Bug 1001822
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | SELinux is preventing /usr/bin/python2.7 from 'name_connect' accesses on the tcp_socket . | | |
| Product: | Fedora | Reporter: | David Allen <dallen> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 19 | CC: | dominick.grift, dwalsh, lvrabec, mgrepl |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | x86_64 | | |
| OS: | Unspecified | | |
| Whiteboard: | abrt_hash:96d27cb352aaa99193f89fe6b587b372bd2a8adb98e36e15cca26bd7342daa68 | | |
| Fixed In Version: | selinux-policy-3.12.1-74.1.fc19 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2013-09-08 00:36:19 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
David Allen
2013-08-27 20:36:52 UTC
Description of problem:
Since I'm still not getting Epylog's report emailed to me, I assume this error is triggered when it attempts to do so. I set Epylog to email the report via smtp.west.cox.net rather than send it to root or other system user. I also get the following error (from the system?) mailed to root:

```
error: cannot open Packages index using db5 - Permission denied (13)
error: cannot open Packages database in /var/lib/rpm
Traceback (most recent call last):
  File "/usr/sbin/epylog", line 300, in <module>
    main(sys.argv)
  File "/usr/sbin/epylog", line 284, in main
    epylog.publish_report()
  File "/usr/lib/python2.7/site-packages/epylog/__init__.py", line 378, in publish_report
    self.report.publish(rawfh, unparsed)
  File "/usr/lib/python2.7/site-packages/epylog/report.py", line 245, in publish
    rawfh)
  File "/usr/lib/python2.7/site-packages/epylog/publishers.py", line 449, in publish
    mail_smtp(self.smtpserv, fromaddr, self.mailto, msg, logger)
  File "/usr/lib/python2.7/site-packages/epylog/publishers.py", line 128, in mail_smtp
    server = smtplib.SMTP(smtpserv)
  File "/usr/lib64/python2.7/smtplib.py", line 250, in __init__
    (code, msg) = self.connect(host, port)
  File "/usr/lib64/python2.7/smtplib.py", line 310, in connect
    self.sock = self._get_socket(host, port, self.timeout)
  File "/usr/lib64/python2.7/smtplib.py", line 285, in _get_socket
    return socket.create_connection((host, port), timeout)
  File "/usr/lib64/python2.7/socket.py", line 571, in create_connection
    raise err
socket.error: [Errno 13] Permission denied
```

Additional info:
reporter:       libreport-2.1.6
hashmarkername: setroubleshoot
kernel:         3.10.10-200.fc19.x86_64
type:           libreport

---

So logwatch is executing epylog? Or I guess epylog is logwatch. Miroslav, currently we allow logwatch to transition to a mail client rather than connecting directly. Not sure if there is much benefit to this.

---

Well, I believe there was a reason to have logwatch_mail_t. I think I just did not want to add all of the access required to cover all mailers in logwatch, but on the other hand did not want to give logwatch the power to launch system_mail_t. We could add a boolean for this case and leave the code as it is. Not sure how many people use epylog.

---

Yes, a boolean sounds like a good solution.

---

```
commit 50cc2634db400f0ee13094683412db931f999657
Author: Miroslav Grepl <mgrepl>
Date:   Thu Aug 29 15:36:34 2013 +0200

    Add logwatch_can_sendmail boolean
```

---

selinux-policy-3.12.1-74.1.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-74.1.fc19

---

Package selinux-policy-3.12.1-74.1.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.

Update it with:

```
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-74.1.fc19'
```

as soon as you are able to. Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-15819/selinux-policy-3.12.1-74.1.fc19
then log in and leave karma (feedback).

---

selinux-policy-3.12.1-74.1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.

---

Strange that Epylog would attempt to read the rpm database? Did you try with the latest package?

---

The latest package from updates has been installed, and since then Epylog is working properly (sending email). However, I also followed this suggestion from Selinux (toggling nis_enabled):

```
%%%%%%%%%%%%%%%%%%%%%%%%%%%
SELinux is preventing /usr/bin/python2.7 from name_connect access on the tcp_socket .

*****  Plugin catchall_boolean (89.3 confidence) suggests  *******************

If you want to allow system to run with NIS
Then you must tell SELinux about this by enabling the 'nis_enabled' boolean.
You can read 'None' man page for more details.
Do
    setsebool -P nis_enabled 1

*****  Plugin catchall (11.6 confidence) suggests  ***************************

If you believe that python2.7 should be allowed name_connect access on the tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep epylog /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:logwatch_t:s0-s0:c0.c1023
Target Context                system_u:object_r:smtp_port_t:s0
Target Objects                [ tcp_socket ]
Source                        epylog
Source Path                   /usr/bin/python2.7
Port                          25
Host                          proteus.oversoul.lan
Source RPM Packages           python-2.7.5-4.fc19.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.12.1-74.1.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     proteus.oversoul.lan
Platform                      Linux proteus.oversoul.lan 3.10.10-200.fc19.x86_64 #1 SMP Thu Aug 29 19:05:45 UTC 2013 x86_64 x86_64
Alert Count                   5
First Seen                    2013-09-04 18:22:46 PDT
Last Seen                     2013-09-08 12:15:12 PDT
Local ID                      627e52f3-d2ac-4e37-a5fd-7ec089a0c0e6

Raw Audit Messages
type=AVC msg=audit(1378667712.734:131): avc:  denied  { name_connect } for  pid=4214 comm="epylog" dest=25 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket

type=SYSCALL msg=audit(1378667712.734:131): arch=x86_64 syscall=connect success=no exit=EACCES a0=6 a1=7fff5c49fbd0 a2=10 a3=4 items=0 ppid=4212 pid=4214 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4 tty=(none) comm=epylog exe=/usr/bin/python2.7 subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null)

Hash: epylog,logwatch_t,smtp_port_t,tcp_socket,name_connect
%%%%%%%%%%%%%%%%%%%%%%%%%%%
```

Note that I am not reporting the above alert since I don't know if toggling nis_enabled was the actual fix or not. The update from testing did not fix the problem. After getting the same update from updates, I got the same error along with the above info from Selinux regarding nis_enabled (actually Selinux reported 2 errors with python 2.7 at the same time. I only reported the one regarding @2013-09-07 12:40:46 PDT, ignoring reporting the one related to nis_enabled). So, for whatever reason, the problem has gone away. [Hopefully the fix will go to RHEL and friends soon as I have the same problem on several Scientific Linux 6.4 VMs.]

---

We have logwatch_can_sendmail in the latest policy.

```
#============= logwatch_t ==============

#!!!! This avc can be allowed using one of the these booleans:
#     logwatch_can_sendmail, nis_enabled
allow logwatch_t smtp_port_t:tcp_socket name_connect
```
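As an added example (not code from this bug report, from Epylog, or from the selinux-policy project), the following Python script does the triage the thread does by hand: it parses raw AVC records from audit.log, prints the allow rule that `audit2allow -M` would generate for each one, and, where a boolean is known to cover the denial, prefers the one named after the source domain (logwatch_can_sendmail) over the generic nis_enabled, because the broad boolean widens policy for many domains rather than for this one program. The boolean table holds only the pair setroubleshoot reported in this bug; the second sample record (a read of the rpm database) and the domain-prefix ranking are my assumptions, not SELinux tooling behaviour.

```python
"""Triage SELinux AVC denials the way the thread above does by hand.

Added example, not code from this bug report or from selinux-policy.
It parses raw audit.log AVC records, shows the allow rule audit2allow
would emit, and prefers a domain-specific boolean (logwatch_can_sendmail)
over a broad one (nis_enabled) before falling back to a custom module.
"""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple


class AvcDenial(NamedTuple):
    perms: Tuple[str, ...]
    comm: str
    source_domain: str   # type component of scontext, e.g. logwatch_t
    target_type: str     # type component of tcontext, e.g. smtp_port_t
    tclass: str
    dest_port: Optional[int]


# 'avc:  denied  { perm ... } for  key=value ...' as written by the kernel
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _type_of(context: str) -> str:
    """user:role:type:range -> type."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context


def parse_avc(line: str) -> Optional[AvcDenial]:
    m = AVC_RE.search(line)
    if not m:
        return None  # SYSCALL and other record types are not denials
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return AvcDenial(
        perms=tuple(m.group("perms").split()),
        comm=fields.get("comm", "?"),
        source_domain=_type_of(fields.get("scontext", "")),
        target_type=_type_of(fields.get("tcontext", "")),
        tclass=fields.get("tclass", "?"),
        dest_port=int(fields["dest"]) if fields.get("dest", "").isdigit() else None,
    )


def allow_rule(d: AvcDenial) -> str:
    """The rule 'audit2allow -M' would put into a local module for this denial."""
    return "allow %s %s:%s %s;" % (d.source_domain, d.target_type, d.tclass, " ".join(d.perms))


BooleanTable = Dict[Tuple[str, str, str, str], List[str]]

# Booleans that cover a (source, target, class, perm) tuple. The single entry
# is exactly what setroubleshoot/audit2allow reported in this bug.
KNOWN_BOOLEANS: BooleanTable = {
    ("logwatch_t", "smtp_port_t", "tcp_socket", "name_connect"):
        ["nis_enabled", "logwatch_can_sendmail"],
}


def recommend(d: AvcDenial, table: BooleanTable) -> Tuple[Optional[str], List[str]]:
    """Pick the narrowest known boolean. Heuristic (assumed, not SELinux tooling):
    a boolean named after the source domain (logwatch_* for logwatch_t) only
    widens that domain, so it beats a generic one such as nis_enabled."""
    candidates: List[str] = []
    for perm in d.perms:
        for b in table.get((d.source_domain, d.target_type, d.tclass, perm), []):
            if b not in candidates:
                candidates.append(b)
    if not candidates:
        return None, []
    prefix = d.source_domain[:-2] if d.source_domain.endswith("_t") else d.source_domain
    specific = [b for b in candidates if b.startswith(prefix + "_")]
    best = specific[0] if specific else candidates[0]
    return best, [b for b in candidates if b != best]


def triage(audit_log: str, table: BooleanTable = KNOWN_BOOLEANS) -> List[Dict[str, object]]:
    """One entry per AVC record: the equivalent allow rule and the safest action."""
    out: List[Dict[str, object]] = []
    for line in audit_log.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        best, alts = recommend(d, table)
        out.append({
            "comm": d.comm, "rule": allow_rule(d), "port": d.dest_port,
            "action": ("setsebool -P %s 1" % best) if best
                      else "no boolean known: file a policy bug or build a minimal module",
            "alternatives": alts,
        })
    return out


# Sample input (constructed): the first two records are the real AVC/SYSCALL pair
# from this bug; the third is an invented denial for the 'cannot open Packages
# database' message the reporter also saw (the page shows no AVC for it).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1378667712.734:131): avc:  denied  { name_connect } for  pid=4214 comm="epylog" dest=25 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1378667712.734:131): arch=x86_64 syscall=connect success=no exit=EACCES a0=6 a1=7fff5c49fbd0 a2=10 a3=4 items=0 ppid=4212 pid=4214 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4 tty=(none) comm=epylog exe=/usr/bin/python2.7 subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1378667800.000:140): avc:  denied  { read } for  pid=4214 comm="epylog" name="Packages" dev="dm-0" ino=99999 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=file
"""

if __name__ == "__main__":
    for entry in triage(SAMPLE_AUDIT_LOG):
        print(entry)
```

Running it yields one entry per AVC record and skips the SYSCALL record. The point of the ranking is the one the thread arrives at: enabling logwatch_can_sendmail leaves the rest of the policy untouched, whereas `grep epylog /var/log/audit/audit.log | audit2allow -M mypol` would also turn every unrelated denial matching "epylog" (here the rpm database read) into a permanent allow rule in the custom module.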