Bug 1001822 - SELinux is preventing /usr/bin/python2.7 from 'name_connect' accesses on the tcp_socket .
SELinux is preventing /usr/bin/python2.7 from 'name_connect' accesses on the ...
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
19
x86_64 Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
abrt_hash:96d27cb352aaa99193f89fe6b58...
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2013-08-27 16:36 EDT by David Allen
Modified: 2013-09-10 04:45 EDT (History)
4 users (show)

See Also:
Fixed In Version: selinux-policy-3.12.1-74.1.fc19
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-09-07 20:36:19 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description David Allen 2013-08-27 16:36:52 EDT
Description of problem:
I suspect, given the context, this occurs when Epylog tries to email logs - which I have yet to receive. Otherwise I have no idea when or why this error occurred.
SELinux is preventing /usr/bin/python2.7 from 'name_connect' accesses on the tcp_socket .

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that python2.7 should be allowed name_connect access on the  tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep epylog /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:logwatch_t:s0-s0:c0.c1023
Target Context                system_u:object_r:smtp_port_t:s0
Target Objects                 [ tcp_socket ]
Source                        epylog
Source Path                   /usr/bin/python2.7
Port                          25
Host                          (removed)
Source RPM Packages           python-2.7.5-4.fc19.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-73.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.10.9-200.fc19.x86_64 #1 SMP Wed
                              Aug 21 19:27:58 UTC 2013 x86_64 x86_64
Alert Count                   3
First Seen                    2013-08-24 13:25:03 PDT
Last Seen                     2013-08-26 13:25:05 PDT
Local ID                      8640b4b9-0b1f-4522-a9a8-42d78c857f3e

Raw Audit Messages
type=AVC msg=audit(1377548705.431:1133): avc:  denied  { name_connect } for  pid=14390 comm="epylog" dest=25 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket


type=SYSCALL msg=audit(1377548705.431:1133): arch=x86_64 syscall=connect success=no exit=EACCES a0=6 a1=7fff267e0de0 a2=10 a3=4 items=0 ppid=14388 pid=14390 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=140 tty=(none) comm=epylog exe=/usr/bin/python2.7 subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null)

Hash: epylog,logwatch_t,smtp_port_t,tcp_socket,name_connect

Additional info:
reporter:       libreport-2.1.6
hashmarkername: setroubleshoot
kernel:         3.10.9-200.fc19.x86_64
type:           libreport
Comment 1 Daniel Walsh 2013-08-28 14:34:14 EDT
So logwatch is executing epylog?
Comment 2 Daniel Walsh 2013-08-28 14:34:56 EDT
Or I guess epylog is logwatch.
Comment 3 Daniel Walsh 2013-08-28 14:38:22 EDT
Miroslav currently we allow logwatch to transition to a mail client rather then connecting directly,  Not sure if there is much benefit to this.
Comment 4 Miroslav Grepl 2013-08-29 05:06:16 EDT
Well I believe there was a reason to have logwatch_mail_t.
Comment 5 Daniel Walsh 2013-08-29 08:55:38 EDT
I think I just did not want to add all of the access required to cover all mailers in logwatch, but on the other hand did not want to give logwatch the power to launch system_mail_t.

We could add a boolean for this case and leave the code as it is.  Not sure how many people use epylog.
Comment 6 Miroslav Grepl 2013-08-29 09:37:40 EDT
Yes, a boolean sounds as a good solution.

commit 50cc2634db400f0ee13094683412db931f999657
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Thu Aug 29 15:36:34 2013 +0200

    Add logwatch_can_sendmail boolean
Comment 7 Fedora Update System 2013-09-03 15:56:56 EDT
selinux-policy-3.12.1-74.1.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-74.1.fc19
Comment 8 Fedora Update System 2013-09-04 21:38:22 EDT
Package selinux-policy-3.12.1-74.1.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-74.1.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-15819/selinux-policy-3.12.1-74.1.fc19
then log in and leave karma (feedback).
Comment 9 David Allen 2013-09-07 15:40:46 EDT
Description of problem:
Since I'm still not getting Epylog's report emailed to me, I assume this error is triggered when it attempts to do so. I set Epylog to email the report via smtp.west.cox.net rather than send it to root or other system user.

I also get the following error (from the system?) mailed to root:

error: cannot open Packages index using db5 - Permission denied (13)
error: cannot open Packages database in /var/lib/rpm
Traceback (most recent call last):
  File "/usr/sbin/epylog", line 300, in <module>
    main(sys.argv)
  File "/usr/sbin/epylog", line 284, in main
    epylog.publish_report()
  File "/usr/lib/python2.7/site-packages/epylog/__init__.py", line 378, in publish_report
    self.report.publish(rawfh, unparsed)
  File "/usr/lib/python2.7/site-packages/epylog/report.py", line 245, in publish
    rawfh)
  File "/usr/lib/python2.7/site-packages/epylog/publishers.py", line 449, in publish
    mail_smtp(self.smtpserv, fromaddr, self.mailto, msg, logger)
  File "/usr/lib/python2.7/site-packages/epylog/publishers.py", line 128, in mail_smtp
    server = smtplib.SMTP(smtpserv)
  File "/usr/lib64/python2.7/smtplib.py", line 250, in __init__
    (code, msg) = self.connect(host, port)
  File "/usr/lib64/python2.7/smtplib.py", line 310, in connect
    self.sock = self._get_socket(host, port, self.timeout)
  File "/usr/lib64/python2.7/smtplib.py", line 285, in _get_socket
    return socket.create_connection((host, port), timeout)
  File "/usr/lib64/python2.7/socket.py", line 571, in create_connection
    raise err
socket.error: [Errno 13] Permission denied


Additional info:
reporter:       libreport-2.1.6
hashmarkername: setroubleshoot
kernel:         3.10.10-200.fc19.x86_64
type:           libreport
Comment 10 Fedora Update System 2013-09-07 20:36:19 EDT
selinux-policy-3.12.1-74.1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 11 Daniel Walsh 2013-09-09 07:52:32 EDT
Strange that Epylog would attempt to read the rpm database?  Did you try with the latest package?
Comment 12 David Allen 2013-09-09 18:45:33 EDT
The lastest package from updates has been installed, and since then Epylog is working properly (sending email). However, I also followed this suggestion from Selinux (toggling nis_enabled):

%%%%%%%%%%%%%%%%%%%%%%%%%%%

SELinux is preventing /usr/bin/python2.7 from name_connect access on the tcp_socket .

*****  Plugin catchall_boolean (89.3 confidence) suggests  *******************

If you want to allow system to run with NIS
Then you must tell SELinux about this by enabling the 'nis_enabled' boolean.
You can read 'None' man page for more details.
Do
setsebool -P nis_enabled 1

*****  Plugin catchall (11.6 confidence) suggests  ***************************

If you believe that python2.7 should be allowed name_connect access on the  tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep epylog /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:logwatch_t:s0-s0:c0.c1023
Target Context                system_u:object_r:smtp_port_t:s0
Target Objects                 [ tcp_socket ]
Source                        epylog
Source Path                   /usr/bin/python2.7
Port                          25
Host                          proteus.oversoul.lan
Source RPM Packages           python-2.7.5-4.fc19.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-74.1.fc19.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     proteus.oversoul.lan
Platform                      Linux proteus.oversoul.lan 3.10.10-200.fc19.x86_64
                              #1 SMP Thu Aug 29 19:05:45 UTC 2013 x86_64 x86_64
Alert Count                   5
First Seen                    2013-09-04 18:22:46 PDT
Last Seen                     2013-09-08 12:15:12 PDT
Local ID                      627e52f3-d2ac-4e37-a5fd-7ec089a0c0e6

Raw Audit Messages
type=AVC msg=audit(1378667712.734:131): avc:  denied  { name_connect } for  pid=4214 comm="epylog" dest=25 scontext=system_u:system_r:logwatch_t:s0-s0:c0.c1023 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket


type=SYSCALL msg=audit(1378667712.734:131): arch=x86_64 syscall=connect success=no exit=EACCES a0=6 a1=7fff5c49fbd0 a2=10 a3=4 items=0 ppid=4212 pid=4214 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=4 tty=(none) comm=epylog exe=/usr/bin/python2.7 subj=system_u:system_r:logwatch_t:s0-s0:c0.c1023 key=(null)

Hash: epylog,logwatch_t,smtp_port_t,tcp_socket,name_connect

%%%%%%%%%%%%%%%%%%%%%%%%%%%

Note that I am not reporting the above alert since I don't know if toggling nis_enabled was the actual fix or not. The update from testing did not fix the problem. After getting the same update from updates, I got the same error along with the above info from Selinux regarding nis_enabled (actually Selinux reported 2 errors with python 2.7 at the same time. I only reported the one regarding @2013-09-07 12:40:46 PDT, ignoring reporting the one related to nis_enabled.

So, for whatever reason, the problem has gone away. [Hopefully the fix will go to RHEL and Friends soon as I have the same problem on several Scientific Linux 6.4 VM's.]
Comment 13 Miroslav Grepl 2013-09-10 04:45:36 EDT
We have

logwatch_can_sendmail

in the latest policy.

#============= logwatch_t ==============

#!!!! This avc can be allowed using one of the these booleans:
#     logwatch_can_sendmail, nis_enabled
allow logwatch_t smtp_port_t:tcp_socket name_connect

Note You need to log in before you can comment on or make changes to this bug.