Description of problem:
After installing and configuring denyhosts (DH) the service must be enabled. When you try to start DH, an SELinux Alert is displayed. These are the details:

SELinux is preventing /usr/bin/python2.7 from create access on the directory data.

***** Plugin catchall_labels (83.8 confidence) suggests ********************

If you want to allow python2.7 to have create access on the data directory
Then you need to change the label on data
Do
# semanage fcontext -a -t FILE_TYPE 'data'
where FILE_TYPE is one of the following: denyhosts_var_lock_t.
Then execute:
restorecon -v 'data'

***** Plugin catchall (17.1 confidence) suggests ***************************

If you believe that python2.7 should be allowed create access on the data directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep denyhosts.py /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:denyhosts_t:s0
Target Context                system_u:object_r:usr_t:s0
Target Objects                data [ dir ]
Source                        denyhosts.py
Source Path                   /usr/bin/python2.7
Port                          <Unknown>
Host                          power.ptest.us
Source RPM Packages           python-2.7.3-7.2.fc17.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.10.0-149.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     power.ptest.us
Platform                      Linux power.ptest.us 3.5.4-2.fc17.x86_64 #1 SMP Wed Sep 26 21:58:50 UTC 2012 x86_64 x86_64
Alert Count                   3
First Seen                    2012-10-09 00:01:37 CDT
Last Seen                     2012-10-09 00:08:21 CDT
Local ID                      74248b5e-aa97-4487-bbba-2ce3ce7ff0a3

Raw Audit Messages
type=AVC msg=audit(1349759301.377:5468): avc: denied { create } for pid=15284 comm="denyhosts.py" name="data" scontext=system_u:system_r:denyhosts_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir

type=SYSCALL msg=audit(1349759301.377:5468): arch=x86_64 syscall=mkdir success=no exit=EACCES a0=16c5980 a1=1ff a2=383d5b39c8 a3=6168732f7273752f items=0 ppid=1 pid=15284 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=denyhosts.py exe=/usr/bin/python2.7 subj=system_u:system_r:denyhosts_t:s0 key=(null)

Hash: denyhosts.py,denyhosts_t,usr_t,dir,create

audit2allow

#============= denyhosts_t ==============
#!!!! This avc is allowed in the current policy
allow denyhosts_t usr_t:dir create;

audit2allow -R

#============= denyhosts_t ==============
#!!!! This avc is allowed in the current policy
allow denyhosts_t usr_t:dir create;

---------------------------

Version-Release number of selected component (if applicable):
denyhosts.noarch 2.6-26.fc17 @fedora

How reproducible:
Was not duplicated.

Steps to Reproduce:
1. Install DH
   yum -y install denyhosts
2. Configure with these options:
   $ sudo vi /etc/denyhosts.conf
   ---
   SECURE_LOG = /var/log/secure
   HOSTS_DENY = /etc/hosts.deny
   PURGE_DENY = 12w
   BLOCK_SERVICE = sshd
   DENY_THRESHOLD_INVALID = 5
   DENY_THRESHOLD_VALID = 10
   DENY_THRESHOLD_ROOT = 5
   DENY_THRESHOLD_RESTRICTED = 1
   WORK_DIR = /usr/share/denyhosts/data
   SUSPICIOUS_LOGIN_REPORT_ALLOWED_HOSTS=YES
   HOSTNAME_LOOKUP=YES
   LOCK_FILE = /var/lock/subsys/denyhosts
   ADMIN_EMAIL = me
   SMTP_HOST = localhost
   SMTP_PORT = 25
   SMTP_FROM = DenyHosts <root>
   SMTP_SUBJECT = DenyHosts Report
   SYSLOG_REPORT=YES
   AGE_RESET_VALID=5d
   AGE_RESET_ROOT=25d
   AGE_RESET_RESTRICTED=25d
   AGE_RESET_INVALID=10d
   RESET_ON_SUCCESS = yes
   DAEMON_LOG = /var/log/denyhosts
   DAEMON_SLEEP = 30s
   DAEMON_PURGE = 1h
   SYNC_SERVER = http://xmlrpc.denyhosts.net:9911
   SYNC_INTERVAL = 2h
   SYNC_UPLOAD = yes
   SYNC_DOWNLOAD = yes
   SYNC_DOWNLOAD_THRESHOLD = 3
   SYNC_DOWNLOAD_RESILIENCY = 5h
   ---
3. Start the DH Service
   sudo systemctl start denyhosts.service

Actual results:
AVC denial message is displayed:
The Source process: /usr/bin/python2.7
Attempted this access: create
On this directory: data

Expected results:
DH starts as a service without error and runs per design.

Additional info:
This fixes the problem:
sudo chcon -R -t denyhosts_var_lib_t /usr/share/denyhosts
But it should just be worked out of the system.
---
Also, grift, of the freenode IRC channel, suggests that DH shouldn't be saving data in '/usr/share/denyhosts/data' but rather in '/var/lib/denyhosts/data' per RH design standards.
Now I see it: you have misconfigured denyhosts. Above you note:
WORK_DIR = /usr/share/denyhosts/data
This is wrong and should be set to:
WORK_DIR = /var/lib/denyhosts/data
So this bug report can probably be closed.
The Fedora package definitely doesn't put anything in /usr/share/denyhosts by default. If you changed the configuration, you're responsible for making sure selinux matches; this is always the case. If you installed denyhosts from source, you are seeing the upstream default for WORK_DIR and you'd need to change it. But then I don't see why you'd be reporting a bug against the denyhosts package at all in that case. Just triple checked by bringing up an F17 VM with selinux enabled and installing the denyhosts package. It starts fine.
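The report's raw AVC line and the comments' WORK_DIR diagnosis can be checked mechanically. The following is an added example written for this page, not code from the report, the denyhosts project or the Fedora package: it parses an AVC denial into its source type, target type, object class and permissions, reads WORK_DIR from a denyhosts.conf, and flags the two conditions seen here: a WORK_DIR outside /var/lib/denyhosts (the location the comments give as correct; treating that prefix as the only expected one is an assumption of this example) and a denyhosts_t domain being denied on an object whose label is not a denyhosts-specific type (usr_t here; the "denyhosts_" prefix test is likewise an assumption, not a policy fact taken from the page). The AVC line is copied from the report; the config excerpt is constructed from the reporter's settings.

```python
import re

# AVC line from the bug report above (sample input for this example).
AVC_LINE = ('type=AVC msg=audit(1349759301.377:5468): avc: denied { create } for pid=15284 '
            'comm="denyhosts.py" name="data" scontext=system_u:system_r:denyhosts_t:s0 '
            'tcontext=system_u:object_r:usr_t:s0 tclass=dir')

# Constructed denyhosts.conf excerpt using the reporter's WORK_DIR setting.
SAMPLE_CONF = """\
SECURE_LOG = /var/log/secure
HOSTS_DENY = /etc/hosts.deny
WORK_DIR = /usr/share/denyhosts/data
LOCK_FILE = /var/lock/subsys/denyhosts
"""

# Assumption for this example: the packaged, correctly labelled work directory
# lives under /var/lib/denyhosts, as the comments on the report state.
EXPECTED_WORK_DIR_PREFIX = '/var/lib/denyhosts'

_AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)')
_KV_RE = re.compile(r'(\w+)=("(?:[^"]*)"|\S+)')


def _type_of(context):
    """Extract the type field from a user:role:type:level SELinux context."""
    if not context or context.count(':') < 2:
        return None
    return context.split(':')[2]


def parse_avc(line):
    """Return a dict describing an AVC denial, or None if the line is not one."""
    m = _AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in _KV_RE.findall(m.group('rest'))}
    return {
        'perms': m.group('perms').split(),
        'source_type': _type_of(fields.get('scontext')),
        'target_type': _type_of(fields.get('tcontext')),
        'tclass': fields.get('tclass'),
        'comm': fields.get('comm'),
        'name': fields.get('name'),
        'pid': int(fields['pid']) if 'pid' in fields else None,
    }


def parse_conf(text):
    """Minimal KEY = VALUE parser for denyhosts.conf; '#' starts a comment."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line or '=' not in line:
            continue
        key, value = line.split('=', 1)
        conf[key.strip()] = value.strip()
    return conf


def diagnose(conf_text, avc_line):
    """Return a list of findings explaining why a denyhosts_t denial occurred."""
    findings = []
    conf = parse_conf(conf_text)
    work_dir = conf.get('WORK_DIR')
    if work_dir and work_dir != EXPECTED_WORK_DIR_PREFIX \
            and not work_dir.startswith(EXPECTED_WORK_DIR_PREFIX + '/'):
        findings.append('WORK_DIR %s is outside %s; directories created there will '
                        'not carry a denyhosts file label'
                        % (work_dir, EXPECTED_WORK_DIR_PREFIX))
    avc = parse_avc(avc_line)
    if avc and avc['source_type'] == 'denyhosts_t':
        target = avc['target_type'] or '?'
        # Assumption: denyhosts-owned files are labelled with a denyhosts_* type.
        if not target.startswith('denyhosts_'):
            findings.append("denyhosts_t was denied '%s' on %s '%s' labelled %s; "
                            "fix the label or the path rather than adding an allow rule"
                            % (' '.join(avc['perms']), avc['tclass'], avc['name'], target))
    return findings


if __name__ == '__main__':
    for finding in diagnose(SAMPLE_CONF, AVC_LINE):
        print('-', finding)
```

Run against the report's data it produces two findings, one for the WORK_DIR path and one for the usr_t label; with WORK_DIR under /var/lib/denyhosts and no AVC denial present it produces none. The point it makes is the one the comments make: the denial is a labelling symptom of a path choice, so the remedy is the path (or its label), not the `audit2allow` module that the catchall plugin offers.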