service not starting via systemd but no AVCs are generated

Ed Greshko Ed.Greshko at greshko.com
Tue Jul 9 14:09:48 UTC 2013


On 07/09/13 22:02, Tristan Santore wrote:
> On 09/07/13 14:55, Ed Greshko wrote:
>> On 07/09/13 21:33, Tristan Santore wrote:
>>> That appears to be a bug. It should allow:
>>> allow fail2ban_client_t fail2ban_var_run_t:dir write;
>>>
>>> Not so sure why it would want to access admin_home_t though.
>>>
>>>
>>> Create a policy with that line in. And yes, it is a bug. Because
>>> /var/run/fail2ban.*                                all files
>>> system_u:object_r:fail2ban_var_run_t:s0 is labelled.
>>> I haven't got fail2ban installed here, but it should allow it to create
>>> the pid file and socket. You might find after that the access to the
>>> socket also gets blocked. So fix the one issue, then check the audit log
>>> again.
>>>
>>> Make sure you please file a bug on bugzilla.redhat.com against the
>>> selinux-policy package.
>> OK, I went ahead and did the usual
>>
>> grep fail2ban /var/log/audit/audit.log | audit2allow -M myfail2ban
>>
>> and it now starts in enforcing mode.
>>
>> I don't use fail2ban myself.  I was just helping someone else.
>>
>> Now, to write the bugzilla.  
>>
>> Thanks,
>> Ed
>>
> I am not sure the root home dir search should be allowed. Might be worth
> throwing that one out and just trying the one line I gave you.
>
> Anyway, glad it works.

FYI....

There appears to be a bugzilla already open on this issue....

https://bugzilla.redhat.com/show_bug.cgi?id=975695

Thanks,
Ed

-- 
The only thing worse than a poorly asked question is a cryptic answer.
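The thread makes a point worth keeping in mind when using `audit2allow -M`: it turns every denial in the log into an allow rule, including ones (like the `admin_home_t` search above) that a daemon has no business getting. The following is an added example, not part of this message or of audit2allow itself: a small parser that merges AVC denials into candidate allow rules and splits them into rules against target types the daemon is expected to own versus rules that need a human look before they go into a module. The audit lines are constructed for the example, and the set of "expected" target types (`fail2ban_var_run_t`) is an assumption taken from the labelling cited in the thread.

```python
import re
from collections import defaultdict

# Constructed sample audit records for the example (not from the original thread).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1373377000.123:456): avc:  denied  { write } for  pid=1234 comm="fail2ban-client" name="fail2ban" dev="tmpfs" ino=1111 scontext=system_u:system_r:fail2ban_client_t:s0 tcontext=system_u:object_r:fail2ban_var_run_t:s0 tclass=dir
type=AVC msg=audit(1373377000.125:458): avc:  denied  { add_name } for  pid=1234 comm="fail2ban-client" name="fail2ban.sock" scontext=system_u:system_r:fail2ban_client_t:s0 tcontext=system_u:object_r:fail2ban_var_run_t:s0 tclass=dir
type=AVC msg=audit(1373377000.124:457): avc:  denied  { search } for  pid=1234 comm="fail2ban-client" name="root" dev="dm-0" ino=2222 scontext=system_u:system_r:fail2ban_client_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
type=SYSCALL msg=audit(1373377000.124:457): arch=c000003e syscall=2 success=no exit=-13
"""

# Matches the parts of an AVC denial needed to build an allow rule:
# the permission set, source/target contexts and the object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+).*?tcontext=(?P<tcontext>\S+).*?tclass=(?P<tclass>\S+)"
)

# Assumption from the thread: fail2ban's own runtime directory label.
EXPECTED_TARGETS = {"fail2ban_var_run_t"}


def type_of(context):
    """Extract the type field from a user:role:type:level SELinux context."""
    return context.split(":")[2]


def parse_avc_denials(log_text):
    """Merge AVC denials into {(source_type, target_type, tclass): set(permissions)}."""
    merged = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, PATH and other record types carry no rule information
        key = (type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"])
        merged[key].update(m["perms"].split())
    return merged


def format_perms(perms):
    """Single permission stays bare; several are braced, as in policy source."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def to_allow_rule(key, perms):
    src, tgt, cls = key
    return f"allow {src} {tgt}:{cls} {format_perms(perms)};"


def triage(denials, expected_targets=EXPECTED_TARGETS):
    """Split candidate rules into ones the daemon legitimately needs and ones to review.

    A rule is accepted only when its target type is one the daemon is expected
    to own; anything else (e.g. admin_home_t) is held back for inspection rather
    than silently becoming policy.
    """
    accept, review = [], []
    for key, perms in sorted(denials.items()):
        rule = to_allow_rule(key, perms)
        (accept if key[1] in expected_targets else review).append(rule)
    return accept, review


if __name__ == "__main__":
    ok, check = triage(parse_avc_denials(SAMPLE_AUDIT_LOG))
    print("# rules consistent with the daemon's own labels")
    print("\n".join(ok))
    print("# rules to review before loading a module")
    print("\n".join(check))
```

Run against the constructed log, the `fail2ban_var_run_t` denials collapse into one rule with both permissions, while the `admin_home_t` search is separated out, which is the same split the reply above argues for.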

