-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 07/09/2013 10:27 AM, Dominick Grift wrote:
On Tue, 2013-07-09 at 21:28 +0800, Ed Greshko wrote:
> On 07/09/13 21:06, Ed Greshko wrote:
>
>
> Sorry to be responding to myself....but....
>
> It seems this AVC is the relevant one since /run is on tmpfs.
>>
>> type=AVC msg=audit(1373375040.246:775): avc: denied { write } for
>> pid=3820 comm="fail2ban-client" name="fail2ban"
dev="tmpfs" ino=28732
>> scontext=system_u:system_r:fail2ban_client_t:s0
>> tcontext=system_u:object_r:fail2ban_var_run_t:s0 tclass=dir
>
> Not being fluent in selinux.... Would this be a bug in the fail2ban
> policy module.... Or, something else?
>
yes a bug in the fail2ban policy module
either the fail2ban client checks to see if /run/fail2ban is writable or it
actually wants to create something in there ( but there is currently no
trace of the latter)
-- selinux mailing list selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
It seems that fail2ban-client is doing a check to see if it can write there
before using the socket. Seems like a bogus check which we don't audited
before, but now seems to be causing problems.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)
Comment: Using GnuPG with Thunderbird -
http://www.enigmail.net/
iEYEARECAAYFAlHcKnQACgkQrlYvE4MpobMJwgCeIVcJqt4WPlR0ai0SVH+BZptt
23QAn0sDF6gF1GEjHmu9e2deoZnWoCuG
=odl6
-----END PGP SIGNATURE-----