Bug 817115 - fail2ban is not allowed to read the passwd file
Summary: fail2ban is not allowed to read the passwd file
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 17
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2012-04-27 18:20 UTC by Göran Uddeborg
Modified: 2012-05-08 04:21 UTC (History)

Fixed In Version: selinux-policy-3.10.0-121.fc17
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-05-08 04:21:53 UTC
Type: Bug



Description Göran Uddeborg 2012-04-27 18:20:16 UTC
Description of problem:
During my gradual F17 upgrade, fail2ban stopped working.  It turns out it tries to read the /etc/passwd file, but isn't allowed.

Version-Release number of selected component (if applicable):
fail2ban-0.8.4-28.fc17.noarch
selinux-policy-targeted-3.10.0-118.fc17.noarch


How reproducible:
Every time

Steps to Reproduce:
1. systemctl start fail2ban.service
  
Actual results:
Error message from systemctl and this backtrace in /var/log/messages:

Apr 27 19:32:58 mimmi fail2ban[19415]: Startar fail2ban: Traceback (most recent call last):
Apr 27 19:32:58 mimmi fail2ban[19415]: File "/usr/lib64/python2.7/site.py", line 567, in <module>
Apr 27 19:32:58 mimmi fail2ban[19415]: main()
Apr 27 19:32:58 mimmi fail2ban[19415]: File "/usr/lib64/python2.7/site.py", line 549, in main
Apr 27 19:32:58 mimmi fail2ban[19415]: known_paths = addusersitepackages(known_paths)
Apr 27 19:32:58 mimmi fail2ban[19415]: File "/usr/lib64/python2.7/site.py", line 278, in addusersitepackages
Apr 27 19:32:58 mimmi fail2ban[19415]: user_site = getusersitepackages()
Apr 27 19:32:58 mimmi fail2ban[19415]: File "/usr/lib64/python2.7/site.py", line 253, in getusersitepackages
Apr 27 19:32:58 mimmi fail2ban[19415]: user_base = getuserbase() # this will also set USER_BASE
Apr 27 19:32:58 mimmi fail2ban[19415]: File "/usr/lib64/python2.7/site.py", line 243, in getuserbase
Apr 27 19:32:58 mimmi fail2ban[19415]: USER_BASE = get_config_var('userbase')
Apr 27 19:32:58 mimmi fail2ban[19415]: File "/usr/lib64/python2.7/sysconfig.py", line 520, in get_config_var
Apr 27 19:32:58 mimmi fail2ban[19415]: return get_config_vars().get(name)
Apr 27 19:32:58 mimmi fail2ban[19415]: File "/usr/lib64/python2.7/sysconfig.py", line 424, in get_config_vars
Apr 27 19:32:58 mimmi fail2ban[19415]: _CONFIG_VARS['userbase'] = _getuserbase()
Apr 27 19:32:58 mimmi fail2ban[19415]: File "/usr/lib64/python2.7/sysconfig.py", line 182, in _getuserbase
Apr 27 19:32:58 mimmi fail2ban[19415]: return env_base if env_base else joinuser("~", ".local")
Apr 27 19:32:58 mimmi fail2ban[19415]: File "/usr/lib64/python2.7/sysconfig.py", line 169, in joinuser
Apr 27 19:32:58 mimmi fail2ban[19415]: return os.path.expanduser(os.path.join(*args))
Apr 27 19:32:58 mimmi fail2ban[19415]: File "/usr/lib64/python2.7/posixpath.py", line 260, in expanduser
Apr 27 19:32:58 mimmi fail2ban[19415]: userhome = pwd.getpwuid(os.getuid()).pw_dir
Apr 27 19:32:58 mimmi fail2ban[19415]: KeyError: 'getpwuid(): uid not found: 0'
Apr 27 19:32:58 mimmi fail2ban[19415]: [MISSLYCKADES]
Apr 27 19:32:58 mimmi systemd[1]: fail2ban.service: control process exited, code=exited status=1
Apr 27 19:32:58 mimmi systemd[1]: Unit fail2ban.service entered failed state.


Expected results:
A running fail2ban server.

Additional info:
Entering permissive mode and starting fail2ban gives the following AVCs:

time->Fri Apr 27 19:56:27 2012
type=SYSCALL msg=audit(1335549387.605:22665): arch=c000003e syscall=2 success=yes exit=4 a0=7f87063c46ca a1=80000 a2=1b6 a3=238 items=0 ppid=20496 pid=20501 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="fail2ban-client" exe="/usr/bin/python" subj=system_u:system_r:fail2ban_client_t:s0 key=(null)
type=AVC msg=audit(1335549387.605:22665): avc:  denied  { open } for  pid=20501 comm="fail2ban-client" name="passwd" dev=dm-0 ino=4310009 scontext=system_u:system_r:fail2ban_client_t:s0 tcontext=unconfined_u:object_r:passwd_file_t:s0 tclass=file
type=AVC msg=audit(1335549387.605:22665): avc:  denied  { read } for  pid=20501 comm="fail2ban-client" name="passwd" dev=dm-0 ino=4310009 scontext=system_u:system_r:fail2ban_client_t:s0 tcontext=unconfined_u:object_r:passwd_file_t:s0 tclass=file
----
time->Fri Apr 27 19:56:27 2012
type=SYSCALL msg=audit(1335549387.607:22666): arch=c000003e syscall=5 success=yes exit=0 a0=4 a1=7fff8b60fab0 a2=7fff8b60fab0 a3=0 items=0 ppid=20496 pid=20501 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="fail2ban-client" exe="/usr/bin/python" subj=system_u:system_r:fail2ban_client_t:s0 key=(null)
type=AVC msg=audit(1335549387.607:22666): avc:  denied  { getattr } for  pid=20501 comm="fail2ban-client" path="/etc/passwd" dev=dm-0 ino=4310009 scontext=system_u:system_r:fail2ban_client_t:s0 tcontext=unconfined_u:object_r:passwd_file_t:s0 tclass=file
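
The denials above are what a maintainer reduces to a policy rule before deciding whether the access is legitimate. As an added example (not part of the bug report and not Fedora's own tooling), the script below parses audit records of this shape, groups denied permissions by source type, target type and object class, and renders each group in the audit2allow rule notation. The three AVC lines from the report are embedded as constructed sample input; the record fields (scontext, tcontext, tclass, comm, name/path) are the standard audit AVC fields, and nothing else is assumed. Note that the SYSCALL records are deliberately ignored, since only the AVC record carries the labels.

```python
import re
from collections import defaultdict

# Constructed sample input: the three AVC records quoted in the bug report.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1335549387.605:22665): avc:  denied  { open } for  pid=20501 comm="fail2ban-client" name="passwd" dev=dm-0 ino=4310009 scontext=system_u:system_r:fail2ban_client_t:s0 tcontext=unconfined_u:object_r:passwd_file_t:s0 tclass=file
type=AVC msg=audit(1335549387.605:22665): avc:  denied  { read } for  pid=20501 comm="fail2ban-client" name="passwd" dev=dm-0 ino=4310009 scontext=system_u:system_r:fail2ban_client_t:s0 tcontext=unconfined_u:object_r:passwd_file_t:s0 tclass=file
type=AVC msg=audit(1335549387.607:22666): avc:  denied  { getattr } for  pid=20501 comm="fail2ban-client" path="/etc/passwd" dev=dm-0 ino=4310009 scontext=system_u:system_r:fail2ban_client_t:s0 tcontext=unconfined_u:object_r:passwd_file_t:s0 tclass=file
"""

# Core of an AVC record: the decision, the permission set in braces, and the
# three labels a policy rule is keyed on. Lines lacking any of these (SYSCALL
# records, for instance) are not AVC records and are skipped.
AVC_RE = re.compile(
    r'type=AVC\b.*?avc:\s+(?P<decision>denied|granted)\s+'
    r'\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)
COMM_RE = re.compile(r'\bcomm="([^"]*)"')
OBJ_RE = re.compile(r'\b(?:path|name)="([^"]*)"')


def context_type(ctx):
    """Return the type field (third colon-separated field) of an SELinux context."""
    return ctx.split(':')[2]


def parse_avc(line):
    """Parse one audit line; return a dict for AVC records, None for anything else."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    comm = COMM_RE.search(line)
    obj = OBJ_RE.search(line)
    return {
        'decision': m.group('decision'),
        'perms': m.group('perms').split(),
        'stype': context_type(m.group('scontext')),
        'ttype': context_type(m.group('tcontext')),
        'tclass': m.group('tclass'),
        'comm': comm.group(1) if comm else None,
        'object': obj.group(1) if obj else None,
    }


def summarize_denials(log_text):
    """Group denied permissions by (source type, target type, object class)."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec['decision'] == 'denied':
            grouped[(rec['stype'], rec['ttype'], rec['tclass'])].update(rec['perms'])
    # Sort the permission sets so the output is stable and easy to diff.
    return {key: sorted(perms) for key, perms in grouped.items()}


def render_rules(summary):
    """Render a denial summary as audit2allow-style allow rules, one per group."""
    return [
        f"allow {stype} {ttype}:{tclass} {{ {' '.join(perms)} }};"
        for (stype, ttype, tclass), perms in sorted(summary.items())
    ]


if __name__ == '__main__':
    for rule in render_rules(summarize_denials(SAMPLE_AUDIT_LOG)):
        print(rule)
```

Run against the sample it yields a single rule, `allow fail2ban_client_t passwd_file_t:file { getattr open read };`, which is exactly the access the traceback explains: `pwd.getpwuid()` has to read `/etc/passwd` to resolve uid 0, and with the read denied the lookup surfaces as `KeyError: 'getpwuid(): uid not found: 0'`. Grouping by type rather than by process name matters because the same rule covers every process running in `fail2ban_client_t`, which is how the fix lands in the distribution policy rather than as a per-host local module.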

Comment 1 Daniel Walsh 2012-04-27 20:07:44 UTC
Fixed in selinux-policy-3.10.0-120.fc17

Comment 2 Fedora Update System 2012-05-04 19:52:48 UTC
selinux-policy-3.10.0-121.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-121.fc17

Comment 3 Fedora Update System 2012-05-04 22:16:29 UTC
Package selinux-policy-3.10.0-121.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-121.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-7313/selinux-policy-3.10.0-121.fc17
then log in and leave karma (feedback).

Comment 4 Fedora Update System 2012-05-08 04:21:53 UTC
selinux-policy-3.10.0-121.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

