Bug 1001822

Summary: SELinux is preventing /usr/bin/python2.7 from 'name_connect' accesses on the tcp_socket.
Product: Fedora
Reporter: David Allen <dallen>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 19
CC: dominick.grift, dwalsh, lvrabec, mgrepl
Hardware: x86_64
OS: Unspecified
Whiteboard: abrt_hash:96d27cb352aaa99193f89fe6b587b372bd2a8adb98e36e15cca26bd7342daa68
Fixed In Version: selinux-policy-3.12.1-74.1.fc19
Doc Type: Bug Fix
Last Closed: 2013-09-08 00:36:19 UTC

Description David Allen 2013-08-27 20:36:52 UTC
Description of problem:
I suspect, given the context, this occurs when Epylog tries to email logs - which I have yet to receive. Otherwise I have no idea when or why this error occurred.
SELinux is preventing /usr/bin/python2.7 from 'name_connect' accesses on the tcp_socket .

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that python2.7 should be allowed name_connect access on the  tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep epylog /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:logwatch_t:s0-s0:c0.c1023
Target Context                system_u:object_r:smtp_port_t:s0
Target Objects                 [ tcp_socket ]
Source                        epylog
Source Path                   /usr/bin/python2.7
Port                          25
Host                          (removed)
Source RPM Packages           python-2.7.5-4.fc19.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-73.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.10.9-200.fc19.x86_64 #1 SMP Wed
                              Aug 21 19:27:58 UTC 2013 x86_64 x86_64
Alert Count                   3
First Seen                    2013-08-24 13:25:03 PDT
Last Seen                     2013-08-26 13:25:05 PDT
Local ID                      8640b4b9-0b1f-4522-a9a8-42d78c857f3e

Raw Audit Messages
type=AVC msg=audit(1377548705.431:1133): avc:  denied  { name_connect } for  pid=14390 comm="epylog" dest=25 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket


type=SYSCALL msg=audit(1377548705.431:1133): arch=x86_64 syscall=connect success=no exit=EACCES a0=6 a1=7fff267e0de0 a2=10 a3=4 items=0 ppid=14388 pid=14390 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=140 tty=(none) comm=epylog exe=/usr/bin/python2.7 subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null)

Hash: epylog,logwatch_t,smtp_port_t,tcp_socket,name_connect

Additional info:
reporter:       libreport-2.1.6
hashmarkername: setroubleshoot
kernel:         3.10.9-200.fc19.x86_64
type:           libreport

Comment 1 Daniel Walsh 2013-08-28 18:34:14 UTC
So logwatch is executing epylog?

Comment 2 Daniel Walsh 2013-08-28 18:34:56 UTC
Or I guess epylog is logwatch.

Comment 3 Daniel Walsh 2013-08-28 18:38:22 UTC
Miroslav, currently we allow logwatch to transition to a mail client rather than connecting directly. Not sure if there is much benefit to this.

Comment 4 Miroslav Grepl 2013-08-29 09:06:16 UTC
Well I believe there was a reason to have logwatch_mail_t.

Comment 5 Daniel Walsh 2013-08-29 12:55:38 UTC
I think I just did not want to add all of the access required to cover all mailers in logwatch, but on the other hand did not want to give logwatch the power to launch system_mail_t.

We could add a boolean for this case and leave the code as it is.  Not sure how many people use epylog.

Comment 6 Miroslav Grepl 2013-08-29 13:37:40 UTC
Yes, a boolean sounds like a good solution.

commit 50cc2634db400f0ee13094683412db931f999657
Author: Miroslav Grepl <mgrepl>
Date:   Thu Aug 29 15:36:34 2013 +0200

    Add logwatch_can_sendmail boolean

Comment 7 Fedora Update System 2013-09-03 19:56:56 UTC
selinux-policy-3.12.1-74.1.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-74.1.fc19

Comment 8 Fedora Update System 2013-09-05 01:38:22 UTC
Package selinux-policy-3.12.1-74.1.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-74.1.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-15819/selinux-policy-3.12.1-74.1.fc19
then log in and leave karma (feedback).

Comment 9 David Allen 2013-09-07 19:40:46 UTC
Description of problem:
Since I'm still not getting Epylog's report emailed to me, I assume this error is triggered when it attempts to do so. I set Epylog to email the report via smtp.west.cox.net rather than send it to root or other system user.

I also get the following error (from the system?) mailed to root:

error: cannot open Packages index using db5 - Permission denied (13)
error: cannot open Packages database in /var/lib/rpm
Traceback (most recent call last):
  File "/usr/sbin/epylog", line 300, in <module>
    main(sys.argv)
  File "/usr/sbin/epylog", line 284, in main
    epylog.publish_report()
  File "/usr/lib/python2.7/site-packages/epylog/__init__.py", line 378, in publish_report
    self.report.publish(rawfh, unparsed)
  File "/usr/lib/python2.7/site-packages/epylog/report.py", line 245, in publish
    rawfh)
  File "/usr/lib/python2.7/site-packages/epylog/publishers.py", line 449, in publish
    mail_smtp(self.smtpserv, fromaddr, self.mailto, msg, logger)
  File "/usr/lib/python2.7/site-packages/epylog/publishers.py", line 128, in mail_smtp
    server = smtplib.SMTP(smtpserv)
  File "/usr/lib64/python2.7/smtplib.py", line 250, in __init__
    (code, msg) = self.connect(host, port)
  File "/usr/lib64/python2.7/smtplib.py", line 310, in connect
    self.sock = self._get_socket(host, port, self.timeout)
  File "/usr/lib64/python2.7/smtplib.py", line 285, in _get_socket
    return socket.create_connection((host, port), timeout)
  File "/usr/lib64/python2.7/socket.py", line 571, in create_connection
    raise err
socket.error: [Errno 13] Permission denied


Additional info:
reporter:       libreport-2.1.6
hashmarkername: setroubleshoot
kernel:         3.10.10-200.fc19.x86_64
type:           libreport

Comment 10 Fedora Update System 2013-09-08 00:36:19 UTC
selinux-policy-3.12.1-74.1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 11 Daniel Walsh 2013-09-09 11:52:32 UTC
Strange that Epylog would attempt to read the rpm database?  Did you try with the latest package?

Comment 12 David Allen 2013-09-09 22:45:33 UTC
The latest package from updates has been installed, and since then Epylog is working properly (sending email). However, I also followed this suggestion from SELinux (toggling nis_enabled):

%%%%%%%%%%%%%%%%%%%%%%%%%%%

SELinux is preventing /usr/bin/python2.7 from name_connect access on the tcp_socket .

*****  Plugin catchall_boolean (89.3 confidence) suggests  *******************

If you want to allow system to run with NIS
Then you must tell SELinux about this by enabling the 'nis_enabled' boolean.
You can read 'None' man page for more details.
Do
setsebool -P nis_enabled 1

*****  Plugin catchall (11.6 confidence) suggests  ***************************

If you believe that python2.7 should be allowed name_connect access on the  tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep epylog /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:logwatch_t:s0-s0:c0.c1023
Target Context                system_u:object_r:smtp_port_t:s0
Target Objects                 [ tcp_socket ]
Source                        epylog
Source Path                   /usr/bin/python2.7
Port                          25
Host                          proteus.oversoul.lan
Source RPM Packages           python-2.7.5-4.fc19.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-74.1.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     proteus.oversoul.lan
Platform                      Linux proteus.oversoul.lan 3.10.10-200.fc19.x86_64
                              #1 SMP Thu Aug 29 19:05:45 UTC 2013 x86_64 x86_64
Alert Count                   5
First Seen                    2013-09-04 18:22:46 PDT
Last Seen                     2013-09-08 12:15:12 PDT
Local ID                      627e52f3-d2ac-4e37-a5fd-7ec089a0c0e6

Raw Audit Messages
type=AVC msg=audit(1378667712.734:131): avc:  denied  { name_connect } for  pid=4214 comm="epylog" dest=25 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket


type=SYSCALL msg=audit(1378667712.734:131): arch=x86_64 syscall=connect success=no exit=EACCES a0=6 a1=7fff5c49fbd0 a2=10 a3=4 items=0 ppid=4212 pid=4214 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4 tty=(none) comm=epylog exe=/usr/bin/python2.7 subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null)

Hash: epylog,logwatch_t,smtp_port_t,tcp_socket,name_connect

%%%%%%%%%%%%%%%%%%%%%%%%%%%

Note that I am not reporting the above alert since I don't know if toggling nis_enabled was the actual fix or not. The update from testing did not fix the problem. After getting the same update from updates, I got the same error along with the above info from SELinux regarding nis_enabled (actually SELinux reported 2 errors with python 2.7 at the same time; I only reported the one from 2013-09-07 12:40:46 PDT, and did not report the one related to nis_enabled).

So, for whatever reason, the problem has gone away. [Hopefully the fix will go to RHEL and friends soon, as I have the same problem on several Scientific Linux 6.4 VMs.]

Comment 13 Miroslav Grepl 2013-09-10 08:45:36 UTC
We have

logwatch_can_sendmail

in the latest policy.

#============= logwatch_t ==============

#!!!! This avc can be allowed using one of the these booleans:
#     logwatch_can_sendmail, nis_enabled
allow logwatch_t smtp_port_t:tcp_socket name_connect
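As an added example, not code from the bug report or from the selinux-policy project: a small parser for the raw AVC records quoted in this bug that rebuilds setroubleshoot's "Hash:" line and the allow rule audit2allow prints, and looks up the booleans Comment 13 lists for this exact rule. The two sample records are copied from the bug; the boolean table is assumed from Comment 13 only.

```python
import re

# Constructed sample input: the two AVC records quoted in this bug, verbatim.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1377548705.431:1133): avc:  denied  { name_connect } for  '
    'pid=14390 comm="epylog" dest=25 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket',
    'type=AVC msg=audit(1378667712.734:131): avc:  denied  { name_connect } for  '
    'pid=4214 comm="epylog" dest=25 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket',
]

# Assumed table: booleans that cover this rule, as listed by audit2allow in Comment 13.
COVERING_BOOLEANS = {
    ('logwatch_t', 'smtp_port_t', 'tcp_socket', 'name_connect'):
        ['logwatch_can_sendmail', 'nis_enabled'],
}

AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one AVC record, or None if the line is not a usable AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    if not {'scontext', 'tcontext', 'tclass'} <= kv.keys():
        return None
    return {
        'result': m.group('result'),
        'perms': m.group('perms').split(),
        'comm': kv.get('comm'),
        'stype': kv['scontext'].split(':')[2],   # user:role:type[:range] -> type
        'ttype': kv['tcontext'].split(':')[2],
        'tclass': kv['tclass'],
        'dest': kv.get('dest'),
    }

def setroubleshoot_hash(avc):
    """The 'Hash:' key setroubleshoot prints: comm,source type,target type,class,perms."""
    return ','.join([avc['comm'], avc['stype'], avc['ttype'], avc['tclass'], ' '.join(avc['perms'])])

def allow_rule(avc):
    """The allow rule audit2allow would emit for this denial (braces only for several perms)."""
    perms = avc['perms'][0] if len(avc['perms']) == 1 else '{ %s }' % ' '.join(avc['perms'])
    return 'allow %s %s:%s %s;' % (avc['stype'], avc['ttype'], avc['tclass'], perms)

def covering_booleans(avc):
    """Booleans that would allow this denial without a local module, per the assumed table."""
    found = []
    for perm in avc['perms']:
        found += COVERING_BOOLEANS.get((avc['stype'], avc['ttype'], avc['tclass'], perm), [])
    return found
```

Preferring a covering boolean over `audit2allow -M mypol` keeps the local policy minimal: the boolean grants only the access the distribution policy already scoped for logwatch, whereas a generated module allows whatever was in the audit log.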