F15: fail2ban not in iptables status

Arthur Dent misc.lists at blueyonder.co.uk
Fri Jun 3 14:58:51 UTC 2011


On Fri, 2011-06-03 at 16:25 +0200, sguazt wrote:
> On Fri, Jun 3, 2011 at 3:49 PM, Arthur Dent <misc.lists at blueyonder.co.uk> wrote:
> > On Fri, 2011-06-03 at 09:08 -0400, Mike Williams wrote:
> >> On Fri, Jun 3, 2011 at 4:05 AM, sguazt <marco.guazzone at gmail.com>
> >> wrote:
> >>         On Sun, May 29, 2011 at 3:30 PM, sguazt
> >>         <marco.guazzone at gmail.com> wrote:
> >>
> >>         Hi,
> >>         Still have problems. Under /var/log/messages I've this
> >>         message:
> >>
> >>         fail2ban.comm   : WARNING Invalid command: ['add',
> >>         'ssh-iptables', 'auto']
> >>
> >>         Don't know if it is related to my problem.
> >>
> >>         Anyway, I am the only one that has this problem (or that runs
> >>         fail2ban ;) )?
> >
> > Yes I had this exact problem.
> >
> > It's an SELinux problem. Put SELinux into permissive mode
> > # setenforce 0
> > and then restart F2B. It should start up, but you'll get a bunch of SEL
> > AVCs. From these you can build a policy and turn SEL back to Enforcing.
> >
> > F2B and SEL have always caused me problems. With the help of the selinux
> > mailing list I once tried to get to the bottom of it. Now I just give up
> > and create a policy allowing everything that audit2allow says it
> > needs...
> >
> 
> Mike and Arthur, thank you for your feedback.
> 
> Under F14, if I'm not wrong, SEL did not cause problems to fail2ban.
> 
> Arthur, I don't know how to create such a policy. Could you tell me how?

I don't know if this is the best way, but this is how I do it:

I'm assuming you have the SELinux troubleshooting tools installed (I
think they are installed by default - do you get SELinux alerts?)

1) su to root 
# su - 

2) Create a working directory
# mkdir ~/selinux_testing
# cd ~/selinux_testing

3) Put SEL into permissive mode
# setenforce 0

4) Start F2B
# service fail2ban start

5) Collect the AVC denials
# grep fail2ban /var/log/audit/audit.log | audit2allow -M myf2b
This will collect any AVCs related to fail2ban and create a draft policy
called myf2b in your working directory. There will be several files, one
of which will be called myf2b.te.

Open this with an editor:
# gedit myf2b.te &
and have a look at it. It will look something like this:
=========8<===============================================
module myf2b 1.0;

require {
	type tmp_t;
	type tmpfs_t;
	type fail2ban_t;
	class dir { read write remove_name add_name };
	class file { write getattr read create unlink open execute execute_no_trans };
}

#============= fail2ban_t ==============
allow fail2ban_t tmp_t:dir { read write remove_name add_name };
allow fail2ban_t tmp_t:file { write getattr execute read create unlink open };
allow fail2ban_t tmpfs_t:dir write;
=========8<===============================================

I normally edit the module number at the top and create a numbering
schema that suits me (I use 15.0.1 for Fedora 15, first minor version of
the policy) and save it.

6) Build the policy:
# make -f /usr/share/selinux/devel/Makefile myf2b.pp
   Note: it *IS* .pp (not .te)

7) Install the module
# semodule -i myf2b.pp
   (Again .pp)

8) Restart F2B and see if you get any more AVCs

9) If you do, repeat steps 5,6 & 7, but this time change
# grep fail2ban /var/log/audit/audit.log | audit2allow -M myf2b
    to something like
# grep fail2ban /var/log/audit/audit.log | audit2allow -M temp

Then look at the "temp.te" file in your editor and carefully add
anything that is new, to your myf2b.te file. Change the module number
(I'm on version 15.0.5 at the moment! 5 Iterations). Save it and continue
with step 6+

10) Rinse, repeat...
    (until you're happy that everything is working)

11) Put SEL back into enforcing mode
# setenforce 1


Hope that helps

Mark
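The "carefully add anything that is new" comparison from step 9, as an added example that is not part of the post and not code from the fail2ban or SELinux projects: it parses fail2ban_t denials out of constructed audit.log lines, compares them with the allow rules already in the draft myf2b.te, and prints only the rules still missing. The sample AVC lines, their pids and paths, and the fail2ban_var_run_t target label are constructed assumptions.

```shell
# Constructed sample of AVC lines as found in /var/log/audit/audit.log.
AUDIT_SAMPLE='type=AVC msg=audit(1307112345.123:456): avc:  denied  { write } for  pid=1234 comm="fail2ban-server" name="fail2ban.sock" dev=tmpfs ino=12 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=AVC msg=audit(1307112346.456:457): avc:  denied  { read write } for  pid=1234 comm="fail2ban-server" name="fail2ban.sock" dev=tmpfs ino=12 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=sock_file
type=AVC msg=audit(1307112347.789:458): avc:  denied  { getattr } for  pid=1234 comm="fail2ban-server" path="/tmp/f2b" scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1307112348.000:459): avc:  denied  { read } for  pid=999 comm="sshd" path="/var/run/fail2ban/x" scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:fail2ban_var_run_t:s0 tclass=file'
# The allow rules of the draft myf2b.te shown in the post.
EXISTING_TE='allow fail2ban_t tmp_t:dir { read write remove_name add_name };
allow fail2ban_t tmp_t:file { write getattr execute read create unlink open };
allow fail2ban_t tmpfs_t:dir write;'
# "src tgt class perm" tuples for each denial on stdin whose source type is $1.
# Matching on scontext rather than "grep fail2ban" keeps other domains' denials
# (here sshd_t reading a fail2ban-labelled file) out of the fail2ban module.
avc_tuples() {
  awk -v src="$1" '/avc: *denied/ {
    s = t = c = perms = ""
    if (match($0, /[{][^}]*[}]/)) perms = substr($0, RSTART + 1, RLENGTH - 2)
    for (i = 1; i <= NF; i++) {
      if ($i ~ /^scontext=/) { split($i, a, ":"); s = a[3] }
      if ($i ~ /^tcontext=/) { split($i, a, ":"); t = a[3] }
      if ($i ~ /^tclass=/)   c = substr($i, 8)
    }
    if (s != src) next
    n = split(perms, p, " ")
    for (i = 1; i <= n; i++) print s, t, c, p[i]
  }' | sort -u
}

# The same tuples for the allow rules of a .te file read from stdin.
te_tuples() {
  awk '/^allow / {
    split($3, b, ":"); rest = $0
    sub(/^allow +[^ ]+ +[^ ]+ +/, "", rest); gsub(/[{};]/, "", rest)
    n = split(rest, p, " ")
    for (i = 1; i <= n; i++) print $2, b[1], b[2], p[i]
  }' | sort -u
}

# Denials on stdin (source type $1) not already covered by the .te text in $2,
# printed as allow rules ready to add to myf2b.te.
new_allow_rules() {
  a=$(mktemp); b=$(mktemp)
  avc_tuples "$1" > "$a"
  printf '%s\n' "$2" | te_tuples > "$b"
  comm -23 "$a" "$b" | awk '{ k = $1 " " $2 ":" $3; perms[k] = perms[k] " " $4 }
    END { for (k in perms) print "allow " k " {" perms[k] " };" }' | sort
  rm -f "$a" "$b"
}

printf '%s\n' "$AUDIT_SAMPLE" | new_allow_rules fail2ban_t "$EXISTING_TE"
```

Run it on the real log with `grep -v` noise removed as you like; only the sock_file rule is reported because the tmpfs_t dir write and tmp_t file getattr denials are already allowed by the draft module.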
