Summary: SELinux is preventing /usr/bin/jwhois "read write" access on /var/cache/jwhois/jwhois.db.

Detailed Description: SELinux denied access requested by whois. It is not expected that this access is required by whois and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access: You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385). Please file a bug report.

Additional Information:
Source Context        system_u:system_r:fail2ban_t:s0
Target Context        system_u:object_r:var_t:s0
Target Objects        /var/cache/jwhois/jwhois.db [ file ]
Source                whois
Source Path           /usr/bin/jwhois
Port                  <Unknown>
Host                  (removed)
Source RPM Packages   jwhois-4.0-22.fc14
Target RPM Packages   jwhois-4.0-22.fc14
Policy RPM            selinux-policy-3.9.7-7.fc14
SELinux Enabled       True
Policy Type           targeted
Enforcing Mode        Enforcing
Plugin Name           catchall
Host Name             (removed)
Platform              Linux (removed) 2.6.35.6-48.fc14.i686.PAE #1 SMP Fri Oct 22 15:27:53 UTC 2010 i686 i686
Alert Count           6
First Seen            Sat 06 Nov 2010 19:27:43 CET
Last Seen             Sun 07 Nov 2010 13:53:12 CET
Local ID              8e711283-c344-4618-a1ee-d957014ecd9d
Line Numbers

Raw Audit Messages
node=(verwijderd) type=AVC msg=audit(1289134392.313:953): avc: denied { read write } for pid=26575 comm="whois" name="jwhois.db" dev=dm-0 ino=7212213 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
node=(verwijderd) type=SYSCALL msg=audit(1289134392.313:953): arch=40000003 syscall=5 success=no exit=-13 a0=9e0b8a0 a1=42 a2=1b0 a3=9e0b858 items=0 ppid=26574 pid=26575 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=475 sgid=475 fsgid=475 tty=(none) ses=4294967295 comm="whois" exe="/usr/bin/jwhois" subj=system_u:system_r:fail2ban_t:s0 key=(null)

Hash String generated from catchall,whois,fail2ban_t,var_t,file,read,write

audit2allow suggests:
#============= fail2ban_t ==============
allow fail2ban_t var_t:file { read write };
You can allow it for now using

# chcon -R -t fail2ban_var_lib_t /var/cache/jwhois

We will need to add a label for that directory.
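An added example, not code from the bug report or from either project: it parses the two raw audit records quoted in the report, joins them on their audit serial, derives the same rule audit2allow proposed, and pulls out the facts behind the discussion that follows (the egid of 475 against a gid of 0 is what makes jwhois a setgid binary, and the rule's scope is every var_t file, which is why relabelling the cache directory is the narrower fix). It assumes Python 3 and nothing beyond the standard library.

```python
import re

# Audit records copied from the bug report above (node= redacted there); same serial = same event.
RAW_AUDIT = [
    'type=AVC msg=audit(1289134392.313:953): avc: denied { read write } for '
    'pid=26575 comm="whois" name="jwhois.db" dev=dm-0 ino=7212213 '
    'scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1289134392.313:953): arch=40000003 syscall=5 success=no '
    'exit=-13 a0=9e0b8a0 a1=42 a2=1b0 a3=9e0b858 items=0 ppid=26574 pid=26575 '
    'auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=475 sgid=475 fsgid=475 '
    'tty=(none) ses=4294967295 comm="whois" exe="/usr/bin/jwhois" '
    'subj=system_u:system_r:fail2ban_t:s0 key=(null)',
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line: str) -> dict:
    """One audit line -> its key=value fields, the serial, and (AVC only) 'perms'."""
    rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    rec["serial"] = re.search(r"audit\(([^)]*)\)", line).group(1)
    denied = re.search(r"denied\s+\{\s*([^}]*?)\s*\}", line)
    if denied:
        rec["perms"] = denied.group(1)
    return rec

def selinux_type(context: str) -> str:
    return context.split(":")[2]  # user:role:type:level; policy rules name the type

def allow_rule(avc: dict) -> str:
    """The rule audit2allow emits for this AVC. Its scope is the whole target type:
    fail2ban_t would get read/write on every var_t file, not only jwhois.db."""
    return (f"allow {selinux_type(avc['scontext'])} {selinux_type(avc['tcontext'])}:"
            f"{avc['tclass']} {{ {avc['perms']} }};")

def describe(lines: list) -> dict:
    """Join AVC and SYSCALL records on their serial; gid != egid flags a setgid binary."""
    by_serial = {}
    for line in lines:
        rec = parse_record(line)
        by_serial.setdefault(rec["serial"], {})[rec["type"]] = rec
    out = {}
    for serial, recs in by_serial.items():
        avc, sc = recs["AVC"], recs["SYSCALL"]
        out[serial] = {
            "exe": sc["exe"], "domain": selinux_type(avc["scontext"]),
            "target": f"{avc['name']} ({selinux_type(avc['tcontext'])})",
            "denied": avc["perms"].split(), "setgid": sc["gid"] != sc["egid"],
            "errno": int(sc["exit"]),  # -13 is EACCES: the open() really failed
        }
    return out
```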
Miroslav, I actually started to write policy for this app, but I think the app is so nuts that I think we should fix the app. It seems to want to be setgid and cache its results in /var/cache/jwhois, like there are that many apps running jwhois, and getting duplicate results. Why does jwhois need a cache?
Unfortunately, some domain name registries have braindead-configured WHOIS servers, which just allow e.g. fewer WHOIS queries (or are somewhat slow), which is a serious issue if you've many users performing many WHOIS queries. So there are cases where the cache is really needed. I think the reporter is using fail2ban together with jwhois and caching to avoid getting blacklisted by the WHOIS servers. From what I know, the cache is not enabled by default and it also should not be enabled by default - that never was the case so far.

http://pkgs.fedoraproject.org/gitweb/?p=jwhois.git;a=blob;f=jwhois.spec;h=0a6fdcba477d723184ae6f977be3226e55636d47;hb=c0892802c58f6d2bd05df2b761146758e8c0e5fa
Huh?

%{?!with_cache: %define with_cache 1}

Doesn't this mean if with_cache is not defined, then turn it on?
I am indeed using fail2ban. No idea if it's working together with jwhois. Can be.
(In reply to comment #4)
> Huh?
>
> %{?!with_cache: %define with_cache 1}
>
> Doesn't this mean if with_cache is not defined, then turn it on?

Thanks for the heads up, this is not intended and it'll be fixed!
jwhois-4.0-23.fc14 has been submitted as an update for Fedora 14. https://admin.fedoraproject.org/updates/jwhois-4.0-23.fc14
jwhois-4.0-23.fc14 has been pushed to the Fedora 14 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update jwhois'. You can provide feedback for this update here: https://admin.fedoraproject.org/updates/jwhois-4.0-23.fc14
jwhois-4.0-23.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.