service not starting via systemd but no AVCs are generated

Dominick Grift dominick.grift at gmail.com
Tue Jul 9 14:25:00 UTC 2013


On Tue, 2013-07-09 at 14:33 +0100, Tristan Santore wrote:
> On 09/07/13 14:06, Ed Greshko wrote:
> > type=AVC msg=audit(1373375036.941:752): avc:  denied  { search } for  pid=3806 comm="fail2ban-client" name="root" dev="dm-1" ino=1310721 scontext=system_u:system_r:fail2ban_client_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
> > type=AVC msg=audit(1373375036.946:753): avc:  denied  { rlimitinh } for  pid=3808 comm="setroubleshootd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=process
> > type=AVC msg=audit(1373375036.946:753): avc:  denied  { siginh } for  pid=3808 comm="setroubleshootd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=process
> > type=AVC msg=audit(1373375036.946:753): avc:  denied  { noatsecure } for  pid=3808 comm="setroubleshootd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=process
> > type=AVC msg=audit(1373375037.385:754): avc:  denied  { write } for  pid=3808 comm="setroubleshootd" name=".dbenv.lock" dev="dm-1" ino=1048913 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=file
> > type=AVC msg=audit(1373375037.454:755): avc:  denied  { write } for  pid=3806 comm="fail2ban-client" name="fail2ban" dev="tmpfs" ino=28732 scontext=system_u:system_r:fail2ban_client_t:s0 tcontext=system_u:object_r:fail2ban_var_run_t:s0 tclass=dir
> > type=AVC msg=audit(1373375037.599:759): avc:  denied  { search } for  pid=3814 comm="fail2ban-client" name="root" dev="dm-1" ino=1310721 scontext=system_u:system_r:fail2ban_client_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
> > type=AVC msg=audit(1373375038.114:760): avc:  denied  { write } for  pid=3814 comm="fail2ban-client" name="fail2ban" dev="tmpfs" ino=28732 scontext=system_u:system_r:fail2ban_client_t:s0 tcontext=system_u:object_r:fail2ban_var_run_t:s0 tclass=dir
> > type=AVC msg=audit(1373375038.257:764): avc:  denied  { search } for  pid=3816 comm="fail2ban-client" name="root" dev="dm-1" ino=1310721 scontext=system_u:system_r:fail2ban_client_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
> > type=AVC msg=audit(1373375038.872:765): avc:  denied  { write } for  pid=3816 comm="fail2ban-client" name="fail2ban" dev="tmpfs" ino=28732 scontext=system_u:system_r:fail2ban_client_t:s0 tcontext=system_u:object_r:fail2ban_var_run_t:s0 tclass=dir
> > type=AVC msg=audit(1373375039.013:769): avc:  denied  { search } for  pid=3818 comm="fail2ban-client" name="root" dev="dm-1" ino=1310721 scontext=system_u:system_r:fail2ban_client_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
> > type=AVC msg=audit(1373375039.578:770): avc:  denied  { write } for  pid=3818 comm="fail2ban-client" name="fail2ban" dev="tmpfs" ino=28732 scontext=system_u:system_r:fail2ban_client_t:s0 tcontext=system_u:object_r:fail2ban_var_run_t:s0 tclass=dir
> > type=AVC msg=audit(1373375039.716:774): avc:  denied  { search } for  pid=3820 comm="fail2ban-client" name="root" dev="dm-1" ino=1310721 scontext=system_u:system_r:fail2ban_client_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
> > type=AVC msg=audit(1373375040.246:775): avc:  denied  { write } for  pid=3820 comm="fail2ban-client" name="fail2ban" dev="tmpfs" ino=28732 scontext=system_u:system_r:fail2ban_client_t:s0 tcontext=system_u:object_r:fail2ban_var_run_t:s0 tclass=dir
> That appears to be a bug. It should allow:
> allow fail2ban_client_t fail2ban_var_run_t:dir write;
> 
> Not so sure why it would want to access admin_home_t though.

Traverse the cwd: the command fail2ban-client was run from /root.

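Added example (not code from the thread, from fail2ban or from the SELinux reference policy): a small Python triage script over the AVC lines quoted above. It parses each denial, collapses the repeats into (source type, target type, class, permission) tuples, and attaches a verdict to each: the admin_home_t search is the cwd traversal Dominick describes, the write on fail2ban_var_run_t is the policy gap Tristan points at (the script prints the allow rule in the same form he gave), and the rlimitinh/siginh/noatsecure process denials at the dbus-to-setroubleshootd transition are treated as exec-inheritance noise. That last classification and the label names are my assumptions, not something the thread states; the sample input is the thread's own AVC lines pasted inline so the script runs offline.

```python
import re
from collections import Counter

# The AVC lines from the thread above, pasted verbatim as sample input.
SAMPLE_AVCS = """\
type=AVC msg=audit(1373375036.941:752): avc:  denied  { search } for  pid=3806 comm="fail2ban-client" name="root" dev="dm-1" ino=1310721 scontext=system_u:system_r:fail2ban_client_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
type=AVC msg=audit(1373375036.946:753): avc:  denied  { rlimitinh } for  pid=3808 comm="setroubleshootd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1373375036.946:753): avc:  denied  { siginh } for  pid=3808 comm="setroubleshootd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1373375036.946:753): avc:  denied  { noatsecure } for  pid=3808 comm="setroubleshootd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=process
type=AVC msg=audit(1373375037.385:754): avc:  denied  { write } for  pid=3808 comm="setroubleshootd" name=".dbenv.lock" dev="dm-1" ino=1048913 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=file
type=AVC msg=audit(1373375037.454:755): avc:  denied  { write } for  pid=3806 comm="fail2ban-client" name="fail2ban" dev="tmpfs" ino=28732 scontext=system_u:system_r:fail2ban_client_t:s0 tcontext=system_u:object_r:fail2ban_var_run_t:s0 tclass=dir
type=AVC msg=audit(1373375037.599:759): avc:  denied  { search } for  pid=3814 comm="fail2ban-client" name="root" dev="dm-1" ino=1310721 scontext=system_u:system_r:fail2ban_client_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
type=AVC msg=audit(1373375038.114:760): avc:  denied  { write } for  pid=3814 comm="fail2ban-client" name="fail2ban" dev="tmpfs" ino=28732 scontext=system_u:system_r:fail2ban_client_t:s0 tcontext=system_u:object_r:fail2ban_var_run_t:s0 tclass=dir
type=AVC msg=audit(1373375038.257:764): avc:  denied  { search } for  pid=3816 comm="fail2ban-client" name="root" dev="dm-1" ino=1310721 scontext=system_u:system_r:fail2ban_client_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
type=AVC msg=audit(1373375038.872:765): avc:  denied  { write } for  pid=3816 comm="fail2ban-client" name="fail2ban" dev="tmpfs" ino=28732 scontext=system_u:system_r:fail2ban_client_t:s0 tcontext=system_u:object_r:fail2ban_var_run_t:s0 tclass=dir
type=AVC msg=audit(1373375039.013:769): avc:  denied  { search } for  pid=3818 comm="fail2ban-client" name="root" dev="dm-1" ino=1310721 scontext=system_u:system_r:fail2ban_client_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
type=AVC msg=audit(1373375039.578:770): avc:  denied  { write } for  pid=3818 comm="fail2ban-client" name="fail2ban" dev="tmpfs" ino=28732 scontext=system_u:system_r:fail2ban_client_t:s0 tcontext=system_u:object_r:fail2ban_var_run_t:s0 tclass=dir
type=AVC msg=audit(1373375039.716:774): avc:  denied  { search } for  pid=3820 comm="fail2ban-client" name="root" dev="dm-1" ino=1310721 scontext=system_u:system_r:fail2ban_client_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
type=AVC msg=audit(1373375040.246:775): avc:  denied  { write } for  pid=3820 comm="fail2ban-client" name="fail2ban" dev="tmpfs" ino=28732 scontext=system_u:system_r:fail2ban_client_t:s0 tcontext=system_u:object_r:fail2ban_var_run_t:s0 tclass=dir
"""

# "avc:  denied  { perm [perm ...] } for  key=value ..." ; the permission set sits in braces.
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumption (mine, not from the thread): these process permissions show up at almost
# every domain transition and are normally dontaudit'ed rather than allowed.
EXEC_INHERIT_PERMS = {"rlimitinh", "siginh", "noatsecure"}


def parse_avc(line):
    """Return {'perms': [...], 'pid': ..., 'scontext': ..., ...} or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {"perms": m.group("perms").split(), **fields}


def context_type(ctx):
    """user:role:type[:range] -> type (the part policy rules are written against)."""
    return ctx.split(":")[2]


def summarize(text):
    """Collapse repeated denials into Counter[(src_type, tgt_type, tclass, perm)] -> count."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        for perm in rec["perms"]:
            counts[(context_type(rec["scontext"]), context_type(rec["tcontext"]), rec["tclass"], perm)] += 1
    return counts


def triage(key):
    """Label one collapsed denial. Labels are this script's own vocabulary."""
    src, tgt, tclass, perm = key
    if tclass == "process" and perm in EXEC_INHERIT_PERMS:
        return "exec-inheritance noise"          # assumption: dontaudit, do not allow
    if tclass == "dir" and perm == "search" and tgt == "admin_home_t":
        return "cwd traversal"                   # command was started from /root (per the reply)
    return "policy gap"                          # a real missing rule, e.g. the var_run write


def allow_rule(key):
    """Render the rule in the form Tristan quoted: allow src tgt:class perm;"""
    src, tgt, tclass, perm = key
    return f"allow {src} {tgt}:{tclass} {perm};"


def report(text):
    """List of (count, key, verdict, rule-or-None), most frequent first."""
    rows = []
    for key, n in summarize(text).most_common():
        verdict = triage(key)
        rows.append((n, key, verdict, allow_rule(key) if verdict == "policy gap" else None))
    return rows


if __name__ == "__main__":
    for n, key, verdict, rule in report(SAMPLE_AVCS):
        print(f"{n:3d}x {' '.join(key):60s} {verdict:24s} {rule or ''}")
```

Run against a real audit log with `grep AVC /var/log/audit/audit.log | python3 triage.py`-style piping by replacing SAMPLE_AVCS with `sys.stdin.read()`; the point of the grouping is that five fail2ban-client retries collapse to two candidate rules, and the cwd one disappears entirely once the service is started by systemd rather than from a root shell.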

