On 07/09/13 21:33, Tristan Santore wrote:
> That appears to be a bug. It should allow:
> allow fail2ban_client_t fail2ban_var_run_t:dir write;
> Not so sure why it would want to access admin_home_t though.
> Create a policy with that line in. And yes, it is a bug. Because
> /var/run/fail2ban.* all files system_u:object_r:fail2ban_var_run_t:s0
> is labelled.
> I haven't got fail2ban installed here, but it should allow it to create
> the pid file and socket. You might find after that the access to the
> socket also gets blocked. So fix the one issue, then check the audit log
> again.
> Make sure you please file a bug on bugzilla.redhat.com against the
> selinux-policy package.

OK, I went ahead and did the usual
grep fail2ban /var/log/audit/audit.log | audit2allow -M myfail2ban
and it now starts in enforcing mode.
I don't use fail2ban myself. I was just helping someone else.
Now, to write the bugzilla.
Thanks,
Ed
--
The only thing worse than a poorly asked question is a cryptic answer.
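
An added example, not written by either poster: piping `grep fail2ban` output into `audit2allow -M` turns every logged denial into an allow rule, including the admin_home_t access questioned in the quoted reply. The Python below groups AVC denials into the rules such a module would contain and flags any rule whose target type is not on an expected list. The log lines, the `read` permission on admin_home_t, and the `allow_rules` helper are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample AVC records (not taken from the thread's audit log).
SAMPLE_LOG = """\
type=AVC msg=audit(1378586001.101:410): avc:  denied  { write } for  pid=2101 comm="fail2ban-client" name="fail2ban" dev="tmpfs" ino=18233 scontext=system_u:system_r:fail2ban_client_t:s0 tcontext=system_u:object_r:fail2ban_var_run_t:s0 tclass=dir
type=AVC msg=audit(1378586001.105:411): avc:  denied  { read } for  pid=2101 comm="fail2ban-client" name="root" dev="dm-0" ino=131 scontext=system_u:system_r:fail2ban_client_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
type=AVC msg=audit(1378586002.000:412): avc:  denied  { write } for  pid=2101 comm="fail2ban-client" name="fail2ban" dev="tmpfs" ino=18233 scontext=system_u:system_r:fail2ban_client_t:s0 tcontext=system_u:object_r:fail2ban_var_run_t:s0 tclass=dir
"""

# Pull the permission set, source type, target type and object class
# out of one "avc: denied" record.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=[^:]+:[^:]+:(?P<src>[^:\s]+)\S*\s+"
    r"tcontext=[^:]+:[^:]+:(?P<tgt>[^:\s]+)\S*\s+"
    r"tclass=(?P<cls>\w+)"
)

def allow_rules(log_text, expected_targets):
    """Return (rules, review).

    rules:  one allow rule per (source, target, class), permissions merged,
            which is the shape of rule audit2allow writes into a module.
    review: the subset of rules whose target type is not in expected_targets
            and should be understood before the module is loaded.
    """
    perms = defaultdict(set)
    for m in AVC_RE.finditer(log_text):
        perms[(m["src"], m["tgt"], m["cls"])].update(m["perms"].split())
    rules, review = [], []
    for (src, tgt, cls), granted in sorted(perms.items()):
        names = sorted(granted)
        perm = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
        rule = f"allow {src} {tgt}:{cls} {perm};"
        rules.append(rule)
        if tgt not in expected_targets:
            review.append(rule)
    return rules, review

if __name__ == "__main__":
    rules, review = allow_rules(SAMPLE_LOG, {"fail2ban_var_run_t"})
    for r in rules:
        print(("REVIEW  " if r in review else "OK      ") + r)
```
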