Package: leafnode
Version: 1.11.6-5
Severity: important

When using leafnode with SELinux enabled, clients are not able to connect to the leafnode server.
I get a permission denied error even though the permissions are correct.
I tried using audit2why and adding the privileges to SELinux but still it doesn't work.

[EMAIL PROTECTED]:~$ telnet localhost nntp
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Warning: cannot create /var/spool/news/ with proper ownership: Permission denied
Make sure you run this program as user root or news.
Connection closed by foreign host.

[EMAIL PROTECTED]:~$ ls -l /var/spool/
total 68
drwxr-xr-x  2 root        root        4096 2007-10-20 00:32 anacron/
drwxr-xr-x  3 root        root        4096 2007-10-20 01:00 cron/
drwx--x---  3 root        lp          4096 2008-01-29 13:56 cups/
drwxr-xr-x  4 root        root        4096 2007-11-13 20:49 cups-pdf/
drwxr-x---  5 Debian-exim Debian-exim 4096 2008-01-23 23:03 exim4/
drwxr-xr-x  2 root        root        4096 2007-08-06 08:32 lintian/
lrwxrwxrwx  1 root        root           7 2007-10-19 23:54 mail -> .../mail/
drwsr-xr-x 10 news        news        4096 2008-01-19 06:37 news/
drwxr-xr-x  3 root        root        4096 2007-10-20 15:16 openoffice/

This is what syslog has:

Feb 3 07:17:34 learner leafnode[2625]: connect from 127.0.0.1 (127.0.0.1)
Feb 3 07:17:34 learner leafnode[2625]: error: cannot execute /usr/sbin/leafnode: Permission denied
Feb 3 07:17:39 learner leafnode[2642]: connect from 127.0.0.1 (127.0.0.1)
Feb 3 07:17:39 learner leafnode[2642]: error: cannot execute /usr/sbin/leafnode: Permission denied
Feb 3 07:18:01 learner CRON[2725]: pam_unix(cron:session): session opened for user news by (uid=0)
Feb 3 07:18:01 learner /USR/SBIN/CRON[2726]: (news) CMD (if [ -x /etc/news/leafnode/do-fetch-news ]; then /etc/news/leafnode/do-fetch-news; fi)

This is what audit.log has to say:

type=DAEMON_START msg=audit(1201993247.241:6825) auditd start, ver=1.5.3, format=raw, auid=4294967295 pid=3773 res=success, auditd pid=3773
type=CONFIG_CHANGE msg=audit(1201993247.359:34): audit_enabled=1 old=1 by auid=4294967295 subj=system_u:system_r:auditd_t:s0 res=1
type=CONFIG_CHANGE msg=audit(1201993247.359:35): audit_enabled=1 old=1 by auid=4294967295 res=1
type=CONFIG_CHANGE msg=audit(1201993247.383:36): audit_backlog_limit=320 old=64 by auid=4294967295 subj=system_u:system_r:auditctl_t:s0 res=1
type=CONFIG_CHANGE msg=audit(1201993247.384:37): audit_backlog_limit=320 old=64 by auid=4294967295 res=1
type=AVC msg=audit(1202003093.120:38): avc: denied { execute } for pid=2061 comm="tcpd" name="leafnode" dev=dm-2 ino=5792924 scontext=system_u:system_r:tcpd_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=file
type=AVC msg=audit(1202003101.403:39): avc: denied { execute } for pid=2093 comm="tcpd" name="leafnode" dev=dm-2 ino=5792924 scontext=system_u:system_r:tcpd_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=file
type=MAC_POLICY_LOAD msg=audit(1202003207.061:40): policy loaded auid=4294967295
type=AVC msg=audit(1202003211.012:41): avc: denied { execute_no_trans } for pid=2479 comm="tcpd" path="/usr/sbin/leafnode" dev=dm-2 ino=5792924 scontext=system_u:system_r:tcpd_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=file
type=AVC msg=audit(1202003254.763:42): avc: denied { execute_no_trans } for pid=2625 comm="tcpd" path="/usr/sbin/leafnode" dev=dm-2 ino=5792924 scontext=system_u:system_r:tcpd_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=file
type=AVC msg=audit(1202003259.774:43): avc: denied { execute_no_trans } for pid=2642 comm="tcpd" path="/usr/sbin/leafnode" dev=dm-2 ino=5792924 scontext=system_u:system_r:tcpd_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=file
type=MAC_POLICY_LOAD msg=audit(1202003330.277:44): policy loaded auid=4294967295
type=AVC msg=audit(1202003332.753:45): avc: denied { read } for pid=2906 comm="tcpd" path="/usr/sbin/leafnode" dev=dm-2 ino=5792924 scontext=system_u:system_r:tcpd_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=file
type=AVC msg=audit(1202003337.764:46): avc: denied { read } for pid=2922 comm="tcpd" path="/usr/sbin/leafnode" dev=dm-2 ino=5792924 scontext=system_u:system_r:tcpd_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=file
type=AVC msg=audit(1202003690.414:47): avc: denied { read } for pid=9359 comm="tcpd" path="/usr/sbin/leafnode" dev=dm-2 ino=5792924 scontext=system_u:system_r:tcpd_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=file
type=AVC msg=audit(1202004289.697:48): avc: denied { read } for pid=14079 comm="tcpd" path="/usr/sbin/leafnode" dev=dm-2 ino=5792924 scontext=system_u:system_r:tcpd_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=file
type=AVC msg=audit(1202004889.582:49): avc: denied { read } for pid=17498 comm="tcpd" path="/usr/sbin/leafnode" dev=dm-2 ino=5792924 scontext=system_u:system_r:tcpd_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=file
type=AVC msg=audit(1202005489.621:50): avc: denied { read } for pid=22424 comm="tcpd" path="/usr/sbin/leafnode" dev=dm-2 ino=5792924 scontext=system_u:system_r:tcpd_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=file
type=AVC msg=audit(1202006089.760:51): avc: denied { read } for pid=28102 comm="tcpd" path="/usr/sbin/leafnode" dev=dm-2 ino=5792924 scontext=system_u:system_r:tcpd_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=file
type=AVC msg=audit(1202006689.644:52): avc: denied { read } for pid=32595 comm="tcpd" path="/usr/sbin/leafnode" dev=dm-2 ino=5792924 scontext=system_u:system_r:tcpd_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=file
type=AVC msg=audit(1202007289.631:53): avc: denied { read } for pid=3134 comm="tcpd" path="/usr/sbin/leafnode" dev=dm-2 ino=5792924 scontext=system_u:system_r:tcpd_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=file
type=AVC msg=audit(1202007889.790:54): avc: denied { read } for pid=5895 comm="tcpd" path="/usr/sbin/leafnode" dev=dm-2 ino=5792924 scontext=system_u:system_r:tcpd_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=file

BTW, I'm running leafnode from inetd

Ritesh

-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (990, 'testing'), (600, 'unstable'), (150, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.23-systap (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages leafnode depends on:
ii  debconf [debconf-2.0]        1.5.18        Debian configuration management sy
ii  libc6                        2.7-6         GNU C Library: Shared libraries
ii  libpcre3                     7.4-1         Perl 5 Compatible Regular Expressi
ii  logrotate                    3.7.1-3       Log rotation utility
ii  openbsd-inetd [inet-superse  0.20050402-6  The OpenBSD Internet Superserver
ii  tcpd                         7.6.dbs-14    Wietse Venema's TCP wrapper utilit

leafnode recommends no packages.

-- debconf information:
* leafnode/update-groups: false
* leafnode/tcpd: true
* leafnode/network: permanent
  leafnode/purge: false
* leafnode/server: news.gmane.org
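
Added example (not part of the original report, and not how audit2why or audit2allow are implemented): a small Python parser that groups the AVC denials quoted in the report by policy load, showing that each reload surfaces the next missing permission for the same tcpd_t to sbin_t:file access. The function names are illustrative, and the sample holds one record per denied permission, copied from the audit.log excerpt with the wrapped context fields rejoined.

```python
import re
from collections import defaultdict

# Records copied from the report's audit.log excerpt (line wrapping repaired).
SAMPLE = """\
type=AVC msg=audit(1202003093.120:38): avc: denied { execute } for pid=2061 comm="tcpd" name="leafnode" dev=dm-2 ino=5792924 scontext=system_u:system_r:tcpd_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=file
type=MAC_POLICY_LOAD msg=audit(1202003207.061:40): policy loaded auid=4294967295
type=AVC msg=audit(1202003211.012:41): avc: denied { execute_no_trans } for pid=2479 comm="tcpd" path="/usr/sbin/leafnode" dev=dm-2 ino=5792924 scontext=system_u:system_r:tcpd_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=file
type=MAC_POLICY_LOAD msg=audit(1202003330.277:44): policy loaded auid=4294967295
type=AVC msg=audit(1202003332.753:45): avc: denied { read } for pid=2906 comm="tcpd" path="/usr/sbin/leafnode" dev=dm-2 ino=5792924 scontext=system_u:system_r:tcpd_t:s0 tcontext=system_u:object_r:sbin_t:s0 tclass=file
"""

AVC = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)"
)

def sel_type(context):
    """Return the type field of a user:role:type[:level] context."""
    return context.split(":")[2]

def denials_by_policy_load(log_text):
    """Split the log at MAC_POLICY_LOAD and collect denials per epoch."""
    epochs = [defaultdict(set)]
    for line in log_text.splitlines():
        if line.startswith("type=MAC_POLICY_LOAD"):
            epochs.append(defaultdict(set))
            continue
        m = AVC.search(line)
        if m:
            key = (sel_type(m["s"]), sel_type(m["t"]), m["cls"])
            epochs[-1][key].update(m["perms"].split())
    return [dict(e) for e in epochs]

def allow_rules(log_text):
    """Merge every epoch into the rule set the denials add up to."""
    merged = defaultdict(set)
    for epoch in denials_by_policy_load(log_text):
        for key, perms in epoch.items():
            merged[key] |= perms
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(merged.items())]

if __name__ == "__main__":
    for n, epoch in enumerate(denials_by_policy_load(SAMPLE)):
        print(f"after policy load #{n}:", {k: sorted(v) for k, v in epoch.items()})
    print("\n".join(allow_rules(SAMPLE)))
```

The merged rule covers every file labelled sbin_t, and execute_no_trans means the program runs inside tcpd_t rather than in a domain of its own, so review that scope before loading such a rule.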