Bug 817115 - fail2ban is not allowed to read the passwd file
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 17
Hardware: x86_64 Linux
Priority: unspecified
Severity: unspecified
Assigned To: Miroslav Grepl
Ben Levenson
Reported: 2012-04-27 14:20 EDT by Göran Uddeborg
Modified: 2012-05-08 00:21 EDT (History)
Fixed In Version: selinux-policy-3.10.0-121.fc17
Doc Type: Bug Fix
Last Closed: 2012-05-08 00:21:53 EDT
Type: Bug
Description Göran Uddeborg 2012-04-27 14:20:16 EDT
Description of problem:
During my gradual F17 upgrade, fail2ban stopped working.  It turns out it tries to read the /etc/passwd file, but isn't allowed.

Version-Release number of selected component (if applicable):
fail2ban-0.8.4-28.fc17.noarch
selinux-policy-targeted-3.10.0-118.fc17.noarch


How reproducible:
Every time

Steps to Reproduce:
1. systemctl start fail2ban.service
  
Actual results:
Error message from systemctl and this backtrace in /var/log/messages:

Apr 27 19:32:58 mimmi fail2ban[19415]: Startar fail2ban: Traceback (most recent call last):
Apr 27 19:32:58 mimmi fail2ban[19415]: File "/usr/lib64/python2.7/site.py", line 567, in <module>
Apr 27 19:32:58 mimmi fail2ban[19415]: main()
Apr 27 19:32:58 mimmi fail2ban[19415]: File "/usr/lib64/python2.7/site.py", line 549, in main
Apr 27 19:32:58 mimmi fail2ban[19415]: known_paths = addusersitepackages(known_paths)
Apr 27 19:32:58 mimmi fail2ban[19415]: File "/usr/lib64/python2.7/site.py", line 278, in addusersitepackages
Apr 27 19:32:58 mimmi fail2ban[19415]: user_site = getusersitepackages()
Apr 27 19:32:58 mimmi fail2ban[19415]: File "/usr/lib64/python2.7/site.py", line 253, in getusersitepackages
Apr 27 19:32:58 mimmi fail2ban[19415]: user_base = getuserbase() # this will also set USER_BASE
Apr 27 19:32:58 mimmi fail2ban[19415]: File "/usr/lib64/python2.7/site.py", line 243, in getuserbase
Apr 27 19:32:58 mimmi fail2ban[19415]: USER_BASE = get_config_var('userbase')
Apr 27 19:32:58 mimmi fail2ban[19415]: File "/usr/lib64/python2.7/sysconfig.py", line 520, in get_config_var
Apr 27 19:32:58 mimmi fail2ban[19415]: return get_config_vars().get(name)
Apr 27 19:32:58 mimmi fail2ban[19415]: File "/usr/lib64/python2.7/sysconfig.py", line 424, in get_config_vars
Apr 27 19:32:58 mimmi fail2ban[19415]: _CONFIG_VARS['userbase'] = _getuserbase()
Apr 27 19:32:58 mimmi fail2ban[19415]: File "/usr/lib64/python2.7/sysconfig.py", line 182, in _getuserbase
Apr 27 19:32:58 mimmi fail2ban[19415]: return env_base if env_base else joinuser("~", ".local")
Apr 27 19:32:58 mimmi fail2ban[19415]: File "/usr/lib64/python2.7/sysconfig.py", line 169, in joinuser
Apr 27 19:32:58 mimmi fail2ban[19415]: return os.path.expanduser(os.path.join(*args))
Apr 27 19:32:58 mimmi fail2ban[19415]: File "/usr/lib64/python2.7/posixpath.py", line 260, in expanduser
Apr 27 19:32:58 mimmi fail2ban[19415]: userhome = pwd.getpwuid(os.getuid()).pw_dir
Apr 27 19:32:58 mimmi fail2ban[19415]: KeyError: 'getpwuid(): uid not found: 0'
Apr 27 19:32:58 mimmi fail2ban[19415]: [MISSLYCKADES]
Apr 27 19:32:58 mimmi systemd[1]: fail2ban.service: control process exited, code=exited status=1
Apr 27 19:32:58 mimmi systemd[1]: Unit fail2ban.service entered failed state.


Expected results:
A running fail2ban server.

Additional info:
Entering permissive mode and starting fail2ban gives the following AVCs:

time->Fri Apr 27 19:56:27 2012
type=SYSCALL msg=audit(1335549387.605:22665): arch=c000003e syscall=2 success=yes exit=4 a0=7f87063c46ca a1=80000 a2=1b6 a3=238 items=0 ppid=20496 pid=20501 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="fail2ban-client" exe="/usr/bin/python" subj=system_u:system_r:fail2ban_client_t:s0 key=(null)
type=AVC msg=audit(1335549387.605:22665): avc:  denied  { open } for  pid=20501 comm="fail2ban-client" name="passwd" dev=dm-0 ino=4310009 scontext=system_u:system_r:fail2ban_client_t:s0 tcontext=unconfined_u:object_r:passwd_file_t:s0 tclass=file
type=AVC msg=audit(1335549387.605:22665): avc:  denied  { read } for  pid=20501 comm="fail2ban-client" name="passwd" dev=dm-0 ino=4310009 scontext=system_u:system_r:fail2ban_client_t:s0 tcontext=unconfined_u:object_r:passwd_file_t:s0 tclass=file
----
time->Fri Apr 27 19:56:27 2012
type=SYSCALL msg=audit(1335549387.607:22666): arch=c000003e syscall=5 success=yes exit=0 a0=4 a1=7fff8b60fab0 a2=7fff8b60fab0 a3=0 items=0 ppid=20496 pid=20501 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="fail2ban-client" exe="/usr/bin/python" subj=system_u:system_r:fail2ban_client_t:s0 key=(null)
type=AVC msg=audit(1335549387.607:22666): avc:  denied  { getattr } for  pid=20501 comm="fail2ban-client" path="/etc/passwd" dev=dm-0 ino=4310009 scontext=system_u:system_r:fail2ban_client_t:s0 tcontext=unconfined_u:object_r:passwd_file_t:s0 tclass=file
Comment 1 Daniel Walsh 2012-04-27 16:07:44 EDT
Fixed in selinux-policy-3.10.0-120.fc17
Comment 2 Fedora Update System 2012-05-04 15:52:48 EDT
selinux-policy-3.10.0-121.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-121.fc17
Comment 3 Fedora Update System 2012-05-04 18:16:29 EDT
Package selinux-policy-3.10.0-121.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-121.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-7313/selinux-policy-3.10.0-121.fc17
then log in and leave karma (feedback).
Comment 4 Fedora Update System 2012-05-08 00:21:53 EDT
selinux-policy-3.10.0-121.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
