Summary:

SELinux is preventing /usr/bin/python "read" access on /etc/nsswitch.conf.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

SELinux denied access requested by denyhosts.py. It is not expected that this access is required by denyhosts.py and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report.

Additional Information:

Source Context                unconfined_u:system_r:denyhosts_t:s0
Target Context                system_u:object_r:etc_t:s0
Target Objects                /etc/nsswitch.conf [ file ]
Source                        denyhosts.py
Source Path                   /usr/bin/python
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           python-2.6.4-20.fc13
Target RPM Packages           glibc-2.11.90-15
Policy RPM                    selinux-policy-3.7.14-3.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.33-1.fc13.i686.PAE #1 SMP Wed Feb 24 19:54:49 UTC 2010 i686 i686
Alert Count                   6
First Seen                    Sun 21 Mar 2010 12:52:25 AM CDT
Last Seen                     Sun 21 Mar 2010 12:55:26 AM CDT
Local ID                      1f3f2c6f-b107-4e01-a890-66725b471e3f
Line Numbers

Raw Audit Messages

node=(removed) type=AVC msg=audit(1269150926.616:19614): avc: denied { read } for pid=2596 comm="denyhosts.py" name="nsswitch.conf" dev=sda1 ino=788246 scontext=unconfined_u:system_r:denyhosts_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file

node=(removed) type=AVC msg=audit(1269150926.616:19614): avc: denied { open } for pid=2596 comm="denyhosts.py" name="nsswitch.conf" dev=sda1 ino=788246 scontext=unconfined_u:system_r:denyhosts_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1269150926.616:19614): arch=40000003 syscall=5 success=yes exit=4 a0=60d652 a1=0 a2=1b6 a3=60a98e items=0 ppid=2595 pid=2596 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="denyhosts.py" exe="/usr/bin/python" subj=unconfined_u:system_r:denyhosts_t:s0 key=(null)

Trying to start denyhost with it set to enforcing. Changing to permissive allowed a start

Hash String generated from catchall,denyhosts.py,denyhosts_t,etc_t,file,read

audit2allow suggests:

#============= denyhosts_t ==============
allow denyhosts_t etc_t:file { read open };
Miroslav you might want to add this also.

You can add these rules for now using

# grep avc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Fixed in selinux-policy-3.7.15-4.fc13.noarch
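Added example, not part of the original thread and not audit2allow's own code: a small Python reviewer that groups AVC denials by source type, target type and class, so the rules a local module would contain can be read alongside the object names that triggered them before anything is loaded with semodule. The function names are hypothetical; the sample input is the two AVC records from the report above.

```python
import re

# The two AVC records from the report above, copied as they appear there.
SAMPLE = (
    'node=(removed) type=AVC msg=audit(1269150926.616:19614): avc: denied { read } '
    'for pid=2596 comm="denyhosts.py" name="nsswitch.conf" dev=sda1 ino=788246 '
    'scontext=unconfined_u:system_r:denyhosts_t:s0 '
    'tcontext=system_u:object_r:etc_t:s0 tclass=file\n'
    'node=(removed) type=AVC msg=audit(1269150926.616:19614): avc: denied { open } '
    'for pid=2596 comm="denyhosts.py" name="nsswitch.conf" dev=sda1 ino=788246 '
    'scontext=unconfined_u:system_r:denyhosts_t:s0 '
    'tcontext=system_u:object_r:etc_t:s0 tclass=file\n'
)

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)')
NAME_RE = re.compile(r'\bname="([^"]*)"')

def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(':')[2]

def summarize(text):
    """Map (source_type, target_type, class) -> permissions and object names."""
    rules = {}
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other record types carry no denial
        key = (selinux_type(m['scon']), selinux_type(m['tcon']), m['tclass'])
        entry = rules.setdefault(key, {'perms': [], 'names': []})
        name = NAME_RE.search(line)
        for value, seen in ((p, entry['perms']) for p in m['perms'].split()):
            if value not in seen:
                seen.append(value)
        if name and name.group(1) not in entry['names']:
            entry['names'].append(name.group(1))
    return rules

def allow_rules(text):
    """Render one allow rule per group, in first-seen order."""
    out = []
    for (src, tgt, cls), entry in summarize(text).items():
        perms = entry['perms']
        body = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
        out.append('allow %s %s:%s %s;' % (src, tgt, cls, body))
    return out

if __name__ == '__main__':
    # A rule applies to every object of the target type, not only the names seen.
    for rule, entry in zip(allow_rules(SAMPLE), summarize(SAMPLE).values()):
        print(rule, ' # triggered by:', ', '.join(entry['names']))
```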
selinux-policy-3.7.15-4.fc13 has been submitted as an update for Fedora 13. http://admin.fedoraproject.org/updates/selinux-policy-3.7.15-4.fc13
Looks like you got denyhost starting without a hitch. Thank you.
Please update karma
Still not quite right. It won't let denyhost append to the hosts.deny file. But service enables without selinux and I think it starts service without selinux fault but still won't let it write to file.
Still complaining about the net_conf_t versus etc_t type.
selinux-policy-3.7.15-4.fc13 has been pushed to the Fedora 13 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.7.15-4.fc13
Jonathan what AVC are you seeing? Is denyhost trying to read net_conf_t? What file?
It's working Daniel. The only problem I have right now is my hackers aren't attacking so I have one good add to my deny.host but they won't attack so I can see a "has been denied" entry in my log. I haven't been run at since Monday afternoon. GRRR. How do I karma this?
karma'd it for denyhost on testing board.
Jonathan, just attach the avc's you have in audit.log.
selinux-policy-3.7.15-4.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.
Created attachment 402739 [details] denyhost avc's from audit.log
The problem is /etc/hosts.deny is mislabeled.

restorecon /etc/hosts.deny

Should set the label to net_conf_t.

Do you have any idea how it got mislabeled? If you created an empty file as an administrator it would be mislabeled.
Created attachment 402975 [details] Attack ending in alert
During one of my alerts it had an option to do restorecon. I think that's what caused the mislabeling. But yes I pulled my old hosts.deny file off fedora 12 to the desktop chown'd it to me and backed it up with the rest of the data before setting up the 13 test box. I no longer get any alerts on any normal things any more. It just works. But my last attack in the attachment the message above me generated a strange alert. SELinux is preventing /usr/bin/python "getattr" access on /usr/bin/locale. Alerted showing it occurred 8 times at the end of the attack about 20 attacks. Don't really care though. As long as stuff installs and runs well on beta and release that's all I'm in it for.
Might be another mislabeled file.

# fixfiles restore

Will run through your entire file system resetting file labels to the default.
Ok done. Thank you Mr. Walsh. I'll double check it on another install next week.