Bug 464886
Summary: | denyhosts requires selinux policy changes to work without disabling other critical services like NFS | ||||||
---|---|---|---|---|---|---|---|
Product: | Red Hat Enterprise Linux 5 | Reporter: | jonathan | ||||
Component: | selinux-policy-targeted | Assignee: | Daniel Walsh <dwalsh> | ||||
Status: | CLOSED ERRATA | QA Contact: | BaseOS QE <qe-baseos-auto> | ||||
Severity: | medium | Docs Contact: | |||||
Priority: | medium | ||||||
Version: | 5.2 | CC: | dwalsh, mmalik | ||||
Target Milestone: | rc | ||||||
Target Release: | --- | ||||||
Hardware: | All | ||||||
OS: | Linux | ||||||
Whiteboard: | |||||||
Fixed In Version: | Doc Type: | Bug Fix | |||||
Doc Text: | Story Points: | --- | |||||
Clone Of: | Environment: | ||||||
Last Closed: | 2009-01-20 21:31:00 UTC | Type: | --- | ||||
Regression: | --- | Mount Type: | --- | ||||
Documentation: | --- | CRM: | |||||
Verified Versions: | Category: | --- | |||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
Cloudforms Team: | --- | Target Upstream Version: | |||||
Embargoed: | |||||||
Attachments: |
|
Description
jonathan
2008-10-01 01:54:57 UTC
Which nfs daemon are you seeing a denial for? Currently nfsd_t can read etc_runtime_t. I can modify tftpd_t to read it also. Do you know of other confined domains that use /etc/denyhosts.conf? I think writing policy for denyhosts would not be a bad idea since this is a fairly dangerous application, It reads random log content and then acts on it. But not likely for RHEL5. The restorecon solution is a good one for now. Other scripts that create mislabeled files do this and the race condition, is unlikely to fire. A policy for denyhosts would be great, but I understand there are limits to what can be included in the current release series. The messages I received for nfs were specifically for portmap. The /var/log/messages error was: Sep 19 20:18:32 moose portmap[2691]: warning: cannot open /etc/hosts.deny: Permission denied and the audit log was: type=AVC msg=audit(1221869801.815:25684): avc: denied { read } for pid=2691 comm="portmap" name= "hosts.deny" dev=sda1 ino=2024197 scontext=system_u:system_r:portmap_t:s0 tcontext=root:object_r:et c_runtime_t:s0 tclass=file For the tftp case here is an audit log showing the denial. (of read and getattr) type=AVC msg=audit(1221858396.393:25307): avc: denied { read } for pid=26664 comm="in.tftpd" nam e="hosts.deny" dev=sda1 ino=2024197 scontext=system_u:system_r:tftpd_t:s0-s0:c0.c1023 tcontext=root :object_r:etc_runtime_t:s0 tclass=file and audit.log.3:type=AVC msg=audit(1221858885.742:25346): avc: denied { getattr } for pid=26951 comm ="in.tftpd" path="/etc/hosts.deny" dev=sda1 ino=2024197 scontext=system_u:system_r:tftpd_t:s0-s0:c0 .c1023 tcontext=root:object_r:etc_runtime_t:s0 tclass=file As to your question about confined domains that use /etc/denyhosts.conf -- did you really mean /etc/denyhosts.conf, or did you mean /etc/hosts.deny? For the first case I don't think anyone besides denyhosts uses it. For the second it should be accessed by any daemon using tcp_wrappers. Now some of those daemons may already have access (for example I was also running sshd and it did not have a problem accessing /etc/hosts.deny during this time) but I was not running most of them so I can't be sure. To get a quick idea of potential targets I ran the little shell script I wrote (find_libwrap.sh -- it's attached to this comment) to see what daemons in /usr/sbin/ use tcp_wrappers. The list of output from the script is below. conmand libwrap.so.0 => /usr/lib64/libwrap.so.0 (0x000000342b200000) exim libwrap.so.0 => /usr/lib64/libwrap.so.0 (0x00002b64a43b0000) exportfs libwrap.so.0 => /usr/lib64/libwrap.so.0 (0x00002b21d97b4000) in.tftpd libwrap.so.0 => /usr/lib64/libwrap.so.0 (0x000000342b200000) mailstats libwrap.so.0 => /usr/lib64/libwrap.so.0 (0x00002b91a7068000) makemap libwrap.so.0 => /usr/lib64/libwrap.so.0 (0x00002b3cc4c31000) praliases libwrap.so.0 => /usr/lib64/libwrap.so.0 (0x00002ae55c61a000) rpc.mountd libwrap.so.0 => /usr/lib64/libwrap.so.0 (0x00002b78e2fe9000) rpc.rquotad libwrap.so.0 => /usr/lib64/libwrap.so.0 (0x00002ad99fda9000) sendmail libwrap.so.0 => /usr/lib64/libwrap.so.0 (0x00002b6e01e0d000) sendmail.exim libwrap.so.0 => /usr/lib64/libwrap.so.0 (0x00002b235c0eb000) sendmail.sendmail libwrap.so.0 => /usr/lib64/libwrap.so.0 (0x00002af4a6e72000) ldd: warning: you do not have execution permission for `./smartd-conf.pyc' ldd: warning: you do not have execution permission for `./smartd-conf.pyo' smrsh libwrap.so.0 => /usr/lib64/libwrap.so.0 (0x00002b2f52b9a000) snmpd libwrap.so.0 => /usr/lib64/libwrap.so.0 (0x00002b66f8268000) snmptrapd libwrap.so.0 => /usr/lib64/libwrap.so.0 (0x00002b903d88e000) sshd libwrap.so.0 => /usr/lib64/libwrap.so.0 (0x00002ab19373b000) stunnel libwrap.so.0 => /usr/lib64/libwrap.so.0 (0x00002b1bbc07f000) ldd: warning: you do not have execution permission for `./xenmon.pyc' ldd: warning: you do not have execution permission for `./xenmon.pyo' xinetd libwrap.so.0 => /usr/lib64/libwrap.so.0 (0x00002ad4ce9a2000) Created attachment 318196 [details]
bash script to find programs using tcp_wrappers
Fixed in selinux-policy-2.4.6-162.el5 An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on therefore solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2009-0163.html |