Bug 442356 - =sec-policy/selinux-*-9999 spurious fail2ban AVCs
Summary: =sec-policy/selinux-*-9999 spurious fail2ban AVCs
Status: VERIFIED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: SELinux
Hardware: All Linux
Importance: Normal normal
Assignee: Sven Vermeulen (RETIRED)
Whiteboard: sec-policy r8
Reported: 2012-11-08 15:36 UTC by Alex Brandt (RETIRED)
Modified: 2012-12-13 10:12 UTC

Description Alex Brandt (RETIRED) gentoo-dev 2012-11-08 15:36:10 UTC
The following AVCs are generated when fail2ban blocks an IP and sends out the whois e-mail:

type=AVC msg=audit(1352348532.580:1313): avc:  denied  { read write } for  pid=28042 comm="sendmail" path="socket:[1480]" dev="sockfs" ino=1480 scontext=system_u:system_r:system_mail_t tcontext=system_u:system_r:fail2ban_t tclass=unix_stream_socket
type=AVC msg=audit(1352348532.590:1314): avc:  denied  { use } for  pid=28047 comm="postdrop" path="/dev/null" dev="devtmpfs" ino=3075 scontext=system_u:system_r:postfix_postdrop_t tcontext=system_u:system_r:fail2ban_t tclass=fd
type=AVC msg=audit(1352350084.276:1320): avc:  denied  { read write } for  pid=28129 comm="sendmail" path="socket:[1480]" dev="sockfs" ino=1480 scontext=system_u:system_r:system_mail_t tcontext=system_u:system_r:fail2ban_t tclass=unix_stream_socket
type=AVC msg=audit(1352350084.286:1321): avc:  denied  { use } for  pid=28134 comm="postdrop" path="/dev/null" dev="devtmpfs" ino=3075 scontext=system_u:system_r:postfix_postdrop_t tcontext=system_u:system_r:fail2ban_t tclass=fd

The e-mail and everything appears to be functioning correctly and I'm inclined to believe that these should be a dontaudit set of rules.  Perhaps it comes from a missing transition in fail2ban when it calls sendmail?  That's just a guess.  Let me know how else I can help.

Reproducible: Always
Comment 1 Sven Vermeulen (RETIRED) gentoo-dev 2012-11-10 17:45:26 UTC
I think they are indeed inherited (leaked) descriptors. Sent upstream, let's see what they think of it.
Comment 2 Sven Vermeulen (RETIRED) gentoo-dev 2012-11-23 21:41:22 UTC
Got accepted, is in repo and in r8

r8 in hardened-dev overlay
Comment 3 Sven Vermeulen (RETIRED) gentoo-dev 2012-12-03 09:36:37 UTC
r8 is now in main tree, ~arch
Comment 4 Sven Vermeulen (RETIRED) gentoo-dev 2012-12-13 10:12:04 UTC
r8 is now stable
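
A triage sketch for the denials in this report, added here as an example and not part of the bug thread or of the policy change that went into r8: it parses the AVC lines, keeps those where an fd or socket object carries a different domain's type than the accessing process (the signature of an inherited descriptor), and returns candidate dontaudit rules. The function names and the heuristic are assumptions of this example, and the rules it emits are candidates, not the rules that were merged.

```python
import re
from collections import Counter

# The four AVC records from the report above, verbatim.
SAMPLE = """\
type=AVC msg=audit(1352348532.580:1313): avc:  denied  { read write } for  pid=28042 comm="sendmail" path="socket:[1480]" dev="sockfs" ino=1480 scontext=system_u:system_r:system_mail_t tcontext=system_u:system_r:fail2ban_t tclass=unix_stream_socket
type=AVC msg=audit(1352348532.590:1314): avc:  denied  { use } for  pid=28047 comm="postdrop" path="/dev/null" dev="devtmpfs" ino=3075 scontext=system_u:system_r:postfix_postdrop_t tcontext=system_u:system_r:fail2ban_t tclass=fd
type=AVC msg=audit(1352350084.276:1320): avc:  denied  { read write } for  pid=28129 comm="sendmail" path="socket:[1480]" dev="sockfs" ino=1480 scontext=system_u:system_r:system_mail_t tcontext=system_u:system_r:fail2ban_t tclass=unix_stream_socket
type=AVC msg=audit(1352350084.286:1321): avc:  denied  { use } for  pid=28134 comm="postdrop" path="/dev/null" dev="devtmpfs" ino=3075 scontext=system_u:system_r:postfix_postdrop_t tcontext=system_u:system_r:fail2ban_t tclass=fd
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None for other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["perms"] = tuple(m.group("perms").split())
    return rec

def ctx_type(context):
    """Extract the type from user:role:type[:level]."""
    return context.split(":")[2]

def is_inherited(rec):
    """Assumed heuristic: fd and socket objects are labelled after the process
    that created them, so a foreign type in tcontext means the descriptor was
    opened by another domain and inherited across fork/exec."""
    per_process = rec["tclass"] == "fd" or rec["tclass"].endswith("_socket")
    return per_process and ctx_type(rec["scontext"]) != ctx_type(rec["tcontext"])

def candidate_rules(log):
    """Map each candidate dontaudit rule to the number of denials it covers."""
    hits = Counter()
    for rec in filter(None, map(parse_avc, log.splitlines())):
        if is_inherited(rec):
            src, tgt = ctx_type(rec["scontext"]), ctx_type(rec["tcontext"])
            perms = " ".join(rec["perms"])
            hits[f"dontaudit {src} {tgt}:{rec['tclass']} {{ {perms} }};"] += 1
    return dict(hits)

if __name__ == "__main__":
    for rule, count in candidate_rules(SAMPLE).items():
        print(f"{count}x  {rule}")
```

A dontaudit rule only silences the log entry; it fits here because the reporter confirmed that the e-mail is still delivered without the denied access.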