service not starting via systemd but no AVCs are generated

Tristan Santore tristan.santore at internexusconnect.net
Tue Jul 9 14:02:08 UTC 2013


On 09/07/13 14:55, Ed Greshko wrote:
> On 07/09/13 21:33, Tristan Santore wrote:
>> That appears to be a bug. It should allow:
>> allow fail2ban_client_t fail2ban_var_run_t:dir write;
>>
>> Not so sure why it would want to access admin_home_t though.
>>
>>
>> Create a policy with that line in. And yes, it is a bug. Because
>> /var/run/fail2ban.*                                all files
>> system_u:object_r:fail2ban_var_run_t:s0 is labelled.
>> I haven't got fail2ban installed here, but it should allow it to create
>> the pid file and socket. You might find after that the access to the
>> socket also gets blocked. So fix the one issue, then check the audit log
>> again.
>>
>> Make sure you please file a bug on bugzilla.redhat.com against the
>> selinux-policy package.
> 
> OK, I went ahead and did the usual
> 
> grep fail2ban /var/log/audit/audit.log | audit2allow -M myfail2ban
> 
> and it now starts in enforcing mode.
> 
> I don't use fail2ban myself.  I was just helping someone else.
> 
> Now, to write the bugzilla.  
> 
> Thanks,
> Ed
> 
I am not sure the root home dir search should be allowed. Might be worth
throwing that one out and just trying the one line I gave you.

Anyway, glad it works.

Regards,
Tristan

-- 

Tristan Santore BSc MBCS
TS4523-RIPE
Network and Infrastructure Operations
InterNexusConnect
Mobile +44-78-55069812
Tristan.Santore at internexusconnect.net

Former Thawte Notary
(Please note: Thawte has closed its WoT programme down,
and I am therefore no longer able to accredit trust)

For Fedora related issues, please email me at:
TSantore at fedoraproject.org
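As an added illustration of Tristan's advice (this is not code from the thread or from the fail2ban or selinux-policy projects), the shell functions below write a policy module containing only the single rule he suggested, rather than everything `audit2allow -M` would generate from the audit log, and filter `admin_home_t` rules out of an audit2allow-style rule list. The module name `myfail2ban`, the version `1.0` and the sample rule lines are assumptions; `checkmodule`, `semodule_package` and `semodule` are the standard SELinux toolchain commands.

```shell
#!/bin/sh
# Added example, not from the original thread: build a minimal SELinux policy
# module with just the one allow rule from the discussion.

MODULE=myfail2ban   # assumed module name

# Emit .te source for a module granting only the rule Tristan suggested.
# Type names come from the thread; the module version is an assumption.
fail2ban_te() {
    cat <<'EOF'
module myfail2ban 1.0;

require {
    type fail2ban_client_t;
    type fail2ban_var_run_t;
    class dir write;
}

# Let fail2ban-client create its pid file and socket under /var/run/fail2ban
allow fail2ban_client_t fail2ban_var_run_t:dir write;
EOF
}

# Read audit2allow-style rules on stdin and drop any that mention admin_home_t,
# since searching root's home directory is not something fail2ban needs.
drop_admin_home() {
    grep -v 'admin_home_t'
}

# Write the .te file and, if the toolchain is installed, compile and package it.
# Loading is left to the administrator (semodule -i) so this can run as a
# normal user for review first.
build_module() {
    fail2ban_te > "$MODULE.te"
    if command -v checkmodule >/dev/null 2>&1; then
        checkmodule -M -m -o "$MODULE.mod" "$MODULE.te" &&
        semodule_package -o "$MODULE.pp" -m "$MODULE.mod" &&
        echo "built $MODULE.pp; load with: semodule -i $MODULE.pp"
    else
        echo "checkmodule not found; wrote $MODULE.te only"
    fi
}
```

After loading the module, re-run the service and check `ausearch -m avc -ts recent` (or grep the audit log again) for the follow-on socket denial Tristan mentions, rather than granting everything in one pass.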
