Fail2Ban

Daniel J Walsh dwalsh at redhat.com
Fri Jun 26 12:36:26 UTC 2009


On 06/26/2009 04:41 AM, Arthur Dent wrote:
> Hello all,
>
> Following a spate of unsuccessful but irritating attempts to brute-force my
> home Fedora 9 server I decided to install fail2ban (using yum).
>
> Starting it up gave me several AVCs of two types. One example of each type is
> pasted below.
>
> Running audit2allow gave me the following policy. I have implemented the
> policy, and it works, but should it be necessary? I have googled a bit and
> found a couple of old bug reports but I'm not sure they're relevant and I
> think they have been incorporated into more recent policies anyway...
>
> policy_module(myfail2ban, 9.1.0)
>
> require {
>          type iptables_t;
>          type system_mail_t;
>          type fail2ban_t;
>          class unix_stream_socket { read write };
> }
>
> #============= iptables_t ==============
> allow iptables_t fail2ban_t:unix_stream_socket { read write };
>
> #============= system_mail_t ==============
> allow system_mail_t fail2ban_t:unix_stream_socket { read write };
>
>
> Does that look OK? Is there a bool I could have set?
>
> Thanks for your help...
>
> Mark
>
>
> 2 x AVCs
> ========
>
>
>> From SELinux_Troubleshoot at mydomain.com Thu Jun 25 19:19:30 2009
> Return-Path:<SELinux_Troubleshoot at mydomain.com>
> Received: from mydomain.com (mydomain.com [127.0.0.1])
> 	by mydomain.com (8.14.2/8.14.2) with ESMTP id n5PIJUBI003995
> 	for<root at localhost>; Thu, 25 Jun 2009 19:19:30 +0100
> Message-Id:<200906251819.n5PIJUBI003995 at mydomain.com>
> Content-Type: multipart/alternative; boundary="===============1813742656=="
> MIME-Version: 1.0
> Subject: [SELinux AVC Alert] SELinux is preventing iptables (iptables_t) "read
> 	write" fail2ban_t.
> From: SELinux_Troubleshoot at mydomain.com
> To: root at mydomain.com
> Date: Thu, 25 Jun 2009 18:19:30 -0000
> Status: RO
> Content-Length: 10088
> Lines: 157
>
> --===============1813742656==
> Content-Type: text/plain; charset="us-ascii"
> MIME-Version: 1.0
> Content-Transfer-Encoding: 7bit
>
>
> Summary:
>
> SELinux is preventing iptables (iptables_t) "read write" fail2ban_t.
>
> Detailed Description:
>
> SELinux denied access requested by iptables. It is not expected that this access
> is required by iptables and this access may signal an intrusion attempt. It is
> also possible that the specific version or configuration of the application is
> causing it to require additional access.
>
> Allowing Access:
>
> You can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
> SELinux protection altogether. Disabling SELinux protection is not recommended.
> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Additional Information:
>
> Source Context                unconfined_u:system_r:iptables_t:s0
> Target Context                unconfined_u:system_r:fail2ban_t:s0
> Target Objects                socket [ unix_stream_socket ]
> Source                        iptables
> Source Path                   /sbin/iptables
> Port<Unknown>
> Host                          mydomain.com
> Source RPM Packages           iptables-1.4.1.1-2.fc9
> Target RPM Packages
> Policy RPM                    selinux-policy-3.3.1-133.fc9
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   catchall
> Host Name                     mydomain.com
> Platform                      Linux mydomain.com 2.6.26.6-79.fc9.i686 #1 SMP
>                                Fri Oct 17 14:52:14 EDT 2008 i686 i686
> Alert Count                   9
> First Seen                    Tue Jun 23 14:12:58 2009
> Last Seen                     Thu Jun 25 19:19:20 2009
> Local ID                      8291512a-d501-4af1-9e24-25d2052bf649
> Line Numbers
>
> Raw Audit Messages
>
> node=mydomain.com type=AVC msg=audit(1245953960.354:478): avc:  denied  { read write } for  pid=3974 comm="iptables" path="socket:[21986]" dev=sockfs ino=21986 scontext=unconfined_u:system_r:iptables_t:s0 tcontext=unconfined_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket
>
> node=mydomain.com type=AVC msg=audit(1245953960.354:478): avc:  denied  { read write } for  pid=3974 comm="iptables" path="socket:[22005]" dev=sockfs ino=22005 scontext=unconfined_u:system_r:iptables_t:s0 tcontext=unconfined_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket
>
> node=mydomain.com type=AVC msg=audit(1245953960.354:478): avc:  denied  { read write } for  pid=3974 comm="iptables" path="socket:[22072]" dev=sockfs ino=22072 scontext=unconfined_u:system_r:iptables_t:s0 tcontext=unconfined_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket
>
> node=mydomain.com type=SYSCALL msg=audit(1245953960.354:478): arch=40000003 syscall=11 success=yes exit=0 a0=8cd7978 a1=8cd7cb8 a2=8cd7e38 a3=0 items=0 ppid=3969 pid=3974 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables" exe="/sbin/iptables" subj=unconfined_u:system_r:iptables_t:s0 key=(null)
>
>
> --===============1813742656==--
>
>> From SELinux_Troubleshoot at mydomain.com Thu Jun 25 19:19:31 2009
> Return-Path:<SELinux_Troubleshoot at mydomain.com>
> Received: from mydomain.com (mydomain.com [127.0.0.1])
> 	by mydomain.com (8.14.2/8.14.2) with ESMTP id n5PIJVHv003998
> 	for<root at localhost>; Thu, 25 Jun 2009 19:19:31 +0100
> Message-Id:<200906251819.n5PIJVHv003998 at mydomain.com>
> Content-Type: multipart/alternative; boundary="===============0749694059=="
> MIME-Version: 1.0
> Subject: [SELinux AVC Alert] SELinux is preventing sendmail (system_mail_t)
> 	"read write" fail2ban_t.
> From: SELinux_Troubleshoot at mydomain.com
> To: root at mydomain.com
> Date: Thu, 25 Jun 2009 18:19:31 -0000
> Status: RO
> Content-Length: 9500
> Lines: 151
>
> --===============0749694059==
> Content-Type: text/plain; charset="us-ascii"
> MIME-Version: 1.0
> Content-Transfer-Encoding: 7bit
>
>
> Summary:
>
> SELinux is preventing sendmail (system_mail_t) "read write" fail2ban_t.
>
> Detailed Description:
>
> SELinux denied access requested by sendmail. It is not expected that this access
> is required by sendmail and this access may signal an intrusion attempt. It is
> also possible that the specific version or configuration of the application is
> causing it to require additional access.
>
> Allowing Access:
>
> You can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
> SELinux protection altogether. Disabling SELinux protection is not recommended.
> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Additional Information:
>
> Source Context                unconfined_u:system_r:system_mail_t:s0
> Target Context                unconfined_u:system_r:fail2ban_t:s0
> Target Objects                socket [ unix_stream_socket ]
> Source                        sendmail
> Source Path                   /usr/sbin/sendmail.sendmail
> Port<Unknown>
> Host                          mydomain.com
> Source RPM Packages           sendmail-8.14.2-4.fc9
> Target RPM Packages
> Policy RPM                    selinux-policy-3.3.1-133.fc9
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   catchall
> Host Name                     mydomain.com
> Platform                      Linux mydomain.com 2.6.26.6-79.fc9.i686 #1 SMP
>                                Fri Oct 17 14:52:14 EDT 2008 i686 i686
> Alert Count                   3
> First Seen                    Tue Jun 23 14:12:59 2009
> Last Seen                     Thu Jun 25 19:19:20 2009
> Local ID                      18e4bfc0-cbb2-41a6-af2c-8b271450ed73
> Line Numbers
>
> Raw Audit Messages
>
> node=mydomain.com type=AVC msg=audit(1245953960.510:479): avc:  denied  { read write } for  pid=3980 comm="sendmail" path="socket:[21986]" dev=sockfs ino=21986 scontext=unconfined_u:system_r:system_mail_t:s0 tcontext=unconfined_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket
>
> node=mydomain.com type=AVC msg=audit(1245953960.510:479): avc:  denied  { read write } for  pid=3980 comm="sendmail" path="socket:[22005]" dev=sockfs ino=22005 scontext=unconfined_u:system_r:system_mail_t:s0 tcontext=unconfined_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket
>
> node=mydomain.com type=SYSCALL msg=audit(1245953960.510:479): arch=40000003 syscall=11 success=yes exit=0 a0=8908a90 a1=8908aa8 a2=8908d88 a3=0 items=0 ppid=3978 pid=3980 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=51 sgid=51 fsgid=51 tty=(none) ses=4294967295 comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=unconfined_u:system_r:system_mail_t:s0 key=(null)
>
>
> --===============0749694059==
>
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
These are leaked file descriptors from fail2ban.  They are ok to allow.
Try to upgrade to the latest fail2ban software via yum.
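The leak Dan describes can be reproduced outside fail2ban: a unix stream socket whose descriptor lacks FD_CLOEXEC survives exec, so the child (iptables or sendmail here, running in its own SELinux domain after the transition) ends up holding a socket that belongs to fail2ban_t, which is exactly what the AVCs report. This is an added example, not code from fail2ban or from the thread; it uses a socketpair as a stand-in for fail2ban's socket and a constructed child script as a stand-in for iptables.

```python
import os
import stat
import socket
import subprocess
import sys

# Constructed child program: exit 0 if the fd number given on the command line
# is still an open socket after exec (i.e. it leaked), exit 1 otherwise.
CHILD_CHECK = (
    "import os, stat, sys\n"
    "fd = int(sys.argv[1])\n"
    "try:\n"
    "    sys.exit(0 if stat.S_ISSOCK(os.fstat(fd).st_mode) else 1)\n"
    "except OSError:\n"
    "    sys.exit(1)\n"
)


def child_inherits_socket(inheritable: bool, close_fds: bool) -> bool:
    """Create a unix stream socket, exec a child the way fail2ban execs
    iptables/sendmail, and return True if the child can still reach the socket.

    inheritable=True models FD_CLOEXEC being unset on the socket (the bug);
    close_fds=True models the parent closing unrelated fds before exec.
    """
    parent_end, other_end = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        fd = parent_end.fileno()
        # Python >= 3.4 creates fds with FD_CLOEXEC set; clear it to model the leak.
        os.set_inheritable(fd, inheritable)
        result = subprocess.run(
            [sys.executable, "-c", CHILD_CHECK, str(fd)],
            close_fds=close_fds,
        )
        return result.returncode == 0
    finally:
        parent_end.close()
        other_end.close()


if __name__ == "__main__":
    print("leaked (FD_CLOEXEC clear, fds kept):", child_inherits_socket(True, False))
    print("fixed by FD_CLOEXEC on the socket:  ", child_inherits_socket(False, False))
    print("fixed by closing fds before exec:   ", child_inherits_socket(True, True))
```

Either fix on fail2ban's side (close-on-exec on its sockets, or closing descriptors before exec) removes the cross-domain access, so the local allow rule above becomes unnecessary once the upgraded package carries that fix.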