Bug 603948

Summary:

SELinux is preventing /usr/bin/python access to a leaked /var/asl/tmp/asl.lock
file descriptor.

Detailed Description:

[denyhosts.py has a permissive type (denyhosts_t). This access was not denied.]

SELinux denied access requested by the denyhosts.py command. It looks like this
is either a leaked descriptor or denyhosts.py output was redirected to a file it
is not allowed to access. Leaks usually can be ignored since SELinux is just
closing the leak and reporting the error. The application does not use the
descriptor, so it will run properly. If this is a redirection, you will not get
output in the /var/asl/tmp/asl.lock. You should generate a bugzilla on
selinux-policy, and it will get routed to the appropriate package. You can
safely ignore this avc.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385)

Additional Information:

Source Context                unconfined_u:system_r:denyhosts_t:s0
Target Context                unconfined_u:object_r:var_t:s0
Target Objects                /var/asl/tmp/asl.lock [ file ]
Source                        denyhosts.py
Source Path                   /usr/bin/python
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           python-2.6.4-27.fc13
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-23.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   leaks
Host Name                     (removed)
Platform                      Linux (removed)
                              2.6.33.5-112.fc13.i686.PAE #1 SMP Thu May 27
                              02:56:20 UTC 2010 i686 i686
Alert Count                   27
First Seen                    Sun 13 Jun 2010 08:20:59 AM EST
Last Seen                     Sun 13 Jun 2010 10:30:44 AM EST
Local ID                      23a0e81e-e39c-478f-a86d-3ab08bfa5850
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1276389044.293:19983): avc:  denied  { read write } for  pid=4900 comm="denyhosts.py" path="/var/asl/tmp/asl.lock" dev=dm-0 ino=14711 scontext=unconfined_u:system_r:denyhosts_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file

node=(removed) type=AVC msg=audit(1276389044.293:19983): avc:  denied  { read } for  pid=4900 comm="denyhosts.py" path="/var/asl/data/.check" dev=dm-0 ino=27184 scontext=unconfined_u:system_r:denyhosts_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file

node=(removed) type=AVC msg=audit(1276389044.293:19983): avc:  denied  { write } for  pid=4900 comm="denyhosts.py" path=2F6574632F64656E79686F7374732E636F6E662E6E6577202864656C6574656429 dev=dm-0 ino=5862 scontext=unconfined_u:system_r:denyhosts_t:s0 tcontext=unconfined_u:object_r:etc_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1276389044.293:19983): arch=40000003 syscall=11 success=yes exit=0 a0=90f4f80 a1=90f3570 a2=90f3b80 a3=90f3570 items=0 ppid=4899 pid=4900 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2910 comm="denyhosts.py" exe="/usr/bin/python" subj=unconfined_u:system_r:denyhosts_t:s0 key=(null)



Hash String generated from  leaks,denyhosts.py,denyhosts_t,var_t,file,read,write
audit2allow suggests:

#============= denyhosts_t ==============
allow denyhosts_t etc_t:file write;
allow denyhosts_t var_t:file { read write };