On Tue, 2013-07-09 at 14:33 +0100, Tristan Santore wrote:
On 09/07/13 14:06, Ed Greshko wrote:
> type=AVC msg=audit(1373375036.941:752): avc: denied { search } for pid=3806
comm="fail2ban-client" name="root" dev="dm-1" ino=1310721
scontext=system_u:system_r:fail2ban_client_t:s0 tcontext=system_u:object_r:admin_home_t:s0
tclass=dir
> type=AVC msg=audit(1373375036.946:753): avc: denied { rlimitinh } for pid=3808
comm="setroubleshootd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=process
> type=AVC msg=audit(1373375036.946:753): avc: denied { siginh } for pid=3808
comm="setroubleshootd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=process
> type=AVC msg=audit(1373375036.946:753): avc: denied { noatsecure } for pid=3808
comm="setroubleshootd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=process
> type=AVC msg=audit(1373375037.385:754): avc: denied { write } for pid=3808
comm="setroubleshootd" name=".dbenv.lock" dev="dm-1"
ino=1048913 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=file
> type=AVC msg=audit(1373375037.454:755): avc: denied { write } for pid=3806
comm="fail2ban-client" name="fail2ban" dev="tmpfs" ino=28732
scontext=system_u:system_r:fail2ban_client_t:s0
tcontext=system_u:object_r:fail2ban_var_run_t:s0 tclass=dir
> type=AVC msg=audit(1373375037.599:759): avc: denied { search } for pid=3814
comm="fail2ban-client" name="root" dev="dm-1" ino=1310721
scontext=system_u:system_r:fail2ban_client_t:s0 tcontext=system_u:object_r:admin_home_t:s0
tclass=dir
> type=AVC msg=audit(1373375038.114:760): avc: denied { write } for pid=3814
comm="fail2ban-client" name="fail2ban" dev="tmpfs" ino=28732
scontext=system_u:system_r:fail2ban_client_t:s0
tcontext=system_u:object_r:fail2ban_var_run_t:s0 tclass=dir
> type=AVC msg=audit(1373375038.257:764): avc: denied { search } for pid=3816
comm="fail2ban-client" name="root" dev="dm-1" ino=1310721
scontext=system_u:system_r:fail2ban_client_t:s0 tcontext=system_u:object_r:admin_home_t:s0
tclass=dir
> type=AVC msg=audit(1373375038.872:765): avc: denied { write } for pid=3816
comm="fail2ban-client" name="fail2ban" dev="tmpfs" ino=28732
scontext=system_u:system_r:fail2ban_client_t:s0
tcontext=system_u:object_r:fail2ban_var_run_t:s0 tclass=dir
> type=AVC msg=audit(1373375039.013:769): avc: denied { search } for pid=3818
comm="fail2ban-client" name="root" dev="dm-1" ino=1310721
scontext=system_u:system_r:fail2ban_client_t:s0 tcontext=system_u:object_r:admin_home_t:s0
tclass=dir
> type=AVC msg=audit(1373375039.578:770): avc: denied { write } for pid=3818
comm="fail2ban-client" name="fail2ban" dev="tmpfs" ino=28732
scontext=system_u:system_r:fail2ban_client_t:s0
tcontext=system_u:object_r:fail2ban_var_run_t:s0 tclass=dir
> type=AVC msg=audit(1373375039.716:774): avc: denied { search } for pid=3820
comm="fail2ban-client" name="root" dev="dm-1" ino=1310721
scontext=system_u:system_r:fail2ban_client_t:s0 tcontext=system_u:object_r:admin_home_t:s0
tclass=dir
> type=AVC msg=audit(1373375040.246:775): avc: denied { write } for pid=3820
comm="fail2ban-client" name="fail2ban" dev="tmpfs" ino=28732
scontext=system_u:system_r:fail2ban_client_t:s0
tcontext=system_u:object_r:fail2ban_var_run_t:s0 tclass=dir
That appears to be a bug. It should allow:
allow fail2ban_client_t fail2ban_var_run_t:dir write;
Not so sure why it would want to access admin_home_t though.
traverse the cwd
the command fail2ban-client was run from /root