On 09/07/13 14:06, Ed Greshko wrote:
type=AVC msg=audit(1373375036.941:752): avc: denied { search } for
pid=3806 comm="fail2ban-client" name="root" dev="dm-1"
ino=1310721 scontext=system_u:system_r:fail2ban_client_t:s0
tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
type=AVC msg=audit(1373375036.946:753): avc: denied { rlimitinh } for pid=3808
comm="setroubleshootd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1373375036.946:753): avc: denied { siginh } for pid=3808
comm="setroubleshootd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1373375036.946:753): avc: denied { noatsecure } for pid=3808
comm="setroubleshootd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1373375037.385:754): avc: denied { write } for pid=3808
comm="setroubleshootd" name=".dbenv.lock" dev="dm-1"
ino=1048913 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=file
type=AVC msg=audit(1373375037.454:755): avc: denied { write } for pid=3806
comm="fail2ban-client" name="fail2ban" dev="tmpfs" ino=28732
scontext=system_u:system_r:fail2ban_client_t:s0
tcontext=system_u:object_r:fail2ban_var_run_t:s0 tclass=dir
type=AVC msg=audit(1373375037.599:759): avc: denied { search } for pid=3814
comm="fail2ban-client" name="root" dev="dm-1" ino=1310721
scontext=system_u:system_r:fail2ban_client_t:s0 tcontext=system_u:object_r:admin_home_t:s0
tclass=dir
type=AVC msg=audit(1373375038.114:760): avc: denied { write } for pid=3814
comm="fail2ban-client" name="fail2ban" dev="tmpfs" ino=28732
scontext=system_u:system_r:fail2ban_client_t:s0
tcontext=system_u:object_r:fail2ban_var_run_t:s0 tclass=dir
type=AVC msg=audit(1373375038.257:764): avc: denied { search } for pid=3816
comm="fail2ban-client" name="root" dev="dm-1" ino=1310721
scontext=system_u:system_r:fail2ban_client_t:s0 tcontext=system_u:object_r:admin_home_t:s0
tclass=dir
type=AVC msg=audit(1373375038.872:765): avc: denied { write } for pid=3816
comm="fail2ban-client" name="fail2ban" dev="tmpfs" ino=28732
scontext=system_u:system_r:fail2ban_client_t:s0
tcontext=system_u:object_r:fail2ban_var_run_t:s0 tclass=dir
type=AVC msg=audit(1373375039.013:769): avc: denied { search } for pid=3818
comm="fail2ban-client" name="root" dev="dm-1" ino=1310721
scontext=system_u:system_r:fail2ban_client_t:s0 tcontext=system_u:object_r:admin_home_t:s0
tclass=dir
type=AVC msg=audit(1373375039.578:770): avc: denied { write } for pid=3818
comm="fail2ban-client" name="fail2ban" dev="tmpfs" ino=28732
scontext=system_u:system_r:fail2ban_client_t:s0
tcontext=system_u:object_r:fail2ban_var_run_t:s0 tclass=dir
type=AVC msg=audit(1373375039.716:774): avc: denied { search } for pid=3820
comm="fail2ban-client" name="root" dev="dm-1" ino=1310721
scontext=system_u:system_r:fail2ban_client_t:s0 tcontext=system_u:object_r:admin_home_t:s0
tclass=dir
type=AVC msg=audit(1373375040.246:775): avc: denied { write } for pid=3820
comm="fail2ban-client" name="fail2ban" dev="tmpfs" ino=28732
scontext=system_u:system_r:fail2ban_client_t:s0
tcontext=system_u:object_r:fail2ban_var_run_t:s0 tclass=dir
That appears to be a bug. It should allow:
allow fail2ban_client_t fail2ban_var_run_t:dir write;
Not so sure why it would want to access admin_home_t though.
Create a policy with that line in. And yes, it is a bug, because all files
matching /var/run/fail2ban.* are labelled
system_u:object_r:fail2ban_var_run_t:s0.
I haven't got fail2ban installed here, but it should allow it to create
the pid file and socket. You might find after that the access to the
socket also gets blocked. So fix the one issue, then check the audit log
again.
Please make sure you file a bug on bugzilla.redhat.com against the
selinux-policy package.
Regards,
Tristan
--
Tristan Santore BSc MBCS
TS4523-RIPE
Network and Infrastructure Operations
InterNexusConnect
Mobile +44-78-55069812
Tristan.Santore(a)internexusconnect.net
Former Thawte Notary
(Please note: Thawte has closed its WoT programme down,
and I am therefore no longer able to accredit trust)
For Fedora related issues, please email me at:
TSantore(a)fedoraproject.org
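As an added example (not code from the thread or from the selinux-policy project), the merging step that audit2allow performs over AVC records like the ones quoted above, rendered as a local .te module with the rule Tristan cites, while the admin_home_t search he questions is held back for review rather than allowed; it assumes Python 3 and a constructed SAMPLE_LOG re-joined to one record per line.

```python
"""Merge SELinux AVC denials into candidate allow rules for a local module.
Added example, not code from the thread: it reproduces the merging that
audit2allow does so the rule Tristan cites can be checked against the log.
SAMPLE_LOG is constructed from the denials quoted above, one record per line;
REVIEW_TYPES holds targets kept back for a human decision (admin_home_t here).
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
type=AVC msg=audit(1373375036.941:752): avc: denied { search } for pid=3806 comm="fail2ban-client" name="root" dev="dm-1" ino=1310721 scontext=system_u:system_r:fail2ban_client_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
type=AVC msg=audit(1373375037.454:755): avc: denied { write } for pid=3806 comm="fail2ban-client" name="fail2ban" dev="tmpfs" ino=28732 scontext=system_u:system_r:fail2ban_client_t:s0 tcontext=system_u:object_r:fail2ban_var_run_t:s0 tclass=dir
type=AVC msg=audit(1373375038.114:760): avc: denied { write } for pid=3814 comm="fail2ban-client" name="fail2ban" dev="tmpfs" ino=28732 scontext=system_u:system_r:fail2ban_client_t:s0 tcontext=system_u:object_r:fail2ban_var_run_t:s0 tclass=dir
type=AVC msg=audit(1373375037.385:754): avc: denied { write } for pid=3808 comm="setroubleshootd" name=".dbenv.lock" dev="dm-1" ino=1048913 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=file
"""
REVIEW_TYPES = {"admin_home_t"}
DENIED_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")

def parse_avc(line):
    """Return (source type, target type, class, permissions) or None."""
    m = DENIED_RE.search(line)
    if not m:
        return None
    fields = dict(re.findall(r"(\w+)=(\S+)", line))
    # A context is user:role:type[:range]; the type is always field three.
    stype = fields["scontext"].split(":")[2]
    ttype = fields["tcontext"].split(":")[2]
    return stype, ttype, fields["tclass"], set(m.group(1).split())

def allow_rules(log_text):
    """Merge denials per (source, target, class); return (rules, review)."""
    merged = defaultdict(set)
    for parsed in filter(None, map(parse_avc, log_text.splitlines())):
        merged[parsed[:3]] |= parsed[3]
    rules, review = [], []
    for key, perms in sorted(merged.items()):
        (review if key[1] in REVIEW_TYPES else rules).append(key + (frozenset(perms),))
    return rules, review

def te_module(name, rules):
    """Render rules as .te source in the layout audit2allow emits."""
    types, classes, body = set(), defaultdict(set), []
    for stype, ttype, tclass, perms in rules:
        types |= {stype, ttype}
        classes[tclass] |= perms
        p = " ".join(sorted(perms))
        body.append("allow %s %s:%s %s;" % (stype, ttype, tclass, p if len(perms) == 1 else "{ %s }" % p))
    req = ["\ttype %s;" % t for t in sorted(types)]
    req += ["\tclass %s { %s };" % (c, " ".join(sorted(p))) for c, p in sorted(classes.items())]
    return "module %s 1.0;\n\nrequire {\n%s\n}\n\n%s\n" % (name, "\n".join(req), "\n".join(body))
```

Running `te_module("fail2ban_local", allow_rules(SAMPLE_LOG)[0])` yields a module containing exactly `allow fail2ban_client_t fail2ban_var_run_t:dir write;`, while the admin_home_t search lands in the review list instead of the module.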