On 09/07/13 13:29, Ed Greshko wrote:
Hi,
On F19 the service fail2ban won't start via systemd with selinux in enforcing mode.
The error in the message log indicates....
fail2ban-client[2804]: ERROR Directory /var/run/fail2ban exists but not accessible for writing
But, if you execute the command in the service file from the command line....
[root@f18x log]# /usr/bin/fail2ban-client -x start
2013-07-09 18:46:10,558 fail2ban.server : INFO Starting Fail2ban v0.8.10
2013-07-09 18:46:10,559 fail2ban.server : INFO Starting in daemon mode
It starts and you can see the files created in /var/run/fail2ban
[root@f18x fail2ban]# pwd
/var/run/fail2ban
[root@f18x fail2ban]# ls
fail2ban.pid fail2ban.sock
And if you put selinux in permissive mode....
[root@f18x fail2ban]# pwd
/var/run/fail2ban
[root@f18x fail2ban]# ls
[root@f18x fail2ban]# setenforce 0
[root@f18x fail2ban]# systemctl start fail2ban
[root@f18x fail2ban]# ls
fail2ban.pid fail2ban.sock
So it is running with selinux placed in permissive mode.....
But, no AVCs are ever thrown to the audit log.
How do I figure out what the culprit is?
Firstly, as I do not have an F19 handy at the moment, did you try
restorecon? Secondly, you might have to disable don't audit using
semodule -DB to get audit messages.
Then you should see some denials, if fail2ban has a don't audit option
in the policy.
Regards,
Tristan
--
Tristan Santore BSc MBCS
TS4523-RIPE
Network and Infrastructure Operations
InterNexusConnect
Mobile +44-78-55069812
Tristan.Santore(a)internexusconnect.net
Former Thawte Notary
(Please note: Thawte has closed its WoT programme down,
and I am therefore no longer able to accredit trust)
For Fedora related issues, please email me at:
TSantore(a)fedoraproject.org
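As an added example (not from the thread, and not fail2ban's or Fedora's own tooling), the script below walks through Tristan's two suggestions: compare the directory's current label with what the policy expects and relabel with restorecon if they differ, then rebuild the policy with dontaudit rules disabled (semodule -DB), retry the service start, count the AVC records, and re-enable the rules with semodule -B. The service and directory default to the thread's case, the helper functions are constructed for this illustration, and the sample audit records at the bottom are constructed so the text-processing parts can be exercised on a host without SELinux.

```shell
#!/bin/sh
# Added example (not from the thread): a service fails under SELinux enforcing
# with nothing in the audit log. Defaults follow the thread (fail2ban,
# /var/run/fail2ban); helpers and sample records are constructed for illustration.

# True when two "user:role:type:level" contexts share the same type field,
# e.g. the output of `ls -dZ DIR` versus `matchpathcon -n DIR`.
type_matches() {
    [ "$(printf '%s' "$1" | cut -d: -f3)" = "$(printf '%s' "$2" | cut -d: -f3)" ]
}

# Count AVC denial records on stdin whose comm= field starts with $1.
# Prints the count (0 when nothing matches) and always returns 0.
count_avc_for_comm() {
    grep -c "type=AVC.*comm=\"$1" || true
}

# Interactive procedure: needs root on an SELinux-enabled host.
selinux_diag() {
    svc=${1:-fail2ban}
    dir=${2:-/var/run/fail2ban}
    actual=$(ls -dZ "$dir" | awk '{print $1}')   # ls -Z prints the context first
    expected=$(matchpathcon -n "$dir")            # -n: context only, no path
    if type_matches "$actual" "$expected"; then
        echo "label on $dir already matches policy ($expected)"
    else
        echo "label mismatch on $dir: $actual vs $expected; relabelling"
        restorecon -Rv "$dir"
    fi
    # Rebuild the policy with dontaudit rules disabled so silent denials
    # reach the audit log, retry the start, then put the rules back.
    semodule -DB
    mark=$(date '+%H:%M:%S')
    systemctl start "$svc" || echo "start failed; counting denials since $mark"
    ausearch -m avc -ts "$mark" 2>/dev/null | count_avc_for_comm "$svc"
    semodule -B
}

# Constructed sample audit records (the thread shows none), shaped like real
# AVC lines; two belong to fail2ban processes, one to a different daemon.
SAMPLE_AVC='type=AVC msg=audit(1373364370.558:101): avc:  denied  { write } for  pid=2804 comm="fail2ban-client" name="fail2ban" scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
type=SYSCALL msg=audit(1373364370.558:101): arch=c000003e syscall=83 success=no
type=AVC msg=audit(1373364370.601:102): avc:  denied  { create } for  pid=2805 comm="fail2ban-server" name="fail2ban.sock" scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1373364371.004:103): avc:  denied  { read } for  pid=900 comm="sshd" name="hosts" scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file'

if [ "${1:-}" = run ]; then
    selinux_diag "$2" "$3"
fi
```

Run it as `sh script.sh run fail2ban /var/run/fail2ban` on the affected host; without the `run` argument it only defines the functions.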