Bug 575515

Summary: SELinux is preventing /usr/bin/python "read" access on /etc/nsswitch.conf.
Product: [Fedora] Fedora Reporter: Jonathan <talltaurus2002>
Component: selinux-policyAssignee: Daniel Walsh <dwalsh>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: 13CC: dwalsh, mgrepl, talltaurus2002
Target Milestone: ---   
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard: setroubleshoot_trace_hash:0d81f1123a1690525e1bcf1518dc6db289102121d5f3bc3692b4b4c020785887
Fixed In Version: selinux-policy-3.7.15-4.fc13 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-03-25 22:29:43 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
denyhost avc's from audit.log
none
Attack ending in alert none

Description Jonathan 2010-03-21 05:57:47 UTC 
Summary:

SELinux is preventing /usr/bin/python "read" access on /etc/nsswitch.conf.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux denied access requested by denyhosts.py. It is not expected that this
access is required by denyhosts.py and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                unconfined_u:system_r:denyhosts_t:s0
Target Context                system_u:object_r:etc_t:s0
Target Objects                /etc/nsswitch.conf [ file ]
Source                        denyhosts.py
Source Path                   /usr/bin/python
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           python-2.6.4-20.fc13
Target RPM Packages           glibc-2.11.90-15
Policy RPM                    selinux-policy-3.7.14-3.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.33-1.fc13.i686.PAE
                              #1 SMP Wed Feb 24 19:54:49 UTC 2010 i686 i686
Alert Count                   6
First Seen                    Sun 21 Mar 2010 12:52:25 AM CDT
Last Seen                     Sun 21 Mar 2010 12:55:26 AM CDT
Local ID                      1f3f2c6f-b107-4e01-a890-66725b471e3f
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1269150926.616:19614): avc:  denied  { read } for  pid=2596 comm="denyhosts.py" name="nsswitch.conf" dev=sda1 ino=788246 scontext=unconfined_u:system_r:denyhosts_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file

node=(removed) type=AVC msg=audit(1269150926.616:19614): avc:  denied  { open } for  pid=2596 comm="denyhosts.py" name="nsswitch.conf" dev=sda1 ino=788246 scontext=unconfined_u:system_r:denyhosts_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1269150926.616:19614): arch=40000003 syscall=5 success=yes exit=4 a0=60d652 a1=0 a2=1b6 a3=60a98e items=0 ppid=2595 pid=2596 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="denyhosts.py" exe="/usr/bin/python" subj=unconfined_u:system_r:denyhosts_t:s0 key=(null)


Trying to start denyhost with it set to enforcing. Changing to permissive allowed a start
Hash String generated from  catchall,denyhosts.py,denyhosts_t,etc_t,file,read
audit2allow suggests:

#============= denyhosts_t ==============
allow denyhosts_t etc_t:file { read open };
Comment 1 Daniel Walsh 2010-03-22 15:57:20 UTC 
Miroslav you might want to add this also.

You can add these rules for now using

# grep avc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Fixed in selinux-policy-3.7.15-4.fc13.noarch
Comment 2 Fedora Update System 2010-03-23 13:33:12 UTC 
selinux-policy-3.7.15-4.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/selinux-policy-3.7.15-4.fc13
Comment 3 Jonathan 2010-03-23 17:40:23 UTC 
Looks like you got denyhost starting without a hitch.
Thank you.
Comment 4 Daniel Walsh 2010-03-23 17:46:48 UTC 
Please update karma
Comment 5 Jonathan 2010-03-23 21:23:23 UTC 
Still not quite right. It won't let denyhost append to the hosts.deny file. But service enables without selinux and I think it starts service without selinux fault but still won't let it write to file.
Comment 6 Jonathan 2010-03-23 21:26:05 UTC 
Still complaining about the net_conf_t versus etc_t type.
Comment 7 Fedora Update System 2010-03-24 00:47:23 UTC 
selinux-policy-3.7.15-4.fc13 has been pushed to the Fedora 13 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.7.15-4.fc13
Comment 8 Daniel Walsh 2010-03-24 12:49:42 UTC 
Jonathan what AVC are you seeing?  Is denyhost trying to read net_conf_t?  What file?
Comment 9 Jonathan 2010-03-24 19:49:02 UTC 
It's working Daniel. The only problem I have right now is my hackers aren't attacking so I have one good add to my deny.host but they won't attack so i can see a "has been denied" entry in my log. I haven't been run at since monday afternoon. GRRR.

How do I karma this?
Comment 10 Jonathan 2010-03-24 19:52:01 UTC 
karma'd it for denyhost on testing board.
Comment 11 Daniel Walsh 2010-03-25 17:32:15 UTC 
jonathan , just attach the avc's you have in audit.log.
Comment 12 Fedora Update System 2010-03-25 22:29:05 UTC 
selinux-policy-3.7.15-4.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 13 Jonathan 2010-03-26 02:37:01 UTC 
Created attachment 402739 [details]
denyhost avc's from audit.log
Comment 14 Daniel Walsh 2010-03-26 13:23:32 UTC 
The problem is /etc/hosts.deny is mislabeled.

restorecon /etc/hosts.deny

Should set the label to net_conf_t.

Do you have any idea how it got mislabeled?  If you created an empty file as an administrator it would be mislabeled.
Comment 15 Jonathan 2010-03-27 02:35:41 UTC 
Created attachment 402975 [details]
Attack ending in alert
Comment 16 Jonathan 2010-03-27 02:50:23 UTC 
During one of my alerts it had an option to do restorecon. I think that's what caused the mislabeling. But yes I pulled my old hosts.deny file off fedora 12 to the desktop chown'd it to me and backed it up with the rest of the data before setting up the 13 test box. I no longer get any alerts on any normal things any more. It just works. But my last attack in the attachment the message above me generated a strange alert.

SELinux is preventing /usr/bin/python "getattr" access on /usr/bin/locale. Alterted showing it occured 8 times at the end of the attack about 20 attacks.

Don't really care though. As long as stuff installs and runs well on beta and release that's all i'm in it for.
Comment 17 Daniel Walsh 2010-03-29 13:24:21 UTC 
Might be another mislabeled file.

# fixfiles restore

Will run through your entire file system resetting file labels to the default.
Comment 18 Jonathan 2010-03-29 21:14:34 UTC 
Ok done. Thank you Mr. Walsh. I'll double check it on a another install next week.