module>
Jan 31 13:58:16 ld93 denyhosts.py[1785]: os.environ['HOSTNAME'] = platform.node()
Jan 31 13:58:16 ld93 denyhosts.py[1785]: File "/usr/lib64/python2.7/platform.py", line 1292, in node
Jan 31 13:58:16 ld93 denyhosts.py[1785]: return uname()[1]
Jan 31 13:58:16 ld93 denyhosts.py[1785]: File "/usr/lib64/python2.7/platform.py", line 1249, in uname
Jan 31 13:58:16 ld93 denyhosts.py[1785]: processor = _syscmd_uname('-p','')
Jan 31 13:58:16 ld93 denyhosts.py[1785]: File "/usr/lib64/python2.7/platform.py", line 1005, in _syscmd_uname
Jan 31 13:58:16 ld93 denyhosts.py[1785]: output = string.strip(f.read())
Jan 31 13:58:16 ld93 denyhosts.py[1785]: IOError: [Errno 13] Permission denied


time->Tue Jan 31 13:58:16 2012
type=SYSCALL msg=audit(1328039896.475:18367): arch=c000003e syscall=5 success=no exit=-13 a0=3 a1=7fff61069bc0 a2=7fff61069bc0 a3=ffffc000 items=0 ppid=1 pid=1785 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="denyhosts.py" exe="/usr/bin/python" subj=system_u:system_r:denyhosts_t:s0 key=(null)
type=AVC msg=audit(1328039896.475:18367): avc:  denied  { getattr } for  pid=1785 comm="denyhosts.py" path="pipe:[1105844]" dev=pipefs ino=1105844 scontext=system_u:system_r:denyhosts_t:s0 tcontext=system_u:system_r:denyhosts_t:s0 tclass=fifo_file
----
time->Tue Jan 31 13:58:16 2012
type=SYSCALL msg=audit(1328039896.475:18368): arch=c000003e syscall=5 success=no exit=-13 a0=3 a1=7fff61069bc0 a2=7fff61069bc0 a3=1 items=0 ppid=1 pid=1785 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="denyhosts.py" exe="/usr/bin/python" subj=system_u:system_r:denyhosts_t:s0 key=(null)
type=AVC msg=audit(1328039896.475:18368): avc:  denied  { getattr } for  pid=1785 comm="denyhosts.py" path="pipe:[1105844]" dev=pipefs ino=1105844 scontext=system_u:system_r:denyhosts_t:s0 tcontext=system_u:system_r:denyhosts_t:s0 tclass=fifo_file
----
time->Tue Jan 31 13:58:16 2012
type=SYSCALL msg=audit(1328039896.475:18369): arch=c000003e syscall=59 success=no exit=-13 a0=398ed70c1e a1=7fff61067b60 a2=7fff6106a6b0 a3=7f5312d0d9d0 items=0 ppid=1785 pid=1786 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="denyhosts.py" exe="/usr/bin/python" subj=system_u:system_r:denyhosts_t:s0 key=(null)
type=AVC msg=audit(1328039896.475:18369): avc:  denied  { execute } for  pid=1786 comm="denyhosts.py" name="bash" dev=dm-0 ino=686466 scontext=system_u:system_r:denyhosts_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
----
time->Tue Jan 31 13:58:16 2012
type=SYSCALL msg=audit(1328039896.475:18370): arch=c000003e syscall=5 success=no exit=-13 a0=3 a1=7fff61069b40 a2=7fff61069b40 a3=2025 items=0 ppid=1 pid=1785 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="denyhosts.py" exe="/usr/bin/python" subj=system_u:system_r:denyhosts_t:s0 key=(null)
type=AVC msg=audit(1328039896.475:18370): avc:  denied  { getattr } for  pid=1785 comm="denyhosts.py" path="pipe:[1105844]" dev=pipefs ino=1105844 scontext=system_u:system_r:denyhosts_t:s0 tcontext=system_u:system_r:denyhosts_t:s0 tclass=fifo_file
----
time->Tue Jan 31 13:58:16 2012
type=SYSCALL msg=audit(1328039896.475:18371): arch=c000003e syscall=0 success=no exit=-13 a0=3 a1=7f5312d36000 a2=2000 a3=22 items=0 ppid=1 pid=1785 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="denyhosts.py" exe="/usr/bin/python" subj=system_u:system_r:denyhosts_t:s0 key=(null)
type=AVC msg=audit(1328039896.475:18371): avc:  denied  { read } for  pid=1785 comm="denyhosts.py" path="pipe:[1105844]" dev=pipefs ino=1105844 scontext=system_u:system_r:denyhosts_t:s0 tcontext=system_u:system_r:denyhosts_t:s0 tclass=fifo_file
