Bug 1202151 - SELinux is preventing /usr/bin/python2.7 from 'read' accesses on the directory /root/.local/lib/python2.7/site-packages.
Summary: SELinux is preventing /usr/bin/python2.7 from 'read' accesses on the director...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: fail2ban
Version: 21
Hardware: x86_64
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Orion Poplawski
QA Contact: Fedora Extras Quality Assurance
URL: https://github.com/fail2ban/fail2ban/...
Whiteboard: abrt_hash:652c883bc4224871be534badade...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2015-03-15 23:46 UTC by Vladimir Rusinov
Modified: 2015-04-26 13:00 UTC (History)
9 users (show)

Fixed In Version: fail2ban-0.9.1-4.fc21
Clone Of:
Environment:
Last Closed: 2015-04-26 13:00:22 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)

Description Vladimir Rusinov 2015-03-15 23:46:36 UTC
Description of problem:
SELinux is preventing /usr/bin/python2.7 from 'read' accesses on the directory /root/.local/lib/python2.7/site-packages.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that python2.7 should be allowed read access on the site-packages directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep fail2ban-client /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:fail2ban_client_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:gconf_home_t:s0
Target Objects                /root/.local/lib/python2.7/site-packages [ dir ]
Source                        fail2ban-client
Source Path                   /usr/bin/python2.7
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           python-2.7.8-7.fc21.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-105.3.fc21.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     (removed)
Platform                      Linux (removed) 3.18.7-200.fc21.x86_64 #1 SMP Wed
                              Feb 11 21:53:17 UTC 2015 x86_64 x86_64
Alert Count                   1
First Seen                    2015-03-15 23:17:52 GMT
Last Seen                     2015-03-15 23:17:52 GMT
Local ID                      e0a34913-50d2-4821-a7de-99efcd6eb631

Raw Audit Messages
type=AVC msg=audit(1426461472.988:24592): avc:  denied  { read } for  pid=14584 comm="fail2ban-client" name="site-packages" dev="dm-0" ino=172178 scontext=system_u:system_r:fail2ban_client_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:gconf_home_t:s0 tclass=dir permissive=1


type=SYSCALL msg=audit(1426461472.988:24592): arch=x86_64 syscall=openat success=yes exit=EINTR a0=ffffffffffffff9c a1=664ac0 a2=90800 a3=0 items=0 ppid=14583 pid=14584 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=60 comm=fail2ban-client exe=/usr/bin/python2.7 subj=system_u:system_r:fail2ban_client_t:s0-s0:c0.c1023 key=(null)

Hash: fail2ban-client,fail2ban_client_t,gconf_home_t,dir,read

Version-Release number of selected component:
selinux-policy-3.13.1-105.3.fc21.noarch

Additional info:
reporter:       libreport-2.3.0
hashmarkername: setroubleshoot
kernel:         3.18.7-200.fc21.x86_64
type:           libreport

Comment 1 Daniel Walsh 2015-03-16 14:18:02 UTC
fail2ban python scripts should use 
#! /usr/bin/python -Es


You don't want python accidentally/maliciously grabbing content from this directory.

Comment 2 Orion Poplawski 2015-03-16 15:36:55 UTC
Reported upstream.  If this really is the case, seems like we should have a packaging guideline on this for all python daemons/services.

Comment 3 Vladimir Rusinov 2015-03-16 18:24:30 UTC
I agree with denial, I don't agree with attempt. :)

Thanks for reporting upstream!

Comment 4 Daniel Walsh 2015-03-17 20:05:19 UTC
Orion, I agree.  I think all shipping Python versions should really use these settings. Since it prevents bugs and potential attacks.  Most users would never think that a file in their $HOME/.local/lib/python2.7/site-packages directory could break every python application on the system without this flag set.

Comment 5 Fedora Update System 2015-04-07 22:23:44 UTC
fail2ban-0.9.1-4.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/fail2ban-0.9.1-4.fc21

Comment 6 Fedora Update System 2015-04-09 09:12:55 UTC
Package fail2ban-0.9.1-4.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing fail2ban-0.9.1-4.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-5851/fail2ban-0.9.1-4.fc21
then log in and leave karma (feedback).

Comment 7 Fedora Update System 2015-04-26 13:00:22 UTC
fail2ban-0.9.1-4.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.