service not starting via systemd but no AVCs are generated
Tristan Santore
tristan.santore at internexusconnect.net
Tue Jul 9 12:42:17 UTC 2013
On 09/07/13 13:29, Ed Greshko wrote:
> Hi,
>
> On F19 the service fail2ban won't start via systemd with selinux in enforcing mode.
>
> The error in the message log indicates....
>
> fail2ban-client[2804]: ERROR Directory /var/run/fail2ban exists but not accessible for writing
>
> But, if you execute the command in the service file from the command line....
>
> [root@f18x log]# /usr/bin/fail2ban-client -x start
> 2013-07-09 18:46:10,558 fail2ban.server : INFO Starting Fail2ban v0.8.10
> 2013-07-09 18:46:10,559 fail2ban.server : INFO Starting in daemon mode
>
> It starts and you can see the files created in /var/run/fail2ban
>
> [root@f18x fail2ban]# pwd
> /var/run/fail2ban
> [root@f18x fail2ban]# ls
> fail2ban.pid fail2ban.sock
>
>
> And if you put selinux in permissive mode....
>
> [root@f18x fail2ban]# pwd
> /var/run/fail2ban
> [root@f18x fail2ban]# ls
> [root@f18x fail2ban]# setenforce 0
> [root@f18x fail2ban]# systemctl start fail2ban
> [root@f18x fail2ban]# ls
> fail2ban.pid fail2ban.sock
>
> So it is running with selinux placed in permissive mode.....
>
> But, no AVCs are ever thrown to the audit log.
>
> How to figure out what is the culprit?
>
>
>
Firstly, as I do not have an F19 handy at the moment, did you try
restorecon? Secondly, you might have to disable don't audit using
semodule -DB to get audit messages.
Then you should see some denials, if fail2ban has a don't audit option
in the policy.
Regards,
Tristan
--
Tristan Santore BSc MBCS
TS4523-RIPE
Network and Infrastructure Operations
InterNexusConnect
Mobile +44-78-55069812
Tristan.Santore at internexusconnect.net
Former Thawte Notary
(Please note: Thawte has closed its WoT programme down,
and I am therefore no longer able to accredit trust)
For Fedora related issues, please email me at:
TSantore at fedoraproject.org
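
The steps suggested in the reply, as an added example that is not part of the original message: reveal_hidden_denials relabels the directory, rebuilds the policy with dontaudit rules disabled (semodule -DB), reproduces the failure, prints each distinct denial, then re-enables dontaudit rules with semodule -B. The function names, the sample audit records and the example_*_t types are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. Run reveal_hidden_denials as root on the affected host.
# The unit name and directory are the ones named in the thread.

# Reduce raw audit records on stdin to one line per distinct AVC denial.
summarize_avc() {
    awk '/avc: +denied/ {
        perms = comm = src = tgt = cls = ""
        if (match($0, /[{][^}]*[}]/)) perms = substr($0, RSTART + 2, RLENGTH - 4)
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/)     { comm = $i; gsub(/comm=|"/, "", comm) }
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
            if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        print comm ": " src " -> " tgt ":" cls " { " perms " }"
    }' | sort -u
}

reveal_hidden_denials() {
    restorecon -Rv /var/run/fail2ban   # reset file labels first
    semodule -DB                       # rebuild policy with dontaudit rules disabled
    systemctl start fail2ban           # reproduce the failure in enforcing mode
    ausearch -m avc -ts recent | summarize_avc
    semodule -B                        # rebuild again to re-enable dontaudit rules
}

# Constructed records for illustration only; not the denial from this thread.
# The example_*_t type names are placeholders, not real policy types.
sample_audit_lines() {
    cat <<'EOF'
type=AVC msg=audit(1373370370.558:412): avc:  denied  { write } for  pid=2804 comm="fail2ban-client" name="fail2ban" dev="tmpfs" ino=20111 scontext=system_u:system_r:example_client_t:s0 tcontext=system_u:object_r:example_run_t:s0 tclass=dir
type=SYSCALL msg=audit(1373370370.558:412): arch=c000003e syscall=21 success=no exit=-13 comm="fail2ban-client"
type=AVC msg=audit(1373370391.102:419): avc:  denied  { write } for  pid=2851 comm="fail2ban-client" name="fail2ban" dev="tmpfs" ino=20111 scontext=system_u:system_r:example_client_t:s0 tcontext=system_u:object_r:example_run_t:s0 tclass=dir
EOF
}

# Offline demonstration on the constructed records: two identical denials
# collapse to a single summary line, and the SYSCALL record is ignored.
sample_audit_lines | summarize_avc
```

Leaving dontaudit rules disabled makes the audit log very noisy, which is why the function ends with semodule -B.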