Description of problem:
An option in /etc/denyhosts.conf seems to prompt the app to connect for dns. I think as per the app requirements, it should be allowed to connect on dns.

######################################################################
#
# HOSTNAME_LOOKUP
#
# HOSTNAME_LOOKUP=YES|NO
# If set to YES, for each IP address that is reported by Denyhosts,
# the corresponding hostname will be looked up and reported as well
# (if available).
#
HOSTNAME_LOOKUP=YES
#
######################################################################

denyhosts.noarch 2.6-29.fc20 @fedora

SELinux is preventing /usr/bin/python2.7 from 'name_connect' accesses on the tcp_socket .

***** Plugin catchall (100. confidence) suggests **************************

If you believe that python2.7 should be allowed name_connect access on the tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep denyhosts.py /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:denyhosts_t:s0
Target Context                system_u:object_r:sype_transport_port_t:s0
Target Objects                [ tcp_socket ]
Source                        denyhosts.py
Source Path                   /usr/bin/python2.7
Port                          9911
Host                          (removed)
Source RPM Packages           python-2.7.5-13.fc20.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.12.1-177.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.15.5-200.fc20.x86_64 #1 SMP Mon Jul 14 15:40:08 UTC 2014 x86_64 x86_64
Alert Count                   6
First Seen                    2014-07-14 22:05:03 IST
Last Seen                     2014-07-20 13:56:22 IST
Local ID                      caa6a82f-5355-41ff-89d9-b72d9cc03c78

Raw Audit Messages
type=AVC msg=audit(1405844782.76:422): avc: denied { name_connect } for pid=664 comm="denyhosts.py" dest=9911 scontext=system_u:system_r:denyhosts_t:s0 tcontext=system_u:object_r:sype_transport_port_t:s0 tclass=tcp_socket

type=SYSCALL msg=audit(1405844782.76:422): arch=x86_64 syscall=connect success=no exit=EACCES a0=6 a1=7fffc301e4a0 a2=10 a3=c2 items=0 ppid=1 pid=664 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=denyhosts.py exe=/usr/bin/python2.7 subj=system_u:system_r:denyhosts_t:s0 key=(null)

Hash: denyhosts.py,denyhosts_t,sype_transport_port_t,tcp_socket,name_connect

Additional info:
reporter:       libreport-2.2.2
hashmarkername: setroubleshoot
kernel:         3.15.5-200.fc20.x86_64
type:           libreport
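The AVC record from the report above, parsed field by field so the denied domain, target port type and destination port can be reviewed before any local module is generated. This is an added example, not part of the original report or of the selinux-policy project; the function names are illustrative assumptions.

```python
import re

# AVC record copied from the report above.
AVC = ('type=AVC msg=audit(1405844782.76:422): avc: denied { name_connect } '
       'for pid=664 comm="denyhosts.py" dest=9911 '
       'scontext=system_u:system_r:denyhosts_t:s0 '
       'tcontext=system_u:object_r:sype_transport_port_t:s0 tclass=tcp_socket')

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')


def parse_avc(line):
    """Return the denial's fields as a dict, or None if this is not an AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    pairs = (kv.split('=', 1) for kv in m.group('rest').split() if '=' in kv)
    fields = {k: v.strip('"') for k, v in pairs}
    fields['perms'] = m.group('perms').split()
    # A context is user:role:type:level; the type is the third component,
    # even when the level itself contains colons (e.g. s0:c0.c1023).
    fields['source_type'] = fields['scontext'].split(':')[2]
    fields['target_type'] = fields['tcontext'].split(':')[2]
    return fields


def allow_rule(fields):
    """Type-enforcement rule that would permit exactly this denial and no more."""
    perms = fields['perms']
    perm_text = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return 'allow %s %s:%s %s;' % (fields['source_type'], fields['target_type'],
                                   fields['tclass'], perm_text)


def summarize(line):
    """Condense a denial to what a reviewer checks: who, what port, which rule."""
    fields = parse_avc(line)
    if fields is None:
        return None
    port = int(fields['dest']) if 'dest' in fields else None
    return {'domain': fields['source_type'], 'port': port,
            'port_type': fields['target_type'], 'rule': allow_rule(fields)}


if __name__ == '__main__':
    for key, value in summarize(AVC).items():
        print('%-10s %s' % (key, value))
```

Reading the summary before running `semodule -i` shows exactly which domain would gain which permission on which port type.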
Are you getting more AVCs if you execute

# semanage permissive -a denyhosts_t

re-test it and

# ausearch -m avc -ts recent
# semanage permissive -d denyhosts_t
Description of problem:
This should be handled by package selinux policy. One should not need to generate a special local policy for this. Thanks

Additional info:
reporter:       libreport-2.2.3
hashmarkername: setroubleshoot
kernel:         3.15.6-200.fc20.x86_64
type:           libreport
Created attachment 923593 [details] output of ausearch -m avc
Created attachment 923595 [details] output of ausearch -m avc -ts recent

The command as you told me: semanage permissive -a denyhosts_t was executed on Sat Aug 02 at around 21:00 HOURS. The permissions were removed through semanage permissive -d denyhosts_t a short time from now. Thanks

[root@localhost ~]# cat /tmp/lastb.out
(In reply to Miroslav Grepl from comment #1)
> Are you getting more AVCs if you execute
>
> # semanage permissive -a denyhosts_t
>
> re-test it and
>
> # ausearch -m avc -ts recent
> # semanage permissive -d denyhosts_t

Sorry for the late reply. I have done as I was told to do & attached the outputs. Thanks.
commit bb575e7a70d07efe29090f4da606badbdccaa07b
Author: Miroslav Grepl <mgrepl>
Date:   Mon Aug 4 08:16:59 2014 +0200

    Allow denyhosts to enable synchronization which needs to connect to tcp/9911 port.
selinux-policy-3.12.1-180.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-180.fc20
Package selinux-policy-3.12.1-180.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.

Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-180.fc20'
as soon as you are able to.

Please go to the following URL:
https://admin.fedoraproject.org/updates/FEDORA-2014-9454/selinux-policy-3.12.1-180.fc20
then log in and leave karma (feedback).
selinux-policy-3.12.1-180.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.