The following AVCs are generated when fail2ban blocks an IP and sends out the whois e-mail:

type=AVC msg=audit(1352348532.580:1313): avc: denied { read write } for pid=28042 comm="sendmail" path="socket:[1480]" dev="sockfs" ino=1480 scontext=system_u:system_r:system_mail_t tcontext=system_u:system_r:fail2ban_t tclass=unix_stream_socket
type=AVC msg=audit(1352348532.590:1314): avc: denied { use } for pid=28047 comm="postdrop" path="/dev/null" dev="devtmpfs" ino=3075 scontext=system_u:system_r:postfix_postdrop_t tcontext=system_u:system_r:fail2ban_t tclass=fd
type=AVC msg=audit(1352350084.276:1320): avc: denied { read write } for pid=28129 comm="sendmail" path="socket:[1480]" dev="sockfs" ino=1480 scontext=system_u:system_r:system_mail_t tcontext=system_u:system_r:fail2ban_t tclass=unix_stream_socket
type=AVC msg=audit(1352350084.286:1321): avc: denied { use } for pid=28134 comm="postdrop" path="/dev/null" dev="devtmpfs" ino=3075 scontext=system_u:system_r:postfix_postdrop_t tcontext=system_u:system_r:fail2ban_t tclass=fd

The e-mail and everything appears to be functioning correctly and I'm inclined to believe that these should be a dontaudit set of rules. Perhaps it comes from a missing transition in fail2ban when it calls sendmail? That's just a guess. Let me know how else I can help.

Reproducible: Always
I think they are indeed inherited (leaked) descriptors. Sent upstream, let's see what they think of it.
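
One way to triage denials like the ones in this report, as an added example that is not part of the original thread and not the change that was sent upstream: it parses AVC records, flags those matching an assumed heuristic for inherited descriptors (a different domain only using an fd or socket owned by the target domain), and emits candidate dontaudit rules. The heuristic, the PASSIVE set and all function names are assumptions; the sample input is the four records from the report.

```python
import re
from collections import defaultdict

# The four denials quoted in the report, one audit record per line.
SAMPLE = """\
type=AVC msg=audit(1352348532.580:1313): avc: denied { read write } for pid=28042 comm="sendmail" path="socket:[1480]" dev="sockfs" ino=1480 scontext=system_u:system_r:system_mail_t tcontext=system_u:system_r:fail2ban_t tclass=unix_stream_socket
type=AVC msg=audit(1352348532.590:1314): avc: denied { use } for pid=28047 comm="postdrop" path="/dev/null" dev="devtmpfs" ino=3075 scontext=system_u:system_r:postfix_postdrop_t tcontext=system_u:system_r:fail2ban_t tclass=fd
type=AVC msg=audit(1352350084.276:1320): avc: denied { read write } for pid=28129 comm="sendmail" path="socket:[1480]" dev="sockfs" ino=1480 scontext=system_u:system_r:system_mail_t tcontext=system_u:system_r:fail2ban_t tclass=unix_stream_socket
type=AVC msg=audit(1352350084.286:1321): avc: denied { use } for pid=28134 comm="postdrop" path="/dev/null" dev="devtmpfs" ino=3075 scontext=system_u:system_r:postfix_postdrop_t tcontext=system_u:system_r:fail2ban_t tclass=fd
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)')

# Assumption: permissions that only touch an already-open descriptor.
PASSIVE = {"use", "read", "write", "getattr", "append", "ioctl"}

def se_type(context):
    """Return the type field of a user:role:type[:level] context."""
    return context.split(":")[2]

def parse_avcs(text):
    """Yield (source type, target type, class, permissions) per AVC denial."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            yield (se_type(m["scon"]), se_type(m["tcon"]),
                   m["tclass"], frozenset(m["perms"].split()))

def looks_inherited(src, tgt, tclass, perms):
    """Heuristic: another domain passively using an fd/socket the target owns."""
    if src == tgt or not perms <= PASSIVE:
        return False
    return tclass == "fd" or tclass.endswith("_socket")

def dontaudit_rules(text):
    """Merge repeated denials and return candidate dontaudit statements."""
    merged = defaultdict(set)
    for src, tgt, tclass, perms in parse_avcs(text):
        if looks_inherited(src, tgt, tclass, perms):
            merged[(src, tgt, tclass)] |= perms
    return [f"dontaudit {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(merged.items())]

if __name__ == "__main__":
    print("\n".join(dontaudit_rules(SAMPLE)))
```

Treat the output as candidates for review: a dontaudit rule hides the denial from the log, so confirm the application works without the access before silencing it.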
Got accepted, is in repo and in r8
r8 in hardened-dev overlay
r8 is now in main tree, ~arch
r8 is now stable