Bug 677674

Summary: allow ident requests by sshd/libwrap
Product: [Fedora] Fedora
Reporter: Jan "Yenya" Kasprzak <kas>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 14
CC: dwalsh, mgrepl
Hardware: Unspecified
OS: Unspecified
Fixed In Version: selinux-policy-3.9.7-31.fc14
Doc Type: Bug Fix
Last Closed: 2011-02-24 20:53:59 UTC

Description Jan "Yenya" Kasprzak 2011-02-15 14:47:49 UTC
Description of problem:
When ident requests are allowed in TCP wrappers config (/etc/hosts.{allow,deny}), SELinux blocks the requests. I have seen it with sshd, but I suspect other users of libwrap can be affected as well.

Version-Release number of selected component (if applicable):
selinux-policy-3.9.7-29.fc14.noarch
tcp_wrappers-libs-7.6-59.fc14.x86_64
openssh-server-5.5p1-24.fc14.2.x86_64

How reproducible:
100 %

Steps to Reproduce:
1. Install F14, configure ssh server, enable it in iptables.
2. echo "sshd: ALL@ALL" >> /etc/hosts.allow
3. connect to the ssh server (telnet f14-host.mydomain 22)
4. tail /var/log/audit/audit.log | audit2allow
  
Actual results:
#============= sshd_t ==============
#!!!! This avc can be allowed using one of the these booleans:
#     sshd_forward_ports, allow_ypbind

allow sshd_t auth_port_t:tcp_socket name_connect;

Expected results:
No AVCs should be logged.

Additional info:
I don't think any of the booleans suggested by audit2allow apply (I don't want to allow port forwarding, and I don't run ypbind).

Comment 1 Miroslav Grepl 2011-02-16 16:23:36 UTC
Dan,
maybe we could add a new boolean for this

tunable_policy(`allow_use_tcp_wrapper',`
   corenet_tcp_connect_auth_port(sshd_t)
')

which could be used also for other domains.

Comment 2 Daniel Walsh 2011-02-16 19:31:54 UTC
How about adding to init.te


tunable_policy(`daemon_use_tcp_wrapper',`
   corenet_tcp_connect_auth_port(daemon)
')

Comment 3 Miroslav Grepl 2011-02-17 08:52:08 UTC
Good idea. Fixed in selinux-policy-3.9.7-31.fc14
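An added example, not code from this bug report or from the selinux-policy project: a small POSIX shell script that scans an audit log for exactly the denial described above (a libwrap-using domain such as sshd_t refused name_connect to auth_port_t, the ident/auth port) and points at the tunable discussed in Comments 2 and 3 instead of the sshd_forward_ports or allow_ypbind booleans that audit2allow guessed at. The audit lines are constructed, and the boolean name daemon_use_tcp_wrapper is the one proposed in Comment 2; confirm the name actually shipped with getsebool -a | grep tcp_wrapper before relying on it.

```shell
#!/bin/sh
# Added example, not code from the bug report: find the AVC this report
# describes (a libwrap-using domain such as sshd_t denied name_connect to
# auth_port_t, the ident/auth port) in an audit log and print the
# remediation discussed in the report rather than the booleans that
# audit2allow guessed at.

# Constructed sample audit.log: one ident-port denial plus one unrelated
# denial that must not match. Not a real capture.
SAMPLE_AUDIT_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_AUDIT_LOG"' EXIT
cat > "$SAMPLE_AUDIT_LOG" <<'EOF'
type=AVC msg=audit(1297781269.123:456): avc:  denied  { name_connect } for  pid=1234 comm="sshd" dest=113 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:auth_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1297781270.456:457): avc:  denied  { read } for  pid=1235 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
EOF

# Print "<source domain> <comm>" for every name_connect denial whose
# target is auth_port_t on a tcp_socket; other denials are ignored.
ident_denials() {
    grep 'denied *{ name_connect }' "$1" \
        | grep 'tcontext=[^ ]*:auth_port_t:' \
        | grep 'tclass=tcp_socket' \
        | sed -E 's/.*comm="([^"]*)".*scontext=[^:]*:[^:]*:([^:]*):.*/\2 \1/'
}

# Number of such denials (0 when the log is clean).
ident_denial_count() {
    ident_denials "$1" | wc -l | tr -d ' '
}

# A non-zero count means the ident lookup triggered by the hosts.allow
# rule is being blocked by policy. The boolean below is the name
# proposed in Comment 2 (assumption: verify the shipped name with
# "getsebool -a | grep tcp_wrapper" before setting it).
recommend() {
    if [ "$(ident_denial_count "$1")" -gt 0 ]; then
        echo "ident-port denials from: $(ident_denials "$1" | sort -u | tr '\n' ' ')"
        echo "remediation: setsebool -P daemon_use_tcp_wrapper on"
    else
        echo "no ident-port denials found"
    fi
}

recommend "$SAMPLE_AUDIT_LOG"
```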

Comment 4 Jan "Yenya" Kasprzak 2011-02-21 11:49:05 UTC
Works for me, thanks!

Comment 5 Fedora Update System 2011-02-21 20:28:22 UTC
selinux-policy-3.9.7-31.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-31.fc14

Comment 6 Miroslav Grepl 2011-02-21 20:49:03 UTC
Jan,
could you update the karma? Thank you.

Comment 7 Fedora Update System 2011-02-22 04:53:56 UTC
selinux-policy-3.9.7-31.fc14 has been pushed to the Fedora 14 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update selinux-policy'
You can provide feedback for this update here: https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-31.fc14

Comment 8 Fedora Update System 2011-02-24 20:53:20 UTC
selinux-policy-3.9.7-31.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.