Bug 575515
| Field | Value |
|---|---|
| Summary | SELinux is preventing /usr/bin/python "read" access on /etc/nsswitch.conf. |
| Product | Fedora |
| Component | selinux-policy |
| Status | CLOSED ERRATA |
| Severity | medium |
| Priority | low |
| Version | 13 |
| Hardware | i386 |
| OS | Linux |
| Reporter | Jonathan <talltaurus2002> |
| Assignee | Daniel Walsh <dwalsh> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | dwalsh, mgrepl, talltaurus2002 |
| Whiteboard | setroubleshoot_trace_hash:0d81f1123a1690525e1bcf1518dc6db289102121d5f3bc3692b4b4c020785887 |
| Fixed In Version | selinux-policy-3.7.15-4.fc13 |
| Doc Type | Bug Fix |
| Last Closed | 2010-03-25 22:29:43 UTC |

Description
Jonathan
2010-03-21 05:57:47 UTC
Miroslav, you might want to add this also. You can add these rules for now using

    # grep avc /var/log/audit/audit.log | audit2allow -M mypol
    # semodule -i mypol.pp

Fixed in selinux-policy-3.7.15-4.fc13.noarch

selinux-policy-3.7.15-4.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/selinux-policy-3.7.15-4.fc13

Looks like you got denyhosts starting without a hitch. Thank you.

Please update karma.

Still not quite right. It won't let denyhosts append to the hosts.deny file. But the service enables without a SELinux fault, and I think it starts the service without a SELinux fault, but it still won't let it write to the file. Still complaining about the net_conf_t versus etc_t type.

selinux-policy-3.7.15-4.fc13 has been pushed to the Fedora 13 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.7.15-4.fc13

Jonathan, what AVC are you seeing? Is denyhosts trying to read net_conf_t? What file?

It's working, Daniel. The only problem I have right now is my hackers aren't attacking, so I have one good add to my deny.host but they won't attack so I can see a "has been denied" entry in my log. I haven't been run at since Monday afternoon. GRRR. How do I karma this?

Karma'd it for denyhosts on the testing board.

Jonathan, just attach the AVCs you have in audit.log.

selinux-policy-3.7.15-4.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.

Created attachment 402739 [details]
denyhosts AVCs from audit.log

The problem is /etc/hosts.deny is mislabeled.

    # restorecon /etc/hosts.deny

should set the label to net_conf_t. Do you have any idea how it got mislabeled? If you created an empty file as an administrator it would be mislabeled.

Created attachment 402975 [details]
Attack ending in alert

During one of my alerts it had an option to do restorecon. I think that's what caused the mislabeling. But yes, I pulled my old hosts.deny file off Fedora 12 to the desktop, chown'd it to me and backed it up with the rest of the data before setting up the 13 test box. I no longer get any alerts on any normal things any more. It just works. But my last attack in the attachment above generated a strange alert: SELinux is preventing /usr/bin/python "getattr" access on /usr/bin/locale. The alert shows it occurred 8 times at the end of the attack, about 20 attacks. Don't really care though. As long as stuff installs and runs well on beta and release, that's all I'm in it for.

Might be another mislabeled file.

    # fixfiles restore

will run through your entire file system resetting file labels to the default.

Ok, done. Thank you, Mr. Walsh. I'll double check it on another install next week.
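The diagnosis in this thread (a denial that looks like a missing policy rule but is really a file carrying the wrong type, etc_t where the policy expects net_conf_t) can be checked mechanically before reaching for audit2allow. The POSIX shell script below is an added example, not code from the bug report, from the selinux-policy package, or from DenyHosts: it parses AVC records in audit.log format, extracts the source and target types, and compares each denied path's current type against an expected-type table. The audit lines, the denyhosts_t domain name, the pids and inode numbers, and the expected-type table are all constructed for the example; on a live host the records come from /var/log/audit/audit.log and the expected type for a path from matchpathcon(8).

```shell
#!/bin/sh
# Added example (not from the bug report or from selinux-policy): flag AVC
# denials whose target file is mislabeled, i.e. where restorecon is the fix
# rather than a new policy module.

# Constructed audit.log excerpt. Assumptions: the DenyHosts process runs as
# /usr/bin/python in a denyhosts_t domain; the first denial is an append to a
# hosts.deny labeled etc_t instead of net_conf_t (the symptom in the bug), the
# second is a read of nsswitch.conf that is correctly labeled etc_t.
SAMPLE_AUDIT_LOG='type=AVC msg=audit(1269150000.123:45): avc:  denied  { append } for  pid=1234 comm="python" path="/etc/hosts.deny" dev=dm-0 ino=5678 scontext=system_u:system_r:denyhosts_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=CRED_ACQ msg=audit(1269150050.000:46): pid=1300 uid=0 auid=500 subj=system_u:system_r:crond_t:s0 exe="/usr/sbin/crond" res=success
type=AVC msg=audit(1269150100.456:47): avc:  denied  { read } for  pid=1234 comm="python" path="/etc/nsswitch.conf" dev=dm-0 ino=9012 scontext=system_u:system_r:denyhosts_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file'

# Expected SELinux type per path, one "path type" pair per line (constructed;
# "matchpathcon -n <path>" gives the policy's answer on a real system).
EXPECTED_LABELS='/etc/hosts.deny net_conf_t
/etc/nsswitch.conf etc_t'

# avc_summary: audit log on stdin -> one tab-separated line per AVC denial:
# permission, comm, path, source type, target type, tclass.
avc_summary() {
  awk '
    function unq(s) { gsub(/"/, "", s); return s }
    function ctxtype(c,  p) { split(c, p, ":"); return p[3] }
    /type=AVC/ && / denied / {
      perm = "-"; comm = "-"; path = "-"; stype = "-"; ttype = "-"; tclass = "-"
      # the denied permission set sits between "{ " and " }"
      if (match($0, /[{] [^}]* [}]/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
      for (i = 1; i <= NF; i++) {
        n = index($i, "=")
        if (n == 0) continue
        key = substr($i, 1, n - 1); val = substr($i, n + 1)
        if (key == "comm") comm = unq(val)
        else if (key == "path") path = unq(val)
        else if (key == "scontext") stype = ctxtype(val)
        else if (key == "tcontext") ttype = ctxtype(val)
        else if (key == "tclass") tclass = val
      }
      printf "%s\t%s\t%s\t%s\t%s\t%s\n", perm, comm, path, stype, ttype, tclass
    }'
}

# avc_mislabeled: avc_summary output on stdin, expected-label table in $1 ->
# "path<TAB>current type<TAB>expected type" for each denied path whose target
# type differs from the table (each path reported once).
avc_mislabeled() {
  awk -F "$(printf '\t')" -v table="$1" '
    BEGIN {
      n = split(table, rows, "\n")
      for (i = 1; i <= n; i++) { split(rows[i], f, " "); expected[f[1]] = f[2] }
    }
    ($3 in expected) && expected[$3] != $5 && !($3 in seen) {
      seen[$3] = 1
      printf "%s\t%s\t%s\n", $3, $5, expected[$3]
    }'
}

# restorecon_hints: turn each mismatch into the restorecon command that fixes it.
restorecon_hints() {
  avc_mislabeled "$EXPECTED_LABELS" | while IFS="$(printf '\t')" read -r p cur exp; do
    printf '# %s is %s, expected %s: restorecon -v %s\n' "$p" "$cur" "$exp" "$p"
  done
}

# Run on the constructed log: two denials summarised, one mislabel found.
printf '%s\n' "$SAMPLE_AUDIT_LOG" | avc_summary
printf '%s\n' "$SAMPLE_AUDIT_LOG" | avc_summary | restorecon_hints
```

On a real host the pipeline is `grep avc /var/log/audit/audit.log | avc_summary`, with the expected-type table built from `matchpathcon -n` for each denied path. The point of checking labels first is the one the thread arrives at: feeding a mislabel-caused denial to audit2allow produces a module that permits the domain to write etc_t, which is far broader than the net_conf_t access the policy intends, whereas `restorecon` on the file (or `fixfiles restore` for the whole filesystem) removes the denial without widening policy.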