Bug 460733 – Cannot execute locally installed daemon (pysieved) from stunnel (permission denied)

Bug 460733 - Cannot execute locally installed daemon (pysieved) from stunnel (permission denied)

Summary:	Cannot execute locally installed daemon (pysieved) from stunnel (permission d...

Status:	CLOSED ERRATA

Aliases:	None

Product:	Red Hat Enterprise Linux 5
Classification:	Red Hat
Component:	selinux-policy (Show other bugs)
Sub Component:
Version:	5.2
Hardware:	All Linux

Priority	medium Severity medium
Target Milestone:	rc
Target Release:	---
Assigned To:	Daniel Walsh
QA Contact:
Docs Contact:

URL:
Whiteboard:
Keywords:

Depends On:
Blocks:
	Show dependency tree / graph

Reported:	2008-08-30 11:21 EDT by John W. Linville
Modified:	2012-10-16 04:30 EDT (History)
CC List:	2 users (show)

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2009-01-20 16:30:32 EST
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description John W. Linville 2008-08-30 11:21:22 EDT

Description of problem:

Cannot execute locally installed daemon (pysieved) from stunnel.

2008.08.30 11:15:34 LOG5[9666:3085969104]: stunnel 4.15 on i686-redhat linux-gnu with OpenSSL 0.9.8b 04 May 2006
2008.08.30 11:15:34 LOG5[9666:3085969104]: Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP
2008.08.30 11:15:34 LOG5[9666:3085969104]: stunnel connected from 70.85.129.103:39222
2008.08.30 11:15:34 LOG3[9668:3085969104]: /usr/local/lib/pysieved/pysieved.py: Permission denied (13)
2008.08.30 11:15:34 LOG5[9666:3085969104]: Connection closed: 0 bytes sent to SSL, 0 bytes sent to socket

Version-Release number of selected component (if applicable):

selinux-policy-2.4.6-143

How reproducible:

Always

Steps to Reproduce:

1. Install pysieved in /usr/local/lib/pysieved as described in tarball available here:

   http://www.woozle.org/~neale/src/pysieved/

(AFAICT, pysieved's STARTTLS doesn't actually work...)

2. Pick a socket and add it to /etc/services:

sieves		32000/tcp			# Sieve Mail Filter Daemon (SSL)
sieves		32000/udp			# Sieve Mail Filter Daemon (SSL)

3. Setup xinetd accordingly:

service sieves
{
	disable		= no
	socket_type	= stream
	wait		= no
	user		= root
	group		= root
	server		= /usr/sbin/stunnel
	server_args	= /etc/stunnel/sieves.conf
#	only_from	= 127.0.0.1
	log_on_failure  += USERID
}

4. Attempt to connect with openssel s_client:

openssl s_client -connect your.host.name:32000 -crlf -tls1
  
Actual results:

type=AVC msg=audit(1220109334.374:78913): avc:  denied  { execute } for  pid=9668 comm="stunnel" name="pysieved.py" dev=dm-0 ino=4587607 scontext=user_u:system_r:stunnel_t:s0-s0:c0.c1023 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1220109334.374:78913): arch=40000003 syscall=11 success=no exit=-13 a0=84fb078 a1=84fb0d0 a2=bfe72490 a3=bfe71300 items=0 ppid=9666 pid=9668 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="stunnel" exe="/usr/sbin/stunnel" subj=user_u:system_r:stunnel_t:s0 s0:c0.c1023 key=(null)

Expected results:

Successful connection, nothing in audit.log (which is what I get with `setenforce 0`).

Additional info:

I suspect the cure is available in the thread here:

   https://www.redhat.com/archives/fedora-selinux-list/2008-March/msg00078.html

Can we have that solution (or the equivalent) in the RHEL5 policy?

Comment 1 John W. Linville 2008-08-30 11:22:56 EDT

Forgot the contents of /etc/stunnel/sieves.conf:

cert = /etc/pki/tls/certs/sieves.pem
key = /etc/pki/tls/private/sieves.pem
exec = /usr/local/lib/pysieved/pysieved.py
execargs = /usr/local/lib/pysieved/pysieved.py --inetd

Comment 2 Daniel Walsh 2008-09-02 16:25:35 EDT

Does 
# restorecon -R -v /usr/local 
fix the problem?

Comment 3 John W. Linville 2008-09-02 16:34:59 EDT

No, sorry...

[root@charlotte ~]# restorecon -R -v /usr/local/
[root@charlotte ~]# tail -f /var/log/audit/audit.log | grep stunn
type=AVC msg=audit(1220387571.412:94093): avc:  denied  { execute_no_trans } for pid=5388 comm="stunnel" path="/usr/local/lib/pysieved/pysieved-stunnel.py" dev=dm-0 ino=4588686 scontext=user_u:system_r:stunnel_t:s0-s0:c0.c1023 tcontext=user_u:object_r:lib_t:s0 tclass=file
type=SYSCALL msg=audit(1220387571.412:94093): arch=40000003 syscall=11 success=no exit=-13 a0=8dad078 a1=8dad0e0 a2=bfd74b90 a3=bfd73a00 items=0 ppid=5386 pid=5388 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="stunnel" exe="/usr/sbin/stunnel" subj=user_u:system_r:stunnel_t:s0 s0:c0.c1023 key=(null)

(Changed the name of the .py file for administrative reasons, otherwise it is the same as when I opened the bug...)

Comment 4 Daniel Walsh 2008-09-03 09:42:57 EDT

Does
# chcon -R -t bin_t /usr/local/lib/pysieved

Fix the problem?

You can make this permanent by executing

# semanage fcontext -a -t bin_t '/usr/local/lib/pysieved
(/.*)?'

If this works I can add this labeling to the policy package.

Comment 5 John W. Linville 2008-09-03 10:11:01 EDT

Doesn't like that one either...

[root@charlotte ~]# chcon -R -t bin_t /usr/local/lib/pysieved/
[root@charlotte ~]# tail -f /var/log/audit/audit.log

type=AVC msg=audit(1220450311.221:97676): avc:  denied  { search } for  pid=20837 comm="stunnel" name="pysieved" dev=dm-0 ino=4587589 scontext=user_u:system_r:stunnel_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=dir
type=SYSCALL msg=audit(1220450311.221:97676): arch=40000003 syscall=11 success=no exit=-13 a0=8732078 a1=87320e0 a2=bf80b630 a3=bf80a4a0 items=0 ppid=20835 pid=20837 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="stunnel" exe="/usr/sbin/stunnel" subj=user_u:system_r:stunnel_t:s0-s0:c0.c1023 key=(null)

And just for verification, I repeated w/ "setenforce 0" and the connection was fine:

[root@charlotte ~]# setenforce 0
[root@charlotte ~]# tail -f /var/log/audit/audit.log

type=AVC msg=audit(1220450863.000:97729): avc:  denied  { search } for  pid=21204 comm="stunnel" name="pysieved" dev=dm-0 ino=4587589 scontext=user_u:system_r:stunnel_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=dir
type=AVC msg=audit(1220450863.000:97729): avc:  denied  { execute } for  pid=21204 comm="stunnel" name="pysieved-stunnel.py" dev=dm-0 ino=4588686 scontext=user_u:system_r:stunnel_t:s0-s0:c0.c1023 tcontext=user_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1220450863.000:97729): avc:  denied  { execute_no_trans } for  pid=21204 comm="stunnel" path="/usr/local/lib/pysieved/pysieved-stunnel.py" dev=dm-0 ino=4588686 scontext=user_u:system_r:stunnel_t:s0-s0:c0.c1023 tcontext=user_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1220450863.000:97729): avc:  denied  { read } for  pid=21204 comm="stunnel" path="/usr/local/lib/pysieved/pysieved-stunnel.py" dev=dm-0 ino=4588686 scontext=user_u:system_r:stunnel_t:s0-s0:c0.c1023 tcontext=user_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1220450863.000:97729): avc:  denied  { read } for  pid=21204 comm="stunnel" name="env" dev=dm-0 ino=4170776 scontext=user_u:system_r:stunnel_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=lnk_file
type=AVC msg=audit(1220450863.000:97729): avc:  denied  { execute } for  pid=21204 comm="stunnel" name="env" dev=dm-0 ino=6422599 scontext=user_u:system_r:stunnel_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1220450863.000:97729): avc:  denied  { read } for  pid=21204 comm="stunnel" path="/bin/env" dev=dm-0 ino=6422599 scontext=user_u:system_r:stunnel_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=SYSCALL msg=audit(1220450863.000:97729): arch=40000003 syscall=11 success=yes exit=0 a0=9267080 a1=92670e8 a2=bfe28140 a3=bfe26fb0 items=0 ppid=21202 pid=21204 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="pysieved-stunne" exe="/bin/env" subj=user_u:system_r:stunnel_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1220450863.002:97730): avc:  denied  { search } for  pid=21204 comm="pysieved-stunne" name="sbin" dev=dm-0 ino=7766017 scontext=user_u:system_r:stunnel_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sbin_t:s0 tclass=dir
type=SYSCALL msg=audit(1220450863.002:97730): arch=40000003 syscall=11 success=no exit=-2 a0=bfb10f98 a1=bfb110d8 a2=bfb110e8 a3=bfb11f3c items=0 ppid=21202 pid=21204 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="pysieved-stunne" exe="/bin/env" subj=user_u:system_r:stunnel_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1220450863.002:97731): avc:  denied  { execute_no_trans } for  pid=21204 comm="pysieved-stunne" path="/usr/bin/python" dev=dm-0 ino=4168607 scontext=user_u:system_r:stunnel_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=SYSCALL msg=audit(1220450863.002:97731): arch=40000003 syscall=11 success=yes exit=0 a0=bfb10f95 a1=bfb110d8 a2=bfb110e8 a3=bfb11f51 items=0 ppid=21202 pid=21204 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="python" exe="/usr/bin/python" subj=user_u:system_r:stunnel_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1220450863.004:97732): avc:  denied  { getattr } for  pid=21204 comm="python" path="/usr/local/lib/pysieved/pysieved-stunnel.py" dev=dm-0 ino=4588686 scontext=user_u:system_r:stunnel_t:s0-s0:c0.c1023 tcontext=user_u:object_r:bin_t:s0 tclass=file
type=SYSCALL msg=audit(1220450863.004:97732): arch=40000003 syscall=197 success=yes exit=0 a0=3 a1=bfbb9874 a2=b5aff4 a3=0 items=0 ppid=21202 pid=21204 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="python" exe="/usr/bin/python" subj=user_u:system_r:stunnel_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1220450863.005:97733): avc:  denied  { getattr } for  pid=21204 comm="python" path="/usr/bin/python" dev=dm-0 ino=4168607 scontext=user_u:system_r:stunnel_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=SYSCALL msg=audit(1220450863.005:97733): arch=40000003 syscall=195 success=yes exit=0 a0=cc0400 a1=bfbb8a84 a2=b5aff4 a3=4 items=0 ppid=21202 pid=21204 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="python" exe="/usr/bin/python" subj=user_u:system_r:stunnel_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1220450863.021:97734): avc:  denied  { getattr } for  pid=21204 comm="python" path="/usr/local/lib/pysieved" dev=dm-0 ino=4587589 scontext=user_u:system_r:stunnel_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=dir
type=SYSCALL msg=audit(1220450863.021:97734): arch=40000003 syscall=196 success=yes exit=0 a0=8f42c48 a1=bfbb9748 a2=b5aff4 a3=bfbb9ef3 items=0 ppid=21202 pid=21204 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="python" exe="/usr/bin/python" subj=user_u:system_r:stunnel_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1220450863.021:97735): avc:  denied  { ioctl } for  pid=21204 comm="python" path="/usr/local/lib/pysieved/pysieved-stunnel.py" dev=dm-0 ino=4588686 scontext=user_u:system_r:stunnel_t:s0-s0:c0.c1023 tcontext=user_u:object_r:bin_t:s0 tclass=file
type=SYSCALL msg=audit(1220450863.021:97735): arch=40000003 syscall=54 success=no exit=-25 a0=3 a1=5401 a2=bfbb9738 a3=bfbb9778 items=0 ppid=21202 pid=21204 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="python" exe="/usr/bin/python" subj=user_u:system_r:stunnel_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1220450863.146:97736): avc:  denied  { search } for  pid=21204 comm="python" name="dovecot" dev=dm-0 ino=6751028 scontext=user_u:system_r:stunnel_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dovecot_var_run_t:s0 tclass=dir
type=AVC msg=audit(1220450863.146:97736): avc:  denied  { dac_override } for  pid=21204 comm="python" capability=1 scontext=user_u:system_r:stunnel_t:s0-s0:c0.c1023 tcontext=user_u:system_r:stunnel_t:s0-s0:c0.c1023 tclass=capability
type=AVC msg=audit(1220450863.146:97736): avc:  denied  { write } for  pid=21204 comm="python" name="auth-client" dev=dm-0 ino=6751100 scontext=user_u:system_r:stunnel_t:s0-s0:c0.c1023 tcontext=user_u:object_r:dovecot_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1220450863.146:97736): avc:  denied  { connectto } for  pid=21204 comm="python" path="/var/run/dovecot/auth-client" scontext=user_u:system_r:stunnel_t:s0-s0:c0.c1023 tcontext=user_u:system_r:dovecot_auth_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1220450863.146:97736): arch=40000003 syscall=102 success=yes exit=0 a0=3 a1=bfbb75c0 a2=352118 a3=b7efff38 items=0 ppid=21202 pid=21204 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="python" exe="/usr/bin/python" subj=user_u:system_r:stunnel_t:s0-s0:c0.c1023 key=(null)

(The dovecot bits are there because pysieved talks to dovecot for some auth- and user-related services...)

Hth!  Thanks!

Comment 6 Daniel Walsh 2008-09-03 13:38:21 EDT

Does
# chcon -R -t inetd_child_exec_t /usr/local/lib/pysieved

Fix the problem?

You can make this permanent by executing

# semanage fcontext -a -t inetd_child_exec_t '/usr/local/lib/pysieved
(/.*)?'

If this works I can add this labeling to the policy package.

Comment 7 John W. Linville 2008-09-03 13:55:04 EDT

Lather, rinse,... :-)

[root@charlotte ~]# chcon -R -t inetd_child_exec_t /usr/local/lib/pysieved
[root@charlotte ~]# tail -f /var/log/audit/audit.log

type=AVC msg=audit(1220464253.175:98232): avc:  denied  { search } for  pid=25210 comm="stunnel" name="pysieved" dev=dm-0 ino=4587589 scontext=user_u:system_r:stunnel_t:s0-s0:c0.c1023 tcontext=system_u:object_r:inetd_child_exec_t:s0 tclass=dir
type=SYSCALL msg=audit(1220464253.175:98232): arch=40000003 syscall=11 success=no exit=-13 a0=9a75078 a1=9a750e0 a2=bfff1e10 a3=bfff0c80 items=0 ppid=25208 pid=25210 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="stunnel" exe="/usr/sbin/stunnel" subj=user_u:system_r:stunnel_t:s0-s0:c0.c1023 key=(null)

Comment 9 Daniel Walsh 2008-09-03 14:15:15 EDT

Ok this should work 
# restorecon -R -v /usr/local/lib/pysieved
# chcon -t inetd_child_exec_t 
/usr/local/lib/pysieved/pysieved.py

Comment 10 Daniel Walsh 2008-09-03 14:18:29 EDT

Fixed in selinux-policy-2.4.6-152.el5

Comment 11 RHEL Product and Program Management 2008-09-03 14:23:58 EDT

This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.

Comment 12 John W. Linville 2008-09-03 14:43:37 EDT

Hmmm...do I need the updated selinux-policy package for that to work?

[root@charlotte ~]# restorecon -R -v /usr/local/lib/pysieved/
restorecon reset /usr/local/lib/pysieved/pysieved.py context system_u:object_r:inetd_child_exec_t:s0->system_u:object_r:lib_t:s0
[root@charlotte ~]# chcon -t inetd_child_exec_t /usr/local/lib/pysieved/pysieved.py
[root@charlotte ~]# tail -f /var/log/audit/audit.log

type=AVC msg=audit(1220467354.839:98380): avc:  denied  { execute_no_trans } for  pid=26443 comm="stunnel" path="/usr/local/lib/pysieved/pysieved-stunnel.py" dev=dm-0 ino=4588686 scontext=user_u:system_r:stunnel_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=SYSCALL msg=audit(1220467354.839:98380): arch=40000003 syscall=11 success=no exit=-13 a0=892c078 a1=892c0e0 a2=bf959f80 a3=bf958df0 items=0 ppid=26441 pid=26443 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="stunnel" exe="/usr/sbin/stunnel" subj=user_u:system_r:stunnel_t:s0-s0:c0.c1023 key=(null)

Comment 13 Daniel Walsh 2008-09-03 15:03:47 EDT

Sets it context to inetd_child_exec_t also

chcon -t inetd_child_exec_t /usr/local/lib/pysieved/pysieved-stunnel.py

Comment 14 John W. Linville 2008-09-03 19:21:22 EDT

Ah, I tricked myself with the pysieved-stunnel.py name.  Oh well, that does look (incomprehensibly) different! :-)

[root@charlotte ~]# restorecon -R -v /usr/local/
[root@charlotte ~]# chcon -t inetd_child_exec_t /usr/local/lib/pysieved/pysieved-stunnel.py
[root@charlotte ~]# tail -f /var/log/audit/audit.log

type=AVC msg=audit(1220483897.055:98876): avc:  denied  { search } for  pid=30672 comm="stunnel" name="bin" dev=dm-0 ino=4161546 scontext=user_u:system_r:stunnel_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=dir
type=SYSCALL msg=audit(1220483897.055:98876): arch=40000003 syscall=11 success=no exit=-13 a0=8b8e078 a1=8b8e0e0 a2=bfd5ab80 a3=bfd599f0 items=0 ppid=30670 pid=30672 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="stunnel" exe="/usr/sbin/stunnel" subj=user_u:system_r:stunnel_t:s0-s0:c0.c1023 key=(null)

Comment 15 John W. Linville 2008-09-04 10:43:37 EDT

As requested offline, the audit.log entries I get now w/ setenforc 0:

type=AVC msg=audit(1220539210.157:100337): avc:  denied  { search } for  pid=9957 comm="stunnel" name="bin" dev=dm-0 ino=4161546 scontext=user_u:system_r:stunnel_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=dir
type=AVC msg=audit(1220539210.157:100337): avc:  denied  { read } for  pid=9957 comm="stunnel" name="env" dev=dm-0 ino=4170776 scontext=user_u:system_r:stunnel_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=lnk_file
type=AVC msg=audit(1220539210.157:100337): avc:  denied  { execute } for  pid=9957 comm="stunnel" name="env" dev=dm-0 ino=6422599 scontext=user_u:system_r:stunnel_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1220539210.157:100337): avc:  denied  { read } for  pid=9957 comm="stunnel" path="/bin/env" dev=dm-0 ino=6422599 scontext=user_u:system_r:stunnel_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=SYSCALL msg=audit(1220539210.157:100337): arch=40000003 syscall=11 success=yes exit=0 a0=9419080 a1=94190e8 a2=bf848920 a3=bf847790 items=0 ppid=9955 pid=9957 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="pysieved-stunne" exe="/bin/env" subj=user_u:system_r:inetd_child_t:s0-s0:c0.c1023 key=(null)

Comment 16 John W. Linville 2008-09-04 10:48:43 EDT

ps -eZ | grep pysieved gives nothing.  ps -eZ | grep python gives this:

[root@charlotte ~]# ps -eZ | grep python
user_u:system_r:inetd_child_t:SystemLow-SystemHigh 10120 ? 00:00:00 python

Comment 18 Daniel Walsh 2008-09-04 15:55:04 EDT

Fixed in selinux-policy-2.4.6-153.el5

Comment 23 errata-xmlrpc 2009-01-20 16:30:32 EST

An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2009-0163.html

Note You need to log in before you can comment on or make changes to this bug.