Issue with updating denyhosts to use systemd

Daniel J Walsh dwalsh at redhat.com
Tue Jan 31 20:22:11 UTC 2012


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/31/2012 03:12 PM, Jason L Tibbitts III wrote:
> So I'm trying to get denyhosts updated to use systemd to keep it
> from being kicked out of the distribution, and I'm running into an
> odd problem that at the end comes down to selinux.
> 
> denyhosts wants the hostname in the environment when it starts up. 
> (This lets it add the hostname to the subject of messages it
> sends.) The initscript used to do this but of course not with
> systemd so I need another method.  Using /etc/sysconfig/network as
> an EnvironmentFile seems a terrible, horrible hack so I just fixed
> denyhosts to do it internally by just calling platform.node()
> (python if it's not obvious) at the appropriate place.
> Unfortunately selinux disallows this.  I guess the policy needs to
> be opened a bit but I'm not sure how to do this properly or without
> compromising security.
> 
> - J<
> 
> Jan 31 13:58:16 ld93 denyhosts.py[1785]: Traceback (most recent call last):
> Jan 31 13:58:16 ld93 denyhosts.py[1785]:   File "/usr/bin/denyhosts.py", line 113, in <module>
> Jan 31 13:58:16 ld93 denyhosts.py[1785]:     os.environ['HOSTNAME'] = platform.node()
> Jan 31 13:58:16 ld93 denyhosts.py[1785]:   File "/usr/lib64/python2.7/platform.py", line 1292, in node
> Jan 31 13:58:16 ld93 denyhosts.py[1785]:     return uname()[1]
> Jan 31 13:58:16 ld93 denyhosts.py[1785]:   File "/usr/lib64/python2.7/platform.py", line 1249, in uname
> Jan 31 13:58:16 ld93 denyhosts.py[1785]:     processor = _syscmd_uname('-p','')
> Jan 31 13:58:16 ld93 denyhosts.py[1785]:   File "/usr/lib64/python2.7/platform.py", line 1005, in _syscmd_uname
> Jan 31 13:58:16 ld93 denyhosts.py[1785]:     output = string.strip(f.read())
> Jan 31 13:58:16 ld93 denyhosts.py[1785]: IOError: [Errno 13] Permission denied
> 
> 
> time->Tue Jan 31 13:58:16 2012
> type=SYSCALL msg=audit(1328039896.475:18367): arch=c000003e syscall=5 success=no exit=-13 a0=3 a1=7fff61069bc0 a2=7fff61069bc0 a3=ffffc000 items=0 ppid=1 pid=1785 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="denyhosts.py" exe="/usr/bin/python" subj=system_u:system_r:denyhosts_t:s0 key=(null)
> type=AVC msg=audit(1328039896.475:18367): avc:  denied  { getattr } for  pid=1785 comm="denyhosts.py" path="pipe:[1105844]" dev=pipefs ino=1105844 scontext=system_u:system_r:denyhosts_t:s0 tcontext=system_u:system_r:denyhosts_t:s0 tclass=fifo_file
> ----
> time->Tue Jan 31 13:58:16 2012
> type=SYSCALL msg=audit(1328039896.475:18368): arch=c000003e syscall=5 success=no exit=-13 a0=3 a1=7fff61069bc0 a2=7fff61069bc0 a3=1 items=0 ppid=1 pid=1785 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="denyhosts.py" exe="/usr/bin/python" subj=system_u:system_r:denyhosts_t:s0 key=(null)
> type=AVC msg=audit(1328039896.475:18368): avc:  denied  { getattr } for  pid=1785 comm="denyhosts.py" path="pipe:[1105844]" dev=pipefs ino=1105844 scontext=system_u:system_r:denyhosts_t:s0 tcontext=system_u:system_r:denyhosts_t:s0 tclass=fifo_file
> ----
> time->Tue Jan 31 13:58:16 2012
> type=SYSCALL msg=audit(1328039896.475:18369): arch=c000003e syscall=59 success=no exit=-13 a0=398ed70c1e a1=7fff61067b60 a2=7fff6106a6b0 a3=7f5312d0d9d0 items=0 ppid=1785 pid=1786 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="denyhosts.py" exe="/usr/bin/python" subj=system_u:system_r:denyhosts_t:s0 key=(null)
> type=AVC msg=audit(1328039896.475:18369): avc:  denied  { execute } for  pid=1786 comm="denyhosts.py" name="bash" dev=dm-0 ino=686466 scontext=system_u:system_r:denyhosts_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
> ----
> time->Tue Jan 31 13:58:16 2012
> type=SYSCALL msg=audit(1328039896.475:18370): arch=c000003e syscall=5 success=no exit=-13 a0=3 a1=7fff61069b40 a2=7fff61069b40 a3=2025 items=0 ppid=1 pid=1785 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="denyhosts.py" exe="/usr/bin/python" subj=system_u:system_r:denyhosts_t:s0 key=(null)
> type=AVC msg=audit(1328039896.475:18370): avc:  denied  { getattr } for  pid=1785 comm="denyhosts.py" path="pipe:[1105844]" dev=pipefs ino=1105844 scontext=system_u:system_r:denyhosts_t:s0 tcontext=system_u:system_r:denyhosts_t:s0 tclass=fifo_file
> ----
> time->Tue Jan 31 13:58:16 2012
> type=SYSCALL msg=audit(1328039896.475:18371): arch=c000003e syscall=0 success=no exit=-13 a0=3 a1=7f5312d36000 a2=2000 a3=22 items=0 ppid=1 pid=1785 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="denyhosts.py" exe="/usr/bin/python" subj=system_u:system_r:denyhosts_t:s0 key=(null)
> type=AVC msg=audit(1328039896.475:18371): avc:  denied  { read } for  pid=1785 comm="denyhosts.py" path="pipe:[1105844]" dev=pipefs ino=1105844 scontext=system_u:system_r:denyhosts_t:s0 tcontext=system_u:system_r:denyhosts_t:s0 tclass=fifo_file
> 
> -- selinux mailing list selinux at lists.fedoraproject.org 
> https://admin.fedoraproject.org/mailman/listinfo/selinux

I just added rules to allow this access.  Do you need this in F16 or
just Rawhide?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk8oTXMACgkQrlYvE4MpobNtMwCfWgP1qdlliw1N1V8XPt6vH2Mu
raQAoM674ux3S1t8SbKsGgC169mmfygD
=5tEV
-----END PGP SIGNATURE-----
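The traceback and audit records quoted above show why the denial happens: on the Python 2.7 in the traceback, platform.node() ends in _syscmd_uname, which runs `uname -p` through a shell with os.popen and reads the result from a pipe, so the denyhosts_t domain is asked to execute shell_exec_t and to getattr/read a fifo_file. The following is an added example, not code from the thread or from the denyhosts project, showing the narrower alternative to widening policy: read the host name with a direct syscall so no shell is ever spawned, and reduce the AVC lines to the (source type, target type, class, permission) tuples a policy reviewer would otherwise have to allow. The function names and the SAMPLE_AVC string are this example's own (the sample is built from the AVC lines quoted above); nothing here is an API of denyhosts or of the audit tools.

```python
"""Added example (not from the thread above or the denyhosts project).

- get_hostname(): host name via uname(2) / gethostname(2), with no child
  process, so the shell_exec_t execute and fifo_file denials never arise.
- summarize_avc(): collapse raw AVC records into the tuples an allow rule
  would name, so the reviewer sees exactly what loosening policy grants.
- needs_shell_execution(): flag the broad grant (executing a shell) among
  those tuples.

Function names are this example's own, not denyhosts or audit tooling APIs.
"""
import os
import re
import socket


def get_hostname():
    """Host name via a direct syscall: no child process, no pipe, no shell."""
    if hasattr(os, "uname"):
        return os.uname()[1]       # nodename field of uname(2)
    return socket.gethostname()    # gethostname(2) where os.uname is absent


# One AVC record: permissions in braces, then source/target context and class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?scontext=(?P<scontext>\S+)"
    r".*?tcontext=(?P<tcontext>\S+)"
    r".*?tclass=(?P<tclass>\S+)",
    re.S,
)


def _type_of(context):
    """user:role:type:level -> type (the component an allow rule names)."""
    return context.split(":")[2]


def summarize_avc(text):
    """Return sorted unique (source_type, target_type, tclass, perm) tuples."""
    found = set()
    for m in AVC_RE.finditer(text):
        for perm in m.group("perms").split():
            found.add((_type_of(m.group("scontext")),
                       _type_of(m.group("tcontext")),
                       m.group("tclass"),
                       perm))
    return sorted(found)


def needs_shell_execution(denials):
    """True if any denial would require the source domain to execute a shell."""
    return any(t == "shell_exec_t" and c == "file" and p == "execute"
               for _, t, c, p in denials)


# Constructed sample: the three distinct AVC lines from the audit excerpt
# above, with the SYSCALL records and the time->/---- separators dropped.
SAMPLE_AVC = """\
type=AVC msg=audit(1328039896.475:18367): avc:  denied  { getattr } for  pid=1785 comm="denyhosts.py" path="pipe:[1105844]" dev=pipefs ino=1105844 scontext=system_u:system_r:denyhosts_t:s0 tcontext=system_u:system_r:denyhosts_t:s0 tclass=fifo_file
type=AVC msg=audit(1328039896.475:18369): avc:  denied  { execute } for  pid=1786 comm="denyhosts.py" name="bash" dev=dm-0 ino=686466 scontext=system_u:system_r:denyhosts_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1328039896.475:18371): avc:  denied  { read } for  pid=1785 comm="denyhosts.py" path="pipe:[1105844]" dev=pipefs ino=1105844 scontext=system_u:system_r:denyhosts_t:s0 tcontext=system_u:system_r:denyhosts_t:s0 tclass=fifo_file
"""

if __name__ == "__main__":
    print("hostname:", get_hostname())
    denials = summarize_avc(SAMPLE_AVC)
    for d in denials:
        # Printed in allow-rule shape so the scope of each grant is obvious.
        print("allow %s %s:%s %s;" % d)
    print("shell execution required:", needs_shell_execution(denials))
```

Run against the sample, summarize_avc yields three tuples, and needs_shell_execution reports that one of them is denyhosts_t executing shell_exec_t; replacing platform.node() with get_hostname() removes that requirement along with the fifo_file ones, which is the point of preferring a code change over an allow rule when the program's real need is only the nodename.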