Fail2ban and SELinux
Daniel J Walsh
dwalsh at redhat.com
Mon Apr 21 19:48:51 UTC 2008
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
max bianco wrote:
> On Thu, Apr 17, 2008 at 1:37 PM, max bianco <maximilianbianco at gmail.com> wrote:
>> On Thu, Apr 17, 2008 at 1:22 PM, max bianco <maximilianbianco at gmail.com> wrote:
>> >
>> > On Thu, Apr 17, 2008 at 11:25 AM, Daniel J Walsh <dwalsh at redhat.com> wrote:
>> > >
>> > > -----BEGIN PGP SIGNED MESSAGE-----
>> > > Hash: SHA1
>> > >
>> > > max bianco wrote:
>> > > > On Wed, Apr 16, 2008 at 8:37 AM, Daniel J Walsh <dwalsh at redhat.com> wrote:
>> > > >> -----BEGIN PGP SIGNED MESSAGE-----
>> > > >> Hash: SHA1
>> > > >>
>> > > >>
>> > > >>
>> > > >> max wrote:
>> > > >> > Daniel J Walsh wrote:
>> > > >> >> -----BEGIN PGP SIGNED MESSAGE-----
>> > > >> >> Hash: SHA1
>> > > >> >>
>> > > >> >> max bianco wrote:
>> > > >> >>> I recently installed fail2ban on my F8 box. I don't allow remote
>> > > >> >>> access to my box but it had been mentioned recently so I decided to
>> > > >> >>> test it out. I installed it a few days ago but didn't do anything with
>> > > >> >>> it till last night. I had forgotten about it but I was perusing log
>> > > >> >>> files and saw 21 AVC's related it to it. I pulled up my services gui
>> > > >> >>> and sure enough it wasn't running. I tried to start it and got
>> > > >> >>> denied(it wouldn't start from a terminal at all, complaining that the
>> > > >> >>> service is unrecognized). No problem , i expected as much when I saw
>> > > >> >>> the AVC's in my log files but I always try things more than once so I
>> > > >> >>> tried to start it a second time and this time and every time after it
>> > > >> >>> started without generating a denial. Is this because I manually
>> > > >> >>> started the service? That doesn't make sense because then it would
>> > > >> >>> have worked the first time as well but it didn't. I see that there is
>> > > >> >>> a policy module for fail2ban but if the module is in place then
>> > > >> >>> shouldn't it have run without issues? Why 21 AVC's and then its
>> > > >> >>> working? I am learning my way around SELinux but I don't feel
>> > > >> >>> comfortable enough to troubleshoot this problem correctly, so where do
>> > > >> >>> I start?
>> > > >> >>>
>> > > >> >>> Max
>> > > >> >>>
>> > > >> >>> --
>> > > >> >>> fedora-selinux-list mailing list
>> > > >> >>> fedora-selinux-list at redhat.com
>> > > >> >>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>> > > >> >> Was there a policy upgrade during this time? Problem might have been
>> > > >> >> fixed.
>> > > >> >>
>> > > >> > The time between my first manual attempt to start fail2ban,which
>> > > >> > generated an SELinux Denial, and the second, which started the service,
>> > > >> > was about 30 seconds. I checked the logs again today this is a portion
>> > > >> > of the output from yesterday and today :
>> > > >> >
>> > > >> >> Apr 14 23:24:32 localhost setroubleshoot: [program.ERROR]
>> > > >> >> setroubleshoot generated AVC, exiting to avoid recursion,
>> > > >> >> context=system_u:system_r:setroubleshootd_t:s0, AVC
>> > > >> >> scontext=system_u:system_r:setroubleshootd_t:s0
>> > > >> >> Apr 14 23:24:32 localhost setroubleshoot: [program.ERROR] audit
>> > > >> >> event#012host=localhost.localdomain type=AVC
>> > > >> >> msg=audit(1208229871.594:256): avc: denied { write } for pid=2530
>> > > >> >> comm="setroubleshootd" name="rpm" dev=dm-0 ino=229382
>> > > >> >> scontext=system_u:system_r:setroubleshootd_t:s0
>> > > >> >> tcontext=system_u:object_r:rpm_var_lib_t:s0
>> > > >> >> tclass=dir#012#012host=localhost.localdomain type=SYSCALL
>> > > >> >> msg=audit(1208229871.594:256): arch=c000003e syscall=21 success=no
>> > > >> >> exit=-13 a0=eaf2f0 a1=2 a2=0 a3=0 items=0 ppid=1 pid=2530
>> > > >> >> auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
>> > > >> >> fsgid=0 tty=(none) comm="setroubleshootd" exe="/usr/bin/python"
>> > > >> >> subj=system_u:system_r:setroubleshootd_t:s0 key=(null)
>> > > >> >> Apr 14 23:24:32 localhost setroubleshoot: [program.ERROR]
>> > > >> >> setroubleshoot generated AVC, exiting to avoid recursion,
>> > > >> >> context=system_u:system_r:setroubleshootd_t:s0, AVC
>> > > >> >> scontext=system_u:system_r:setroubleshootd_t:s0
>> > > >> >> Apr 14 23:24:32 localhost setroubleshoot: [program.ERROR] audit
>> > > >> >> event#012host=localhost.localdomain type=AVC
>> > > >> >> msg=audit(1208229871.595:257): avc: denied { write } for pid=2530
>> > > >> >> comm="setroubleshootd" name="rpm" dev=dm-0 ino=229382
>> > > >> >> scontext=system_u:system_r:setroubleshootd_t:s0
>> > > >> >> tcontext=system_u:object_r:rpm_var_lib_t:s0
>> > > >> >> tclass=dir#012#012host=localhost.localdomain type=SYSCALL
>> > > >> >> msg=audit(1208229871.595:257): arch=c000003e syscall=21 success=no
>> > > >> >> exit=-13 a0=d684a0 a1=2 a2=0 a3=0 items=0 ppid=1 pid=2530
>> > > >> >> auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
>> > > >> >> fsgid=0 tty=(none) comm="setroubleshootd" exe="/usr/bin/python"
>> > > >> >> subj=system_u:system_r:setroubleshootd_t:s0 key=(null)
>> > > >> >> Apr 15 17:26:32 localhost setroubleshoot: SELinux is preventing
>> > > >> >> fail2ban-server (fail2ban_t) "getattr" to / (security_t). For complete
>> > > >> >> SELinux messages. run sealert -l fe77e9af-a0e1-442b-a176-08f2db381144
>> > > >> >> Apr 15 17:26:36 localhost setroubleshoot: SELinux is preventing
>> > > >> >> fail2ban-server (fail2ban_t) "read" to ./config (selinux_config_t).
>> > > >> >> For complete SELinux messages. run sealert -l
>> > > >> >> 99f22448-5c31-4a6f-8f55-02f7404fba5d
>> > > >> >> Apr 15 17:26:36 localhost setroubleshoot: SELinux is preventing
>> > > >> >> fail2ban-server (fail2ban_t) "search" to / (security_t). For complete
>> > > >> >> SELinux messages. run sealert -l 85b915f3-5a0b-4a2b-9bf1-c3a88bdd5951
>> > > >> >> Apr 15 17:26:36 localhost setroubleshoot: SELinux is preventing
>> > > >> >> fail2ban-server (fail2ban_t) "search" to / (security_t). For complete
>> > > >> >> SELinux messages. run sealert -l 85b915f3-5a0b-4a2b-9bf1-c3a88bdd5951
>> > > >> >> Apr 15 17:26:37 localhost setroubleshoot: [program.ERROR]
>> > > >> >> setroubleshoot generated AVC, exiting to avoid recursion,
>> > > >> >> context=system_u:system_r:setroubleshootd_t:s0, AVC
>> > > >> >> scontext=system_u:system_r:setroubleshootd_t:s0
>> > > >> >> Apr 15 17:26:37 localhost setroubleshoot: SELinux is preventing
>> > > >> >> iptables (iptables_t) "read write" to socket (fail2ban_t). For
>> > > >> >> complete SELinux messages. run sealert -l
>> > > >> >> 6cb9955a-b9cf-470c-87d1-e72bfa4b1fe2
>> > > >> >> Apr 15 17:26:37 localhost setroubleshoot: [program.ERROR] audit
>> > > >> >> event#012host=localhost.localdomain type=AVC
>> > > >> >> msg=audit(1208294790.920:161): avc: denied { write } for pid=2506
>> > > >> >> comm="setroubleshootd" name="rpm" dev=dm-0 ino=229382
>> > > >> >> scontext=system_u:system_r:setroubleshootd_t:s0
>> > > >> >> tcontext=system_u:object_r:rpm_var_lib_t:s0
>> > > >> >> tclass=dir#012#012host=localhost.localdomain type=SYSCALL
>> > > >> >> msg=audit(1208294790.920:161): arch=c000003e syscall=21 success=no
>> > > >> >> exit=-13 a0=dbf500 a1=2 a2=0 a3=0 items=0 ppid=1 pid=2506
>> > > >> >> auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
>> > > >> >> fsgid=0 tty=(none) comm="setroubleshootd" exe="/usr/bin/python"
>> > > >> >> subj=system_u:system_r:setroubleshootd_t:s0 key=(null)
>> > > >> >
>> > > >> > At this point Fail2ban reports it is running .That is only a small
>> > > >> > portion of what is generated but maybe it can give you an idea.
>> > > >> > Subsequently SETroubleshoot crashes, specifically it says: connection
>> > > >> > lost /var/run/setroubleshoot/setroubleshoot_server. The other thing is
>> > > >> > that I stopped the fail2ban service and rebooted but SETroubleshoot is
>> > > >> > still crashing, it will generate an AVC when I try to run it then all
>> > > >> > the output is lost before I can read the AVC. As i have been flipping
>> > > >> > back and forth typing this, checking logs, restarting
>> > > >> > SETroubleshoot(about six or seven times now), SETroubleshoot is now up
>> > > >> > and running like nothing happened. Now that SETroubleshoot is running I
>> > > >> > expected to find additional AVC's from today but the last one is from
>> > > >> > yesterday concerning fail2ban. The Alert Count should show 22 not 21
>> > > >> > like it does (if we count the one I got the first time i tried to start
>> > > >> > fail2ban manually)
>> > > >> >
>> > > >> > This is the AVC i was getting from Fail2ban before all this ....stuff
>> > > >> > went haywire on me.
>> > > >> >
>> > > >> >
>> > > >> > Summary:
>> > > >> >
>> > > >> > SELinux is preventing fail2ban-server (fail2ban_t) "connectto" to
>> > > >> >
>> > > >> > 002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
>> > > >> >
>> > > >> > (rpm_t).
>> > > >> >
>> > > >> > Detailed Description:
>> > > >> >
>> > > >> > SELinux denied access requested by fail2ban-server. It is not expected
>> > > >> > that this
>> > > >> > access is required by fail2ban-server and this access may signal an
>> > > >> > intrusion
>> > > >> > attempt. It is also possible that the specific version or configuration
>> > > >> > of the
>> > > >> > application is causing it to require additional access.
>> > > >> >
>> > > >> > Allowing Access:
>> > > >> >
>> > > >> > You can generate a local policy module to allow this access - see FAQ
>> > > >> > (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
>> > > >> > disable
>> > > >> > SELinux protection altogether. Disabling SELinux protection is not
>> > > >> > recommended.
>> > > >> > Please file a bug report
>> > > >> > (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
>> > > >> > against this package.
>> > > >> >
>> > > >> > Additional Information:
>> > > >> >
>> > > >> > Source Context system_u:system_r:fail2ban_t:s0
>> > > >> > Target Context system_u:system_r:rpm_t:s0
>> > > >> > Target Objects 002F746D702F66616D2D726F6F742D00000000000000000000
>> > > >> >
>> > > >> > 00000000000000000000000000000000000000000000000000
>> > > >> >
>> > > >> > 00000000000000000000000000000000000000000000000000
>> > > >> >
>> > > >> > 00000000000000000000000000000000000000000000000000
>> > > >> > 0000000000000000 [ unix_stream_socket ]
>> > > >> > Source fail2ban-server
>> > > >> > Source Path /usr/bin/python
>> > > >> > Port <Unknown>
>> > > >> > Host localhost.localdomain
>> > > >> > Source RPM Packages python-2.5.1-15.fc8
>> > > >> > Target RPM Packages
>> > > >> > Policy RPM selinux-policy-3.0.8-95.fc8
>> > > >> > Selinux Enabled True
>> > > >> > Policy Type targeted
>> > > >> > MLS Enabled True
>> > > >> > Enforcing Mode Enforcing
>> > > >> > Plugin Name catchall
>> > > >> > Host Name localhost.localdomain
>> > > >> > Platform Linux localhost.localdomain
>> > > >> > 2.6.24.4-64.fc8 #1 SMP
>> > > >> > Sat Mar 29 09:15:49 EDT 2008 x86_64 x86_64
>> > > >> > Alert Count 21
>> > > >> > First Seen Mon 14 Apr 2008 10:38:42 PM EDT
>> > > >> > Last Seen Mon 14 Apr 2008 10:38:43 PM EDT
>> > > >> > Local ID 13bee4e4-ca74-488b-a4df-15f5bf78987f
>> > > >> > Line Numbers
>> > > >> >
>> > > >> > Raw Audit Messages
>> > > >> >
>> > > >> > host=localhost.localdomain type=AVC msg=audit(1208227123.34:107): avc:
>> > > >> > denied { connectto } for pid=6314 comm="fail2ban-server"
>> > > >> > path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
>> > > >> > scontext=system_u:system_r:fail2ban_t:s0
>> > > >> > tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket
>> > > >> >
>> > > >> > host=localhost.localdomain type=SYSCALL msg=audit(1208227123.34:107):
>> > > >> > arch=c000003e syscall=42 success=no exit=-13 a0=6 a1=7fffe5116700 a2=6e
>> > > >> > a3=0 items=0 ppid=1 pid=6314 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0
>> > > >> > egid=0 sgid=0 fsgid=0 tty=(none) comm="fail2ban-server"
>> > > >> > exe="/usr/bin/python" subj=system_u:system_r:fail2ban_t:s0 key=(null)
>> > > >> >
>> > > >> >
>> > > >> > Now that I have SETroubleshoot running i tried the sealert command
>> > > >> > suggested in the log files :
>> > > >> >
>> > > >> > [root at localhost log]# sealert -l 6cb9955a-b9cf-470c-87d1-e72bfa4b1fe2
>> > > >> > failed to connect to server: Connection refused
>> > > >> > [root at localhost log]# sealert -l 6cb9955a-b9cf-470c-87d1-e72bfa4b1fe2
>> > > >> > query_alerts error (1003): id (6cb9955a-b9cf-470c-87d1-e72bfa4b1fe2) not
>> > > >> > found
>> > > >> >
>> > > >> > Ran it twice, second time it worked.
>> > > >> > I hope i'm not confusing anyone , i'll repost the order of events if
>> > > >> > need be. I hesitate to file a bug when it could just be me making rookie
>> > > >> > mistakes. I will try to reproduce again tomorrow on this box and my
>> > > >> > other F8 to see what I can see but if you have any advice it would be
>> > > >> > gratefully received.
>> > > >> >
>> > > >> >
>> > > >> > Max
>> > > >> >
>> > > >> Please send me your /var/log/audit/audit.log
>> > > >>
>> > > >> -----BEGIN PGP SIGNATURE-----
>> > > >> Version: GnuPG v1.4.9 (GNU/Linux)
>> > > >> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
>> > > >>
>> > > >> iEYEARECAAYFAkgF8xsACgkQrlYvE4MpobN1owCdEbzCCIj7piE2fFt+PgK/nnEW
>> > > >> GtgAnRk1OXQzWbBAelxUsa5xR/P5QX6c
>> > > >> =ayhr
>> > > >> -----END PGP SIGNATURE-----
>> > > >>
>> > > > Looks like several drafts of my mail hit the list, sorry about that
>> > > > but I had to revise once setroubleshoot started working. Strange, i'll
>> > > > have to look into it later or maybe its just gmail or thunderbird(time
>> > > > to fire up wireshark!!). Anyway I'll send the audit.log from that box
>> > > > once I get back to it. Different F8 box(i686), installed fail2ban,
>> > > > started service and generated AVC(almost identical) but SETroubleshoot
>> > > > doesn't crash like it does on the x86_64 box at least not so far. All
>> > > > of the following is from the i686 box , a portion of audit.log follows
>> > > > this AVC:
>> > > >
>> > > >
>> > > > Summary:
>> > > >
>> > > > SELinux is preventing fail2ban-server (fail2ban_t) "connectto" to
>> > > > 002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
>> > > > (rpm_t).
>> > > >
>> > > > Detailed Description:
>> > > >
>> > > > SELinux denied access requested by fail2ban-server. It is not expected that this
>> > > > access is required by fail2ban-server and this access may signal an intrusion
>> > > > attempt. It is also possible that the specific version or configuration of the
>> > > > application is causing it to require additional access.
>> > > >
>> > > > Allowing Access:
>> > > >
>> > > > You can generate a local policy module to allow this access - see FAQ
>> > > > (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
>> > > > SELinux protection altogether. Disabling SELinux protection is not recommended.
>> > > > Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
>> > > > against this package.
>> > > >
>> > > > Additional Information:
>> > > >
>> > > > Source Context system_u:system_r:fail2ban_t
>> > > > Target Context system_u:system_r:rpm_t
>> > > > Target Objects 002F746D702F66616D2D726F6F742D00000000000000000000
>> > > > 00000000000000000000000000000000000000000000000000
>> > > > 00000000000000000000000000000000000000000000000000
>> > > > 00000000000000000000000000000000000000000000000000
>> > > > 0000000000000000 [ unix_stream_socket ]
>> > > > Source fail2ban-server
>> > > > Source Path /usr/bin/python
>> > > > Port <Unknown>
>> > > > Host localhost.localdomain
>> > > > Source RPM Packages python-2.5.1-15.fc8
>> > > > Target RPM Packages
>> > > > Policy RPM selinux-policy-3.0.8-95.fc8
>> > > > Selinux Enabled True
>> > > > Policy Type targeted
>> > > > MLS Enabled True
>> > > > Enforcing Mode Enforcing
>> > > > Plugin Name catchall
>> > > > Host Name localhost.localdomain
>> > > > Platform Linux localhost.localdomain 2.6.24.4-64.fc8 #1 SMP
>> > > > Sat Mar 29 09:54:46 EDT 2008 i686 athlon
>> > > > Alert Count 26
>> > > > First Seen Wed 16 Apr 2008 08:39:06 AM EDT
>> > > > Last Seen Wed 16 Apr 2008 08:39:08 AM EDT
>> > > > Local ID ede0cda2-138a-4222-936b-289297d95cee
>> > > > Line Numbers
>> > > >
>> > > > Raw Audit Messages
>> > > >
>> > > > host=localhost.localdomain type=AVC msg=audit(1208349548.205:47): avc:
>> > > > denied { connectto } for pid=3045 comm="fail2ban-server"
>> > > > path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
>> > > > scontext=system_u:system_r:fail2ban_t:s0
>> > > > tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket
>> > > >
>> > > > host=localhost.localdomain type=SYSCALL msg=audit(1208349548.205:47):
>> > > > arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfefa2b0
>> > > > a2=165110 a3=b7f9602c items=0 ppid=1 pid=3045 auid=500 uid=0 gid=0
>> > > > euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
>> > > > comm="fail2ban-server" exe="/usr/bin/python"
>> > > > subj=system_u:system_r:fail2ban_t:s0 key=(null)
>> > > >
>> > > >
>> > > >
>> > > >
>> > > >
>> > > >
>> > > > I am posting a portion of the audit.log relating to fail2ban as the
>> > > > entire log is quite large. If you want the whole thing unedited then I
>> > > > will attach it. I think this should be more than enough, i didn't
>> > > > parse it , just a simple copy and paste. I don't know what you may or
>> > > > may not find relevant here so it goes from a couple of entries before
>> > > > fail2ban is mentioned and a few after the last mention of fail2ban.
>> > > > Most of the entries look identical and end in key=(null) maybe i could
>> > > > just dismiss it but i take all the AVC's seriously until I know
>> > > > better:
>> > > >
>> > > >
>> > > > type=USER_START msg=audit(1208349505.423:21): user pid=2891 uid=500
>> > > > auid=500 subj=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023
>> > > > msg='op=PAM:session_open acct=root exe="/usr/sbin/userhelper"
>> > > > (hostname=?, addr=?, terminal=? res=success)'
>> > > > type=AVC msg=audit(1208349546.967:22): avc: denied { connectto } for
>> > > > pid=3045 comm="fail2ban-server"
>> > > > path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
>> > > > scontext=system_u:system_r:fail2ban_t:s0
>> > > > tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket
>> > > > type=SYSCALL msg=audit(1208349546.967:22): arch=40000003 syscall=102
>> > > > success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0
>> > > > ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
>> > > > sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python"
>> > > > subj=system_u:system_r:fail2ban_t:s0 key=(null)
>> > > > type=AVC msg=audit(1208349546.976:23): avc: denied { connectto } for
>> > > > pid=3045 comm="fail2ban-server"
>> > > > path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
>> > > > scontext=system_u:system_r:fail2ban_t:s0
>> > > > tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket
>> > > > type=SYSCALL msg=audit(1208349546.976:23): arch=40000003 syscall=102
>> > > > success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0
>> > > > ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
>> > > > sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python"
>> > > > subj=system_u:system_r:fail2ban_t:s0 key=(null)
>> > > > type=AVC msg=audit(1208349547.028:24): avc: denied { connectto } for
>> > > > pid=3045 comm="fail2ban-server"
>> > > > path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
>> > > > scontext=system_u:system_r:fail2ban_t:s0
>> > > > tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket
>> > > > type=SYSCALL msg=audit(1208349547.028:24): arch=40000003 syscall=102
>> > > > success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0
>> > > > ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
>> > > > sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python"
>> > > > subj=system_u:system_r:fail2ban_t:s0 key=(null)
>> > > > type=AVC msg=audit(1208349547.080:25): avc: denied { connectto } for
>> > > > pid=3045 comm="fail2ban-server"
>> > > > path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
>> > > > scontext=system_u:system_r:fail2ban_t:s0
>> > > > tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket
>> > > > type=SYSCALL msg=audit(1208349547.080:25): arch=40000003 syscall=102
>> > > > success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0
>> > > > ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
>> > > > sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python"
>> > > > subj=system_u:system_r:fail2ban_t:s0 key=(null)
>> > > > type=AVC msg=audit(1208349547.132:26): avc: denied { connectto } for
>> > > > pid=3045 comm="fail2ban-server"
>> > > > path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
>> > > > scontext=system_u:system_r:fail2ban_t:s0
>> > > > tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket
>> > > > type=SYSCALL msg=audit(1208349547.132:26): arch=40000003 syscall=102
>> > > > success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0
>> > > > ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
>> > > > sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python"
>> > > > subj=system_u:system_r:fail2ban_t:s0 key=(null)
>> > > > type=AVC msg=audit(1208349547.184:27): avc: denied { connectto } for
>> > > > pid=3045 comm="fail2ban-server"
>> > > > path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
>> > > > scontext=system_u:system_r:fail2ban_t:s0
>> > > > tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket
>> > > > type=SYSCALL msg=audit(1208349547.184:27): arch=40000003 syscall=102
>> > > > success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0
>> > > > ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
>> > > > sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python"
>> > > > subj=system_u:system_r:fail2ban_t:s0 key=(null)
>> > > > type=AVC msg=audit(1208349547.236:28): avc: denied { connectto } for
>> > > > pid=3045 comm="fail2ban-server"
>> > > > path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
>> > > > scontext=system_u:system_r:fail2ban_t:s0
>> > > > tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket
>> > > > type=SYSCALL msg=audit(1208349547.236:28): arch=40000003 syscall=102
>> > > > success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0
>> > > > ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
>> > > > sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python"
>> > > > subj=system_u:system_r:fail2ban_t:s0 key=(null)
>> > > > type=AVC msg=audit(1208349547.288:29): avc: denied { connectto } for
>> > > > pid=3045 comm="fail2ban-server"
>> > > > path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
>> > > > scontext=system_u:system_r:fail2ban_t:s0
>> > > > tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket
>> > > > type=SYSCALL msg=audit(1208349547.288:29): arch=40000003 syscall=102
>> > > > success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0
>> > > > ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
>> > > > sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python"
>> > > > subj=system_u:system_r:fail2ban_t:s0 key=(null)
>> > > > type=AVC msg=audit(1208349547.341:30): avc: denied { connectto } for
>> > > > pid=3045 comm="fail2ban-server"
>> > > > path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
>> > > > scontext=system_u:system_r:fail2ban_t:s0
>> > > > tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket
>> > > > type=SYSCALL msg=audit(1208349547.341:30): arch=40000003 syscall=102
>> > > > success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0
>> > > > ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
>> > > > sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python"
>> > > > subj=system_u:system_r:fail2ban_t:s0 key=(null)
>> > > > type=AVC msg=audit(1208349547.393:31): avc: denied { connectto } for
>> > > > pid=3045 comm="fail2ban-server"
>> > > > path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
>> > > > scontext=system_u:system_r:fail2ban_t:s0
>> > > > tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket
>> > > > type=SYSCALL msg=audit(1208349547.393:31): arch=40000003 syscall=102
>> > > > success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0
>> > > > ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
>> > > > sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python"
>> > > > subj=system_u:system_r:fail2ban_t:s0 key=(null)
>> > > > type=AVC msg=audit(1208349547.445:32): avc: denied { connectto } for
>> > > > pid=3045 comm="fail2ban-server"
>> > > > path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
>> > > > scontext=system_u:system_r:fail2ban_t:s0
>> > > > tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket
>> > > > type=SYSCALL msg=audit(1208349547.445:32): arch=40000003 syscall=102
>> > > > success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0
>> > > > ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
>> > > > sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python"
>> > > > subj=system_u:system_r:fail2ban_t:s0 key=(null)
>> > > > type=AVC msg=audit(1208349547.497:33): avc: denied { connectto } for
>> > > > pid=3045 comm="fail2ban-server"
>> > > > path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
>> > > > scontext=system_u:system_r:fail2ban_t:s0
>> > > > tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket
>> > > > type=SYSCALL msg=audit(1208349547.497:33): arch=40000003 syscall=102
>> > > > success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0
>> > > > ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
>> > > > sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python"
>> > > > subj=system_u:system_r:fail2ban_t:s0 key=(null)
>> > > > type=AVC msg=audit(1208349547.549:34): avc: denied { connectto } for
>> > > > pid=3045 comm="fail2ban-server"
>> > > > path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
>> > > > scontext=system_u:system_r:fail2ban_t:s0
>> > > > tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket
>> > > > type=SYSCALL msg=audit(1208349547.549:34): arch=40000003 syscall=102
>> > > > success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0
>> > > > ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
>> > > > sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python"
>> > > > subj=system_u:system_r:fail2ban_t:s0 key=(null)
>> > > > type=AVC msg=audit(1208349547.601:35): avc: denied { connectto } for
>> > > > pid=3045 comm="fail2ban-server"
>> > > > path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
>> > > > scontext=system_u:system_r:fail2ban_t:s0
>> > > > tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket
>> > > > type=SYSCALL msg=audit(1208349547.601:35): arch=40000003 syscall=102
>> > > > success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0
>> > > > ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
>> > > > sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python"
>> > > > subj=system_u:system_r:fail2ban_t:s0 key=(null)
>> > > > type=AVC msg=audit(1208349547.651:36): avc: denied { connectto } for
>> > > > pid=3045 comm="fail2ban-server"
>> > > > path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
>> > > > scontext=system_u:system_r:fail2ban_t:s0
>> > > > tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket
>> > > > type=SYSCALL msg=audit(1208349547.651:36): arch=40000003 syscall=102
>> > > > success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0
>> > > > ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
>> > > > sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python"
>> > > > subj=system_u:system_r:fail2ban_t:s0 key=(null)
>> > > > type=AVC msg=audit(1208349547.702:37): avc: denied { connectto } for
>> > > > pid=3045 comm="fail2ban-server"
>> > > > path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
>> > > > scontext=system_u:system_r:fail2ban_t:s0
>> > > > tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket
>> > > > type=SYSCALL msg=audit(1208349547.702:37): arch=40000003 syscall=102
>> > > > success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0
>> > > > ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
>> > > > sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python"
>> > > > subj=system_u:system_r:fail2ban_t:s0 key=(null)
>> > > > type=AVC msg=audit(1208349547.752:38): avc: denied { connectto } for
>> > > > pid=3045 comm="fail2ban-server"
>> > > > path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
>> > > > scontext=system_u:system_r:fail2ban_t:s0
>> > > > tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket
>> > > > type=SYSCALL msg=audit(1208349547.752:38): arch=40000003 syscall=102
>> > > > success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0
>> > > > ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
>> > > > sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python"
>> > > > subj=system_u:system_r:fail2ban_t:s0 key=(null)
>> > > > type=AVC msg=audit(1208349547.803:39): avc: denied { connectto } for
>> > > > pid=3045 comm="fail2ban-server"
>> > > > path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
>> > > > scontext=system_u:system_r:fail2ban_t:s0
>> > > > tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket
>> > > > type=SYSCALL msg=audit(1208349547.803:39): arch=40000003 syscall=102
>> > > > success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0
>> > > > ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
>> > > > sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python"
>> > > > subj=system_u:system_r:fail2ban_t:s0 key=(null)
>> > > > type=AVC msg=audit(1208349547.853:40): avc: denied { connectto } for
>> > > > pid=3045 comm="fail2ban-server"
>> > > > path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
>> > > > scontext=system_u:system_r:fail2ban_t:s0
>> > > > tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket
>> > > > type=SYSCALL msg=audit(1208349547.853:40): arch=40000003 syscall=102
>> > > > success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0
>> > > > ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
>> > > > sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python"
>> > > > subj=system_u:system_r:fail2ban_t:s0 key=(null)
>> > > > type=AVC msg=audit(1208349547.904:41): avc: denied { connectto } for
>> > > > pid=3045 comm="fail2ban-server"
>> > > > path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
>> > > > scontext=system_u:system_r:fail2ban_t:s0
>> > > > tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket
>> > > > type=SYSCALL msg=audit(1208349547.904:41): arch=40000003 syscall=102
>> > > > success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0
>> > > > ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
>> > > > sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python"
>> > > > subj=system_u:system_r:fail2ban_t:s0 key=(null)
>> > > > type=AVC msg=audit(1208349547.954:42): avc: denied { connectto } for
>> > > > pid=3045 comm="fail2ban-server"
>> > > > path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
>> > > > scontext=system_u:system_r:fail2ban_t:s0
>> > > > tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket
>> > > > type=SYSCALL msg=audit(1208349547.954:42): arch=40000003 syscall=102
>> > > > success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0
>> > > > ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
>> > > > sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python"
>> > > > subj=system_u:system_r:fail2ban_t:s0 key=(null)
>> > > > type=AVC msg=audit(1208349548.004:43): avc: denied { connectto } for
>> > > > pid=3045 comm="fail2ban-server"
>> > > > path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
>> > > > scontext=system_u:system_r:fail2ban_t:s0
>> > > > tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket
>> > > > type=SYSCALL msg=audit(1208349548.004:43): arch=40000003 syscall=102
>> > > > success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0
>> > > > ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
>> > > > sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python"
>> > > > subj=system_u:system_r:fail2ban_t:s0 key=(null)
>> > > > type=AVC msg=audit(1208349548.054:44): avc: denied { connectto } for
>> > > > pid=3045 comm="fail2ban-server"
>> > > > path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
>> > > > scontext=system_u:system_r:fail2ban_t:s0
>> > > > tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket
>> > > > type=SYSCALL msg=audit(1208349548.054:44): arch=40000003 syscall=102
>> > > > success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0
>> > > > ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
>> > > > sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python"
>> > > > subj=system_u:system_r:fail2ban_t:s0 key=(null)
>> > > > type=AVC msg=audit(1208349548.105:45): avc: denied { connectto } for
>> > > > pid=3045 comm="fail2ban-server"
>> > > > path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
>> > > > scontext=system_u:system_r:fail2ban_t:s0
>> > > > tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket
>> > > > type=SYSCALL msg=audit(1208349548.105:45): arch=40000003 syscall=102
>> > > > success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0
>> > > > ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
>> > > > sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python"
>> > > > subj=system_u:system_r:fail2ban_t:s0 key=(null)
>> > > > type=AVC msg=audit(1208349548.155:46): avc: denied { connectto } for
>> > > > pid=3045 comm="fail2ban-server"
>> > > > path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
>> > > > scontext=system_u:system_r:fail2ban_t:s0
>> > > > tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket
>> > > > type=SYSCALL msg=audit(1208349548.155:46): arch=40000003 syscall=102
>> > > > success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0
>> > > > ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
>> > > > sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python"
>> > > > subj=system_u:system_r:fail2ban_t:s0 key=(null)
>> > > > type=AVC msg=audit(1208349548.205:47): avc: denied { connectto } for
>> > > > pid=3045 comm="fail2ban-server"
>> > > > path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
>> > > > scontext=system_u:system_r:fail2ban_t:s0
>> > > > tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket
>> > > > type=SYSCALL msg=audit(1208349548.205:47): arch=40000003 syscall=102
>> > > > success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0
>> > > > ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
>> > > > sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python"
>> > > > subj=system_u:system_r:fail2ban_t:s0 key=(null)
>> > > > type=USER_AUTH msg=audit(1208350171.618:48): user pid=3098 uid=500
>> > > > auid=500 subj=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023
>> > > > msg='op=PAM:authentication acct=root exe="/usr/sbin/userhelper"
>> > > > (hostname=?, addr=?, terminal=? res=success)'
>> > > > type=USER_ACCT msg=audit(1208350171.620:49): user pid=3098 uid=500
>> > > > auid=500 subj=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023
>> > > > msg='op=PAM:accounting acct=root exe="/usr/sbin/userhelper"
>> > > > (hostname=?, addr=?, terminal=? res=success)'
>> > > > type=USER_START msg=audit(1208350171.650:50): user pid=3098 uid=500
>> > > > auid=500 subj=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023
>> > > > msg='op=PAM:session_open acct=root exe="/usr/sbin/userhelper"
>> > > > (hostname=?, addr=?, terminal=? res=success)'
>> > > > type=USER_AUTH msg=audit(1208350461.693:51): user pid=3142 uid=500
>> > > > auid=500 subj=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023
>> > > > msg='op=PAM:authentication acct=root exe="/bin/su" (hostname=?,
>> > > > addr=?, terminal=pts/1 res=success)'
>> > > > type=USER_ACCT msg=audit(1208350461.697:52): user pid=3142 uid=500
>> > > > auid=500 subj=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023
>> > > > msg='op=PAM:accounting acct=root exe="/bin/su" (hostname=?, addr=?,
>> > > > terminal=pts/1 res=success)'
>> > > > type=USER_START msg=audit(1208350461.711:53): user pid=3142 uid=500
>> > > > auid=500 subj=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023
>> > > > msg='op=PAM:session_open acct=root exe="/bin/su" (hostname=?, addr=?,
>> > > > terminal=pts/1 res=success)'
>> > > >
>> > > > Thanks for the help,
>> > > >
>> > > This is either a leaked file descriptor or gam_server running as rpm_t.
>> > >
>> > > ps -eZ | grep rpm_t
>> > >
>> > > failtoban should not be trying to communicate with a service running
>> > > rpm_t. If you find gam_server running as rpm_t kill it and fail2ban
>> > > should work.
>> > >
>> > >
>> > [root at localhost ~]# ps -eZ | grep rpm_t
>> > system_u:system_r:rpm_t 2585 ? 00:00:00 yum-updatesd
>> > system_u:system_r:rpm_t 2587 ? 00:00:00 gam_server
>> >
>> > I'll kill the gam_server as you suggest. I will try same on x86_64 box
>> > to see if its the same problem. If its not then i will post the
>> > audit.log from it that I promised yesterday. Either way I'll post back
>> > once i get in front of other f8 box.
>> >
>> > Thanks again,
>> >
>> > Max
>> >
>> I'm not in front of the other box yet but I killed the other instance
>> of gam_server and reran the command.
>>
>> [root at localhost ~]# ps -eZ | grep rpm_t
>> system_u:system_r:rpm_t 2585 ? 00:00:00 yum-updatesd
>> system_u:system_r:rpm_t 4074 ? 00:00:00 gam_server
>>
>> it came back right away so I killed it again and rechecked several
>> times and now it appears to have finally died.
>> [root at localhost ~]# kill 4074
>>
>>
>> [root at localhost ~]# ps -eZ | grep rpm_t
>> system_u:system_r:rpm_t 2585 ? 00:00:00 yum-updatesd
>>
>>
>> Max
>>
> Gmail is buggy for some reason. I' ll try and keep this coherent. On
> the i686 box, after I found and killed gam_server( i had to do it
> twice for it to stay dead) I then got a couple more AVC's (posting
> AVC's and observations follow):
>
> SELinux is preventing iptables (iptables_t) "read write" to socket (fail2ban_t).
>
> Detailed Description:
>
> SELinux denied access requested by iptables. It is not expected that this access
> is required by iptables and this access may signal an intrusion attempt. It is
> also possible that the specific version or configuration of the application is
> causing it to require additional access.
>
> Allowing Access:
>
> You can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
> SELinux protection altogether. Disabling SELinux protection is not recommended.
> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Additional Information:
>
> Source Context system_u:system_r:iptables_t
> Target Context system_u:system_r:fail2ban_t
> Target Objects socket [ unix_stream_socket ]
> Source iptables
> Source Path /sbin/iptables
> Port <Unknown>
> Host localhost.localdomain
> Source RPM Packages iptables-1.3.8-6.fc8
> Target RPM Packages
> Policy RPM selinux-policy-3.0.8-95.fc8
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Enforcing
> Plugin Name catchall
> Host Name localhost.localdomain
> Platform Linux localhost.localdomain 2.6.24.4-64.fc8 #1 SMP
> Sat Mar 29 09:54:46 EDT 2008 i686 athlon
> Alert Count 12
> First Seen Thu 17 Apr 2008 01:47:41 PM EDT
> Last Seen Thu 17 Apr 2008 02:19:47 PM EDT
> Local ID b0d85376-fbd1-48a7-8dff-65a0ff3c4148
> Line Numbers
>
> Raw Audit Messages
>
> host=localhost.localdomain type=AVC msg=audit(1208456387.335:77): avc:
> denied { read write } for pid=4622 comm="iptables"
> path="socket:[35210]" dev=sockfs ino=35210
> scontext=system_u:system_r:iptables_t:s0
> tcontext=system_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket
>
> host=localhost.localdomain type=AVC msg=audit(1208456387.335:77): avc:
> denied { read write } for pid=4622 comm="iptables"
> path="socket:[35227]" dev=sockfs ino=35227
> scontext=system_u:system_r:iptables_t:s0
> tcontext=system_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket
>
> host=localhost.localdomain type=AVC msg=audit(1208456387.335:77): avc:
> denied { read write } for pid=4622 comm="iptables"
> path="socket:[35683]" dev=sockfs ino=35683
> scontext=system_u:system_r:iptables_t:s0
> tcontext=system_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket
>
> host=localhost.localdomain type=SYSCALL msg=audit(1208456387.335:77):
> arch=40000003 syscall=11 success=yes exit=0 a0=9a5af50 a1=9a5a998
> a2=9a5afa8 a3=40 items=0 ppid=4571 pid=4622 auid=500 uid=0 gid=0
> euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="iptables"
> exe="/sbin/iptables" subj=system_u:system_r:iptables_t:s0 key=(null)
>
These are leaked file descriptors from fail2ban and should be reported
to them.
fcntl(fd, F_SETFD, FD_CLOSEXEC)
Should be called on all open file descriptors.
>
>
> Ok. That one is about iptables. Soon as I started fail2ban , the log
> showed 3 AVC's as above. Stop Fail2ban and three more generated. Did
> it twice to see if it was consistent. Started fail2ban twice, each
> time I started it generated 3 AVC's as above, same when I stopped it ,
> generated 3 AVC's per instance. So 12 total. When I stopped Fail2ban,
> within a couple of minutes(can't be more exact didn't have a stop
> watch) saw a new AVC(only after it stops, observations follow AVC):
>
> Summary:
>
> SELinux is preventing gam_server (fail2ban_t) "getattr" to / (fs_t).
>
> Detailed Description:
>
> SELinux denied access requested by gam_server. It is not expected that this
> access is required by gam_server and this access may signal an intrusion
> attempt. It is also possible that the specific version or configuration of the
> application is causing it to require additional access.
>
> Allowing Access:
>
> You can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
> SELinux protection altogether. Disabling SELinux protection is not recommended.
> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Additional Information:
>
> Source Context system_u:system_r:fail2ban_t
> Target Context system_u:object_r:fs_t
> Target Objects / [ filesystem ]
> Source gam_server
> Source Path <Unknown>
> Port <Unknown>
> Host localhost.localdomain
> Source RPM Packages
> Target RPM Packages filesystem-2.4.11-1.fc8
> Policy RPM selinux-policy-3.0.8-95.fc8
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Enforcing
> Plugin Name catchall
> Host Name localhost.localdomain
> Platform Linux localhost.localdomain 2.6.24.4-64.fc8 #1 SMP
> Sat Mar 29 09:54:46 EDT 2008 i686 athlon
> Alert Count 2
> First Seen Thu 17 Apr 2008 01:52:02 PM EDT
> Last Seen Thu 17 Apr 2008 02:20:17 PM EDT
> Local ID 9ce8514d-7677-4bb5-a59d-f70c8e8c755f
> Line Numbers
>
> Raw Audit Messages
>
> host=localhost.localdomain type=AVC msg=audit(1208456417.400:78): avc:
> denied { getattr } for pid=4573 comm="gam_server" name="/" dev=dm-0
> ino=2 scontext=system_u:system_r:fail2ban_t:s0
> tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
>
>
> Ok. After I stop Fail2ban i get one instance of this AVC related to
> gam_server. I started and stopped Fail2ban twice so two AVC's related
> to gam_server, once after each time I stop fail2ban. No I don't think
> anyone is stupid, just being clear for my sake and yours. Also ran :
> ps -eZ | grep rpm_t gam_server still dead. That was on i686 box. BTW
> had to kill gam_server twice on x86_64 box for it to stay dead, same
> as on i686. The x86_64 box is the same for the iptables AVC. Same
> ratio, 3 AVC's generated when starting fail2ban and 3 AVC's when
> stopping fail2ban. The difference is that the AVC generated after you
> stop fail2ban is related to sendmail(observations follow AVC):
>
> Summary:
>
> SELinux is preventing sendmail (system_mail_t) "read write" to socket
> (fail2ban_t).
>
> Detailed Description:
>
> SELinux denied access requested by sendmail. It is not expected that this access
> is required by sendmail and this access may signal an intrusion attempt. It is
> also possible that the specific version or configuration of the application is
> causing it to require additional access.
>
> Allowing Access:
>
> You can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
> SELinux protection altogether. Disabling SELinux protection is not recommended.
> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Additional Information:
>
> Source Context system_u:system_r:system_mail_t:s0
> Target Context system_u:system_r:fail2ban_t:s0
> Target Objects socket [ unix_stream_socket ]
> Source sendmail
> Source Path /usr/sbin/sendmail.sendmail
> Port <Unknown>
> Host localhost.localdomain
> Source RPM Packages sendmail-8.14.2-1.fc8
> Target RPM Packages
> Policy RPM selinux-policy-3.0.8-95.fc8
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Enforcing
> Plugin Name catchall
> Host Name localhost.localdomain
> Platform Linux localhost.localdomain 2.6.24.4-64.fc8 #1 SMP
> Sat Mar 29 09:15:49 EDT 2008 x86_64 x86_64
> Alert Count 2
> First Seen Thu 17 Apr 2008 08:28:37 PM EDT
> Last Seen Thu 17 Apr 2008 08:30:34 PM EDT
> Local ID 10c3cca0-4bc2-4fcf-845a-0b0cc2793482
> Line Numbers
>
> Raw Audit Messages
>
> host=localhost.localdomain type=AVC msg=audit(1208478634.133:31): avc:
> denied { read write } for pid=3345 comm="sendmail"
> path="socket:[22805]" dev=sockfs ino=22805
> scontext=system_u:system_r:system_mail_t:s0
> tcontext=system_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket
>
> host=localhost.localdomain type=AVC msg=audit(1208478634.133:31): avc:
> denied { read write } for pid=3345 comm="sendmail"
> path="socket:[22823]" dev=sockfs ino=22823
> scontext=system_u:system_r:system_mail_t:s0
> tcontext=system_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket
>
> host=localhost.localdomain type=AVC msg=audit(1208478634.133:31): avc:
> denied { read write } for pid=3345 comm="sendmail"
> path="socket:[23071]" dev=sockfs ino=23071
> scontext=system_u:system_r:system_mail_t:s0
> tcontext=system_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket
>
> host=localhost.localdomain type=SYSCALL msg=audit(1208478634.133:31):
> arch=c000003e syscall=59 success=yes exit=0 a0=8c9860 a1=8c98a0
> a2=8c96f0 a3=37e81529f0 items=0 ppid=3343 pid=3345 auid=500 uid=0
> gid=0 euid=0 suid=0 fsuid=0 egid=51 sgid=51 fsgid=51 tty=(none)
> comm="sendmail" exe="/usr/sbin/sendmail.sendmail"
> subj=system_u:system_r:system_mail_t:s0 key=(null)
Leaked file descriptor
>
> Checked processes on x86_64 no sendmail was or is running. Service
> isn't usually running and isn't now.
> Looks like a policy bug or both boxes have been tampered with, you
> tell me, Sulphur is here so they will get nuked soon enough. The
> sendmail bug may explain the strange behavior I have seen out of
> Thunderbird and Gmail but sendmail AVC is only generated on x86_64
> box, which incidentally is where I saw wierd behavior out of
> Thunderbird but that may be separate issue, I don't think there is
> enough evidence yet to make that conclusion despite my feeling that it
> is related, i'll just have to keep my eyes peeled. I would file a bug
> report but I'd like to understand this first so I might suggest, even
> if I can't code, a fix but if you have to explain it ...the bug would
> end up being read by someone that subscribes to this list so.....let
> me know, I will file it if you ask me to. If logs, etc are needed I
> will supply them but if its a genuine bug it should be easily
> reproducible in under 30 minutes. I checked for processes running as
> fs_t and system_mail_t before, during, and after starting/stopping
> fail2ban on x86_64 box, I don't see anything. I feel like i am
> forgetting something, anyway let me know about the bug report or if
> you want more logs etc...
>
> Thanks,
>
> Max
The problems reported are in fail2ban except for the gam_server problem.
I will add fixes in the next update for Fedora 8 selinux-policy-3.0.8-101
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iEYEARECAAYFAkgM76MACgkQrlYvE4MpobNrGwCfXl9F8ypMLfql6is9LjjDzfkm
vY8AmgI2f9X78n0y2sWr81R//JIfKUgh
=9y0s
-----END PGP SIGNATURE-----
More information about the selinux
mailing list