Package: leafnode
Version: 1.11.6-5
Severity: important
When using leafnode with SELinux enabled, clients are not able to
connect to the leafnode server. I get a permission denied error even
though the permissions are correct.
I tried using audit2why and adding the privileges to SELinux but still
it doesn't work.
[EMAIL PROTECTED]:~$ telnet localhost nntp
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Warning: cannot create /var/spool/news/ with proper ownership:
Permission denied
Make sure you run this program as user root or news.
Connection closed by foreign host.
[EMAIL PROTECTED]:~$ ls -l /var/spool/
total 68
drwxr-xr-x 2 root root 4096 2007-10-20 00:32 anacron/
drwxr-xr-x 3 root root 4096 2007-10-20 01:00 cron/
drwx--x--- 3 root lp 4096 2008-01-29 13:56 cups/
drwxr-xr-x 4 root root 4096 2007-11-13 20:49 cups-pdf/
drwxr-x--- 5 Debian-exim Debian-exim 4096 2008-01-23 23:03 exim4/
drwxr-xr-x 2 root root 4096 2007-08-06 08:32 lintian/
lrwxrwxrwx 1 root root 7 2007-10-19 23:54 mail ->
.../mail/
drwsr-xr-x 10 news news 4096 2008-01-19 06:37 news/
drwxr-xr-x 3 root root 4096 2007-10-20 15:16 openoffice/
This is what syslog has:
Feb 3 07:17:34 learner leafnode[2625]: connect from 127.0.0.1 (127.0.0.1)
Feb 3 07:17:34 learner leafnode[2625]: error: cannot execute /usr/sbin/leafnode: Permission denied
Feb 3 07:17:39 learner leafnode[2642]: connect from 127.0.0.1 (127.0.0.1)
Feb 3 07:17:39 learner leafnode[2642]: error: cannot execute /usr/sbin/leafnode: Permission denied
Feb 3 07:18:01 learner CRON[2725]: pam_unix(cron:session): session opened for user news by (uid=0)
Feb 3 07:18:01 learner /USR/SBIN/CRON[2726]: (news) CMD (if [ -x /etc/news/leafnode/do-fetch-news ]; then /etc/news/leafnode/do-fetch-news; fi)
This is what audit.log has to say:
type=DAEMON_START msg=audit(1201993247.241:6825) auditd start, ver=1.5.3, format=raw, auid=4294967295 pid=3773 res=success, auditd pid=3773
type=CONFIG_CHANGE msg=audit(1201993247.359:34): audit_enabled=1 old=1 by auid=4294967295 subj=system_u:system_r:auditd_t:s0 res=1
type=CONFIG_CHANGE msg=audit(1201993247.359:35): audit_enabled=1 old=1 by auid=4294967295 res=1
type=CONFIG_CHANGE msg=audit(1201993247.383:36): audit_backlog_limit=320 old=64 by auid=4294967295 subj=system_u:system_r:auditctl_t:s0 res=1
type=CONFIG_CHANGE msg=audit(1201993247.384:37): audit_backlog_limit=320 old=64 by auid=4294967295 res=1
type=AVC msg=audit(1202003093.120:38): avc: denied { execute } for pid=2061 comm="tcpd" name="leafnode" dev=dm-2 ino=5792924 scontext=system_u:system_r:tcpd_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=file
type=AVC msg=audit(1202003101.403:39): avc: denied { execute } for pid=2093 comm="tcpd" name="leafnode" dev=dm-2 ino=5792924 scontext=system_u:system_r:tcpd_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=file
type=MAC_POLICY_LOAD msg=audit(1202003207.061:40): policy loaded auid=4294967295
type=AVC msg=audit(1202003211.012:41): avc: denied { execute_no_trans } for pid=2479 comm="tcpd" path="/usr/sbin/leafnode" dev=dm-2 ino=5792924 scontext=system_u:system_r:tcpd_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=file
type=AVC msg=audit(1202003254.763:42): avc: denied { execute_no_trans } for pid=2625 comm="tcpd" path="/usr/sbin/leafnode" dev=dm-2 ino=5792924 scontext=system_u:system_r:tcpd_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=file
type=AVC msg=audit(1202003259.774:43): avc: denied { execute_no_trans } for pid=2642 comm="tcpd" path="/usr/sbin/leafnode" dev=dm-2 ino=5792924 scontext=system_u:system_r:tcpd_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=file
type=MAC_POLICY_LOAD msg=audit(1202003330.277:44): policy loaded auid=4294967295
type=AVC msg=audit(1202003332.753:45): avc: denied { read } for pid=2906 comm="tcpd" path="/usr/sbin/leafnode" dev=dm-2 ino=5792924 scontext=system_u:system_r:tcpd_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=file
type=AVC msg=audit(1202003337.764:46): avc: denied { read } for pid=2922 comm="tcpd" path="/usr/sbin/leafnode" dev=dm-2 ino=5792924 scontext=system_u:system_r:tcpd_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=file
type=AVC msg=audit(1202003690.414:47): avc: denied { read } for pid=9359 comm="tcpd" path="/usr/sbin/leafnode" dev=dm-2 ino=5792924 scontext=system_u:system_r:tcpd_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=file
type=AVC msg=audit(1202004289.697:48): avc: denied { read } for pid=14079 comm="tcpd" path="/usr/sbin/leafnode" dev=dm-2 ino=5792924 scontext=system_u:system_r:tcpd_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=file
type=AVC msg=audit(1202004889.582:49): avc: denied { read } for pid=17498 comm="tcpd" path="/usr/sbin/leafnode" dev=dm-2 ino=5792924 scontext=system_u:system_r:tcpd_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=file
type=AVC msg=audit(1202005489.621:50): avc: denied { read } for pid=22424 comm="tcpd" path="/usr/sbin/leafnode" dev=dm-2 ino=5792924 scontext=system_u:system_r:tcpd_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=file
type=AVC msg=audit(1202006089.760:51): avc: denied { read } for pid=28102 comm="tcpd" path="/usr/sbin/leafnode" dev=dm-2 ino=5792924 scontext=system_u:system_r:tcpd_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=file
type=AVC msg=audit(1202006689.644:52): avc: denied { read } for pid=32595 comm="tcpd" path="/usr/sbin/leafnode" dev=dm-2 ino=5792924 scontext=system_u:system_r:tcpd_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=file
type=AVC msg=audit(1202007289.631:53): avc: denied { read } for pid=3134 comm="tcpd" path="/usr/sbin/leafnode" dev=dm-2 ino=5792924 scontext=system_u:system_r:tcpd_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=file
type=AVC msg=audit(1202007889.790:54): avc: denied { read } for pid=5895 comm="tcpd" path="/usr/sbin/leafnode" dev=dm-2 ino=5792924 scontext=system_u:system_r:tcpd_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=file
BTW, I'm running leafnode from inetd.
Ritesh
-- System Information:
Debian Release: lenny/sid
APT prefers testing
APT policy: (990, 'testing'), (600, 'unstable'), (150, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.23-systap (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages leafnode depends on:
ii debconf [debconf-2.0] 1.5.18 Debian configuration management sy
ii libc6 2.7-6 GNU C Library: Shared libraries
ii libpcre3 7.4-1 Perl 5 Compatible Regular Expressi
ii logrotate 3.7.1-3 Log rotation utility
ii openbsd-inetd [inet-superse 0.20050402-6 The OpenBSD Internet Superserver
ii tcpd 7.6.dbs-14 Wietse Venema's TCP wrapper utilit
leafnode recommends no packages.
-- debconf information:
* leafnode/update-groups: false
* leafnode/tcpd: true
* leafnode/network: permanent
leafnode/purge: false
* leafnode/server: news.gmane.org
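The audit records above all say the same thing in three variants: the tcpd_t domain (the inetd wrapper) is refused execute, execute_no_trans and read on a file labelled sbin_t, which is why leafnode never starts and audit2why keeps pointing at the same denial after each policy reload. The following is an added triage helper, not part of this bug report or of leafnode: it parses AVC records, collapses the repeated denials into one (source type, target type, class) group, and renders the allow rule audit2allow would propose, so the operator can see in one line what the policy is being asked to grant before deciding whether an allow rule or a relabel of /usr/sbin/leafnode is the right fix. The sample records are copied and re-joined from the log above.

```python
import re
from collections import defaultdict

# Fields of an audit AVC record needed for triage; other record types are ignored.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): '
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for pid=(?P<pid>\d+) comm="(?P<comm>[^"]+)"'
    r'.*?scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)

# Three records from the report above (re-joined onto single lines) plus one
# non-AVC record, to show that only denials are collected.
SAMPLE_AUDIT = [
    'type=AVC msg=audit(1202003093.120:38): avc: denied { execute } for pid=2061 comm="tcpd" name="leafnode" dev=dm-2 ino=5792924 scontext=system_u:system_r:tcpd_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=file',
    'type=MAC_POLICY_LOAD msg=audit(1202003207.061:40): policy loaded auid=4294967295',
    'type=AVC msg=audit(1202003211.012:41): avc: denied { execute_no_trans } for pid=2479 comm="tcpd" path="/usr/sbin/leafnode" dev=dm-2 ino=5792924 scontext=system_u:system_r:tcpd_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=file',
    'type=AVC msg=audit(1202003332.753:45): avc: denied { read } for pid=2906 comm="tcpd" path="/usr/sbin/leafnode" dev=dm-2 ino=5792924 scontext=system_u:system_r:tcpd_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=file',
]


def parse_avc(line):
    """Return a dict of the AVC fields, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()   # "{ execute_no_trans }" -> ["execute_no_trans"]
    rec["pid"] = int(rec["pid"])
    return rec


def selinux_type(context):
    """Extract the type field from user:role:type[:range]."""
    return context.split(":")[2]


def summarize(lines):
    """Union the denied permissions per (source type, target type, object class)."""
    groups = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (selinux_type(rec["scontext"]), selinux_type(rec["tcontext"]), rec["tclass"])
        groups[key].update(rec["perms"])
    return dict(groups)


def te_rules(summary):
    """Render each group as a type-enforcement allow rule in the form audit2allow prints."""
    return [f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
            for (src, tgt, cls), perms in sorted(summary.items())]


if __name__ == "__main__":
    for rule in te_rules(summarize(SAMPLE_AUDIT)):
        print(rule)
```

The single rule this prints, `allow tcpd_t sbin_t:file { execute execute_no_trans read };`, is the entire access the wrapper needs; a grant that wide to all of sbin_t is what a relabel or a dedicated domain for the leafnode binary would avoid.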