service not starting via systemd but no AVCs are generated

Ed Greshko Ed.Greshko at greshko.com
Tue Jul 9 13:06:34 UTC 2013


On 07/09/13 20:42, Tristan Santore wrote:
> On 09/07/13 13:29, Ed Greshko wrote:
>> Hi,
>>
>> On F19 the service fail2ban won't start via systemd with selinux in enforcing mode.
>>
>> The error in the message log indicates....
>>
>> fail2ban-client[2804]: ERROR Directory /var/run/fail2ban exists but not accessible for writing
>>
>> But, if you execute the command in the service file from the command line....
>>
>> [root at f18x log]# /usr/bin/fail2ban-client -x start
>> 2013-07-09 18:46:10,558 fail2ban.server : INFO   Starting Fail2ban v0.8.10
>> 2013-07-09 18:46:10,559 fail2ban.server : INFO   Starting in daemon mode
>>
>> It starts and you can see the files created in /var/run/fail2ban
>>
>> [root at f18x fail2ban]# pwd
>> /var/run/fail2ban
>> [root at f18x fail2ban]# ls
>> fail2ban.pid  fail2ban.sock
>>
>>
>> And if you put selinux in permissive mode....
>>
>> [root at f18x fail2ban]# pwd
>> /var/run/fail2ban
>> [root at f18x fail2ban]# ls
>> [root at f18x fail2ban]# setenforce 0
>> [root at f18x fail2ban]# systemctl start fail2ban
>> [root at f18x fail2ban]# ls
>> fail2ban.pid  fail2ban.sock
>>
>> So it is running with selinux placed in permissive mode.....
>>
>> But, no AVCs are ever thrown to the audit log.
>>
>> How to figure out what is the culprit?
>>
>>
>>
> Firstly, as I do not have a F19 handy at the moment, did you try
> restorecon? Secondly, you might have to disable dontaudit rules using
> semodule -DB to get audit messages.
> Then you should see some denials, if fail2ban has a dontaudit rule
> in the policy.

I had forgotten all about the "semodule -DB" procedure ....

There are a "few" of them now generated....

type=AVC msg=audit(1373375036.941:752): avc:  denied  { search } for  pid=3806 comm="fail2ban-client" name="root" dev="dm-1" ino=1310721 scontext=system_u:system_r:fail2ban_client_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
type=AVC msg=audit(1373375036.946:753): avc:  denied  { rlimitinh } for  pid=3808 comm="setroubleshootd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1373375036.946:753): avc:  denied  { siginh } for  pid=3808 comm="setroubleshootd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1373375036.946:753): avc:  denied  { noatsecure } for  pid=3808 comm="setroubleshootd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1373375037.385:754): avc:  denied  { write } for  pid=3808 comm="setroubleshootd" name=".dbenv.lock" dev="dm-1" ino=1048913 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=file
type=AVC msg=audit(1373375037.454:755): avc:  denied  { write } for  pid=3806 comm="fail2ban-client" name="fail2ban" dev="tmpfs" ino=28732 scontext=system_u:system_r:fail2ban_client_t:s0 tcontext=system_u:object_r:fail2ban_var_run_t:s0 tclass=dir
type=AVC msg=audit(1373375037.599:759): avc:  denied  { search } for  pid=3814 comm="fail2ban-client" name="root" dev="dm-1" ino=1310721 scontext=system_u:system_r:fail2ban_client_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
type=AVC msg=audit(1373375038.114:760): avc:  denied  { write } for  pid=3814 comm="fail2ban-client" name="fail2ban" dev="tmpfs" ino=28732 scontext=system_u:system_r:fail2ban_client_t:s0 tcontext=system_u:object_r:fail2ban_var_run_t:s0 tclass=dir
type=AVC msg=audit(1373375038.257:764): avc:  denied  { search } for  pid=3816 comm="fail2ban-client" name="root" dev="dm-1" ino=1310721 scontext=system_u:system_r:fail2ban_client_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
type=AVC msg=audit(1373375038.872:765): avc:  denied  { write } for  pid=3816 comm="fail2ban-client" name="fail2ban" dev="tmpfs" ino=28732 scontext=system_u:system_r:fail2ban_client_t:s0 tcontext=system_u:object_r:fail2ban_var_run_t:s0 tclass=dir
type=AVC msg=audit(1373375039.013:769): avc:  denied  { search } for  pid=3818 comm="fail2ban-client" name="root" dev="dm-1" ino=1310721 scontext=system_u:system_r:fail2ban_client_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
type=AVC msg=audit(1373375039.578:770): avc:  denied  { write } for  pid=3818 comm="fail2ban-client" name="fail2ban" dev="tmpfs" ino=28732 scontext=system_u:system_r:fail2ban_client_t:s0 tcontext=system_u:object_r:fail2ban_var_run_t:s0 tclass=dir
type=AVC msg=audit(1373375039.716:774): avc:  denied  { search } for  pid=3820 comm="fail2ban-client" name="root" dev="dm-1" ino=1310721 scontext=system_u:system_r:fail2ban_client_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
type=AVC msg=audit(1373375040.246:775): avc:  denied  { write } for  pid=3820 comm="fail2ban-client" name="fail2ban" dev="tmpfs" ino=28732 scontext=system_u:system_r:fail2ban_client_t:s0 tcontext=system_u:object_r:fail2ban_var_run_t:s0 tclass=dir
-- 
The only thing worse than a poorly asked question is a cryptic answer.
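Triage helper for the kind of log pasted above (an added example, not code from the thread or from fail2ban/SELinux tooling): it parses the AVC records, folds them into distinct (source type, target type, class, permission) tuples per command, and renders the allow rules that audit2allow -a -M local would print for the same input, so you can compare before loading anything. The sample input is the AVC lines quoted in the post; the regex is a hand-rolled approximation of audit(8) record parsing and only handles the single-line AVC format shown. Keep in mind that a denial which appears only after semodule -DB is one the loaded policy silences with a dontaudit rule, so the output is for review (label check with restorecon -Rv / matchpathcon, or a policy bug report), not for blind loading, and semodule -B puts the dontaudit rules back afterwards.

```python
import re
from collections import Counter

# AVC records copied from the post above (captured after `semodule -DB`).
AVC_LOG = """\
type=AVC msg=audit(1373375036.941:752): avc:  denied  { search } for  pid=3806 comm="fail2ban-client" name="root" dev="dm-1" ino=1310721 scontext=system_u:system_r:fail2ban_client_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
type=AVC msg=audit(1373375036.946:753): avc:  denied  { rlimitinh } for  pid=3808 comm="setroubleshootd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1373375037.385:754): avc:  denied  { write } for  pid=3808 comm="setroubleshootd" name=".dbenv.lock" dev="dm-1" ino=1048913 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=file
type=AVC msg=audit(1373375037.454:755): avc:  denied  { write } for  pid=3806 comm="fail2ban-client" name="fail2ban" dev="tmpfs" ino=28732 scontext=system_u:system_r:fail2ban_client_t:s0 tcontext=system_u:object_r:fail2ban_var_run_t:s0 tclass=dir
type=AVC msg=audit(1373375037.599:759): avc:  denied  { search } for  pid=3814 comm="fail2ban-client" name="root" dev="dm-1" ino=1310721 scontext=system_u:system_r:fail2ban_client_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
type=AVC msg=audit(1373375038.114:760): avc:  denied  { write } for  pid=3814 comm="fail2ban-client" name="fail2ban" dev="tmpfs" ino=28732 scontext=system_u:system_r:fail2ban_client_t:s0 tcontext=system_u:object_r:fail2ban_var_run_t:s0 tclass=dir
"""

# Hand-rolled matcher for one AVC record on one line (assumption: the
# kernel's single-line "avc:  denied  { perms } for ... tclass=X" layout).
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?'
    r'comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def type_of(context):
    """user:role:type[:range] -> type (the part policy rules are written against)."""
    return context.split(":")[2]


def parse_avcs(text):
    """Return one dict per denied permission (a record may list several perms)."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        for perm in m.group("perms").split():
            denials.append({
                "comm": m.group("comm"),
                "stype": type_of(m.group("scontext")),
                "ttype": type_of(m.group("tcontext")),
                "tclass": m.group("tclass"),
                "perm": perm,
            })
    return denials


def summarize(denials, comm=None):
    """Count distinct (stype, ttype, tclass, perm) tuples, optionally for one comm,
    so the noise from other daemons (here setroubleshootd) can be set aside."""
    counts = Counter()
    for d in denials:
        if comm is None or d["comm"] == comm:
            counts[(d["stype"], d["ttype"], d["tclass"], d["perm"])] += 1
    return counts


def allow_rules(summary):
    """Render the tuples as the allow rules audit2allow would print, for review."""
    grouped = {}
    for (stype, ttype, tclass, perm) in summary:
        grouped.setdefault((stype, ttype, tclass), set()).add(perm)
    rules = []
    for (stype, ttype, tclass), perms in sorted(grouped.items()):
        body = " ".join(sorted(perms))
        if len(perms) > 1:
            body = "{ " + body + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {body};")
    return rules


if __name__ == "__main__":
    denials = parse_avcs(AVC_LOG)
    for comm in sorted({d["comm"] for d in denials}):
        print(f"== {comm}")
        summary = summarize(denials, comm=comm)
        for key, n in sorted(summary.items()):
            print(f"  {n}x  {key[0]} -> {key[1]}:{key[2]} {key[3]}")
        for rule in allow_rules(summary):
            print("  ", rule)
```

Run it as-is and it prints, for fail2ban-client, the two repeated denials (search on admin_home_t, write on fail2ban_var_run_t) that the enforcing-mode run hid; the write on fail2ban_var_run_t is the one that matches the "exists but not accessible for writing" error, while the admin_home_t search is the sort of incidental access dontaudit rules exist for.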

