Bug 650620

Summary: SELinux belet /usr/bin/jwhois "read write" toegang on /var/cache/jwhois/jwhois.db.
Product: [Fedora] Fedora Reporter: Michael Gruys <m.gruys>
Component: jwhoisAssignee: Vitezslav Crhonek <vcrhonek>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: 14CC: dwalsh, mgrepl, redhat-bugzilla, vcrhonek
Target Milestone: ---   
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard: setroubleshoot_trace_hash:2e4e66f94528ca5b3026d41829b3f412f7f6b009fc2cea556cf5365eb21ef90e
Fixed In Version: jwhois-4.0-23.fc14 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-11-17 23:24:41 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Michael Gruys 2010-11-07 13:09:14 UTC 
Samenvatting:

SELinux belet /usr/bin/jwhois "read write" toegang on
/var/cache/jwhois/jwhois.db.

Gedetailleerde omschrijving:

SELinux belette toegang gevraagd door whois. Het wordt niet verwacht dat deze
toegang voor whois nodig is en deze toegang kan een indringing poging aangeven.
Het is ook mogelijk dat de specifieke versie of configuratie van de toepassing
het veroorzaakt om extra toegang aan te vragen.

Toegang toestaan:

Je kunt een locale tactiek module maken om deze toegang toe te staan - zie FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Dien a.u.b. een fout
rapport in.

Extra informatie:

Bron context                  system_u:system_r:fail2ban_t:s0
Doel context                  system_u:object_r:var_t:s0
Doel objecten                 /var/cache/jwhois/jwhois.db [ file ]
Bron                          whois
Bron pad                      /usr/bin/jwhois
Poort                         <Onbekend>
Host                          (verwijderd)
Bron RPM pakketten            jwhois-4.0-22.fc14
Doel RPM pakketten            jwhois-4.0-22.fc14
Tactiek RPM                   selinux-policy-3.9.7-7.fc14
SELinux aangezet              True
Tactiek type                  targeted
Afdwingende mode              Enforcing
Plug-in naam                  catchall
Host naam                     (verwijderd)
Platform                      Linux (verwijderd) 2.6.35.6-48.fc14.i686.PAE #1 SMP Fri
                              Oct 22 15:27:53 UTC 2010 i686 i686
Aantal waarschuwingen         6
Eerst gezien op               za 06 nov 2010 19:27:43 CET
Laatst gezien op              zo 07 nov 2010 13:53:12 CET
Locale ID                     8e711283-c344-4618-a1ee-d957014ecd9d
Regel nummers                 

Onbewerkte audit boodschappen 

node=(verwijderd) type=AVC msg=audit(1289134392.313:953): avc:  denied  { read write } for  pid=26575 comm="whois" name="jwhois.db" dev=dm-0 ino=7212213 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file

node=(verwijderd) type=SYSCALL msg=audit(1289134392.313:953): arch=40000003 syscall=5 success=no exit=-13 a0=9e0b8a0 a1=42 a2=1b0 a3=9e0b858 items=0 ppid=26574 pid=26575 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=475 sgid=475 fsgid=475 tty=(none) ses=4294967295 comm="whois" exe="/usr/bin/jwhois" subj=system_u:system_r:fail2ban_t:s0 key=(null)



Hash String generated from  catchall,whois,fail2ban_t,var_t,file,read,write
audit2allow suggests:

#============= fail2ban_t ==============
allow fail2ban_t var_t:file { read write };
Comment 1 Miroslav Grepl 2010-11-08 09:57:54 UTC 
You can allow it for now using

# chcon -R -t fail2ban_var_lib_t /var/cache/jwhois 

We will need to add a label for that directory.
Comment 2 Daniel Walsh 2010-11-08 20:39:36 UTC 
Miroslav, I actually started to write policy for this app, but I think the app is so nuts that I think we should fix the app.

It seems to want to be setgid and cache its results in /var/cache/jwhois, like there are that many apps running jwhois, and getting duplicate results.


Why does jwhois need a cache?
Comment 3 Robert Scheck 2010-11-08 21:00:40 UTC 
Unfortunately, some domain name registries have braindead configured WHOIS
servers, which just allow e.g. less WHOIS queries (or are somewhat slow), which
is a serious issue if you've many users performing many WHOIS queries. So there
are cases where the cache is really needed. I think the reporter is using 
fail2ban together with jwhois and caching to avoid getting blackisted by the 
WHOIS servers.

From what I know, the cache is not enabled by default and it also should not
be enabled by default - that never was case so far.

http://pkgs.fedoraproject.org/gitweb/?p=jwhois.git;a=blob;f=jwhois.spec;h=0a6fdcba477d723184ae6f977be3226e55636d47;hb=c0892802c58f6d2bd05df2b761146758e8c0e5fa
Comment 4 Daniel Walsh 2010-11-08 21:09:48 UTC 
Huh?

 1 %{?!with_cache: %define with_cache 1}

Doesn't this mean if with_cache is not defined, then turn it on?
Comment 5 Michael Gruys 2010-11-09 05:46:53 UTC 
I indeed using fail2ban. No idea if its working together with jwhois. Can be.
Comment 6 Vitezslav Crhonek 2010-11-09 12:35:12 UTC 
(In reply to comment #4)
> Huh?
> 
>  1 %{?!with_cache: %define with_cache 1}
> 
> Doesn't this mean if with_cache is not defined, then turn it on?

Thanks for heads up, this is not intended and it'll be fixed!
Comment 7 Fedora Update System 2010-11-09 14:09:51 UTC 
jwhois-4.0-23.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/jwhois-4.0-23.fc14
Comment 8 Fedora Update System 2010-11-10 01:06:55 UTC 
jwhois-4.0-23.fc14 has been pushed to the Fedora 14 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update jwhois'.  You can provide feedback for this update here: https://admin.fedoraproject.org/updates/jwhois-4.0-23.fc14
Comment 9 Fedora Update System 2010-11-17 23:24:36 UTC 
jwhois-4.0-23.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.