Bug 389577 - sec-policy/selinux-fail2ban missing some messages.
Summary: sec-policy/selinux-fail2ban missing some messages.
Status: VERIFIED FIXED
Product: Gentoo Linux
Classification: Unclassified
Component: Hardened
Hardware: All Linux
Importance: Normal normal
Assignee: Sven Vermeulen (RETIRED)
Reported: 2011-11-04 23:32 UTC by Nico Baggus
Modified: 2012-02-26 10:07 UTC

Description Nico Baggus 2011-11-04 23:32:15 UTC
fail2ban causes quite some messages...
Some because of operation, some because of logrotate... & restart.

The messages have been "sanitized": pids made equal, ino= made equal, same for sockets, then sort -u.


Reproducible: Always

Actual Results:  
avc:  denied  { append } for  pid=12345 comm="exim" path="/var/log/fail2ban.log" dev=md5 ino=12345 scontext=system_u:system_r:exim_t tcontext=system_u:object_r:fail2ban_log_t tclass=file
avc:  denied  { append } for  pid=12345 comm="exim" path="/var/log/fail2ban.log" dev=md5 ino=12345 scontext=system_u:system_r:exim_t tcontext=system_u:object_r:var_log_t tclass=file
avc:  denied  { append } for  pid=12345 comm="fail2ban-server" name="fail2ban.log" dev=md5 ino=12345 scontext=system_u:system_r:fail2ban_t tcontext=system_u:object_r:var_log_t tclass=file
avc:  denied  { append } for  pid=12345 comm="iptables" path="/var/log/fail2ban.log" dev=md5 ino=12345 scontext=system_u:system_r:iptables_t tcontext=system_u:object_r:var_log_t tclass=file
avc:  denied  { append } for  pid=12345 comm="modprobe" path="/var/log/fail2ban.log" dev=md5 ino=12345 scontext=system_u:system_r:insmod_t tcontext=system_u:object_r:var_log_t tclass=file
avc:  denied  { append } for  pid=12345 comm="sendmail" path="/var/log/fail2ban.log" dev=md5 ino=12345 scontext=system_u:system_r:system_mail_t tcontext=system_u:object_r:var_log_t tclass=file
avc:  denied  { connectto } for  pid=12345 comm="fail2ban-client" path="/var/run/fail2ban/fail2ban.sock" scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:fail2ban_t tclass=unix_stream_socket
avc:  denied  { connectto } for  pid=12345 comm="fail2ban-client" path="/var/run/fail2ban/fail2ban.sock" scontext=system_u:system_r:logrotate_t tcontext=system_u:system_r:initrc_t tclass=unix_stream_socket
avc:  denied  { connectto } for  pid=12345 comm="fail2ban-server" path="/var/run/nscd/socket" scontext=system_u:system_r:fail2ban_t tcontext=system_u:system_r:initrc_t tclass=unix_stream_socket
avc:  denied  { connectto } for  pid=12345 comm="whois" path="/var/run/nscd/socket" scontext=system_u:system_r:fail2ban_t tcontext=system_u:system_r:initrc_t tclass=unix_stream_socket
avc:  denied  { dac_override } for  pid=12345 comm="fail2ban-server" capability=1  scontext=system_u:system_r:fail2ban_t tcontext=system_u:system_r:fail2ban_t tclass=capability
avc:  denied  { getattr } for  pid=12345 comm="lsof" path="socket[12345]" dev=sockfs ino=12345 scontext=system_u:system_r:system_cronjob_t tcontext=system_u:system_r:fail2ban_t tclass=unix_stream_socket
avc:  denied  { open } for  pid=12345 comm="cat" name="fail2ban.log" dev=md5 ino=12345 scontext=system_u:system_r:system_cronjob_t tcontext=system_u:object_r:fail2ban_log_t tclass=file
avc:  denied  { read write } for  pid=12345 comm="exim" path="socket[12345]" dev=sockfs ino=12345 scontext=system_u:system_r:exim_t tcontext=system_u:system_r:fail2ban_t tclass=unix_stream_socket
avc:  denied  { read write } for  pid=12345 comm="sendmail" path="socket[12345]" dev=sockfs ino=12345 scontext=system_u:system_r:system_mail_t tcontext=system_u:system_r:fail2ban_t tclass=unix_stream_socket
avc:  denied  { read } for  pid=12345 comm="cat" name="fail2ban.log" dev=md5 ino=12345 scontext=system_u:system_r:system_cronjob_t tcontext=system_u:object_r:fail2ban_log_t tclass=file
avc:  denied  { remove_name } for  pid=12345 comm="logwatch.pl" name="fail2ban" dev=md5 ino=12345 scontext=system_u:system_r:system_cronjob_t tcontext=system_u:object_r:logwatch_cache_t tclass=dir
avc:  denied  { remove_name } for  pid=12345 comm="logwatch.pl" name="fail2ban" dev=md5 ino=12345 scontext=system_u:system_r:system_cronjob_t tcontext=system_u:object_r:var_t tclass=dir
avc:  denied  { unlink } for  pid=12345 comm="logwatch.pl" name="fail2ban" dev=md5 ino=12345 scontext=system_u:system_r:system_cronjob_t tcontext=system_u:object_r:logwatch_cache_t tclass=file
avc:  denied  { unlink } for  pid=12345 comm="logwatch.pl" name="fail2ban" dev=md5 ino=12345 scontext=system_u:system_r:system_cronjob_t tcontext=system_u:object_r:var_t tclass=file
avc:  denied  { write } for  pid=12345 comm="fail2ban-client" name="fail2ban.sock" dev=md5 ino=12345 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:fail2ban_var_run_t tclass=sock_file
avc:  denied  { write } for  pid=12345 comm="fail2ban-client" name="fail2ban.sock" dev=md5 ino=12345 scontext=system_u:system_r:logrotate_t tcontext=system_u:object_r:var_run_t tclass=sock_file



A module from the above messages:


module fail2bannb 1.0;

require {
        type var_run_t;
        type fail2ban_var_run_t;
        type system_mail_t;
        type system_cronjob_t;
        type fail2ban_t;
        type logwatch_cache_t;
        type iptables_t;
        type initrc_t;
        type var_log_t;
        type fail2ban_log_t;
        type insmod_t;
        type var_t;
        type exim_t;
        type logrotate_t;
        class capability dac_override;
        class unix_stream_socket { connectto write getattr read };
        class dir remove_name;
        class file { read unlink open append };
        class sock_file write;
}

#============= exim_t ==============
allow exim_t fail2ban_log_t:file append;
allow exim_t fail2ban_t:unix_stream_socket { read write };
allow exim_t var_log_t:file append;

#============= fail2ban_t ==============
allow fail2ban_t initrc_t:unix_stream_socket connectto;
allow fail2ban_t self:capability dac_override;
allow fail2ban_t var_log_t:file append;

#============= initrc_t ==============
allow initrc_t fail2ban_t:unix_stream_socket connectto;
allow initrc_t fail2ban_var_run_t:sock_file write;

#============= insmod_t ==============
allow insmod_t var_log_t:file append;

#============= iptables_t ==============
allow iptables_t var_log_t:file append;

#============= logrotate_t ==============
allow logrotate_t initrc_t:unix_stream_socket connectto;
allow logrotate_t var_run_t:sock_file write;

#============= system_cronjob_t ==============
allow system_cronjob_t fail2ban_log_t:file { read open };
allow system_cronjob_t fail2ban_t:unix_stream_socket getattr;
allow system_cronjob_t logwatch_cache_t:dir remove_name;
allow system_cronjob_t logwatch_cache_t:file unlink;
allow system_cronjob_t var_t:dir remove_name;
allow system_cronjob_t var_t:file unlink;

#============= system_mail_t ==============
allow system_mail_t fail2ban_t:unix_stream_socket { read write };
allow system_mail_t var_log_t:file append;
Comment 1 Sven Vermeulen (RETIRED) gentoo-dev 2011-11-05 16:27:38 UTC
There is a mixture of denials here... sometimes fail2ban.log is marked as var_log_t, otherwise as fail2ban_log_t. 

Can you put the file contexts correctly and reproduce? Then we will need to look at small sets of denial messages (perhaps even one at a time) and find out

(1.) why the denial occurs
(2.) if this denial really needs to be allowed or not

Without that level of detail on each denial, we will not be able to get the fix upstream.
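The sanitising step from the description (pids and inodes made equal, then sort -u) and the mixed labelling pointed out in Comment 1 can both be automated. The script below is an added example, not code from this bug or from the fail2ban policy package: it parses AVC lines (sample lines copied from the description above, plus one constructed duplicate with different pid/ino values), deduplicates them on the fields that matter for policy, and reports every file name that was seen with more than one target label, which is the signal to run restorecon before judging any of the denials.

```python
import os
import re
from collections import defaultdict

# Sample input: AVC lines in the shape of the ones posted in the description, plus one
# constructed copy of the exim socket denial with other pid/ino values to show the dedupe.
SAMPLE_AVCS = [
    'avc:  denied  { append } for  pid=12345 comm="exim" path="/var/log/fail2ban.log" dev=md5 ino=12345 scontext=system_u:system_r:exim_t tcontext=system_u:object_r:fail2ban_log_t tclass=file',
    'avc:  denied  { append } for  pid=12345 comm="exim" path="/var/log/fail2ban.log" dev=md5 ino=12345 scontext=system_u:system_r:exim_t tcontext=system_u:object_r:var_log_t tclass=file',
    'avc:  denied  { append } for  pid=12345 comm="fail2ban-server" name="fail2ban.log" dev=md5 ino=12345 scontext=system_u:system_r:fail2ban_t tcontext=system_u:object_r:var_log_t tclass=file',
    'avc:  denied  { connectto } for  pid=12345 comm="fail2ban-client" path="/var/run/fail2ban/fail2ban.sock" scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:fail2ban_t tclass=unix_stream_socket',
    'avc:  denied  { read write } for  pid=12345 comm="exim" path="socket[12345]" dev=sockfs ino=12345 scontext=system_u:system_r:exim_t tcontext=system_u:system_r:fail2ban_t tclass=unix_stream_socket',
    'avc:  denied  { read write } for  pid=999 comm="exim" path="socket[777]" dev=sockfs ino=888 scontext=system_u:system_r:exim_t tcontext=system_u:system_r:fail2ban_t tclass=unix_stream_socket',
    'avc:  denied  { write } for  pid=12345 comm="fail2ban-client" name="fail2ban.sock" dev=md5 ino=12345 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:fail2ban_var_run_t tclass=sock_file',
    'avc:  denied  { write } for  pid=12345 comm="fail2ban-client" name="fail2ban.sock" dev=md5 ino=12345 scontext=system_u:system_r:logrotate_t tcontext=system_u:object_r:var_run_t tclass=sock_file',
]

# "avc:  denied  { perm perm } for  key=value ..." (also matches the type=AVC msg=audit(...) form)
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Fields that identify a denial for policy purposes; pid, ino and dev are deliberately left out.
FIELD_ORDER = ('comm', 'path', 'name', 'scontext', 'tcontext', 'tclass')
FS_CLASSES = {'file', 'dir', 'sock_file', 'lnk_file', 'fifo_file', 'chr_file', 'blk_file'}


def parse_avc(line):
    """Return {'perms': (...), key: value, ...} for one AVC line, or None if it is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {'perms': tuple(sorted(m.group('perms').split()))}
    for key, val in KV_RE.findall(m.group('rest')):
        rec[key] = val.strip('"')
    return rec


def normalize(rec):
    """Replace the per-process socket number so socket[12345] and socket[777] compare equal."""
    out = dict(rec)
    if 'path' in out:
        out['path'] = re.sub(r'socket\[\d+\]', 'socket[N]', out['path'])
    return out


def canonical(rec):
    """One-line form containing only the policy-relevant fields (the sort -u key)."""
    perms = ' '.join(rec['perms'])
    fields = ' '.join('%s=%s' % (k, rec[k]) for k in FIELD_ORDER if k in rec)
    return 'denied { %s } %s' % (perms, fields)


def unique_denials(lines):
    """Sorted, deduplicated denials: the equivalent of the reporter's sanitise-then-sort -u."""
    seen = set()
    for line in lines:
        rec = parse_avc(line)
        if rec is not None:
            seen.add(canonical(normalize(rec)))
    return sorted(seen)


def label_conflicts(lines):
    """Map file names to the set of target labels they were denied under, keeping only
    names that carry more than one label. Such a name is either mislabelled (restorecon
    needed) or two different objects with the same base name; either way it needs ls -Z
    before the denial can be turned into an allow rule."""
    labels = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec.get('tclass') not in FS_CLASSES:
            continue
        obj = os.path.basename(rec['path']) if 'path' in rec else rec.get('name')
        if obj:
            labels[obj].add(rec['tcontext'])
    return {obj: ctxs for obj, ctxs in labels.items() if len(ctxs) > 1}


if __name__ == '__main__':
    for entry in unique_denials(SAMPLE_AVCS):
        print(entry)
    for obj, ctxs in sorted(label_conflicts(SAMPLE_AVCS).items()):
        print('LABEL CONFLICT: %s seen as %s' % (obj, ', '.join(sorted(ctxs))))
```

Run against a real system by feeding it the output of grep avc /var/log/audit/audit.log instead of the embedded sample; on the sample it reports fail2ban.log as both var_log_t and fail2ban_log_t, and fail2ban.sock as both var_run_t and fail2ban_var_run_t. The script is a triage step before audit2allow, not a replacement for it: it only tells you which denials are worth looking at one at a time.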
Comment 2 Nico Baggus 2011-11-06 00:51:23 UTC
Here is a restart of fail2ban; it has an SSH & SIP scan profile.

Starting: fail2ban restart...
type=AVC msg=audit(1320535084.716:10231): avc:  denied  { read } for  pid=2224 comm="fail2ban" name="src" dev=md3 ino=598033 scontext=root:sysadm_r:run_init_t tcontext=system_u:object_r:src_t tclass=lnk_file
type=AVC msg=audit(1320535084.716:10231): avc:  denied  { read } for  pid=2224 comm="fail2ban" name="linux" dev=md7 ino=4882434 scontext=root:sysadm_r:run_init_t tcontext=root:object_r:default_t tclass=lnk_file

Here it starts removing some iptables rules:
type=SYSCALL msg=audit(1320535084.716:10231): arch=40000003 syscall=195 success=yes exit=0 a0=1485d868 a1=5f45d50c a2=54cd3e54 a3=5f45d50c items=0 ppid=10621 pid=2224 auid=2000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="fail2ban" exe="/bin/bash" subj=root:sysadm_r:run_init_t key=(null)
type=USER_AUTH msg=audit(1320535086.768:10232): user pid=2224 uid=0 auid=2000 ses=2 subj=root:sysadm_r:run_init_t msg='op=PAM:authentication acct="nico" exe="/sbin/rc" (hostname=?, addr=?, terminal=pts/0 res=success)'
type=UNKNOWN[1325] msg=audit(1320535087.987:10233): table=filter family=2 entries=289
type=SYSCALL msg=audit(1320535087.987:10233): arch=40000003 syscall=102 success=yes exit=0 a0=e a1=5d912c40 a2=51efcf08 a3=0 items=0 ppid=2237 pid=2238 auid=2000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="iptables" exe="/sbin/xtables-multi" subj=system_u:system_r:iptables_t key=(null)
type=UNKNOWN[1325] msg=audit(1320535088.002:10234): table=filter family=2 entries=288
type=SYSCALL msg=audit(1320535088.002:10234): arch=40000003 syscall=102 success=yes exit=0 a0=e a1=592f3140 a2=4a2c7f08 a3=0 items=0 ppid=2237 pid=2239 auid=2000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="iptables" exe="/sbin/xtables-multi" subj=system_u:system_r:iptables_t key=(null)
type=UNKNOWN[1325] msg=audit(1320535088.016:10235): table=filter family=2 entries=287
type=SYSCALL msg=audit(1320535088.016:10235): arch=40000003 syscall=102 success=yes exit=0 a0=e a1=5e8e5fc0 a2=522c3f08 a3=0 items=0 ppid=2096 pid=2237 auid=2000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="iptables" exe="/sbin/xtables-multi" subj=system_u:system_r:iptables_t key=(null)
type=UNKNOWN[1325] msg=audit(1320535088.822:10236): table=filter family=2 entries=285
type=SYSCALL msg=audit(1320535088.822:10236): arch=40000003 syscall=102 success=yes exit=0 a0=e a1=59aa2cd0 a2=4cb38f08 a3=0 items=0 ppid=2096 pid=2253 auid=2000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="iptables" exe="/sbin/xtables-multi" subj=system_u:system_r:iptables_t key=(null)
type=UNKNOWN[1325] msg=audit(1320535088.872:10237): table=filter family=2 entries=284
type=SYSCALL msg=audit(1320535088.872:10237): arch=40000003 syscall=102 success=yes exit=0 a0=e a1=5d94d360 a2=4e45cf08 a3=0 items=0 ppid=2254 pid=2255 auid=2000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="iptables" exe="/sbin/xtables-multi" subj=system_u:system_r:iptables_t key=(null)
type=UNKNOWN[1325] msg=audit(1320535088.897:10238): table=filter family=2 entries=283
type=SYSCALL msg=audit(1320535088.897:10238): arch=40000003 syscall=102 success=yes exit=0 a0=e a1=5fcbf0d0 a2=5291cf08 a3=0 items=0 ppid=2254 pid=2256 auid=2000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="iptables" exe="/sbin/xtables-multi" subj=system_u:system_r:iptables_t key=(null)
type=UNKNOWN[1325] msg=audit(1320535088.921:10239): table=filter family=2 entries=282
type=SYSCALL msg=audit(1320535088.921:10239): arch=40000003 syscall=102 success=yes exit=0 a0=e a1=5879ca30 a2=4dff1f08 a3=0 items=0 ppid=2096 pid=2254 auid=2000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="iptables" exe="/sbin/xtables-multi" subj=system_u:system_r:iptables_t key=(null)

Restart:
type=AVC msg=audit(1320535091.830:10240): avc:  denied  { search } for  pid=2280 comm="fail2ban-server" name="nico" dev=md3 ino=420163 scontext=system_u:system_r:fail2ban_t tcontext=sysadm_u:object_r:user_home_dir_t tclass=dir
type=SYSCALL msg=audit(1320535091.830:10240): arch=40000003 syscall=195 success=no exit=-2 a0=11cec570 a1=5f424b68 a2=52d8fe54 a3=52ec5a44 items=0 ppid=2271 pid=2280 auid=2000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts5 ses=2 comm="fail2ban-server" exe="/usr/bin/python2.7" subj=system_u:system_r:fail2ban_t key=(null)

Check the asterisk logfile..., check for rogue SIP registers. (start)
type=AVC msg=audit(1320535092.859:10241): avc:  denied  { read } for  pid=2291 comm="iptables" path="/var/log/asterisk/messages" dev=md5 ino=484915 scontext=system_u:system_r:iptables_t tcontext=system_u:object_r:asterisk_log_t tclass=file
type=SYSCALL msg=audit(1320535092.859:10241): arch=40000003 syscall=11 success=yes exit=0 a0=16b199b0 a1=16b19d98 a2=16b19bf0 a3=16b199b0 items=0 ppid=2289 pid=2291 auid=2000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="iptables" exe="/sbin/xtables-multi" subj=system_u:system_r:iptables_t key=(null)
type=UNKNOWN[1325] msg=audit(1320535092.895:10242): table=filter family=2 entries=280

Add new IPtables rules
type=SYSCALL msg=audit(1320535092.895:10242): arch=40000003 syscall=102 success=yes exit=0 a0=e a1=59f000b0 a2=4b893f08 a3=0 items=0 ppid=2287 pid=2290 auid=2000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="iptables" exe="/sbin/xtables-multi" subj=system_u:system_r:iptables_t key=(null)
type=UNKNOWN[1325] msg=audit(1320535092.949:10243): table=filter family=2 entries=282
type=SYSCALL msg=audit(1320535092.949:10243): arch=40000003 syscall=102 success=yes exit=0 a0=e a1=58535740 a2=48df9f08 a3=0 items=0 ppid=2287 pid=2293 auid=2000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="iptables" exe="/sbin/xtables-multi" subj=system_u:system_r:iptables_t key=(null)
type=UNKNOWN[1325] msg=audit(1320535092.972:10244): table=filter family=2 entries=283
type=SYSCALL msg=audit(1320535092.972:10244): arch=40000003 syscall=102 success=yes exit=0 a0=e a1=5bd51be0 a2=4fe44f08 a3=0 items=0 ppid=2282 pid=2287 auid=2000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="iptables" exe="/sbin/xtables-multi" subj=system_u:system_r:iptables_t key=(null)
type=AVC msg=audit(1320535096.923:10245): avc:  denied  { name_connect } for  pid=31997 comm="asterisk" dest=2126 scontext=system_u:system_r:asterisk_t tcontext=system_u:object_r:port_t tclass=tcp_socket
type=SYSCALL msg=audit(1320535096.923:10245): arch=40000003 syscall=102 success=no exit=-115 a0=3 a1=49adb150 a2=49b6ff10 a3=0 items=0 ppid=1 pid=31997 auid=2000 uid=107 gid=458 euid=107 suid=107 fsuid=107 egid=458 sgid=458 fsgid=458 tty=(none) ses=2 comm="asterisk" exe="/usr/sbin/asterisk" subj=system_u:system_r:asterisk_t key=(null)
Comment 3 Nico Baggus 2011-11-06 00:55:02 UTC
Another restart more or less looked the same.
Comment 4 Nico Baggus 2011-11-06 00:59:02 UTC
File contexts:

# grep fail2ban /etc/selinux/strict/contexts/files/file_contexts
/var/run/fail2ban.*     system_u:object_r:fail2ban_var_run_t
/var/lib/fail2ban(/.*)? system_u:object_r:fail2ban_var_lib_t
/usr/bin/fail2ban       --      system_u:object_r:fail2ban_exec_t
/var/log/fail2ban\.log  --      system_u:object_r:fail2ban_log_t
/usr/bin/fail2ban-server        --      system_u:object_r:fail2ban_exec_t
/etc/rc\.d/init\.d/fail2ban     --      system_u:object_r:fail2ban_initrc_exec_t
Comment 5 Nico Baggus 2011-11-06 01:00:57 UTC
semodule --list | grep fail2 gives:

fail2ban        1.4.0
fail2bannb      1.0
Comment 6 Sven Vermeulen (RETIRED) gentoo-dev 2011-11-07 19:35:06 UTC
Let's start from the first denial here...

type=AVC msg=audit(1320535084.716:10231): avc:  denied  { read } for  pid=2224
comm="fail2ban" name="src" dev=md3 ino=598033 scontext=root:sysadm_r:run_init_t
tcontext=system_u:object_r:src_t tclass=lnk_file

The application is running in the run_init_t context, which is wrong. I would assume it would run in fail2ban_t. Can you check the binary file's context and make sure it is marked as fail2ban_exec_t?

Also, what is the context of the init script?
Comment 7 Nico Baggus 2011-11-07 23:31:34 UTC
This is the process command line:
/usr/bin/python2.7 /usr/bin/fail2ban-server -b -s /var/run/fail2ban/fail2ban.sock -x

And my guess is that this answers your questions?

# ls -lZ /usr/bin/fail2ban-*     
-rwxr-xr-x. 1 root root system_u:object_r:bin_t           11494 Oct 25 18:31 /usr/bin/fail2ban-client
-rwxr-xr-x. 1 root root system_u:object_r:bin_t           10703 Oct 25 18:31 /usr/bin/fail2ban-regex
-rwxr-xr-x. 1 root root system_u:object_r:fail2ban_exec_t  4223 Oct 25 18:31 /usr/bin/fail2ban-server

# ls -lZ /etc/init.d/fail2ban 
-rwxr-xr-x. 1 root root system_u:object_r:initrc_exec_t 1552 Oct 25 18:31 /etc/init.d/fail2ban
Comment 8 Nico Baggus 2011-11-07 23:54:31 UTC
BTW, fail2ban start by running the fail2ban-client, which activates the fail2ban server.
Comment 9 Sven Vermeulen (RETIRED) gentoo-dev 2011-11-11 10:32:33 UTC
Okay, so I guess the denial we get is from the "fail2ban" init script.

What is it trying to do here? Can you try and look what file on /dev/md3 has inode 598033? It should be called "src". Then see in the fail2ban init script what it is trying to do.

Now, the run_init_t domain is still wrong. If the "fail2ban" script is responsible, it should run in initrc_t. How did you restart fail2ban? Is it, as root, through "/etc/init.d/fail2ban restart" ?
Comment 10 Nico Baggus 2011-11-11 11:45:16 UTC
This is used: (From a sudo-ed root).
"/etc/init.d/fail2ban restart"

Then I enter the password for the user that did the sudo.
# id -Z
root:sysadm_r:sysadm_t

The start script (after optionally creating a run directory & 
                  optionally removing a stale socket) runs:

        /usr/bin/fail2ban-client -x start &> /dev/null

Forcing a server start because of the -x.
From the /etc/fail2ban/fail2ban.conf the logfile & server socket are set to:
resp: /var/log/fail2ban.log  &  /var/run/fail2ban/fail2ban.sock
For log file also STDOUT, STDERR or SYSLOG can be set.

After that it read various components from /etc/fail2ban/*

Like jail.conf for the items to check. Filters are specified in
/etc/fail2ban/filter.d/* and actions are specified in /etc/fail2ban/action.d/*

This is f.e. the ssh jail:

[ssh-iptables]
enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
           sendmail-whois[name=SSH, dest=mail@example.com, sender=fail2ban@example.com]
logpath  = /var/log/sshd/current
maxretry = 3

[lighttpd-fastcgi]
enabled = false
port    = http,https
filter  = lighttpd-fastcgi
# adapt the following two items as needed
logpath = /var/log/lighttpd/error.log
maxretry = 5

so various log files can be referenced as well.
Comment 11 Nico Baggus 2011-11-11 11:47:43 UTC
the sshd logfile is influenced by the use of metalog...
(which keeps the current log for a filter (here sshd) in a file named current, which gets renamed & refreshed @ midnight...)
Comment 12 Sven Vermeulen (RETIRED) gentoo-dev 2011-12-10 14:55:02 UTC
Three aspects currently:

(1.) The "run_init_t" related AVC denials are issues and shouldn't occur. I can't reproduce them either, so I guess it is due to a wrong label. Do you still have this?

(2.) The "initrc_t" domain that wants to write a socket in fail2ban_var_run_t is confirmed and should be allowed. I'll grant fail2ban_stream_connect to initrc_t.

(3.) The "initrc_t" domain that wants to write in /usr directories is confirmed but should not be allowed. This is most likely python trying to write its compiled bytecode next to the .py files. However, /usr should never be written to during day-to-day operations. Going to dontaudit this as this doesn't pose a problem for the functioning of fail2ban.

What else do we need to counter?
Comment 13 Nico Baggus 2011-12-10 22:21:06 UTC
emerge'd newest fail2ban (today 2011-12-10, fail2ban-0.8.4-r3).
Message after upgrade:

type=AVC msg=audit(1323552276.002:11491): avc:  denied  { entrypoint } for  pid=14685 comm="sudo" path="/etc/init.d/fail2ban" dev=md3 ino=905497 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:initrc_exec_t tclass=file
type=SYSCALL msg=audit(1323552276.002:11491): arch=40000003 syscall=11 success=yes exit=0 a0=101527d0 a1=1014e418 a2=1014e538 a3=589ad91c items=0 ppid=14682 pid=14685 auid=2000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=32 comm="fail2ban" exe="/bin/bash" subj=root:sysadm_r:sysadm_t key=(null)
type=AVC msg=audit(1323552282.777:11492): avc:  denied  { connectto } for  pid=15180 comm="fail2ban-client" path="/var/run/fail2ban/fail2ban.sock" scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:fail2ban_t tclass=unix_stream_socket
type=SYSCALL msg=audit(1323552282.777:11492): arch=40000003 syscall=102 success=yes exit=0 a0=3 a1=58bcb980 a2=4936de64 a3=4902fea8 items=0 ppid=15170 pid=15180 auid=2000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=32 comm="fail2ban-client" exe="/usr/bin/python2.7" subj=root:sysadm_r:sysadm_t key=(null)
type=AVC msg=audit(1323552286.314:11503): avc:  denied  { connectto } for  pid=15230 comm="fail2ban-server" path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:fail2ban_t tclass=unix_stream_socket
type=SYSCALL msg=audit(1323552286.314:11503): arch=40000003 syscall=102 success=yes exit=0 a0=3 a1=5de15fc0 a2=512deef8 a3=4 items=0 ppid=1 pid=15230 auid=2000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=32 comm="fail2ban-server" exe="/usr/bin/python2.7" subj=root:sysadm_r:sysadm_t key=(null)
type=AVC msg=audit(1323552286.335:11504): avc:  denied  { search } for  pid=9132 comm="gam_server" name="15230" dev=proc ino=1437847 scontext=system_u:system_r:fail2ban_t tcontext=root:sysadm_r:sysadm_t tclass=dir
type=AVC msg=audit(1323552286.335:11504): avc:  denied  { read } for  pid=9132 comm="gam_server" name="cmdline" dev=proc ino=1437848 scontext=system_u:system_r:fail2ban_t tcontext=root:sysadm_r:sysadm_t tclass=file
type=AVC msg=audit(1323552286.335:11504): avc:  denied  { open } for  pid=9132 comm="gam_server" name="cmdline" dev=proc ino=1437848 scontext=system_u:system_r:fail2ban_t tcontext=root:sysadm_r:sysadm_t tclass=file
type=SYSCALL msg=audit(1323552286.335:11504): arch=40000003 syscall=5 success=yes exit=8 a0=11918e70 a1=0 a2=1b6 a3=11917c18 items=0 ppid=1 pid=9132 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="gam_server" exe="/usr/libexec/gam_server" subj=system_u:system_r:fail2ban_t key=(null)
type=AVC msg=audit(1323552286.336:11505): avc:  denied  { getattr } for  pid=9132 comm="gam_server" path="/proc/15230/cmdline" dev=proc ino=1437848 scontext=system_u:system_r:fail2ban_t tcontext=root:sysadm_r:sysadm_t tclass=file
type=SYSCALL msg=audit(1323552286.336:11505): arch=40000003 syscall=197 success=yes exit=0 a0=8 a1=5f0ee1d4 a2=5657ae54 a3=11917c18 items=0 ppid=1 pid=9132 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="gam_server" exe="/usr/libexec/gam_server" subj=system_u:system_r:fail2ban_t key=(null)
type=AVC msg=audit(1323552286.562:11506): avc:  denied  { dac_read_search } for  pid=9132 comm="gam_server" capability=2  scontext=system_u:system_r:fail2ban_t tcontext=system_u:system_r:fail2ban_t tclass=capability
type=SYSCALL msg=audit(1323552286.562:11506): arch=40000003 syscall=292 success=yes exit=4 a0=3 a1=11918128 a2=1002fc6 a3=1192b788 items=0 ppid=1 pid=9132 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="gam_server" exe="/usr/libexec/gam_server" subj=system_u:system_r:fail2ban_t key=(null)


restorecon doesn't report any anomalies for fail2ban,
(the gam_server ones might be new, as I replaced famd by gamin;
famd held some files open & locked)
Comment 14 Sven Vermeulen (RETIRED) gentoo-dev 2011-12-11 11:42:59 UTC
type=AVC msg=audit(1323552276.002:11491): avc:  denied  { entrypoint } for 
pid=14685 comm="sudo" path="/etc/init.d/fail2ban" dev=md3 ino=905497
scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:initrc_exec_t
tclass=file

this is wrong and causes a lot of denials later. I suspect that you did "sudo /etc/init.d/fail2ban start". Can you try first getting a shell with sudo ("sudo bash") and then run "/etc/init.d/fail2ban start" ?

Support for directly executing from within sudo is still something to do. The entrypoint failure is because sysadm_t is not allowed to transition to initrc_t directly (only through run_init). By first calling a shell (note that "sudo -i" doesn't work properly either) you get a clean start.

See also bug #394315
Comment 15 Sven Vermeulen (RETIRED) gentoo-dev 2011-12-11 11:45:47 UTC
BTW, what does fail2ban have to do with gamin? That's not a daemon it needs to scan for in order to invoke possible firewall rules does it?
Comment 16 Sven Vermeulen (RETIRED) gentoo-dev 2011-12-11 13:51:10 UTC
First part of patches are currently in hardened-dev overlay, but I keep this one as IN_PROGRESS as I don't think we're there yet.
Comment 17 Nico Baggus 2011-12-11 20:08:12 UTC
First sudo, then /etc/init.d/fail2ban start
(asks for password like sudo)

type=AVC msg=audit(1323633501.049:14598): avc:  denied  { read } for pid=20718 comm="rc" name="profile.env" dev=md3 ino=905263 scontext=root:sysadm_r:run_init_t tcontext=system_u:object_r:etc_runtime_t tclass=file
type=AVC msg=audit(1323633501.049:14598): avc:  denied  { open } for  pid=20718 comm="rc" name="profile.env" dev=md3 ino=905263 scontext=root:sysadm_r:run_init_t tcontext=system_u:object_r:etc_runtime_t tclass=file
type=AVC msg=audit(1323633501.050:14599): avc:  denied  { getattr } for  pid=20718 comm="rc" path="/etc/profile.env" dev=md3 ino=905263 scontext=root:sysadm_r:run_init_t tcontext=system_u:object_r:etc_runtime_t tclass=file
type=AVC msg=audit(1323633504.246:14601): avc:  denied  { search } for  pid=20735 comm="fail2ban-client" name="<username>" dev=md3 ino=420163 scontext=system_u:system_r:fail2ban_t tcontext=staff_u:object_r:user_home_dir_t tclass=dir
type=AVC msg=audit(1323633504.665:14602): avc:  denied  { connectto } for  pid=20735 comm="fail2ban-client" path="/var/run/fail2ban/fail2ban.sock" scontext=system_u:system_r:fail2ban_t tcontext=root:sysadm_r:sysadm_t tclass=unix_stream_socket
type=AVC msg=audit(1323633507.664:14610): avc:  denied  { use } for  pid=5949 comm="loop0" path="/data/var_amavis.ext4" dev=md7 ino=49156 scontext=system_u:system_r:kernel_t tcontext=system_u:system_r:mount_t tclass=fd
type=AVC msg=audit(1323633507.664:14611): avc:  denied  { read } for  pid=5949 comm="loop0" path="/data/var_amavis.ext4" dev=md7 ino=49156 scontext=system_u:system_r:kernel_t tcontext=root:object_r:default_t tclass=file
type=AVC msg=audit(1323633509.742:14612): avc:  denied  { execute_no_trans } for  pid=20778 comm="fail2ban-client" path="/usr/bin/fail2ban-server" dev=md3 ino=598793 scontext=system_u:system_r:fail2ban_t tcontext=system_u:object_r:fail2ban_exec_t tclass=file
type=AVC msg=audit(1323633511.146:14613): avc:  denied  { dac_read_search } for  pid=9132 comm="gam_server" capability=2  scontext=system_u:system_r:fail2ban_t tcontext=system_u:system_r:fail2ban_t tclass=capability
Comment 18 Nico Baggus 2011-12-11 20:23:14 UTC
The server part is built with gamin
/usr/share/fail2ban/server/filtergamin.py  is part for the server.
polling is used if gamin is not available.

(it's not mentioned as a dependency in the ebuild, it is optional though.)
Comment 19 Nico Baggus 2011-12-11 20:44:41 UTC
BTW
gamin is used to get notified of changes in files that are tracked  for new log lines.
Comment 20 Sven Vermeulen (RETIRED) gentoo-dev 2011-12-26 16:22:17 UTC
I'm still having difficulties trying to reproduce.

Why is "rc" running in the run_init_t domain? When sysadm_t calls an initrc_exec_t file, it transitions to run_init_t, which calls runscript (rc) causing Portage to transition the domain to initrc_t. And this should be done before the code in the init script is executed...

The following line can be ignored:

type=AVC msg=audit(1323633504.246:14601): avc:  denied  { search } for 
pid=20735 comm="fail2ban-client" name="<username>" dev=md3 ino=420163
scontext=system_u:system_r:fail2ban_t tcontext=staff_u:object_r:user_home_dir_t
tclass=dir

The following line is weird, because the socket shouldn't be a sysadm_t one. Mine here is fail2ban_var_run_t as is expected.

type=AVC msg=audit(1323633504.665:14602): avc:  denied  { connectto } for 
pid=20735 comm="fail2ban-client" path="/var/run/fail2ban/fail2ban.sock"
scontext=system_u:system_r:fail2ban_t tcontext=root:sysadm_r:sysadm_t
tclass=unix_stream_socket

The amavis-related denials are not related to fail2ban afaik.

From the next denial, I guess fail2ban-client is still marked as fail2ban_exec_t on your system. From looking at online sources and consulting with #selinux I don't think it needs to be marked that way, so back to bin_t with that ;-)

type=AVC msg=audit(1323633509.742:14612): avc:  denied  { execute_no_trans }
for  pid=20778 comm="fail2ban-client" path="/usr/bin/fail2ban-server" dev=md3
ino=598793 scontext=system_u:system_r:fail2ban_t
tcontext=system_u:object_r:fail2ban_exec_t tclass=file
Comment 21 Nico Baggus 2011-12-27 13:37:30 UTC
I don't exactly grasp the rc problem with initrc_exec_t; the effect I see is I need to type my password every time I try to restart an /etc/init.d/whatever script unless I ran such a script a short time ago, just like sudo works.
I am not aware of a conscious choice that should have been or has been made during the setup of the hardened profile on this system.
Anything that might be wrong on the /etc/init.d or rc stuff?
# ls -lZ /etc/init.d/fail2ban
-rwxr-xr-x. 1 root root system_u:object_r:initrc_exec_t 1552 Dec 10 22:23 /etc/init.d/fail2ban


wrt. the socket, fail2ban has been restarted a few times, it might be a false positive from the past.

The amavis related ones are mountpoints to containers on another disk
--> mountpoints issue denial warnings... probably something of rc checking some status? or it might be anything... It might be another new issue though.

fail2ban-client was marked fail2ban_exec_t.


These are current settings:
# ls -lZ /usr/bin/fail2ban-client /var/run/fail2ban/fail2ban.sock
-rwxr-xr-x. 1 root root system_u:object_r:bin_t              11494 Dec 10 22:23 /usr/bin/fail2ban-client
srwx------. 1 root root system_u:object_r:fail2ban_var_run_t     0 Dec 17 00:50 /var/run/fail2ban/fail2ban.sock

restart now shows:

# /etc/init.d/fail2ban restart
Authenticating xxxxx.
Password:
 * Caching service dependencies ...                                       [ ok ]
 * Use of the opts variable is deprecated and will be
 * removed in the future.
 * Please use extra_commands or extra_started_commands.
 * Stopping fail2ban ...                                                  [ ok ]
 * Use of the opts variable is deprecated and will be
 * removed in the future.
 * Please use extra_commands or extra_started_commands.
 * Starting fail2ban ...                                                

login with my name then sudo -s gives:
# id -Z
root:sysadm_r:sysadm_t
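The label checks in this thread (file_contexts in Comment 4, ls -lZ in Comment 7, the fail2ban-client mislabel diagnosed in Comment 20 and confirmed in Comment 21) amount to: compute what file_contexts says a path should be and compare with what ls -lZ shows. The script below is an added example, not code from the bug or from the Gentoo policy packages. It embeds the file_contexts lines from Comment 4 plus two generic refpolicy-style fallback entries for /usr/bin and /etc/init.d (assumed here, since the grep in Comment 4 only printed lines matching "fail2ban"), and an ls -lZ listing modelled on Comment 7 in which fail2ban-client carries the fail2ban_exec_t label described in Comment 21. Matching follows the libselinux lookup rule, last matching entry wins, applied to the listed order.

```python
import re

# file_contexts as posted in Comment 4, preceded by two generic entries (assumed, refpolicy style)
# that the grep output did not show. Raw string: the backslashes are part of the regexes.
FILE_CONTEXTS = r"""
/usr/bin(/.*)?                  system_u:object_r:bin_t
/etc/init\.d/.*         --      system_u:object_r:initrc_exec_t
/var/run/fail2ban.*     system_u:object_r:fail2ban_var_run_t
/var/lib/fail2ban(/.*)? system_u:object_r:fail2ban_var_lib_t
/usr/bin/fail2ban       --      system_u:object_r:fail2ban_exec_t
/var/log/fail2ban\.log  --      system_u:object_r:fail2ban_log_t
/usr/bin/fail2ban-server        --      system_u:object_r:fail2ban_exec_t
/etc/rc\.d/init\.d/fail2ban     --      system_u:object_r:fail2ban_initrc_exec_t
"""

# Constructed ls -lZ listing in the shape of Comment 7; fail2ban-client is given the
# fail2ban_exec_t label that Comment 21 confirms it had, the rest are as posted.
LS_Z = """
-rwxr-xr-x. 1 root root system_u:object_r:fail2ban_exec_t 11494 Oct 25 18:31 /usr/bin/fail2ban-client
-rwxr-xr-x. 1 root root system_u:object_r:bin_t           10703 Oct 25 18:31 /usr/bin/fail2ban-regex
-rwxr-xr-x. 1 root root system_u:object_r:fail2ban_exec_t  4223 Oct 25 18:31 /usr/bin/fail2ban-server
-rwxr-xr-x. 1 root root system_u:object_r:initrc_exec_t 1552 Oct 25 18:31 /etc/init.d/fail2ban
srwx------. 1 root root system_u:object_r:fail2ban_var_run_t 0 Dec 17 00:50 /var/run/fail2ban/fail2ban.sock
"""

# First character of the ls(1) mode column -> file_contexts type field
LS_TYPE_TO_FC = {'-': '--', 'd': '-d', 's': '-s', 'l': '-l', 'c': '-c', 'b': '-b', 'p': '-p'}


def parse_file_contexts(text):
    """Return [(compiled regex, type field or None, context or None)] in file order.
    Two-field lines apply to every file type; '<<none>>' means 'do not relabel'."""
    specs = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith('#'):
            continue
        if len(fields) == 3:
            regex, ftype, ctx = fields
        elif len(fields) == 2:
            (regex, ctx), ftype = fields, None
        else:
            raise ValueError('malformed file_contexts line: %r' % line)
        specs.append((re.compile(regex), ftype, None if ctx == '<<none>>' else ctx))
    return specs


def expected_context(specs, path, fc_type):
    """The label file_contexts assigns to path: last matching entry wins, and an entry
    with a type field only applies to files of that type. None if nothing matches."""
    for regex, ftype, ctx in reversed(specs):
        if ftype is not None and ftype != fc_type:
            continue
        if regex.fullmatch(path):
            return ctx
    return None


def parse_ls_z(line):
    """(path, file_contexts type code, observed context) from one 'ls -lZ' line."""
    fields = line.split()
    return fields[-1], LS_TYPE_TO_FC[fields[0][0]], fields[4]


def check_labels(fc_text, ls_text):
    """{path: (observed, expected)} for every listed file whose on-disk label differs
    from what file_contexts would assign (what 'restorecon -nv' would report)."""
    specs = parse_file_contexts(fc_text)
    mismatches = {}
    for line in ls_text.splitlines():
        if not line.strip():
            continue
        path, fc_type, observed = parse_ls_z(line)
        expected = expected_context(specs, path, fc_type)
        if expected != observed:
            mismatches[path] = (observed, expected)
    return mismatches


if __name__ == '__main__':
    for path, (observed, expected) in sorted(check_labels(FILE_CONTEXTS, LS_Z).items()):
        print('%s: is %s, file_contexts says %s' % (path, observed, expected))
```

On the sample it flags only /usr/bin/fail2ban-client: no fail2ban-specific entry matches that path, so the generic /usr/bin rule applies and the expected label is bin_t, which is the conclusion reached in Comment 20. On a live system, restorecon -nv on the same paths gives the authoritative answer; the script is useful for reasoning about a file_contexts snippet offline, for instance when reviewing a policy package before installing it.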
Comment 22 Sven Vermeulen (RETIRED) gentoo-dev 2011-12-27 14:10:33 UTC
The contexts match what I have here, so hopefully are okay.

You indeed have to re-authenticate often, see http://www.gentoo.org/proj/en/hardened/selinux-faq.xml#auth-run_init (Why do I always need to re-authenticate when operating init scripts).

It looks like your context is correct. I don't know if you are already running in enforcing mode or not, but if you aren't, can you do something equivalent to this?

# rc-service fail2ban stop
# > /var/log/avc.log
# setenforce 1
# rc-service fail2ban start
# setenforce 0

and then look at /var/log/avc.log (perhaps wgetpaste it by then so that future additions aren't going to clutter it) again? Also, if fail2ban starts well with that, wait with "setenforce 0" and have it running for a while. Note however that, as long as you don't "setenforce 0" SELinux will be running in enforcing mode, so other operations that you do on your system might feel this effect as well.
Comment 23 Nico Baggus 2011-12-27 17:13:59 UTC

setenforce 1 caused a few messages... (> 75614).
Those 75K messages are mostly of the amavis kind (245) or radvd being disallowed to read a rawip socket (75350):
 [ type=AVC msg=audit(1325004244.152:174306): avc:  denied  { read } for  pid=20724 comm="radvd" lport=58 scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=rawip_socket ]

None of the fail2ban ones were seen. (btw. /var/log/avc.log is still empty; those messages are from audit.log{,.[1-3]}, written by the auditd daemon).

I'll try again with radvd (routing advertiser for IPv6) temporarily stopped.
Giving about ~1.6MB of logging
 http://dpaste.com/678349/   (audit.log.gz compressed)

The amavis errors ARE related, because amavis sends a mail to indicate a state change (start -> stop & stop -> start), and probably any access to the amavis partition (mounted as loopback because /var grew too small; selinux requires it to be on /var && [ much less important: /var is on a mirror disk & most of the amavis data (old spam messages ;-) doesn't need a mirror disk ], hence a mount -o loop /data/var_amavis.ext4 /var/amavis ... )

btw, fail2ban still uses the opts variable instead of extra_commands and complains.
Comment 24 Nico Baggus 2011-12-27 17:17:26 UTC
Oh, and mail delivery does fail during setenforce 1; the mails are passed on to the amavis manager as UNCHECKED mail. So I intend to keep it non-enforcing for now.
Comment 25 Sven Vermeulen (RETIRED) gentoo-dev 2011-12-27 19:14:04 UTC
Okay, amavis issues are related because they are triggered, but they aren't related to the fail2ban SELinux domain definition.

I noticed that you opened a new bug for the radvd issue - that's good. Regarding the amavis one, that wouldn't be bad either. I don't think the issue is with amavis but rather how the loop device is mounted and which label(s) it gets. To debug that, we'd need to do the entire loop-mounting thing step by step and watch the first denials there (and not the denials we get after it is mounted).

Okay if I close down the fail2ban one (this one) and look at the radvd separately? It looks like radvd requires its own domain (it is currently running in sysadm_t)...
Comment 26 Nico Baggus 2011-12-28 00:36:50 UTC
Ok, I just checked dpaste and it looks horrible.
I grepped the relevant parts from the original log file (non-loop & AVC only):

type=AVC msg=audit(1325005122.281:181730): avc:  denied  { read } for  pid=8881 comm="exe" name="passwd" dev=md3 ino=908369 scontext=system_u:system_r:initrc_t tcontext=root:object_r:shadow_t tclass=file
type=AVC msg=audit(1325005122.290:181731): avc:  denied  { read } for  pid=8882 comm="exe" name="group" dev=md3 ino=908224 scontext=system_u:system_r:initrc_t tcontext=root:object_r:shadow_t tclass=file
type=AVC msg=audit(1325005122.296:181732): avc:  denied  { read } for  pid=8883 comm="exe" name="passwd" dev=md3 ino=908369 scontext=system_u:system_r:initrc_t tcontext=root:object_r:shadow_t tclass=file
type=AVC msg=audit(1325005122.300:181733): avc:  denied  { read } for  pid=8884 comm="exe" name="group" dev=md3 ino=908224 scontext=system_u:system_r:initrc_t tcontext=root:object_r:shadow_t tclass=file
type=AVC msg=audit(1325005139.270:187162): avc:  denied  { search } for  pid=8911 comm="fail2ban-server" name="home" dev=md3 ino=420161 scontext=system_u:system_r:fail2ban_t tcontext=system_u:object_r:home_root_t tclass=dir
type=AVC msg=audit(1325005139.694:187163): avc:  denied  { search } for  pid=8915 comm="gam_server" name="root" dev=md3 ino=468641 scontext=system_u:system_r:fail2ban_t tcontext=root:object_r:user_home_dir_t tclass=dir
type=AVC msg=audit(1325005140.029:187164): avc:  denied  { dac_read_search } for  pid=8915 comm="gam_server" capability=2  scontext=system_u:system_r:fail2ban_t tcontext=system_u:system_r:fail2ban_t tclass=capability
type=AVC msg=audit(1325005141.299:187683): avc:  denied  { read } for  pid=8947 comm="exe" name="passwd" dev=md3 ino=908369 scontext=system_u:system_r:initrc_t tcontext=root:object_r:shadow_t tclass=file


The passwd&group ones probably are the ones that have to do with the state change.
So if you think the others are normal then it can be closed.
Comment 27 Sven Vermeulen (RETIRED) gentoo-dev 2011-12-28 08:54:21 UTC
Direct access to shadow_t is never allowed, so that is to be expected. I am wondering a bit why that "exe" process would want to read /etc/shadow. This should *never* be allowed.

There are some messages about fail2ban trying to search through /home. Is this needed for anything? If so, we need to know why (just allowing search through /home won't suffice).

The last remaining hurdles I see are these:
type=AVC msg=audit(1325005139.694:187163): avc:  denied  { search } for  pid=8915 comm="gam_server" name="root" dev=md3 ino=468641 scontext=system_u:system_r:fail2ban_t tcontext=root:object_r:user_home_dir_t tclass=dir
type=AVC msg=audit(1325005140.029:187164): avc:  denied  { dac_read_search } for  pid=8915 comm="gam_server" capability=2  scontext=system_u:system_r:fail2ban_t tcontext=system_u:system_r:fail2ban_t tclass=capability

From the looks of it, fail2ban launches gam_server. We probably need to create a separate policy for gam_server and allow fail2ban to call it. But to do so, I'll need to set up a guest that runs fail2ban and gamin. You know any good pointers for this?
Comment 28 Nico Baggus 2011-12-28 09:56:36 UTC
about gamin:

emerge gamin libgamin
emerge fail2ban # needs to be done as the autoconfigure tests for gamin

that should suffice.
gamin doesn't need any configuration.

The application sends it a list of files to monitor.
And indeed, the gamin server is started by the application needing it.

The home directory most probably is because that was my default directory.
Comment 29 Nico Baggus 2011-12-28 10:00:22 UTC
maybe 

  emerge gamin libgamin 

can also be replaced with:

 emerge -1 gamin libgamin 
 emerge virtual/fam

Getting a little less crowded world file.
Comment 30 Sven Vermeulen (RETIRED) gentoo-dev 2011-12-28 14:30:52 UTC
Okay, got it working - was indeed not that difficult. To support FAM I had to add some more privileges. However, unlike earlier, I don't think it is wise to create a separate domain for gam_server. Its functionality would require that domain to have read access (or at least getattr, whatever it uses) to every possible file, whereas fail2ban needs this on log files. And I only had to do one rule to give it FAM support as well:

read_files_pattern(fail2ban_t, fail2ban_t, fail2ban_t)

This is because gam_server wants to read /proc/self/* files (which are labeled fail2ban_t here).

I did disable the sendmail-whois action not to clutter the logs, but will focus on that now to get that working as well.
Comment 31 Sven Vermeulen (RETIRED) gentoo-dev 2011-12-28 17:17:31 UTC
Okay, I also have the errors like:

avc:  denied  { read write } for  pid=12345 comm="exim" path="socket[12345]" dev=sockfs ino=12345 scontext=system_u:system_r:exim_t tcontext=system_u:system_r:fail2ban_t tclass=unix_stream_socket

On my system, it is system_mail_t (standard ssmtp install). However, it doesn't affect the functioning (I suspect this is the feedback from the sendmail application back to fail2ban) so it can be ignored.

I will include dontaudit statements for that. I guess that should be all there is to it for this one.
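The denials quoted in comment 26, the "never allow shadow_t" and "what is gam_server doing" reasoning in comment 27, and the dontaudit decision in comment 31 all come down to the same manual step: sanitize the pids and inodes, collapse the AVC records on (source type, target type, object class), and decide per group whether to allow, silence, or refuse. The script below is an added example that does exactly that; it is not code from this bug, from fail2ban, or from sec-policy/selinux-fail2ban. The sample records are the ones quoted in the thread (comment 31's line is reproduced without its audit prefix, as it was pasted), and the NEVER_ALLOW and DONTAUDIT sets are my encoding of the decisions taken in comments 27 and 31:

```python
"""Collapse SELinux AVC denials into candidate policy rules.

Added example, not code from the bug thread, from fail2ban or from the
selinux-fail2ban policy. Groups audit.log AVC records on
(source type, target type, object class), merges permissions, and prints
draft refpolicy-style rules. shadow_t targets are refused outright; the
mail transport's read/write on fail2ban's socket becomes a dontaudit rule.
"""
import re
from collections import defaultdict

# Constructed sample: the denial lines quoted in comments 26 and 31 of the thread.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1325005122.281:181730): avc:  denied  { read } for  pid=8881 comm="exe" name="passwd" dev=md3 ino=908369 scontext=system_u:system_r:initrc_t tcontext=root:object_r:shadow_t tclass=file
type=AVC msg=audit(1325005122.290:181731): avc:  denied  { read } for  pid=8882 comm="exe" name="group" dev=md3 ino=908224 scontext=system_u:system_r:initrc_t tcontext=root:object_r:shadow_t tclass=file
type=AVC msg=audit(1325005139.270:187162): avc:  denied  { search } for  pid=8911 comm="fail2ban-server" name="home" dev=md3 ino=420161 scontext=system_u:system_r:fail2ban_t tcontext=system_u:object_r:home_root_t tclass=dir
type=AVC msg=audit(1325005140.029:187164): avc:  denied  { dac_read_search } for  pid=8915 comm="gam_server" capability=2  scontext=system_u:system_r:fail2ban_t tcontext=system_u:system_r:fail2ban_t tclass=capability
avc:  denied  { read write } for  pid=12345 comm="exim" path="socket[12345]" dev=sockfs ino=12345 scontext=system_u:system_r:exim_t tcontext=system_u:system_r:fail2ban_t tclass=unix_stream_socket
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Targets that must never be opened up by an allow rule (comment 27).
NEVER_ALLOW = {"shadow_t"}
# (source, target, class) triples to silence instead of allow (comment 31);
# my choice for this example, mirroring the dontaudit decision in the thread.
DONTAUDIT = {
    ("exim_t", "fail2ban_t", "unix_stream_socket"),
    ("system_mail_t", "fail2ban_t", "unix_stream_socket"),
}


def type_of(context):
    """user:role:type[:range] -> type."""
    return context.split(":")[2]


def parse_avc(line):
    """Return a dict for one AVC denial, or None for any other line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
    return {
        "perms": frozenset(m.group("perms").split()),
        "comm": fields.get("comm", "?"),
        "stype": type_of(fields["scontext"]),
        "ttype": type_of(fields["tcontext"]),
        "tclass": fields["tclass"],
    }


def summarize(lines):
    """Group denials on (source type, target type, class); pids and inodes drop out."""
    groups = defaultdict(lambda: {"perms": set(), "comms": set(), "count": 0})
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        g = groups[(rec["stype"], rec["ttype"], rec["tclass"])]
        g["perms"] |= rec["perms"]
        g["comms"].add(rec["comm"])
        g["count"] += 1
    return dict(groups)


def draft_rules(groups):
    """Return (rules, refused): candidate rule strings, and keys we refuse to allow."""
    rules, refused = [], []
    for key in sorted(groups):
        stype, ttype, tclass = key
        if ttype in NEVER_ALLOW:
            refused.append(key)
            continue
        kind = "dontaudit" if key in DONTAUDIT else "allow"
        target = "self" if stype == ttype else ttype
        perms = " ".join(sorted(groups[key]["perms"]))
        rules.append(f"{kind} {stype} {target}:{tclass} {{ {perms} }};")
    return rules, refused


if __name__ == "__main__":
    groups = summarize(SAMPLE_AUDIT.splitlines())
    rules, refused = draft_rules(groups)
    for key in refused:
        g = groups[key]
        print(f"# refused: {' -> '.join(key)} ({g['count']} denials, comm={sorted(g['comms'])})")
    print("\n".join(rules))
```

The output is a starting point for reading, not something to load with semodule: the "allow fail2ban_t home_root_t:dir { search };" draft is precisely the rule comment 27 says won't suffice on its own, and the refused initrc_t -> shadow_t group is the one that should be chased down to whatever the "exe" process is rather than allowed.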
Comment 32 Sven Vermeulen (RETIRED) gentoo-dev 2011-12-29 18:53:19 UTC
In bug #396221 you mention that restarting fail2ban still gives you errors (now something about not being able to authenticate you).

Before you restart, check that
(1.) you are in sysadm_t domain
(2.) fail2ban runs in fail2ban_t domain
(3.) you restart it using /etc/init.d/fail2ban restart or rc-service fail2ban restart
Comment 33 Nico Baggus 2011-12-29 23:19:48 UTC
Then I was in a hurry; now, after a normal login + sudo, this is the output (the clamscan related messages are probably something different). First time after setenforce 1 (the run_init hack you mentioned lately did help here, the password is asked...).
Using /etc/init.d/fail2ban or rc-service fail2ban makes no difference.

/etc/init.d/fail2ban restart
Authenticating xxxxx.
Password: 
 * Use of the opts variable is deprecated and will be
 * removed in the future.
 * Please use extra_commands or extra_started_commands.
 * Stopping fail2ban ...                                                                                                                    [ ok ]
 * Use of the opts variable is deprecated and will be
 * removed in the future.
 * Please use extra_commands or extra_started_commands.
 * Starting fail2ban ...                                                                                                                    [ ok ]

type=AVC msg=audit(1325199949.805:197685): avc:  denied  { read } for  pid=26562 comm="exe" name="group" dev=md3 ino=908224 scontext=system_u:system_r:initrc_t tcontext=root:object_r:shadow_t tclass=file
type=AVC msg=audit(1325199949.810:197686): avc:  denied  { read } for  pid=26563 comm="exe" name="passwd" dev=md3 ino=908369 scontext=system_u:system_r:initrc_t tcontext=root:object_r:shadow_t tclass=file
type=AVC msg=audit(1325199949.816:197687): avc:  denied  { read } for  pid=26564 comm="exe" name="group" dev=md3 ino=908224 scontext=system_u:system_r:initrc_t tcontext=root:object_r:shadow_t tclass=file
type=AVC msg=audit(1325199961.673:197692): avc:  denied  { search } for  pid=26589 comm="clamdscan" name="tmp" dev=md5 ino=275303 scontext=system_u:system_r:clamscan_t tcontext=system_u:object_r:amavis_var_lib_t tclass=dir
type=AVC msg=audit(1325199961.729:197693): avc:  denied  { search } for  pid=26590 comm="clamdscan" name="tmp" dev=md5 ino=275303 scontext=system_u:system_r:clamscan_t tcontext=system_u:object_r:amavis_var_lib_t tclass=dir
type=AVC msg=audit(1325199963.079:197697): avc:  denied  { search } for  pid=26614 comm="clamdscan" name="tmp" dev=md5 ino=275303 scontext=system_u:system_r:clamscan_t tcontext=system_u:object_r:amavis_var_lib_t tclass=dir
type=AVC msg=audit(1325199963.240:197698): avc:  denied  { search } for  pid=26616 comm="clamdscan" name="tmp" dev=md5 ino=275303 scontext=system_u:system_r:clamscan_t tcontext=system_u:object_r:amavis_var_lib_t tclass=dir
type=AVC msg=audit(1325199966.271:197699): avc:  denied  { search } for  pid=26621 comm="fail2ban-server" name="home" dev=md3 ino=420161 scontext=system_u:system_r:fail2ban_t tcontext=system_u:object_r:home_root_t tclass=dir
type=AVC msg=audit(1325199966.996:197700): avc:  denied  { dac_read_search } for  pid=8915 comm="gam_server" capability=2  scontext=system_u:system_r:fail2ban_t tcontext=system_u:system_r:fail2ban_t tclass=capability
type=AVC msg=audit(1325199968.048:197707): avc:  denied  { search } for  pid=26651 comm="clamdscan" name="tmp" dev=md5 ino=275303 scontext=system_u:system_r:clamscan_t tcontext=system_u:object_r:amavis_var_lib_t tclass=dir
type=AVC msg=audit(1325199968.102:197708): avc:  denied  { search } for  pid=26652 comm="clamdscan" name="tmp" dev=md5 ino=275303 scontext=system_u:system_r:clamscan_t tcontext=system_u:object_r:amavis_var_lib_t tclass=dir
type=AVC msg=audit(1325199968.663:197709): avc:  denied  { search } for  pid=26658 comm="clamdscan" name="tmp" dev=md5 ino=275303 scontext=system_u:system_r:clamscan_t tcontext=system_u:object_r:amavis_var_lib_t tclass=dir
type=AVC msg=audit(1325199968.716:197710): avc:  denied  { search } for  pid=26659 comm="clamdscan" name="tmp" dev=md5 ino=275303 scontext=system_u:system_r:clamscan_t tcontext=system_u:object_r:amavis_var_lib_t tclass=dir




And a second one fails:
/etc/init.d/fail2ban restart
cannot find your entry in the passwd file.
Authentication failed.

With audit records...:

type=AVC msg=audit(1325200201.944:197713): avc:  denied  { read } for  pid=26711 comm="exe" name="passwd" dev=md3 ino=908369 scontext=system_u:system_r:initrc_t tcontext=root:object_r:shadow_t tclass=file
type=AVC msg=audit(1325200366.091:197730): avc:  denied  { read } for  pid=26738 comm="exe" name="group" dev=md3 ino=908224 scontext=system_u:system_r:initrc_t tcontext=root:object_r:shadow_t tclass=file
type=AVC msg=audit(1325200366.097:197731): avc:  denied  { read } for  pid=26739 comm="exe" name="passwd" dev=md3 ino=908369 scontext=system_u:system_r:initrc_t tcontext=root:object_r:shadow_t tclass=file
type=AVC msg=audit(1325200366.102:197732): avc:  denied  { read } for  pid=26740 comm="exe" name="group" dev=md3 ino=908224 scontext=system_u:system_r:initrc_t tcontext=root:object_r:shadow_t tclass=file
type=AVC msg=audit(1325200370.507:197733): avc:  denied  { read } for  pid=26742 comm="exe" name="passwd" dev=md3 ino=908369 scontext=system_u:system_r:initrc_t tcontext=root:object_r:shadow_t tclass=file

The context starts with:
id -Z
root:sysadm_r:sysadm_t
Comment 34 Sven Vermeulen (RETIRED) gentoo-dev 2011-12-30 17:58:35 UTC
You have any idea what this "exe" process is?
Comment 35 Sven Vermeulen (RETIRED) gentoo-dev 2011-12-30 20:07:56 UTC
selinux-fail2ban-2.20110726-r2 is in hardened-dev overlay

Please test this policy. If things still fail, please include both the output on-screen (how did you trigger it), fail2ban's log (/var/log/fail2ban.log) as well as the related denials (usually found through "grep fail2ban_t /var/log/avc.log").
Comment 36 Nico Baggus 2011-12-31 02:04:48 UTC
(In reply to comment #34)
> You have any idea what this "exe" process is?

I don't have the faintest idea.

The only references i found are the /proc/[0-9]+/exe /proc/[0-9]+/task/[0-9]+/exe symlinks pointing to the executables.

I thought it was something from within the rc system.
Comment 37 Nico Baggus 2011-12-31 07:08:18 UTC
# /etc/init.d/fail2ban restart
Authenticating root.
Password: 
 * Use of the opts variable is deprecated and will be
 * removed in the future.
 * Please use extra_commands or extra_started_commands.
 * Stopping fail2ban ...                                                                                                                    [ ok ]
 * Use of the opts variable is deprecated and will be
 * removed in the future.
 * Please use extra_commands or extra_started_commands.
 * Starting fail2ban ...
 * Failed to start fail2ban                                                                                                                 [ !! ]
 * ERROR: fail2ban failed to start
firewall ~ # tail /var/log/everything/current 
Dec 31 04:20:08 [pppd] Connect time 13320.4 minutes.
Dec 31 04:20:08 [pppd] Sent 1701277214 bytes, received 3166309510 bytes.
Dec 31 04:20:08 [radvd] attempting to reread config file
Dec 31 04:20:08 [radvd] Warning: AdvRDNSSLifetime <= 2*MaxRtrAdvInterval would allow stale DNS servers to be deleted faster
Dec 31 04:20:08 [radvd] Warning: AdvDNSSLLifetime <= 2*MaxRtrAdvInterval would allow stale DNS suffixes to be deleted faster
Dec 31 04:20:08 [radvd] Warning: AdvRDNSSLifetime <= 2*MaxRtrAdvInterval would allow stale DNS servers to be deleted faster
Dec 31 04:20:08 [radvd] Warning: AdvDNSSLLifetime <= 2*MaxRtrAdvInterval would allow stale DNS suffixes to be deleted faster
Dec 31 04:20:08 [pppd] Failed to disconnect PPPoE socket: 13 Permission denied
Dec 31 04:20:08 [pppd] Modem hangup
Dec 31 04:20:08 [radvd] resuming normal operation
firewall ~ # /etc/init.d/fail2ban start  
Authenticating root.
Password: 
 * Use of the opts variable is deprecated and will be
 * removed in the future.
 * Please use extra_commands or extra_started_commands.
 * Starting fail2ban ...
 * Failed to start fail2ban                                                                                                                 [ !! ]
 * ERROR: fail2ban failed to start
firewall ~ # tail /var/log/fail
fail2ban.log              fail2ban.log-20111226.gz  fail2ban.log-20111228.gz  fail2ban.log-20111230.gz  faillog
fail2ban.log-20111225.gz  fail2ban.log-20111227.gz  fail2ban.log-20111229.gz  fail2ban.log-20111231.gz  
firewall ~ # tail /var/log/fail2ban.log
2011-12-31 03:10:13,128 fail2ban.server : INFO   Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.4
2011-12-31 04:19:16,351 fail2ban.jail   : INFO   Jail 'sip-iptables' stopped
2011-12-31 04:19:16,470 fail2ban.actions: WARNING [ssh-iptables] Unban 74.86.227.50
2011-12-31 04:19:16,583 fail2ban.actions: WARNING [ssh-iptables] Unban 178.211.55.46
2011-12-31 04:19:17,042 fail2ban.jail   : INFO   Jail 'ssh-iptables' stopped
2011-12-31 04:19:17,093 fail2ban.server : INFO   Exiting Fail2ban
firewall ~ # fail
fail2ban-regex  faillog         
firewall ~ # fail
fail2ban-regex  faillog         
firewall ~ # setenforce 0   
firewall ~ # /etc/init.d/fail2ban start
Authenticating root.
 * Use of the opts variable is deprecated and will be
 * removed in the future.
 * Please use extra_commands or extra_started_commands.
 * Starting fail2ban ...                                                                                                                    [ ok ]

# id -Z
root:sysadm_r:sysadm_t
# tail -n 50 /var/log/fail2ban.log
2011-12-31 03:10:13,128 fail2ban.server : INFO   Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.4
2011-12-31 04:19:16,351 fail2ban.jail   : INFO   Jail 'sip-iptables' stopped
2011-12-31 04:19:16,470 fail2ban.actions: WARNING [ssh-iptables] Unban 74.86.227.50
2011-12-31 04:19:16,583 fail2ban.actions: WARNING [ssh-iptables] Unban 178.211.55.46
2011-12-31 04:19:17,042 fail2ban.jail   : INFO   Jail 'ssh-iptables' stopped
2011-12-31 04:19:17,093 fail2ban.server : INFO   Exiting Fail2ban
2011-12-31 04:22:01,166 fail2ban.server : INFO   Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.4
2011-12-31 04:22:01,170 fail2ban.jail   : INFO   Creating new jail 'ssh-iptables'
2011-12-31 04:22:01,192 fail2ban.jail   : INFO   Jail 'ssh-iptables' uses Gamin
2011-12-31 04:22:01,499 fail2ban.filter : INFO   Added logfile = /var/log/sshd/current
2011-12-31 04:22:01,501 fail2ban.filter : INFO   Set maxRetry = 3
2011-12-31 04:22:01,510 fail2ban.filter : INFO   Set findtime = 3600
2011-12-31 04:22:01,515 fail2ban.actions: INFO   Set banTime = 172800
2011-12-31 04:22:01,765 fail2ban.jail   : INFO   Creating new jail 'sip-iptables'
2011-12-31 04:22:01,766 fail2ban.jail   : INFO   Jail 'sip-iptables' uses Gamin
2011-12-31 04:22:01,775 fail2ban.filter : INFO   Added logfile = /var/log/asterisk/full
2011-12-31 04:22:01,780 fail2ban.filter : INFO   Set maxRetry = 10
2011-12-31 04:22:01,789 fail2ban.filter : INFO   Set findtime = 3600
2011-12-31 04:22:01,793 fail2ban.actions: INFO   Set banTime = 172800
2011-12-31 04:22:01,901 fail2ban.jail   : INFO   Jail 'ssh-iptables' started
2011-12-31 04:22:01,918 fail2ban.jail   : INFO   Jail 'sip-iptables' started
2011-12-31 04:22:02,088 fail2ban.actions.action: ERROR  iptables -N fail2ban-SIP
iptables -A fail2ban-SIP -j RETURN
iptables -I INPUT -p udp --dport 5060 -j fail2ban-SIP returned 200


cat audit.log | grep fail2ban | grep avc:
type=AVC msg=audit(1325301554.834:202337): avc:  denied  { search } for  pid=8228 comm="fail2ban-client" name="home" dev=md3 ino=420161 scontext=system_u:system_r:fail2ban_t tcontext=system_u:object_r:home_root_t tclass=dir
type=AVC msg=audit(1325301557.898:202351): avc:  denied  { search } for  pid=8272 comm="fail2ban-client" name="home" dev=md3 ino=420161 scontext=system_u:system_r:fail2ban_t tcontext=system_u:object_r:home_root_t tclass=dir
type=AVC msg=audit(1325301560.106:202354): avc:  denied  { execute_no_trans } for  pid=8277 comm="fail2ban-client" path="/usr/bin/fail2ban-server" dev=md3 ino=598793 scontext=system_u:system_r:fail2ban_t tcontext=system_u:object_r:fail2ban_exec_t tclass=file
type=AVC msg=audit(1325301560.112:202355): avc:  denied  { execute_no_trans } for  pid=8277 comm="fail2ban-client" path="/usr/bin/fail2ban-server" dev=md3 ino=598793 scontext=system_u:system_r:fail2ban_t tcontext=system_u:object_r:fail2ban_exec_t tclass=file
type=AVC msg=audit(1325301648.805:202476): avc:  denied  { search } for  pid=8730 comm="fail2ban-client" name="home" dev=md3 ino=420161 scontext=system_u:system_r:fail2ban_t tcontext=system_u:object_r:home_root_t tclass=dir
type=AVC msg=audit(1325301649.702:202477): avc:  denied  { execute_no_trans } for  pid=8731 comm="fail2ban-client" path="/usr/bin/fail2ban-server" dev=md3 ino=598793 scontext=system_u:system_r:fail2ban_t tcontext=system_u:object_r:fail2ban_exec_t tclass=file
type=AVC msg=audit(1325301649.706:202478): avc:  denied  { execute_no_trans } for  pid=8731 comm="fail2ban-client" path="/usr/bin/fail2ban-server" dev=md3 ino=598793 scontext=system_u:system_r:fail2ban_t tcontext=system_u:object_r:fail2ban_exec_t tclass=file
type=AVC msg=audit(1325301719.759:202483): avc:  denied  { search } for  pid=8749 comm="fail2ban-client" name="nico" dev=md3 ino=420163 scontext=system_u:system_r:fail2ban_t tcontext=staff_u:object_r:user_home_dir_t tclass=dir
type=AVC msg=audit(1325301720.655:202484): avc:  denied  { execute_no_trans } for  pid=8750 comm="fail2ban-client" path="/usr/bin/fail2ban-server" dev=md3 ino=598793 scontext=system_u:system_r:fail2ban_t tcontext=system_u:object_r:fail2ban_exec_t tclass=file
type=AVC msg=audit(1325301721.772:202485): avc:  denied  { dac_read_search } for  pid=8754 comm="gam_server" capability=2  scontext=system_u:system_r:fail2ban_t tcontext=system_u:system_r:fail2ban_t tclass=capability
Comment 38 Sven Vermeulen (RETIRED) gentoo-dev 2011-12-31 10:38:03 UTC
It looks like your client is still marked as fail2ban_exec_t instead of bin_t? The denials show that fail2ban_t tries to execute something labeled fail2ban_exec_t.
Comment 39 Nico Baggus 2011-12-31 17:45:59 UTC
Yep:

firewall ~ # ls -lZ /usr/bin/fail2ban-*
-rwxr-xr-x. 1 root root system_u:object_r:fail2ban_exec_t 11494 Dec 10 22:23 /usr/bin/fail2ban-client
-rwxr-xr-x. 1 root root system_u:object_r:bin_t           10703 Dec 10 22:23 /usr/bin/fail2ban-regex
-rwxr-xr-x. 1 root root system_u:object_r:fail2ban_exec_t  4223 Dec 10 22:23 /usr/bin/fail2ban-server

firewall ~ # rlpkg -r fail2ban
Relabeling: net-analyzer/fail2ban-0.8.4-r3

firewall ~ # ls -lZ /usr/bin/fail2ban-*
-rwxr-xr-x. 1 root root system_u:object_r:fail2ban_exec_t 11494 Dec 10 22:23 /usr/bin/fail2ban-client
-rwxr-xr-x. 1 root root system_u:object_r:bin_t           10703 Dec 10 22:23 /usr/bin/fail2ban-regex
-rwxr-xr-x. 1 root root system_u:object_r:fail2ban_exec_t  4223 Dec 10 22:23 /usr/bin/fail2ban-server

# eix fail2ban
[I] net-analyzer/fail2ban
     Available versions:  0.8.4-r3 ~0.8.4-r4 ~0.8.6 {selinux}
     Installed versions:  0.8.4-r3(22:23:51 12/10/11)(selinux)
     Homepage:            http://fail2ban.sourceforge.net/
     Description:         Bans IP that make too many password failures

* net-analyzer/nagios-check_fail2ban
     Available versions:  ~3
     Homepage:            https://github.com/hollow/check_fail2ban
     Description:         A nagios plugin for checking the fail2ban daemon

[I] sec-policy/selinux-fail2ban
     Available versions:  2.20110726 (~)2.20110726-r1 (~)2.20110726-r2[1]
     Installed versions:  2.20110726-r2[1](02:40:47 12/31/11)
     Homepage:            http://www.gentoo.org/proj/en/hardened/selinux/
     Description:         SELinux policy for fail2ban

[1] "hardened-dev" /var/lib/layman/hardened-development

So where did it go wrong?

This maybe:
#  cat  /etc/selinux/strict/contexts/files/file_contexts.local                         
# This file is auto-generated by libsemanage
# Do not edit directly.

/usr/bin/fail2ban-client    system_u:object_r:fail2ban_exec_t

Yep... Removing that and running rlpkg again solved it. Now, as the file is auto-generated,
will it come back?
Comment 40 Nico Baggus 2011-12-31 17:58:50 UTC
Is it possible to dump/decompile a .pp file? (I understand the comments are gone ;-)

Or are the sources kept somewhere?
Comment 41 Sven Vermeulen (RETIRED) gentoo-dev 2011-12-31 20:15:18 UTC
It will come back unless you deregister it:

semanage fcontext -d -t fail2ban_exec_t "/usr/bin/fail2ban-client"

There are some tools (but not available on Gentoo) that decompose a .pp module, but I heard little success on this. But if you want to see the sources, try "ebuild /usr/portage/sec-policy/selinux-fail2ban/selinux-fail2ban-2.20110726-r1.ebuild prepare", then go to /var/tmp/portage/sec-policy/selinux-fail2ban/work/strict and you'll find the fail2ban sources.

Substitute the path with the correct one of course (for instance, the overlays by layman are somewhere in /var/lib/layman).
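What comments 39 and 41 show is a precedence question: rlpkg relabels from the policy's file_contexts plus the libsemanage-managed file_contexts.local, and the local entry wins until it is deregistered. The script below is an added example, not code from this bug, from libselinux or from sec-policy/selinux-fail2ban; it models that lookup under two assumptions stated here rather than taken from the page: entries are anchored regular expressions, and later-loaded entries take precedence, with file_contexts.local loaded after the policy's own file_contexts. The policy file_contexts sample is constructed to reproduce the labels comment 39 observed after -r2 (the module's real .fc is not reproduced), and deregister() stands in for "semanage fcontext -d":

```python
"""Why a file_contexts.local entry keeps winning until it is deregistered.

Added example, not code from the thread, from libselinux or from the
selinux-fail2ban policy. Models the spec lookup setfiles/rlpkg perform:
anchored regexes, last loaded match wins, file_contexts.local loaded last.
"""
import re

# Constructed stand-in for the policy's file_contexts with selinux-fail2ban -r2
# installed (not the module's real .fc), most specific entry last.
FILE_CONTEXTS = """\
/usr/bin/.*                  system_u:object_r:bin_t
/usr/bin/fail2ban-server  -- system_u:object_r:fail2ban_exec_t
/var/run/fail2ban(/.*)?      system_u:object_r:fail2ban_var_run_t
"""

# The entry comment 39 found in /etc/selinux/strict/contexts/files/file_contexts.local.
FILE_CONTEXTS_LOCAL = """\
# This file is auto-generated by libsemanage
/usr/bin/fail2ban-client    system_u:object_r:fail2ban_exec_t
"""


def parse_fc(text):
    """Parse 'regex [filetype] context' lines into (compiled regex, filetype, context)."""
    specs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        ftype = parts[1] if len(parts) == 3 else None
        specs.append((re.compile("^" + parts[0] + "$"), ftype, parts[-1]))
    return specs


def lookup(path, *spec_sets):
    """Context of the last matching entry across the sets, taken in load order."""
    combined = [spec for specs in spec_sets for spec in specs]
    for regex, _ftype, ctx in reversed(combined):
        if regex.match(path):
            return ctx
    return None


def deregister(local_text, key):
    """Model 'semanage fcontext -d <key>': drop the local entry whose regex is key."""
    kept = [line for line in local_text.splitlines()
            if not line.strip() or line.lstrip().startswith("#")
            or line.split()[0] != key]
    return "\n".join(kept) + "\n"


def label_for(path, local_text=FILE_CONTEXTS_LOCAL):
    """Type that a relabel would put on path, given the current local overrides."""
    ctx = lookup(path, parse_fc(FILE_CONTEXTS), parse_fc(local_text))
    return ctx.split(":")[2] if ctx else None


if __name__ == "__main__":
    client = "/usr/bin/fail2ban-client"
    print("with local override:", label_for(client))
    cleaned = deregister(FILE_CONTEXTS_LOCAL, client)
    print("after deregistering:", label_for(client, cleaned))
```

On a real host the equivalent checks are "semanage fcontext -l -C" to list only the local customizations and "matchpathcon /usr/bin/fail2ban-client" to see which entry currently wins, before and after the "semanage fcontext -d" from comment 41.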
Comment 42 Sven Vermeulen (RETIRED) gentoo-dev 2012-01-14 20:03:00 UTC
Pushed to main tree, ~arch
Comment 43 Sven Vermeulen (RETIRED) gentoo-dev 2012-02-26 10:07:17 UTC
Marked stable