Old 01-31-2012, 07:12 PM
"Jason L Tibbitts III"
 
Issue with updating denyhosts to use systemd

So I'm trying to get denyhosts updated to use systemd to keep it from
being kicked out of the distribution, and I'm running into an odd
problem that at the end comes down to selinux.

denyhosts wants the hostname in the environment when it starts up.
(This lets it add the hostname to the subject of messages it sends.)
The initscript used to do this but of course not with systemd so I need
another method. Using /etc/sysconfig/network as an EnvironmentFile
seems a terrible, horrible hack so I just fixed denyhosts to do it
internally by just calling platform.node() (python if it's not obvious)
at the appropriate place. Unfortunately selinux disallows this. I
guess the policy needs to be opened a bit but I'm not sure how to do
this properly or without compromising security.

- J<

Jan 31 13:58:16 ld93 denyhosts.py[1785]: Traceback (most recent call last):
Jan 31 13:58:16 ld93 denyhosts.py[1785]: File "/usr/bin/denyhosts.py", line 113, in <module>
Jan 31 13:58:16 ld93 denyhosts.py[1785]: os.environ['HOSTNAME'] = platform.node()
Jan 31 13:58:16 ld93 denyhosts.py[1785]: File "/usr/lib64/python2.7/platform.py", line 1292, in node
Jan 31 13:58:16 ld93 denyhosts.py[1785]: return uname()[1]
Jan 31 13:58:16 ld93 denyhosts.py[1785]: File "/usr/lib64/python2.7/platform.py", line 1249, in uname
Jan 31 13:58:16 ld93 denyhosts.py[1785]: processor = _syscmd_uname('-p','')
Jan 31 13:58:16 ld93 denyhosts.py[1785]: File "/usr/lib64/python2.7/platform.py", line 1005, in _syscmd_uname
Jan 31 13:58:16 ld93 denyhosts.py[1785]: output = string.strip(f.read())
Jan 31 13:58:16 ld93 denyhosts.py[1785]: IOError: [Errno 13] Permission denied


time->Tue Jan 31 13:58:16 2012
type=SYSCALL msg=audit(1328039896.475:18367): arch=c000003e syscall=5 success=no exit=-13 a0=3 a1=7fff61069bc0 a2=7fff61069bc0 a3=ffffc000 items=0 ppid=1 pid=1785 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="denyhosts.py" exe="/usr/bin/python" subj=system_u:system_r:denyhosts_t:s0 key=(null)
type=AVC msg=audit(1328039896.475:18367): avc: denied { getattr } for pid=1785 comm="denyhosts.py" path="pipe:[1105844]" dev=pipefs ino=1105844 scontext=system_u:system_r:denyhosts_t:s0 tcontext=system_u:system_r:denyhosts_t:s0 tclass=fifo_file
----
time->Tue Jan 31 13:58:16 2012
type=SYSCALL msg=audit(1328039896.475:18368): arch=c000003e syscall=5 success=no exit=-13 a0=3 a1=7fff61069bc0 a2=7fff61069bc0 a3=1 items=0 ppid=1 pid=1785 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="denyhosts.py" exe="/usr/bin/python" subj=system_u:system_r:denyhosts_t:s0 key=(null)
type=AVC msg=audit(1328039896.475:18368): avc: denied { getattr } for pid=1785 comm="denyhosts.py" path="pipe:[1105844]" dev=pipefs ino=1105844 scontext=system_u:system_r:denyhosts_t:s0 tcontext=system_u:system_r:denyhosts_t:s0 tclass=fifo_file
----
time->Tue Jan 31 13:58:16 2012
type=SYSCALL msg=audit(1328039896.475:18369): arch=c000003e syscall=59 success=no exit=-13 a0=398ed70c1e a1=7fff61067b60 a2=7fff6106a6b0 a3=7f5312d0d9d0 items=0 ppid=1785 pid=1786 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="denyhosts.py" exe="/usr/bin/python" subj=system_u:system_r:denyhosts_t:s0 key=(null)
type=AVC msg=audit(1328039896.475:18369): avc: denied { execute } for pid=1786 comm="denyhosts.py" name="bash" dev=dm-0 ino=686466 scontext=system_u:system_r:denyhosts_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
----
time->Tue Jan 31 13:58:16 2012
type=SYSCALL msg=audit(1328039896.475:18370): arch=c000003e syscall=5 success=no exit=-13 a0=3 a1=7fff61069b40 a2=7fff61069b40 a3=2025 items=0 ppid=1 pid=1785 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="denyhosts.py" exe="/usr/bin/python" subj=system_u:system_r:denyhosts_t:s0 key=(null)
type=AVC msg=audit(1328039896.475:18370): avc: denied { getattr } for pid=1785 comm="denyhosts.py" path="pipe:[1105844]" dev=pipefs ino=1105844 scontext=system_u:system_r:denyhosts_t:s0 tcontext=system_u:system_r:denyhosts_t:s0 tclass=fifo_file
----
time->Tue Jan 31 13:58:16 2012
type=SYSCALL msg=audit(1328039896.475:18371): arch=c000003e syscall=0 success=no exit=-13 a0=3 a1=7f5312d36000 a2=2000 a3=22 items=0 ppid=1 pid=1785 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="denyhosts.py" exe="/usr/bin/python" subj=system_u:system_r:denyhosts_t:s0 key=(null)
type=AVC msg=audit(1328039896.475:18371): avc: denied { read } for pid=1785 comm="denyhosts.py" path="pipe:[1105844]" dev=pipefs ino=1105844 scontext=system_u:system_r:denyhosts_t:s0 tcontext=system_u:system_r:denyhosts_t:s0 tclass=fifo_file

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
Old 01-31-2012, 07:22 PM
Daniel J Walsh
 
Issue with updating denyhosts to use systemd

On 01/31/2012 03:12 PM, Jason L Tibbitts III wrote:
> So I'm trying to get denyhosts updated to use systemd to keep it
> from being kicked out of the distribution, and I'm running into an
> odd problem that at the end comes down to selinux.
>
> denyhosts wants the hostname in the environment when it starts up.
> (This lets it add the hostname to the subject of messages it
> sends.) The initscript used to do this but of course not with
> systemd so I need another method. Using /etc/sysconfig/network as
> an EnvironmentFile seems a terrible, horrible hack so I just fixed
> denyhosts to do it internally by just calling platform.node()
> (python if it's not obvious) at the appropriate place.
> Unfortunately selinux disallows this. I guess the policy needs to
> be opened a bit but I'm not sure how to do this properly or without
> compromising security.
>
> - J<
>

I just added rules to allow this access. Do you need this in F16 or
just Rawhide?
 
Old 01-31-2012, 07:27 PM
"Jason L Tibbitts III"
 
Issue with updating denyhosts to use systemd

>>>>> "DJW" == Daniel J Walsh <dwalsh@redhat.com> writes:

DJW> I just added rules to allow this access.

For reference, could you let me know what you changed? I'm curious if
it was more than just:

allow denyhosts_t self:fifo_file { read getattr };
allow denyhosts_t shell_exec_t:file execute;

To be honest I don't really know what turning those on implies.

DJW> Do you need this in F16 or just Rawhide?

Just Rawhide; can't switch over to systemd within a release. Though if
I get the rules you added I'll drop a custom policy with them on my F16
test box.

- J<
 
Old 01-31-2012, 07:32 PM
Dominick Grift
 
Issue with updating denyhosts to use systemd

It just wants to corecmd_exec_shell(denyhosts_t) and allow denyhosts_t
self:fifo_file r_fifo_file_perms;

If that is all then I do not see much of a problem with this?

On Tue, 2012-01-31 at 14:12 -0600, Jason L Tibbitts III wrote:
> So I'm trying to get denyhosts updated to use systemd to keep it from
> being kicked out of the distribution, and I'm running into an odd
> problem that at the end comes down to selinux.
>
> denyhosts wants the hostname in the environment when it starts up.
> (This lets it add the hostname to the subject of messages it sends.)
> The initscript used to do this but of course not with systemd so I need
> another method. Using /etc/sysconfig/network as an EnvironmentFile
> seems a terrible, horrible hack so I just fixed denyhosts to do it
> internally by just calling platform.node() (python if it's not obvious)
> at the appropriate place. Unfortunately selinux disallows this. I
> guess the policy needs to be opened a bit but I'm not sure how to do
> this properly or without compromising security.
>
> - J<
>


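The two rules Jason guesses at above, and the corecmd_exec_shell / r_fifo_file_perms form Dominick gives, can both be derived mechanically from the AVC records in the first message. What follows is an added example, not denyhosts code and not Fedora's policy: it parses the three distinct AVC lines (reproduced here as a constructed sample, with a SYSCALL record mixed in to show it is ignored and the shell_exec_t tcontext spelled as SELinux actually prints it) and emits the kind of local policy module that audit2allow -M would write. The function names, the module name denyhosts_local and the sample text are this example's own.

```python
"""Turn SELinux AVC denial records into the minimal allow rules and a
buildable local policy module, the way audit2allow -M does."""
import re
from collections import defaultdict

# Constructed sample: the three distinct AVC records from the thread plus one
# SYSCALL record, which the parser must skip (it names no permission).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1328039896.475:18367): avc: denied { getattr } for pid=1785 comm="denyhosts.py" path="pipe:[1105844]" dev=pipefs ino=1105844 scontext=system_u:system_r:denyhosts_t:s0 tcontext=system_u:system_r:denyhosts_t:s0 tclass=fifo_file
type=SYSCALL msg=audit(1328039896.475:18369): arch=c000003e syscall=59 success=no exit=-13 comm="denyhosts.py" exe="/usr/bin/python" subj=system_u:system_r:denyhosts_t:s0 key=(null)
type=AVC msg=audit(1328039896.475:18369): avc: denied { execute } for pid=1786 comm="denyhosts.py" name="bash" dev=dm-0 ino=686466 scontext=system_u:system_r:denyhosts_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1328039896.475:18371): avc: denied { read } for pid=1785 comm="denyhosts.py" path="pipe:[1105844]" dev=pipefs ino=1105844 scontext=system_u:system_r:denyhosts_t:s0 tcontext=system_u:system_r:denyhosts_t:s0 tclass=fifo_file
"""

# Only the denied permission set, the two security contexts and the object
# class matter for a rule; everything else in the record is forensic detail.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """user:role:type[:range] -> type. Index 2 is stable even when an MLS
    range such as s0-s0:c0.c1023 adds more colons at the end."""
    return ctx.split(":")[2]


def parse_denials(text):
    """Group every AVC record as {(source_type, target_type, tclass): {perms}}."""
    denials = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, CWD, PATH records carry nothing to allow
        key = (context_type(m["scontext"]), context_type(m["tcontext"]), m["tclass"])
        denials[key].update(m["perms"].split())
    return dict(denials)


def fmt_perms(perms):
    """Policy syntax: a single permission bare, several inside braces."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def allow_rules(denials):
    """Raw allow rules; a target equal to the source is written as 'self'."""
    rules = []
    for (src, tgt, cls), perms in sorted(denials.items()):
        target = "self" if src == tgt else tgt
        rules.append(f"allow {src} {target}:{cls} {fmt_perms(perms)};")
    return rules


def render_module(name, denials, version="1.0"):
    """A .te file in the 'module' dialect that checkmodule -M -m accepts.
    The require block must declare every type and every class/permission
    the rules reference, otherwise the module fails to compile."""
    types = sorted({t for (s, tg, _) in denials for t in (s, tg)})
    classes = defaultdict(set)
    for (_, _, cls), perms in denials.items():
        classes[cls].update(perms)
    out = [f"module {name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {fmt_perms(p)};" for c, p in sorted(classes.items())]
    out += ["}", ""] + allow_rules(denials)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Build and load with the standard tool chain (hypothetical file names):
    #   checkmodule -M -m -o denyhosts_local.mod denyhosts_local.te
    #   semodule_package -o denyhosts_local.pp -m denyhosts_local.mod
    #   semodule -i denyhosts_local.pp
    print(render_module("denyhosts_local", parse_denials(SAMPLE_AUDIT)))
```

The raw rules this prints are exactly the two Jason wrote. Dominick's corecmd_exec_shell(denyhosts_t) and r_fifo_file_perms are the reference-policy interface and macro that cover the same denials, and each grants somewhat more than the literal denied permissions (the macro bundles the permissions needed to read a fifo; the interface bundles those needed to execute a shell without a domain transition), which is why a module generated from denials alone often needs a second round after the next denial appears, while the refpolicy form usually does not.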
 
Old 01-31-2012, 09:03 PM
Daniel J Walsh
 
Issue with updating denyhosts to use systemd


<snip>

Those rules are not a security risk. Basically they say one process
can talk to another process running as denyhosts_t using inherited
fifo_files.

It also allows denyhosts_t to execute /bin/sh within the same context.
Which is also not a problem.
 
