This service will be undergoing maintenance at 00:00 UTC, 2017-10-23 It is expected to last about 30 minutes
Bug 865190 - selinux denies denyhosts write access to /usr/share/denyhosts/data
selinux denies denyhosts write access to /usr/share/denyhosts/data
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: denyhosts (Show other bugs)
17
All Linux
unspecified Severity low
: ---
: ---
Assigned To: Jason Tibbitts
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2012-10-10 20:31 EDT by Todd Thomas
Modified: 2012-10-11 11:25 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-10-11 11:25:18 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Todd Thomas 2012-10-10 20:31:37 EDT
Description of problem:
After installing and configuring denyhosts (DH) the service must be enabled. When you try to start DH, an SELinux Alert is displayed. These are the details:
SELinux is preventing /usr/bin/python2.7 from create access on the directory data.

*****  Plugin catchall_labels (83.8 confidence) suggests  ********************

If you want to allow python2.7 to have create access on the data directory
Then you need to change the label on data
Do
# semanage fcontext -a -t FILE_TYPE 'data'
where FILE_TYPE is one of the following: denyhosts_var_lock_t. 
Then execute: 
restorecon -v 'data'


*****  Plugin catchall (17.1 confidence) suggests  ***************************

If you believe that python2.7 should be allowed create access on the data directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep denyhosts.py /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:denyhosts_t:s0
Target Context                system_u:object_r:usr_t:s0
Target Objects                data [ dir ]
Source                        denyhosts.py
Source Path                   /usr/bin/python2.7
Port                          <Unknown>
Host                          power.ptest.us
Source RPM Packages           python-2.7.3-7.2.fc17.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.10.0-149.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     power.ptest.us
Platform                      Linux power.ptest.us 3.5.4-2.fc17.x86_64 #1 SMP
                              Wed Sep 26 21:58:50 UTC 2012 x86_64 x86_64
Alert Count                   3
First Seen                    2012-10-09 00:01:37 CDT
Last Seen                     2012-10-09 00:08:21 CDT
Local ID                      74248b5e-aa97-4487-bbba-2ce3ce7ff0a3

Raw Audit Messages
type=AVC msg=audit(1349759301.377:5468): avc:  denied  { create } for  pid=15284 comm="denyhosts.py" name="data" scontext=system_u:system_r:denyhosts_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir


type=SYSCALL msg=audit(1349759301.377:5468): arch=x86_64 syscall=mkdir success=no exit=EACCES a0=16c5980 a1=1ff a2=383d5b39c8 a3=6168732f7273752f items=0 ppid=1 pid=15284 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=denyhosts.py exe=/usr/bin/python2.7 subj=system_u:system_r:denyhosts_t:s0 key=(null)

Hash: denyhosts.py,denyhosts_t,usr_t,dir,create

audit2allow

#============= denyhosts_t ==============
#!!!! This avc is allowed in the current policy

allow denyhosts_t usr_t:dir create;

audit2allow -R

#============= denyhosts_t ==============
#!!!! This avc is allowed in the current policy

allow denyhosts_t usr_t:dir create;
---------------------------


Version-Release number of selected component (if applicable):
denyhosts.noarch   2.6-26.fc17   @fedora

How reproducible:
Was not duplicated. 

Steps to Reproduce:
1. Install DH
yum -y install denyhosts

2. Configure with these options:
$ sudo vi /etc/denyhosts.conf
---
SECURE_LOG = /var/log/secure
HOSTS_DENY = /etc/hosts.deny
PURGE_DENY = 12w 
BLOCK_SERVICE  = sshd
DENY_THRESHOLD_INVALID = 5
DENY_THRESHOLD_VALID = 10
DENY_THRESHOLD_ROOT = 5
DENY_THRESHOLD_RESTRICTED = 1
WORK_DIR = /usr/share/denyhosts/data
SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES
HOSTNAME_LOOKUP=YES
LOCK_FILE = /var/lock/subsys/denyhosts
ADMIN_EMAIL = me@domain.tld
SMTP_HOST = localhost
SMTP_PORT = 25
SMTP_FROM = DenyHosts <root@domain.tld>
SMTP_SUBJECT = DenyHosts Report
SYSLOG_REPORT=YES
AGE_RESET_VALID=5d
AGE_RESET_ROOT=25d
AGE_RESET_RESTRICTED=25d
AGE_RESET_INVALID=10d
RESET_ON_SUCCESS = yes
DAEMON_LOG = /var/log/denyhosts
DAEMON_SLEEP = 30s
DAEMON_PURGE = 1h
SYNC_SERVER = http://xmlrpc.denyhosts.net:9911
SYNC_INTERVAL = 2h
SYNC_UPLOAD = yes
SYNC_DOWNLOAD = yes
SYNC_DOWNLOAD_THRESHOLD = 3
SYNC_DOWNLOAD_RESILIENCY = 5h
---

3. Start the DH Service
sudo systemctl start denyhosts.service

  
Actual results:
AVC denial message is displayed:
The Source process: /usr/bin/python2.7
Attempted this access: create
On this directory: data

Expected results:
DH starts as a service without error and runs per design.

Additional info:
This fixes the problem:
sudo chcon -R -t denyhosts_var_lib_t /usr/share/denyhosts

But it should just be worked out of the system.
---

Also, grift, of the freenode IRC channel suggests that DH shouldn't be saving data in '/usr/share/denyhosts/data' but rather in '/var/lib/denyhosts/data' per RH design standards.
Comment 1 Dominick Grift 2012-10-11 09:01:34 EDT
Now i see it

you have misconfigured denyhosts:

above you note:

WORK_DIR = /usr/share/denyhosts/data

This is wrong and should be set to:

WORK_DIR = /var/lib/denyhosts/data

So this bug report can probably be closed
Comment 2 Jason Tibbitts 2012-10-11 11:25:18 EDT
The Fedora package definitely doesn't put anything in /usr/share/denyhosts by default.  If you changed the configuration, you're responsible for making sure selinux matches; this is always the case.  If you installed denyhosts from source, you are seeing the upstream default for WORK_DIR and you'd need to change it.  But then I don't see why you'd be reporting a bug against the denyhosts package at all in that case.

Just triple checked by bringing up an F17 VM with selinux enabled and installing the denyhosts package.  It starts fine.

Note You need to log in before you can comment on or make changes to this bug.