Bug 591290 - SELinux is preventing /usr/bin/python from connecting to port 9911.
Summary: SELinux is preventing /usr/bin/python from connecting to port 9911.
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 12
Hardware: i386
OS: Linux
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Whiteboard: setroubleshoot_trace_hash:4da55bf71f2...
Duplicates: 591307
Depends On:
Reported: 2010-05-11 19:46 UTC by David Shuman
Modified: 2010-07-09 00:23 UTC (History)
CC: 4 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2010-07-09 00:23:17 UTC
Type: ---


Description David Shuman 2010-05-11 19:46:46 UTC

SELinux is preventing /usr/bin/python from connecting to port 9911.

Detailed Description:

SELinux has denied denyhosts.py from connecting to a network port 9911 which
does not have an SELinux type associated with it. If denyhosts.py should be
allowed to connect on 9911, use the semanage command to assign 9911 to a port
type that denyhosts_t can connect to (smtp_port_t).
If denyhosts.py is not supposed to connect to 9911, this could signal an
intrusion attempt.

Allowing Access:

If you want to allow denyhosts.py to connect to 9911, you can execute
semanage port -a -t PORT_TYPE -p tcp 9911
where PORT_TYPE is one of the following: smtp_port_t.

Additional Information:

Source Context                system_u:system_r:denyhosts_t:s0
Target Context                system_u:object_r:port_t:s0
Target Objects                None [ tcp_socket ]
Source                        denyhosts.py
Source Path                   /usr/bin/python
Port                          9911
Host                          (removed)
Source RPM Packages           python-2.6.2-4.fc12
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-113.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   connect_ports
Host Name                     (removed)
Platform                      Linux (removed)
                              #1 SMP Mon Apr 5 16:32:08 EDT 2010 i686 i686
Alert Count                   118
First Seen                    Thu 06 May 2010 04:36:16 AM EDT
Last Seen                     Mon 10 May 2010 10:36:33 PM EDT
Local ID                      2b28f853-c772-4c3e-99f2-361bc6f7484f
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1273545393.637:28315): avc:  denied  { name_connect } for  pid=25429 comm="denyhosts.py" dest=9911 scontext=system_u:system_r:denyhosts_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket

node=(removed) type=SYSCALL msg=audit(1273545393.637:28315): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bff0ee20 a2=39a10c a3=9213278 items=0 ppid=1 pid=25429 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=567 comm="denyhosts.py" exe="/usr/bin/python" subj=system_u:system_r:denyhosts_t:s0 key=(null)

Hash String generated from  connect_ports,denyhosts.py,denyhosts_t,port_t,tcp_socket,name_connect
audit2allow suggests:

#============= denyhosts_t ==============
allow denyhosts_t port_t:tcp_socket name_connect;
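The audit2allow rule above is derived mechanically from the two raw audit records, and it is broader than it looks: port_t is the type of every port that has no specific label, so `allow denyhosts_t port_t:tcp_socket name_connect;` would let denyhosts_t connect to any unlabelled port, not just 9911, whereas the `semanage port` command from the "Allowing Access" section labels one port. The script below is an added example, not code from this report or from the selinux-policy or DenyHosts projects. It parses AVC and SYSCALL records (joining them by audit serial so the exe= path from the SYSCALL record is attached to the denial), extracts the source and target types, and prints the audit2allow rule next to the narrower port-labelling fix. The sample records are the two quoted in this report plus a constructed EOE record; the table of port types each domain may connect to is taken from the setroubleshoot text (smtp_port_t for denyhosts_t) and on a live system would come from `sesearch`.

```python
"""Parse raw SELinux AVC/SYSCALL audit records and derive a remediation.

Added example, not code from this bug report or from the selinux-policy or
DenyHosts projects. The sample records below are the two quoted in the
report, plus a constructed EOE record to show that other types are skipped.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SAMPLE_AUDIT = """\
node=(removed) type=AVC msg=audit(1273545393.637:28315): avc:  denied  { name_connect } for  pid=25429 comm="denyhosts.py" dest=9911 scontext=system_u:system_r:denyhosts_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
node=(removed) type=SYSCALL msg=audit(1273545393.637:28315): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bff0ee20 a2=39a10c a3=9213278 items=0 ppid=1 pid=25429 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=567 comm="denyhosts.py" exe="/usr/bin/python" subj=system_u:system_r:denyhosts_t:s0 key=(null)
node=(removed) type=EOE msg=audit(1273545393.637:28315):
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): "
    r"avc:\s+(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$"
)
SYSCALL_RE = re.compile(
    r"type=SYSCALL msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<fields>.*)$"
)
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Port types each source domain may name_connect to. Taken from the
# setroubleshoot text in this report (denyhosts_t -> smtp_port_t only); on a
# live system derive it with: sesearch -A -s denyhosts_t -c tcp_socket -p name_connect
REPORTED_PORT_TYPES: Dict[str, List[str]] = {"denyhosts_t": ["smtp_port_t"]}


@dataclass
class Denial:
    serial: str
    perms: List[str]
    tclass: str
    scontext: str
    tcontext: str
    comm: str
    dest: Optional[int] = None
    exe: Optional[str] = None       # filled from the matching SYSCALL record
    syscall: Optional[str] = None

    @property
    def source_type(self) -> str:   # user:role:TYPE:level -> TYPE
        return self.scontext.split(":")[2]

    @property
    def target_type(self) -> str:
        return self.tcontext.split(":")[2]


def parse_fields(s: str) -> Dict[str, str]:
    """Split 'k=v k="quoted v"' into a dict, dropping surrounding quotes."""
    return {k: (v[1:-1] if v.startswith('"') else v) for k, v in KV_RE.findall(s)}


def parse_audit(text: str) -> List[Denial]:
    """Collect denied AVC records and attach exe/syscall from SYSCALL records."""
    denials: List[Denial] = []
    syscalls: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            if m.group("verdict") != "denied":
                continue
            f = parse_fields(m.group("fields"))
            denials.append(Denial(
                serial=m.group("serial"),
                perms=m.group("perms").split(),
                tclass=f.get("tclass", ""),
                scontext=f.get("scontext", ""),
                tcontext=f.get("tcontext", ""),
                comm=f.get("comm", ""),
                dest=int(f["dest"]) if "dest" in f else None,
            ))
            continue
        m = SYSCALL_RE.search(line)
        if m:
            syscalls[m.group("serial")] = parse_fields(m.group("fields"))
    # An AVC record carries only comm=; the exe= path is in the SYSCALL record
    # that shares its audit serial number (the part after the ':' in msg=audit()).
    for d in denials:
        sc = syscalls.get(d.serial)
        if sc:
            d.exe = sc.get("exe")
            d.syscall = sc.get("syscall")
    return denials


def remediation(d: Denial, allowed: Dict[str, List[str]]) -> Dict[str, str]:
    """Return the audit2allow rule next to the narrower port-labelling fix."""
    out = {"audit2allow": f"allow {d.source_type} {d.target_type}:{d.tclass} {' '.join(d.perms)};"}
    if (d.tclass == "tcp_socket" and "name_connect" in d.perms
            and d.target_type == "port_t" and d.dest is not None):
        # port_t is the type of every port with no specific label, so the
        # audit2allow rule opens all of them; semanage labels just this port.
        for t in allowed.get(d.source_type, []):
            out["semanage"] = f"semanage port -a -t {t} -p tcp {d.dest}"
            break
        out["caveat"] = (f"'{out['audit2allow']}' lets {d.source_type} reach every "
                         f"unlabelled port, not just {d.dest}; label the port or fix policy")
    return out


if __name__ == "__main__":
    for d in parse_audit(SAMPLE_AUDIT):
        print(f"{d.comm} ({d.exe}) in {d.source_type}: {' '.join(d.perms)} on "
              f"{d.tclass} {d.target_type}, port {d.dest}")
        for k, v in remediation(d, REPORTED_PORT_TYPES).items():
            print(f"  {k:<11} {v}")
```

Before running the printed `semanage port -a` command, check that the port is not already labelled (`semanage port -l | grep -w 9911`), since `-a` fails on an existing entry and `-m` is needed instead. Labelling 9911 as smtp_port_t is a stopgap that also makes every domain allowed to reach SMTP ports able to reach 9911; the durable fix for this report was the policy update named in Comment 4.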

Comment 1 Daniel Walsh 2010-05-11 21:20:00 UTC
Why is denyhosts trying to connect to port 9911?

Comment 2 Daniel Walsh 2010-05-11 21:21:08 UTC
*** Bug 591307 has been marked as a duplicate of this bug. ***

Comment 3 David Shuman 2010-05-11 22:23:46 UTC
I am a relative newbie to Linux so I apologize in advance for what may appear to be lackluster technical savvy.  

Seems that Denyhosts maintains an upload database that contains other IPs known to attempt unauthorized SSH connections.  You can either report IPs that connect to you without authorization or download IPs that have connected to others.  This apparently is managed via connection to their server on the port in question.  This SELinux alert was not previously seen until a few days ago (I believe an update to SELinux came out then the alerts started happening).  I have run FC11 and FC12 with Denyhosts and again until a few days ago SELinux never blipped on that connection or attempt to connect on port 9911.

Comment 4 Daniel Walsh 2010-05-12 12:57:17 UTC
Fixed in selinux-policy-3.7.19-16.fc13.noarch
