service not starting via systemd but no AVCs are generated
Ed Greshko
Ed.Greshko at greshko.com
Tue Jul 9 13:55:29 UTC 2013
On 07/09/13 21:33, Tristan Santore wrote:
> That appears to be a bug. It should allow:
> allow fail2ban_client_t fail2ban_var_run_t:dir write;
>
> Not so sure why it would want to access admin_home_t though.
>
>
> Create a policy with that line in. And yes, it is a bug. Because
> /var/run/fail2ban.* all files
> system_u:object_r:fail2ban_var_run_t:s0 is labelled.
> I haven't got fail2ban installed here, but it should allow it to create
> the pid file and socket. You might find after that the access to the
> socket also gets blocked. So fix the one issue, then check the audit log
> again.
>
> Make sure you please file a bug on bugzilla.redhat.com against the
> selinux-policy package.
OK, I went ahead and did the usual
grep fail2ban /var/log/audit/audit.log | audit2allow -M myfail2ban
and it now starts in enforcing mode.
I don't use fail2ban myself. I was just helping someone else.
Now, to write the bugzilla.
Thanks,
Ed
--
The only thing worse than a poorly asked question is a cryptic answer.
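
Added example (not part of the original post, and not code from fail2ban or selinux-policy): a shell function that shows which rules a set of denials would turn into before they are piped to audit2allow -M. Denials against the target type named in the quoted reply (fail2ban_var_run_t) become allow rules; anything else, such as the admin_home_t access questioned above, is marked for review. The names avc_review and sample_avcs and the AVC lines are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample denials; these are NOT taken from the poster's audit.log.
sample_avcs() {
cat <<'EOF'
type=AVC msg=audit(1373376000.123:456): avc:  denied  { write } for  pid=1234 comm="fail2ban-client" name="fail2ban" dev="tmpfs" ino=12345 scontext=system_u:system_r:fail2ban_client_t:s0 tcontext=system_u:object_r:fail2ban_var_run_t:s0 tclass=dir
type=AVC msg=audit(1373376000.124:457): avc:  denied  { search } for  pid=1234 comm="fail2ban-client" name="root" dev="dm-0" ino=2 scontext=system_u:system_r:fail2ban_client_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
type=AVC msg=audit(1373376000.125:458): avc:  denied  { create } for  pid=1234 comm="fail2ban-client" name="fail2ban.sock" scontext=system_u:system_r:fail2ban_client_t:s0 tcontext=system_u:object_r:fail2ban_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1373376001.001:460): avc:  denied  { write } for  pid=1240 comm="fail2ban-client" name="fail2ban" dev="tmpfs" ino=12345 scontext=system_u:system_r:fail2ban_client_t:s0 tcontext=system_u:object_r:fail2ban_var_run_t:s0 tclass=dir
EOF
}

# avc_review TARGET_TYPE  (hypothetical helper; reads audit.log lines on stdin)
# Prints one "allow" rule per denied permission when the target type is
# TARGET_TYPE, and a "# review:" line for every other target type.
avc_review() {
    awk -v want="$1" '
    /avc:/ && /denied/ {
        src = tgt = cls = ""
        for (i = 1; i <= NF; i++) {
            # SELinux context is user:role:type:level; field 3 is the type.
            if ($i ~ /^scontext=/) { split(substr($i, 10), c, ":"); src = c[3] }
            if ($i ~ /^tcontext=/) { split(substr($i, 10), c, ":"); tgt = c[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        o = index($0, "{"); e = index($0, "}")
        if (src == "" || tgt == "" || cls == "" || o == 0 || e < o) next
        n = split(substr($0, o + 1, e - o - 1), perm, " ")
        for (k = 1; k <= n; k++) {
            if (tgt == want) printf "allow %s %s:%s %s;\n", src, tgt, cls, perm[k]
            else             printf "# review: %s %s:%s %s\n", src, tgt, cls, perm[k]
        }
    }' | LC_ALL=C sort -u
}

# On a live system the input would instead be:
#   grep fail2ban /var/log/audit/audit.log | avc_review fail2ban_var_run_t
sample_avcs | avc_review fail2ban_var_run_t
```
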