service not starting via systemd but no AVCs are generated

Ed Greshko Ed.Greshko at greshko.com
Tue Jul 9 13:55:29 UTC 2013


On 07/09/13 21:33, Tristan Santore wrote:
> That appears to be a bug. It should allow:
> allow fail2ban_client_t fail2ban_var_run_t:dir write;
>
> Not so sure why it would want to access admin_home_t though.
>
>
> Create a policy with that line in. And yes, it is a bug. Because
> /var/run/fail2ban.*                                all files
> system_u:object_r:fail2ban_var_run_t:s0 is labelled.
> I haven't got fail2ban installed here, but it should allow it to create
> the pid file and socket. You might find after that the access to the
> socket also gets blocked. So fix the one issue, then check the audit log
> again.
>
> Make sure you please file a bug on bugzilla.redhat.com against the
> selinux-policy package.

OK, I went ahead and did the usual

grep fail2ban /var/log/audit/audit.log | audit2allow -M myfail2ban

and it now starts in enforcing mode.

I don't use fail2ban myself.  I was just helping someone else.

Now, to write the bugzilla.  

Thanks,
Ed

-- 
The only thing worse than a poorly asked question is a cryptic answer.
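As an added illustration of the review step this thread implies (example code, not part of the original post): before the denials become a local module with audit2allow -M and semodule -i, someone should look at what the module would actually allow. The script below re-derives the allow rules from constructed AVC records with plain sed and flags any rule whose target is admin_home_t, the access Tristan questioned; avc_to_allow, flag_rules and the sample records are assumptions of this example, and the real module is still built by audit2allow.

```shell
#!/bin/sh
# Constructed AVC records in the shape audit2allow parses (sample data, not
# copied from the thread); the type names follow the one rule quoted above.
SAMPLE_AVCS='type=AVC msg=audit(1373378000.123:456): avc:  denied  { write } for  pid=1234 comm="fail2ban-client" name="fail2ban" dev="tmpfs" ino=12345 scontext=system_u:system_r:fail2ban_client_t:s0 tcontext=system_u:object_r:fail2ban_var_run_t:s0 tclass=dir
type=AVC msg=audit(1373378000.124:457): avc:  denied  { read search } for  pid=1234 comm="fail2ban-client" name="root" dev="dm-0" ino=67890 scontext=system_u:system_r:fail2ban_client_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
type=SYSCALL msg=audit(1373378000.124:457): arch=c000003e syscall=2 success=no exit=-13'

# Rewrite each AVC denial on stdin as the rule audit2allow -M would put in the
# generated .te file:  allow <source type> <target type>:<class> { perms };
# (approximation for review only: booleans, dontaudit and interface lookups
# that the real tool performs are not reproduced here)
avc_to_allow() {
    grep 'avc:  denied' |
    sed -n 's/.*denied  { \([^}]*\) }.*scontext=[^:]*:[^:]*:\([^:]*\):.*tcontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([a-z_]*\).*/allow \2 \3:\4 { \1 };/p' |
    sort -u
}

# Print only the rules whose target type is in $1, a space-separated list of
# types a confined daemon should not normally reach (default: admin_home_t,
# the one questioned in the thread). Exit status 1 when nothing matches.
flag_rules() {
    types=${1:-admin_home_t}
    pattern=$(printf '%s' "$types" | sed 's/ /|/g')
    avc_to_allow | grep -E " ($pattern):"
}

# Stand-alone run: every rule the log would generate, then the ones to question
# before the module is built and installed.
printf '%s\n' "$SAMPLE_AVCS" | avc_to_allow
printf '%s\n' "$SAMPLE_AVCS" | flag_rules || echo "no rule reaches a flagged type"
```

A flagged rule is the cue to relabel or fix the daemon rather than allow the access; the unflagged fail2ban_var_run_t rule is the genuine policy gap the thread says to report.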


More information about the selinux mailing list