service not starting via systemd but no AVCs are generated

Dominick Grift dominick.grift at gmail.com
Tue Jul 9 13:36:40 UTC 2013


On Tue, 2013-07-09 at 20:29 +0800, Ed Greshko wrote:
> Hi,
> 
> On F19 the service fail2ban won't start via systemd with selinux in enforcing mode.
> 
> The error in the message log indicates....
> 
> fail2ban-client[2804]: ERROR Directory /var/run/fail2ban exists but not accessible for writing
> 

reproduce the issue without "dontaudit" rules:

semodule -DB
reproduce issue
see audit.log for avc denials
semodule -B


> But, if you execute the command in the service file from the command line....
> 
> [root at f18x log]# /usr/bin/fail2ban-client -x start
> 2013-07-09 18:46:10,558 fail2ban.server : INFO   Starting Fail2ban v0.8.10
> 2013-07-09 18:46:10,559 fail2ban.server : INFO   Starting in daemon mode
> 
> It starts and you can see the files created in /var/run/fail2ban
> 
> [root at f18x fail2ban]# pwd
> /var/run/fail2ban
> [root at f18x fail2ban]# ls
> fail2ban.pid  fail2ban.sock
> 
> 
> And if you put selinux in permissive mode....
> 
> [root at f18x fail2ban]# pwd
> /var/run/fail2ban
> [root at f18x fail2ban]# ls
> [root at f18x fail2ban]# setenforce 0
> [root at f18x fail2ban]# systemctl start fail2ban
> [root at f18x fail2ban]# ls
> fail2ban.pid  fail2ban.sock
> 
> So it is running with selinux placed in permissive mode.....
> 
> But, no AVCs are ever thrown to the audit log.
> 
> How to figure out what is the culprit?
> 
> 
> 
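
The cycle suggested in the reply above (semodule -DB, reproduce, read audit.log, semodule -B), written out as a script. This is an added example, not code from either poster. The function names, the audit log path and the sample records with their `example_*_t` types are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): disable dontaudit, reproduce, summarise, restore.

AUDIT_LOG="${AUDIT_LOG:-/var/log/audit/audit.log}"   # assumed default auditd log path

# Keep only AVC denial records (stdin) logged for process name $1.
avc_denials_for() {
    grep -E 'type=AVC .*avc: +denied' | grep -F "comm=\"$1\""
}

# Collapse denial records (stdin) into "count tclass {perms} scontext -> tcontext".
summarize_avcs() {
    sed -nE 's/.*denied +\{ ([^}]*) \}.* scontext=([^ ]+) tcontext=([^ ]+) tclass=([^ ]+).*/\4 {\1} \2 -> \3/p' \
        | sort | uniq -c | awk '{$1=$1; print}'
}

# Rebuild policy without dontaudit rules, start unit $1, report denials logged
# since then for process name $2, and always put the dontaudit rules back.
reproduce_without_dontaudit() {
    local unit="$1" comm="$2" before
    before=$(wc -l < "$AUDIT_LOG") || return 1
    semodule -DB || return 1
    systemctl start "$unit" || true   # expected to fail while the issue persists
    sleep 1                           # give auditd a moment to write its records
    tail -n +"$((before + 1))" "$AUDIT_LOG" | avc_denials_for "$comm" | summarize_avcs
    semodule -B                       # re-enable dontaudit rules
}

# Constructed sample records; the contexts are placeholders, not the denial from this thread.
sample_audit_log() {
    cat <<'EOF'
type=AVC msg=audit(1373373400.101:501): avc:  denied  { write } for  pid=2804 comm="fail2ban-client" name="fail2ban" dev="tmpfs" ino=20001 scontext=system_u:system_r:example_client_t:s0 tcontext=system_u:object_r:example_var_run_t:s0 tclass=dir
type=AVC msg=audit(1373373400.102:502): avc:  denied  { write } for  pid=2804 comm="fail2ban-client" name="fail2ban" dev="tmpfs" ino=20001 scontext=system_u:system_r:example_client_t:s0 tcontext=system_u:object_r:example_var_run_t:s0 tclass=dir
type=SERVICE_START msg=audit(1373373400.300:503): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='comm="fail2ban" exe="/usr/lib/systemd/systemd" res=failed'
type=AVC msg=audit(1373373401.010:504): avc:  denied  { create write } for  pid=2804 comm="fail2ban-client" name="fail2ban.sock" scontext=system_u:system_r:example_client_t:s0 tcontext=system_u:object_r:example_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1373373402.020:505): avc:  denied  { read } for  pid=911 comm="sshd" name="example" dev="dm-0" ino=30001 scontext=system_u:system_r:example_sshd_t:s0 tcontext=system_u:object_r:example_file_t:s0 tclass=file
EOF
}

# On a real host, as root: reproduce_without_dontaudit fail2ban fail2ban-client
```

The line-count offset assumes audit.log is not rotated during the run.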



