fail2ban with ipset fails when selinux enforceing?
Dominick Grift
dominick.grift at gmail.com
Mon Sep 16 22:27:42 UTC 2013
On Mon, 2013-09-16 at 23:15 +0100, Charles Bradshaw wrote:
> I'm running Fedora 17, kernel 3.9.10-100.fc17.i686.PAE
>
> I am configuring ipset as an addition to fail2ban which I have had working for some time.
>
> I have this fail2ban-fixes.te compiled and installed:
> module fail2ban-fixes 1.02;
>
> # created using:
> # cat /var/log/audit/audit.log | audit2allow -m local > local.te
> # and moving local.te here.
> #
> # Modification:
> # 1.00 May 28 2013 fail2ban_client_t
> # 1.01 Jun 15 2013 logrotate_t
> # 1.02 Sep 16 2013 fail2ban_t
>
> # 1.00 - allow fail2ban client access to http logs
> #
> require {
> type httpd_log_t;
> type fail2ban_var_run_t;
> type fail2ban_client_t;
> class di31.7.144.66r { read write search };
> }
>
> #============= fail2ban_client_t ==============
> allow fail2ban_client_t fail2ban_var_run_t:dir write;
> allow fail2ban_client_t httpd_log_t:dir read;
> allow fail2ban_client_t httpd_log_t:dir search;
>
> # 1.01 - allow fail2ban logrotate
> #
> require {
> type logrotate_t;
> type fail2ban_client_exec_t;
> class file { read execute open };
> }
>
> #============= logrotate_t ==============
> allow logrotate_t fail2ban_client_exec_t:file { read execute };
>
> # 1.02 allow fail2ban access to ipset NOT WORKING when enforcing !
> #
> require {
> type fail2ban_t;
> class netlink_socket { bind create getattr };
> class capability net_admin;
> }
>
> #============= fail2ban_t ==============
> allow fail2ban_t self:netlink_socket { bind create getattr };
> allow fail2ban_t self:capability net_admin;
>
> All of the above have been created using audit2allow.
>
> The last block of the above, 'fail2ban_t', is necessary to get ipset to work the previous were
> necessary to allow the fail2ban client.
>
> As long as I am in permissive mode there are NO failed records in /var/log/audit/audit.log and
> 'nothing to do' reported by audit2allow.
>
> The ipset command is:
> ipset --test fail2ban-forum 198.143.143.5 || ipset --add fail2ban-forum 198.143.143.5
> and the correct entry is made to the hash:ip set fail2ban-forum. (that is as long as we are permissive)
>
> However, when enforcing is enabled the fail2ban.log contains errors like this:
> 2013-09-16 21:32:24,750 fail2ban.actions.action: ERROR ipset --test fail2ban-forum 198.143.143.5 || ipset --add fail2ban-forum 198.143.143.5 returned 100
>
> I can, of course, execute the ipset commands as root when enforcing.
>
> Here's the problem:
> There is nothing in /var/log/audit/audit.log or /var/log/messages to diagnose the nature of the error!
>
> Where is the bug? selinux or ipset or somewhere else?
> How do I debug the problem?
>
> Any clues much appreciated. I am cross posting this to the fail2ban list.
Some events are silently prevented by SELinux using rules with the
dontaudit keyword.
You can build the policy without those "dontaudit" rules inserted:
semodule -DB
Then you can reproduce your issues, and any event that were previously
silently prevented will now be exposed in audit.log
To build the policy with the "dontaudit" rules re-inserted:
semodule -B
silently preventing events is generally done for good reason. However,
everyone once in a while we get "dontaudit-happy", and add dontaudit
rules that we really shouldnt add. I guess were all just human after
all...
>
> TIA Charles Bradshaw
>
>
>
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
More information about the selinux
mailing list