Bug 677674 - allow ident requests by sshd/libwrap
Summary: allow ident requests by sshd/libwrap
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 14
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2011-02-15 14:47 UTC by Jan "Yenya" Kasprzak
Modified: 2011-02-24 20:53 UTC (History)

Fixed In Version: selinux-policy-3.9.7-31.fc14
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-02-24 20:53:59 UTC
Type: ---
Embargoed:



Description Jan "Yenya" Kasprzak 2011-02-15 14:47:49 UTC
Description of problem:
When ident requests are allowed in TCP wrappers config (/etc/hosts.{allow,deny}), SELinux blocks the requests. I have seen it with sshd, but I suspect other users of libwrap can be affected as well.

Version-Release number of selected component (if applicable):
selinux-policy-3.9.7-29.fc14.noarch
tcp_wrappers-libs-7.6-59.fc14.x86_64
openssh-server-5.5p1-24.fc14.2.x86_64

How reproducible:
100 %

Steps to Reproduce:
1. Install F14, configure ssh server, enable it in iptables.
2. echo "sshd: ALL@ALL" >> /etc/hosts.allow
3. connect to the ssh server (telnet f14-host.mydomain 22)
4. tail /var/log/audit/audit.log | audit2allow
  
Actual results:
#============= sshd_t ==============
#!!!! This avc can be allowed using one of the these booleans:
#     sshd_forward_ports, allow_ypbind

allow sshd_t auth_port_t:tcp_socket name_connect;

Expected results:
No AVCs should be logged.

Additional info:
I don't think any of the booleans suggested by audit2allow apply (I don't want to allow port forwarding, and I don't run ypbind).

Comment 1 Miroslav Grepl 2011-02-16 16:23:36 UTC
Dan,
maybe we could add a new boolean for this

tunable_policy(`allow_use_tcp_wrapper',`
   corenet_tcp_connect_auth_port(sshd_t)
')

which could be used also for other domains.

Comment 2 Daniel Walsh 2011-02-16 19:31:54 UTC
How about adding to init.te


tunable_policy(`daemon_use_tcp_wrapper',`
   corenet_tcp_connect_auth_port(daemon)
')

Comment 3 Miroslav Grepl 2011-02-17 08:52:08 UTC
Good idea. Fixed in selinux-policy-3.9.7-31.fc14
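
As an added illustration (not part of this bug report or of the Fedora policy package), a small Python check that picks the denial described above out of raw /var/log/audit/audit.log records instead of relying on audit2allow's boolean hints. The log lines are constructed for the example, and the boolean name is the one proposed in comment 2, as spelled there.

```python
import re

# Constructed sample audit.log excerpt (not taken from the bug report): one sshd_t
# denial to the ident port as described in this bug, one unrelated denial, one
# non-AVC record.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1297781234.123:456): avc:  denied  { name_connect } for  pid=2345 comm="sshd" dest=113 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:auth_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1297781234.123:456): arch=c000003e syscall=42 success=no exit=-13 comm="sshd"
type=AVC msg=audit(1297781240.001:457): avc:  denied  { name_connect } for  pid=2400 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
"""

IDENT_PORT_TYPE = "auth_port_t"   # SELinux port type covering TCP/113 (ident/auth)
# Boolean name as proposed in comment 2 of this bug; the shipped name may differ.
TCP_WRAPPER_BOOLEAN = "daemon_use_tcp_wrapper"

def parse_avc(line):
    """Return the fields of one AVC denial record as a dict, or None for other records."""
    m = re.search(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)', line)
    if not line.startswith("type=AVC") or not m:
        return None
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group("rest"))}
    fields["perms"] = m.group("perms").split()
    # user:role:type[:range]; the type is the third colon-separated field
    fields["sdomain"] = fields["scontext"].split(":")[2]
    fields["ttype"] = fields["tcontext"].split(":")[2]
    return fields

def find_ident_denials(audit_log):
    """Return [(source domain, comm)] for every denied outbound connect to the ident port."""
    hits = []
    for line in audit_log.splitlines():
        avc = parse_avc(line)
        if (avc and "name_connect" in avc["perms"] and avc["tclass"] == "tcp_socket"
                and avc["ttype"] == IDENT_PORT_TYPE):
            hits.append((avc["sdomain"], avc["comm"]))
    return hits

def explain(hits):
    """One diagnostic line per hit, pointing at libwrap's ident lookup rather than
    the unrelated booleans audit2allow suggests (sshd_forward_ports, allow_ypbind)."""
    return [f"{dom} ({comm}) was denied an ident lookup on TCP/113: a user@host pattern "
            f"in /etc/hosts.allow makes libwrap query ident; check {TCP_WRAPPER_BOOLEAN} "
            f"(getsebool/setsebool) instead of sshd_forward_ports or allow_ypbind"
            for dom, comm in hits]

if __name__ == "__main__":
    for msg in explain(find_ident_denials(SAMPLE_AUDIT_LOG)):
        print(msg)
```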

Comment 4 Jan "Yenya" Kasprzak 2011-02-21 11:49:05 UTC
Works for me, thanks!

Comment 5 Fedora Update System 2011-02-21 20:28:22 UTC
selinux-policy-3.9.7-31.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-31.fc14

Comment 6 Miroslav Grepl 2011-02-21 20:49:03 UTC
Jan,
could you update the karma? Thank you.

Comment 7 Fedora Update System 2011-02-22 04:53:56 UTC
selinux-policy-3.9.7-31.fc14 has been pushed to the Fedora 14 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: https://admin.fedoraproject.org/updates/selinux-policy-3.9.7-31.fc14

Comment 8 Fedora Update System 2011-02-24 20:53:20 UTC
selinux-policy-3.9.7-31.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.

