fail2ban + ipset problem?

Dominick Grift dominick.grift at gmail.com
Mon Sep 16 07:16:00 UTC 2013


On Sun, 2013-09-15 at 23:44 +0100, Charles Bradshaw wrote:
<snip>
> 
> type=AVC msg=audit(1379280989.345:21513): avc:  denied  { create } for
> pid=4270 comm="ipset" scontext=system_u:system_r:fail2ban_t:s0
> tcontext=system_u:system_r:fail2ban_t:s0 tclass=netlink_socket
<snip>

> libsepol.print_missing_requirements: fail2ban-client's global
> requirements were not met: type/attribute fail2ban_var_run_t
> libsemanage.semanage_link_sandbox: Link packages failed
> semodule:  Fai
> 
> I'm running Fedora 17, kernel 3.9.10-100.fc17.i686.PAE

<snip>

> I see no requirement for fail2ban_var_run_t in fail2ban.te!
> 
> I have previously compiled and installed this:
> module fail2ban-client 1.0;
> 
> require {
> 	type httpd_log_t;
> 	type fail2ban_var_run_t;
> 	type fail2ban_client_t;
> 	class dir { read write search };
> }
> 
> #============= fail2ban_client_t ==============
> allow fail2ban_client_t fail2ban_var_run_t:dir write;
> allow fail2ban_client_t httpd_log_t:dir read;
> allow fail2ban_client_t httpd_log_t:dir search;
> 

hehe yes let's bisect this for a second, shall we?

1. So the base fail2ban module has some bugs
2. One of the bugs is that it doesn't support the fail2ban client, and so
you aptly create a module called fail2ban-client to add support for the
client which requires type fail2ban_var_run_t (a type that is declared
in the base fail2ban module), so far so good
3. then later things start to go wrong. You identify another bug in the
base fail2ban module and decide to create a module called fail2ban with
the fix

Now the latest fail2ban module fails. But the message says it fails on
the fail2ban-client

So what's going on here? Well, it's pretty simple.

Your latest module has the same name as the base fail2ban module, so by
trying to install it you are trying to overwrite the existing fail2ban
module. Which has the fail2ban_var_run_t type declared. Thus it cannot
install it because the fail2ban-client module depends on it!

so it fails and tells you: hey I can't do this because the
fail2ban-client module depends on type fail2ban_var_run_t, which
doesn't exist

So the fix is to give your latest fail2ban mod a unique name so that it
doesn't overwrite the base fail2ban module (example myfail2ban).

Think modular, think dependency. There's also this concept of
"optional_policy" that helps address dependency issues in modular policy

basically policy in optional_policy blocks is only used if possible,
and if not possible will just be ignored (e.g. there won't be a hard
dependency on policy inside the optional policy blocks)
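The following is an added example, not code from either poster: it puts the two points of the reply together in a script that writes the client rules quoted above into a module with a unique name (myfail2ban, the name suggested in the reply), wraps every rule that depends on a type declared in another module in an `optional { }` block (the raw checkpolicy construct that the refpolicy `optional_policy()` macro expands to), and refuses to build if a module of that name is already loaded, so the base fail2ban module that fail2ban-client depends on is never overwritten. The output path and module name are assumptions; the three build commands need a box with the SELinux policy tools and root for the install step.

```shell
#!/bin/sh
# Added example (not from the thread). Names such as "myfail2ban" and the
# .te/.mod/.pp output paths are assumptions chosen for this illustration.

# Write a uniquely named module. Only fail2ban_client_t is a hard
# requirement; the rules that need types owned by other modules
# (fail2ban_var_run_t from the base fail2ban module, httpd_log_t from
# apache) live in optional blocks, so a missing type skips the block
# instead of failing the whole link.
write_policy() {
    # $1: path of the .te file to create
    cat > "$1" <<'EOF'
module myfail2ban 1.0;

require {
	type fail2ban_client_t;
	class dir { read write search };
}

# Rules quoted from the thread, made optional on the types they need.
optional {
	require { type fail2ban_var_run_t; }
	allow fail2ban_client_t fail2ban_var_run_t:dir write;
}

optional {
	require { type httpd_log_t; }
	allow fail2ban_client_t httpd_log_t:dir { read search };
}
EOF
}

# Extract the module name from the "module NAME VERSION;" line.
module_name() {
    sed -n 's/^module \([^ ]*\) .*/\1/p' "$1"
}

# Return 0 if no installed module has this exact name, 1 otherwise.
# $1: candidate name; $2: installed module names, one per line
name_is_free() {
    if printf '%s\n' "$2" | grep -qx -- "$1"; then
        return 1   # same name as a loaded module: installing would replace it
    fi
    return 0
}

# Build and install the module, refusing to clobber an existing one.
# Needs checkmodule, semodule_package and semodule; run as root.
build_and_install() {
    te="$1"
    name=$(module_name "$te")
    installed=$(semodule -l | awk '{print $1}')
    if ! name_is_free "$name" "$installed"; then
        echo "refusing: a module named '$name' is already installed;" \
             "pick a unique name instead of overwriting it" >&2
        return 1
    fi
    checkmodule -M -m -o "${name}.mod" "$te" &&
    semodule_package -o "${name}.pp" -m "${name}.mod" &&
    semodule -i "${name}.pp"
}

# Usage (as root):
#   write_policy myfail2ban.te && build_and_install myfail2ban.te
```

Because the dependency on fail2ban_var_run_t is inside an optional block, this module also keeps loading if the base fail2ban module is later replaced by one that no longer declares that type; the hard-failure case described in the reply only arises for types listed in the top-level require block.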
