I'm running Fedora 17, kernel 3.9.10-100.fc17.i686.PAE
I am installing and configuring ipset as an addition to fail2ban, which
I have been running successfully for some time.
I expected some complaints from selinux so I have set permissive mode
and the first run of fail2ban produces this audit.log when ipset tries
to run to insert a ban:
type=AVC msg=audit(1379280989.345:21513): avc: denied { create } for
pid=4270 comm="ipset" scontext=system_u:system_r:fail2ban_t:s0
tcontext=system_u:system_r:fail2ban_t:s0 tclass=netlink_socket
I create fail2ban.te:
# cat /var/log/audit/audit.log | audit2allow -m fail2ban > fail2ban.te
Which looks like this:
module fail2ban 1.0;
require {
type fail2ban_t;
class netlink_socket { bind create getattr };
}
#============= fail2ban_t ==============
allow fail2ban_t self:netlink_socket { bind create getattr };
For the record I have done these:
# checkmodule -M -m -o fail2ban.mod fail2ban.te
checkmodule: loading policy configuration from fail2ban.te
checkmodule: policy configuration loaded
checkmodule: writing binary representation (version 15) to fail2ban.mod
# semodule_package -o fail2ban.pp -m fail2ban.mod
But the install FAILS:
# semodule --verbose -i fail2ban.pp
Attempting to install module 'fail2ban.pp':
Ok: return value of 0.
Committing changes:
libsepol.print_missing_requirements: fail2ban-client's global
requirements were not met: type/attribute fail2ban_var_run_t
libsemanage.semanage_link_sandbox: Link packages failed
semodule: Failed!
However seinfo says:
# seinfo --type=fail2ban_var_run_t
fail2ban_var_run_t
I don't see any requirement for fail2ban_var_run_t in the above!
I have previously installed fail2ban-client which allows fail2ban to
monitor /var/log/httpd/access_log and write to its own log:
module fail2ban-client 1.0;
require {
type httpd_log_t;
type fail2ban_var_run_t;
type fail2ban_client_t;
class dir { read write search };
}
#============= fail2ban_client_t ==============
allow fail2ban_client_t fail2ban_var_run_t:dir write;
allow fail2ban_client_t httpd_log_t:dir read;
allow fail2ban_client_t httpd_log_t:dir search;
Which compiles and installs without a problem!
NB fail2ban-client.te contains type fail2ban_var_run_t
What am I missing?
TIA Charles Bradshaw
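An added example, not part of the post above and not from the fail2ban or SELinux projects: a small Python script that does what the `audit2allow -m` step in the post does (collects AVC records into a .te module) and, before that, checks the chosen module name against `semodule -l` output. The reason for the check: `semodule -i` of a module whose name matches one already installed replaces that module, and Fedora's selinux-policy ships its fail2ban policy as a module named `fail2ban`, which is where `fail2ban_var_run_t` is defined. That is consistent with what the post shows: `seinfo` finds the type before the install, yet the link step reports fail2ban-client's requirement for it as unmet once a two-rule module called `fail2ban` takes the distribution module's place. The audit lines and the `semodule -l` listing in the script are constructed to match the post's scenario (versions included), and `local_fail2ban` is an assumed replacement name.

```python
"""Build an SELinux .te module from AVC denials, refusing a module name that
would replace a module already installed (constructed example, not the post's own)."""
import re
from collections import defaultdict

# Constructed audit records modelled on the denial quoted in the post: the three
# netlink_socket denials behind audit2allow's { bind create getattr }, plus two dir
# denials of the kind the poster's fail2ban-client module covers, and one non-AVC line.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1379280989.345:21513): avc:  denied  { create } for  pid=4270 comm="ipset" scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 tclass=netlink_socket
type=AVC msg=audit(1379280989.346:21514): avc:  denied  { bind } for  pid=4270 comm="ipset" scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 tclass=netlink_socket
type=AVC msg=audit(1379280989.347:21515): avc:  denied  { getattr } for  pid=4270 comm="ipset" scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 tclass=netlink_socket
type=AVC msg=audit(1379280990.001:21516): avc:  denied  { search } for  pid=4271 comm="fail2ban-client" name="httpd" scontext=system_u:system_r:fail2ban_client_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=dir
type=AVC msg=audit(1379280990.002:21517): avc:  denied  { read } for  pid=4271 comm="fail2ban-client" name="httpd" scontext=system_u:system_r:fail2ban_client_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=dir
type=SYSCALL msg=audit(1379280989.345:21513): arch=40000003 syscall=102 success=yes exit=0
"""

# Constructed `semodule -l` output (name, whitespace, version): the distribution's
# fail2ban module, which defines fail2ban_var_run_t, and the poster's fail2ban-client
# module, which requires that type, are both already installed.
SAMPLE_SEMODULE_LIST = """\
apache\t2.5.0
fail2ban\t1.4.0
fail2ban-client\t1.0
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\b.*?"
    r"\bscontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)


def selinux_type(context):
    """user:role:type[:level] -> type (works for MLS ranges too)."""
    return context.split(":")[2]


def parse_avc_denials(audit_text):
    """Denied permissions per (source type, target type, object class)."""
    rules = defaultdict(set)
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue  # SYSCALL, CWD, PATH ... records carry no denial
        key = (selinux_type(m["scon"]), selinux_type(m["tcon"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return dict(rules)


def _perm_str(perms):
    """audit2allow style: one permission bare, several inside braces."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def render_te(module_name, rules):
    """Emit a .te in the layout `audit2allow -m` produces."""
    types = sorted({t for src, tgt, _ in rules for t in (src, tgt)})
    per_class = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        per_class[cls] |= perms
    out = [f"module {module_name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {_perm_str(p)};" for c, p in sorted(per_class.items())]
    out += ["}", ""]
    current_src = None
    for (src, tgt, cls), perms in sorted(rules.items()):
        if src != current_src:  # one section per source domain
            if current_src is not None:
                out.append("")
            out.append(f"#============= {src} ==============")
            current_src = src
        target = "self" if tgt == src else tgt
        out.append(f"allow {src} {target}:{cls} {_perm_str(perms)};")
    return "\n".join(out) + "\n"


def installed_modules(semodule_list_output):
    """Module names from `semodule -l` output."""
    return {line.split()[0] for line in semodule_list_output.splitlines() if line.strip()}


def name_collides(module_name, installed):
    """True if `semodule -i` would replace an installed module of that name,
    dropping every type that module defines from the linked policy."""
    return module_name in installed


def build_module(module_name, audit_text, semodule_list_output):
    """Return the .te text, or raise if the name would clobber an installed module."""
    if name_collides(module_name, installed_modules(semodule_list_output)):
        raise ValueError(f"module {module_name!r} is already installed; "
                         f"use another name such as local_{module_name}")
    return render_te(module_name, parse_avc_denials(audit_text))


if __name__ == "__main__":
    for name in ("fail2ban", "local_fail2ban"):
        try:
            print(build_module(name, SAMPLE_AUDIT_LOG, SAMPLE_SEMODULE_LIST))
        except ValueError as err:
            print("refused:", err)
    print("then: checkmodule -M -m -o local_fail2ban.mod local_fail2ban.te && "
          "semodule_package -o local_fail2ban.pp -m local_fail2ban.mod && "
          "semodule -i local_fail2ban.pp")
```

Run with a real audit.log and real `semodule -l` output substituted for the two constructed strings; the generated .te has the same shape as the one in the post, only under a name that does not shadow the distribution's fail2ban module.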