fail2ban causes quite some messages... Some because of operation, some because of logrotate... & restart. The messages have been "sanitized": pids made equal, ino= made equal, same for sockets, then sort -u.

Reproducible: Always

Actual Results:
avc: denied { append } for pid=12345 comm="exim" path="/var/log/fail2ban.log" dev=md5 ino=12345 scontext=system_u:system_r:exim_t tcontext=system_u:object_r:fail2ban_log_t tclass=file
avc: denied { append } for pid=12345 comm="exim" path="/var/log/fail2ban.log" dev=md5 ino=12345 scontext=system_u:system_r:exim_t tcontext=system_u:object_r:var_log_t tclass=file
avc: denied { append } for pid=12345 comm="fail2ban-server" name="fail2ban.log" dev=md5 ino=12345 scontext=system_u:system_r:fail2ban_t tcontext=system_u:object_r:var_log_t tclass=file
avc: denied { append } for pid=12345 comm="iptables" path="/var/log/fail2ban.log" dev=md5 ino=12345 scontext=system_u:system_r:iptables_t tcontext=system_u:object_r:var_log_t tclass=file
avc: denied { append } for pid=12345 comm="modprobe" path="/var/log/fail2ban.log" dev=md5 ino=12345 scontext=system_u:system_r:insmod_t tcontext=system_u:object_r:var_log_t tclass=file
avc: denied { append } for pid=12345 comm="sendmail" path="/var/log/fail2ban.log" dev=md5 ino=12345 scontext=system_u:system_r:system_mail_t tcontext=system_u:object_r:var_log_t tclass=file
avc: denied { connectto } for pid=12345 comm="fail2ban-client" path="/var/run/fail2ban/fail2ban.sock" scontext=system_u:system_r:initrc_t tcontext=system_u:system_r:fail2ban_t tclass=unix_stream_socket
avc: denied { connectto } for pid=12345 comm="fail2ban-client" path="/var/run/fail2ban/fail2ban.sock" scontext=system_u:system_r:logrotate_t tcontext=system_u:system_r:initrc_t tclass=unix_stream_socket
avc: denied { connectto } for pid=12345 comm="fail2ban-server" path="/var/run/nscd/socket" scontext=system_u:system_r:fail2ban_t tcontext=system_u:system_r:initrc_t tclass=unix_stream_socket
avc: denied { connectto } for pid=12345 comm="whois" path="/var/run/nscd/socket" scontext=system_u:system_r:fail2ban_t tcontext=system_u:system_r:initrc_t tclass=unix_stream_socket
avc: denied { dac_override } for pid=12345 comm="fail2ban-server" capability=1 scontext=system_u:system_r:fail2ban_t tcontext=system_u:system_r:fail2ban_t tclass=capability
avc: denied { getattr } for pid=12345 comm="lsof" path="socket[12345]" dev=sockfs ino=12345 scontext=system_u:system_r:system_cronjob_t tcontext=system_u:system_r:fail2ban_t tclass=unix_stream_socket
avc: denied { open } for pid=12345 comm="cat" name="fail2ban.log" dev=md5 ino=12345 scontext=system_u:system_r:system_cronjob_t tcontext=system_u:object_r:fail2ban_log_t tclass=file
avc: denied { read write } for pid=12345 comm="exim" path="socket[12345]" dev=sockfs ino=12345 scontext=system_u:system_r:exim_t tcontext=system_u:system_r:fail2ban_t tclass=unix_stream_socket
avc: denied { read write } for pid=12345 comm="sendmail" path="socket[12345]" dev=sockfs ino=12345 scontext=system_u:system_r:system_mail_t tcontext=system_u:system_r:fail2ban_t tclass=unix_stream_socket
avc: denied { read } for pid=12345 comm="cat" name="fail2ban.log" dev=md5 ino=12345 scontext=system_u:system_r:system_cronjob_t tcontext=system_u:object_r:fail2ban_log_t tclass=file
avc: denied { remove_name } for pid=12345 comm="logwatch.pl" name="fail2ban" dev=md5 ino=12345 scontext=system_u:system_r:system_cronjob_t tcontext=system_u:object_r:logwatch_cache_t tclass=dir
avc: denied { remove_name } for pid=12345 comm="logwatch.pl" name="fail2ban" dev=md5 ino=12345 scontext=system_u:system_r:system_cronjob_t tcontext=system_u:object_r:var_t tclass=dir
avc: denied { unlink } for pid=12345 comm="logwatch.pl" name="fail2ban" dev=md5 ino=12345 scontext=system_u:system_r:system_cronjob_t tcontext=system_u:object_r:logwatch_cache_t tclass=file
avc: denied { unlink } for pid=12345 comm="logwatch.pl" name="fail2ban" dev=md5 ino=12345 scontext=system_u:system_r:system_cronjob_t tcontext=system_u:object_r:var_t tclass=file
avc: denied { write } for pid=12345 comm="fail2ban-client" name="fail2ban.sock" dev=md5 ino=12345 scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:fail2ban_var_run_t tclass=sock_file
avc: denied { write } for pid=12345 comm="fail2ban-client" name="fail2ban.sock" dev=md5 ino=12345 scontext=system_u:system_r:logrotate_t tcontext=system_u:object_r:var_run_t tclass=sock_file

A module from the above messages:

module fail2bannb 1.0;

require {
	type var_run_t;
	type fail2ban_var_run_t;
	type system_mail_t;
	type system_cronjob_t;
	type fail2ban_t;
	type logwatch_cache_t;
	type iptables_t;
	type initrc_t;
	type var_log_t;
	type fail2ban_log_t;
	type insmod_t;
	type var_t;
	type exim_t;
	type logrotate_t;
	class capability dac_override;
	class unix_stream_socket { connectto write getattr read };
	class dir remove_name;
	class file { read unlink open append };
	class sock_file write;
}

#============= exim_t ==============
allow exim_t fail2ban_log_t:file append;
allow exim_t fail2ban_t:unix_stream_socket { read write };
allow exim_t var_log_t:file append;

#============= fail2ban_t ==============
allow fail2ban_t initrc_t:unix_stream_socket connectto;
allow fail2ban_t self:capability dac_override;
allow fail2ban_t var_log_t:file append;

#============= initrc_t ==============
allow initrc_t fail2ban_t:unix_stream_socket connectto;
allow initrc_t fail2ban_var_run_t:sock_file write;

#============= insmod_t ==============
allow insmod_t var_log_t:file append;

#============= iptables_t ==============
allow iptables_t var_log_t:file append;

#============= logrotate_t ==============
allow logrotate_t initrc_t:unix_stream_socket connectto;
allow logrotate_t var_run_t:sock_file write;

#============= system_cronjob_t ==============
allow system_cronjob_t fail2ban_log_t:file { read open };
allow system_cronjob_t fail2ban_t:unix_stream_socket getattr;
allow system_cronjob_t logwatch_cache_t:dir remove_name;
allow system_cronjob_t logwatch_cache_t:file unlink;
allow system_cronjob_t var_t:dir remove_name;
allow system_cronjob_t var_t:file unlink;

#============= system_mail_t ==============
allow system_mail_t fail2ban_t:unix_stream_socket { read write };
allow system_mail_t var_log_t:file append;
There is a mixture of denials here... sometimes fail2ban.log is marked as var_log_t, otherwise as fail2ban_log_t. Can you put the file contexts correctly and reproduce? Then we will need to look at small sets of denial messages (perhaps even one at a time) and find out (1.) why the denial occurs, (2.) if this denial really needs to be allowed or not. Without that level of detail on each denial, we will not be able to get the fix upstream.
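As an added example (not code from this bug or from the fail2ban policy), the following Python script applies the reporter's sanitisation (pid= and ino= made equal, duplicates collapsed), groups the remaining denials by source type, target type, class and permission, renders each group as the allow rule audit2allow would print so it can be reviewed against the two questions above, and flags a path such as /var/log/fail2ban.log that is seen under two different labels so it gets relabelled rather than allowed. The input records are constructed to resemble the ones in this bug.

```python
"""Normalise and group SELinux AVC denials the way this bug report does
(pid/ino made equal, duplicates collapsed), then flag paths that show up
with more than one label so mislabelling is fixed before any allow rule
is written."""
import re
from collections import defaultdict

# Constructed sample input modelled on the records in this bug; pids and
# inode numbers differ on purpose so the normalisation has something to do.
SAMPLE_LOG = """\
type=AVC msg=audit(1320535084.716:10231): avc: denied { append } for pid=2224 comm="exim" path="/var/log/fail2ban.log" dev=md5 ino=4711 scontext=system_u:system_r:exim_t tcontext=system_u:object_r:fail2ban_log_t tclass=file
type=AVC msg=audit(1320535085.001:10232): avc: denied { append } for pid=2301 comm="exim" path="/var/log/fail2ban.log" dev=md5 ino=4712 scontext=system_u:system_r:exim_t tcontext=system_u:object_r:var_log_t tclass=file
type=AVC msg=audit(1320535086.002:10233): avc: denied { append } for pid=2399 comm="exim" path="/var/log/fail2ban.log" dev=md5 ino=4712 scontext=system_u:system_r:exim_t tcontext=system_u:object_r:var_log_t tclass=file
type=AVC msg=audit(1320535087.003:10234): avc: denied { read write } for pid=2400 comm="sendmail" path="socket[98765]" dev=sockfs ino=98765 scontext=system_u:system_r:system_mail_t tcontext=system_u:system_r:fail2ban_t tclass=unix_stream_socket
type=AVC msg=audit(1320535088.004:10235): avc: denied { dac_override } for pid=2280 comm="fail2ban-server" capability=1 scontext=system_u:system_r:fail2ban_t tcontext=system_u:system_r:fail2ban_t tclass=capability
type=SYSCALL msg=audit(1320535088.004:10235): arch=40000003 syscall=195 success=no exit=-2 comm="fail2ban-server" subj=system_u:system_r:fail2ban_t key=(null)
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PLACEHOLDER = "12345"  # the value the reporter substituted for pid= and ino=


def parse_avc(line):
    """Return a dict of the AVC fields, or None for non-AVC records (SYSCALL etc.)."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = tuple(sorted(m.group("perms").split()))
    return rec


def sanitize(rec):
    """Apply the report's sanitisation: pid and ino made equal, socket[N] too."""
    out = dict(rec)
    for k in ("pid", "ino"):
        if k in out:
            out[k] = PLACEHOLDER
    if out.get("path", "").startswith("socket["):
        out["path"] = "socket[%s]" % PLACEHOLDER
    return out


def type_of(ctx):
    """user:role:type[:range] -> type."""
    return ctx.split(":")[2]


def group_denials(log_text):
    """Collapse duplicates; key each denial by (source type, target type, class, perms).
    Returns a dict key -> set of comm values that triggered it."""
    groups = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        rec = sanitize(rec)
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"], rec["perms"])
        groups[key].add(rec["comm"])
    return dict(groups)


def find_mislabeled_paths(log_text):
    """Files seen with more than one target type: a labelling problem to fix with
    restorecon before anyone writes an allow rule for the wrong label."""
    labels = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec.get("tclass") == "file" and (rec.get("path") or rec.get("name")):
            labels[rec.get("path") or rec["name"]].add(type_of(rec["tcontext"]))
    return {p: sorted(t) for p, t in labels.items() if len(t) > 1}


def candidate_rule(key):
    """Render one group as the allow rule audit2allow would print, for review only."""
    src, tgt, tclass, perms = key
    tgt = "self" if tgt == src else tgt
    perm = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
    return "allow %s %s:%s %s;" % (src, tgt, tclass, perm)


if __name__ == "__main__":
    for key, comms in sorted(group_denials(SAMPLE_LOG).items()):
        print("%-64s # comm=%s" % (candidate_rule(key), ",".join(sorted(comms))))
    for path, types in find_mislabeled_paths(SAMPLE_LOG).items():
        print("RELABEL %s: seen as %s" % (path, " and ".join(types)))
```

Feed it `ausearch -m avc` output or the audit.log itself; a group that only appears under the wrong label (var_log_t here) disappears once the file is relabelled, which answers question (1.) for that group without any policy change.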
Here is a restart from fail2ban; it has an SSH & SIP scan profile.

Starting: fail2ban restart...
type=AVC msg=audit(1320535084.716:10231): avc: denied { read } for pid=2224 comm="fail2ban" name="src" dev=md3 ino=598033 scontext=root:sysadm_r:run_init_t tcontext=system_u:object_r:src_t tclass=lnk_file
type=AVC msg=audit(1320535084.716:10231): avc: denied { read } for pid=2224 comm="fail2ban" name="linux" dev=md7 ino=4882434 scontext=root:sysadm_r:run_init_t tcontext=root:object_r:default_t tclass=lnk_file

Here it starts removing some iptables rules:
type=SYSCALL msg=audit(1320535084.716:10231): arch=40000003 syscall=195 success=yes exit=0 a0=1485d868 a1=5f45d50c a2=54cd3e54 a3=5f45d50c items=0 ppid=10621 pid=2224 auid=2000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="fail2ban" exe="/bin/bash" subj=root:sysadm_r:run_init_t key=(null)
type=USER_AUTH msg=audit(1320535086.768:10232): user pid=2224 uid=0 auid=2000 ses=2 subj=root:sysadm_r:run_init_t msg='op=PAM:authentication acct="nico" exe="/sbin/rc" (hostname=?, addr=?, terminal=pts/0 res=success)'
type=UNKNOWN[1325] msg=audit(1320535087.987:10233): table=filter family=2 entries=289
type=SYSCALL msg=audit(1320535087.987:10233): arch=40000003 syscall=102 success=yes exit=0 a0=e a1=5d912c40 a2=51efcf08 a3=0 items=0 ppid=2237 pid=2238 auid=2000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="iptables" exe="/sbin/xtables-multi" subj=system_u:system_r:iptables_t key=(null)
type=UNKNOWN[1325] msg=audit(1320535088.002:10234): table=filter family=2 entries=288
type=SYSCALL msg=audit(1320535088.002:10234): arch=40000003 syscall=102 success=yes exit=0 a0=e a1=592f3140 a2=4a2c7f08 a3=0 items=0 ppid=2237 pid=2239 auid=2000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="iptables" exe="/sbin/xtables-multi" subj=system_u:system_r:iptables_t key=(null)
type=UNKNOWN[1325] msg=audit(1320535088.016:10235): table=filter family=2 entries=287
type=SYSCALL msg=audit(1320535088.016:10235): arch=40000003 syscall=102 success=yes exit=0 a0=e a1=5e8e5fc0 a2=522c3f08 a3=0 items=0 ppid=2096 pid=2237 auid=2000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="iptables" exe="/sbin/xtables-multi" subj=system_u:system_r:iptables_t key=(null)
type=UNKNOWN[1325] msg=audit(1320535088.822:10236): table=filter family=2 entries=285
type=SYSCALL msg=audit(1320535088.822:10236): arch=40000003 syscall=102 success=yes exit=0 a0=e a1=59aa2cd0 a2=4cb38f08 a3=0 items=0 ppid=2096 pid=2253 auid=2000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="iptables" exe="/sbin/xtables-multi" subj=system_u:system_r:iptables_t key=(null)
type=UNKNOWN[1325] msg=audit(1320535088.872:10237): table=filter family=2 entries=284
type=SYSCALL msg=audit(1320535088.872:10237): arch=40000003 syscall=102 success=yes exit=0 a0=e a1=5d94d360 a2=4e45cf08 a3=0 items=0 ppid=2254 pid=2255 auid=2000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="iptables" exe="/sbin/xtables-multi" subj=system_u:system_r:iptables_t key=(null)
type=UNKNOWN[1325] msg=audit(1320535088.897:10238): table=filter family=2 entries=283
type=SYSCALL msg=audit(1320535088.897:10238): arch=40000003 syscall=102 success=yes exit=0 a0=e a1=5fcbf0d0 a2=5291cf08 a3=0 items=0 ppid=2254 pid=2256 auid=2000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="iptables" exe="/sbin/xtables-multi" subj=system_u:system_r:iptables_t key=(null)
type=UNKNOWN[1325] msg=audit(1320535088.921:10239): table=filter family=2 entries=282
type=SYSCALL msg=audit(1320535088.921:10239): arch=40000003 syscall=102 success=yes exit=0 a0=e a1=5879ca30 a2=4dff1f08 a3=0 items=0 ppid=2096 pid=2254 auid=2000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="iptables" exe="/sbin/xtables-multi" subj=system_u:system_r:iptables_t key=(null)

Restart:
type=AVC msg=audit(1320535091.830:10240): avc: denied { search } for pid=2280 comm="fail2ban-server" name="nico" dev=md3 ino=420163 scontext=system_u:system_r:fail2ban_t tcontext=sysadm_u:object_r:user_home_dir_t tclass=dir
type=SYSCALL msg=audit(1320535091.830:10240): arch=40000003 syscall=195 success=no exit=-2 a0=11cec570 a1=5f424b68 a2=52d8fe54 a3=52ec5a44 items=0 ppid=2271 pid=2280 auid=2000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts5 ses=2 comm="fail2ban-server" exe="/usr/bin/python2.7" subj=system_u:system_r:fail2ban_t key=(null)

Check the asterisk logfile.., check for rogue SIP registers. (start)
type=AVC msg=audit(1320535092.859:10241): avc: denied { read } for pid=2291 comm="iptables" path="/var/log/asterisk/messages" dev=md5 ino=484915 scontext=system_u:system_r:iptables_t tcontext=system_u:object_r:asterisk_log_t tclass=file
type=SYSCALL msg=audit(1320535092.859:10241): arch=40000003 syscall=11 success=yes exit=0 a0=16b199b0 a1=16b19d98 a2=16b19bf0 a3=16b199b0 items=0 ppid=2289 pid=2291 auid=2000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="iptables" exe="/sbin/xtables-multi" subj=system_u:system_r:iptables_t key=(null)
type=UNKNOWN[1325] msg=audit(1320535092.895:10242): table=filter family=2 entries=280

Add new IPtables rules
type=SYSCALL msg=audit(1320535092.895:10242): arch=40000003 syscall=102 success=yes exit=0 a0=e a1=59f000b0 a2=4b893f08 a3=0 items=0 ppid=2287 pid=2290 auid=2000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="iptables" exe="/sbin/xtables-multi" subj=system_u:system_r:iptables_t key=(null)
type=UNKNOWN[1325] msg=audit(1320535092.949:10243): table=filter family=2 entries=282
type=SYSCALL msg=audit(1320535092.949:10243): arch=40000003 syscall=102 success=yes exit=0 a0=e a1=58535740 a2=48df9f08 a3=0 items=0 ppid=2287 pid=2293 auid=2000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="iptables" exe="/sbin/xtables-multi" subj=system_u:system_r:iptables_t key=(null)
type=UNKNOWN[1325] msg=audit(1320535092.972:10244): table=filter family=2 entries=283
type=SYSCALL msg=audit(1320535092.972:10244): arch=40000003 syscall=102 success=yes exit=0 a0=e a1=5bd51be0 a2=4fe44f08 a3=0 items=0 ppid=2282 pid=2287 auid=2000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="iptables" exe="/sbin/xtables-multi" subj=system_u:system_r:iptables_t key=(null)
type=AVC msg=audit(1320535096.923:10245): avc: denied { name_connect } for pid=31997 comm="asterisk" dest=2126 scontext=system_u:system_r:asterisk_t tcontext=system_u:object_r:port_t tclass=tcp_socket
type=SYSCALL msg=audit(1320535096.923:10245): arch=40000003 syscall=102 success=no exit=-115 a0=3 a1=49adb150 a2=49b6ff10 a3=0 items=0 ppid=1 pid=31997 auid=2000 uid=107 gid=458 euid=107 suid=107 fsuid=107 egid=458 sgid=458 fsgid=458 tty=(none) ses=2 comm="asterisk" exe="/usr/sbin/asterisk" subj=system_u:system_r:asterisk_t key=(null)
Another restart more or less looked the same.
File contexts:
# grep fail2ban /etc/selinux/strict/contexts/files/file_contexts
/var/run/fail2ban.* system_u:object_r:fail2ban_var_run_t
/var/lib/fail2ban(/.*)? system_u:object_r:fail2ban_var_lib_t
/usr/bin/fail2ban -- system_u:object_r:fail2ban_exec_t
/var/log/fail2ban\.log -- system_u:object_r:fail2ban_log_t
/usr/bin/fail2ban-server -- system_u:object_r:fail2ban_exec_t
/etc/rc\.d/init\.d/fail2ban -- system_u:object_r:fail2ban_initrc_exec_t
semodule --list | grep fail2 gives:
fail2ban 1.4.0
fail2bannb 1.0
Let's start from the first denial here...
type=AVC msg=audit(1320535084.716:10231): avc: denied { read } for pid=2224 comm="fail2ban" name="src" dev=md3 ino=598033 scontext=root:sysadm_r:run_init_t tcontext=system_u:object_r:src_t tclass=lnk_file
The application is running in the run_init_t context, which is wrong. I would assume it would run in fail2ban_t. Can you check the binary file's context and make sure it is marked as fail2ban_exec_t? Also, what is the context of the init script?
This is the process command line:
/usr/bin/python2.7 /usr/bin/fail2ban-server -b -s /var/run/fail2ban/fail2ban.sock -x
And my guess is that this answers your questions?
# ls -lZ /usr/bin/fail2ban-*
-rwxr-xr-x. 1 root root system_u:object_r:bin_t 11494 Oct 25 18:31 /usr/bin/fail2ban-client
-rwxr-xr-x. 1 root root system_u:object_r:bin_t 10703 Oct 25 18:31 /usr/bin/fail2ban-regex
-rwxr-xr-x. 1 root root system_u:object_r:fail2ban_exec_t 4223 Oct 25 18:31 /usr/bin/fail2ban-server
# ls -lZ /etc/init.d/fail2ban
-rwxr-xr-x. 1 root root system_u:object_r:initrc_exec_t 1552 Oct 25 18:31 /etc/init.d/fail2ban
BTW, fail2ban starts by running the fail2ban-client, which activates the fail2ban server.
Okay, so I guess the denial we get is from the "fail2ban" init script. What is it trying to do here? Can you try and look what file on /dev/md3 has inode 598033? It should be called "src". Then see in the fail2ban init script what it is trying to do. Now, the run_init_t domain is still wrong. If the "fail2ban" script is responsible, it should run in initrc_t. How did you restart fail2ban? Is it, as root, through "/etc/init.d/fail2ban restart" ?
This is used (from a sudo-ed root): "/etc/init.d/fail2ban restart". Then I enter the password for the user that did the sudo.
# id -Z
root:sysadm_r:sysadm_t
The start script (after optionally creating a run directory & optionally removing a stale socket) runs:
/usr/bin/fail2ban-client -x start &> /dev/null
forcing a server start because of the -x. From the /etc/fail2ban/fail2ban.conf the logfile & server socket are set to, resp.: /var/log/fail2ban.log & /var/run/fail2ban/fail2ban.sock. For the log file also STDOUT, STDERR or SYSLOG can be set. After that it reads various components from /etc/fail2ban/*, like jail.conf for the items to check. Filters are specified in /etc/fail2ban/filter.d/* and actions are specified in /etc/fail2ban/action.d/*. This is f.e. the ssh jail:
[ssh-iptables]
enabled = true
filter = sshd
action = iptables[name=SSH, port=ssh, protocol=tcp]
         sendmail-whois[name=SSH, dest=mail@example.com, sender=fail2ban@example.com]
logpath = /var/log/sshd/current
maxretry = 3

[lighttpd-fastcgi]
enabled = false
port = http,https
filter = lighttpd-fastcgi
# adapt the following two items as needed
logpath = /var/log/lighttpd/error.log
maxretry = 5
so various log files can be referenced as well.
the sshd logfile is influenced by the use of metalog... (which keeps the current log for a filter (here sshd) in a file named current, which gets renamed & refreshed @ midnight...)
Three aspects currently:
(1.) The "run_init_t" related AVC denials are issues and shouldn't occur. I can't reproduce them either, so I guess it is due to a wrong label. Do you still have this?
(2.) The "initrc_t" domain that wants to write a socket in fail2ban_var_run_t is confirmed and should be allowed. I'll grant fail2ban_stream_connect to initrc_t.
(3.) The "initrc_t" domain that wants to write in /usr directories is confirmed but should not be allowed. This is most likely python trying to write its compiled bytecode next to the .py files. However, /usr should never be written to during day-to-day operations. Going to dontaudit this as this doesn't pose a problem for the functioning of fail2ban.
What else do we need to counter?
emerge'd newest fail2ban (today 2011-12-10, fail2ban-0.8.4-r3). Message after upgrade:
type=AVC msg=audit(1323552276.002:11491): avc: denied { entrypoint } for pid=14685 comm="sudo" path="/etc/init.d/fail2ban" dev=md3 ino=905497 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:initrc_exec_t tclass=file
type=SYSCALL msg=audit(1323552276.002:11491): arch=40000003 syscall=11 success=yes exit=0 a0=101527d0 a1=1014e418 a2=1014e538 a3=589ad91c items=0 ppid=14682 pid=14685 auid=2000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=32 comm="fail2ban" exe="/bin/bash" subj=root:sysadm_r:sysadm_t key=(null)
type=AVC msg=audit(1323552282.777:11492): avc: denied { connectto } for pid=15180 comm="fail2ban-client" path="/var/run/fail2ban/fail2ban.sock" scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:fail2ban_t tclass=unix_stream_socket
type=SYSCALL msg=audit(1323552282.777:11492): arch=40000003 syscall=102 success=yes exit=0 a0=3 a1=58bcb980 a2=4936de64 a3=4902fea8 items=0 ppid=15170 pid=15180 auid=2000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=32 comm="fail2ban-client" exe="/usr/bin/python2.7" subj=root:sysadm_r:sysadm_t key=(null)
type=AVC msg=audit(1323552286.314:11503): avc: denied { connectto } for pid=15230 comm="fail2ban-server" path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:fail2ban_t tclass=unix_stream_socket
type=SYSCALL msg=audit(1323552286.314:11503): arch=40000003 syscall=102 success=yes exit=0 a0=3 a1=5de15fc0 a2=512deef8 a3=4 items=0 ppid=1 pid=15230 auid=2000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=32 comm="fail2ban-server" exe="/usr/bin/python2.7" subj=root:sysadm_r:sysadm_t key=(null)
type=AVC msg=audit(1323552286.335:11504): avc: denied { search } for pid=9132 comm="gam_server" name="15230" dev=proc ino=1437847 scontext=system_u:system_r:fail2ban_t tcontext=root:sysadm_r:sysadm_t tclass=dir
type=AVC msg=audit(1323552286.335:11504): avc: denied { read } for pid=9132 comm="gam_server" name="cmdline" dev=proc ino=1437848 scontext=system_u:system_r:fail2ban_t tcontext=root:sysadm_r:sysadm_t tclass=file
type=AVC msg=audit(1323552286.335:11504): avc: denied { open } for pid=9132 comm="gam_server" name="cmdline" dev=proc ino=1437848 scontext=system_u:system_r:fail2ban_t tcontext=root:sysadm_r:sysadm_t tclass=file
type=SYSCALL msg=audit(1323552286.335:11504): arch=40000003 syscall=5 success=yes exit=8 a0=11918e70 a1=0 a2=1b6 a3=11917c18 items=0 ppid=1 pid=9132 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="gam_server" exe="/usr/libexec/gam_server" subj=system_u:system_r:fail2ban_t key=(null)
type=AVC msg=audit(1323552286.336:11505): avc: denied { getattr } for pid=9132 comm="gam_server" path="/proc/15230/cmdline" dev=proc ino=1437848 scontext=system_u:system_r:fail2ban_t tcontext=root:sysadm_r:sysadm_t tclass=file
type=SYSCALL msg=audit(1323552286.336:11505): arch=40000003 syscall=197 success=yes exit=0 a0=8 a1=5f0ee1d4 a2=5657ae54 a3=11917c18 items=0 ppid=1 pid=9132 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="gam_server" exe="/usr/libexec/gam_server" subj=system_u:system_r:fail2ban_t key=(null)
type=AVC msg=audit(1323552286.562:11506): avc: denied { dac_read_search } for pid=9132 comm="gam_server" capability=2 scontext=system_u:system_r:fail2ban_t tcontext=system_u:system_r:fail2ban_t tclass=capability
type=SYSCALL msg=audit(1323552286.562:11506): arch=40000003 syscall=292 success=yes exit=4 a0=3 a1=11918128 a2=1002fc6 a3=1192b788 items=0 ppid=1 pid=9132 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="gam_server" exe="/usr/libexec/gam_server" subj=system_u:system_r:fail2ban_t key=(null)
restorecon doesn't report any anomalies for fail2ban. (The gam_server ones might be new, as I replaced famd by gamin. famd held some files open & locked.)
type=AVC msg=audit(1323552276.002:11491): avc: denied { entrypoint } for pid=14685 comm="sudo" path="/etc/init.d/fail2ban" dev=md3 ino=905497 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:initrc_exec_t tclass=file
this is wrong and causes a lot of denials later. I suspect that you did "sudo /etc/init.d/fail2ban start". Can you try first getting a shell with sudo ("sudo bash") and then run "/etc/init.d/fail2ban start"? Support for directly executing from within sudo is still something to do. The entrypoint failure is because sysadm_t is not allowed to transition to initrc_t directly (only through run_init). By first calling a shell (note that "sudo -i" doesn't work properly either) you get a clean start. See also bug #394315
BTW, what does fail2ban have to do with gamin? That's not a daemon it needs to scan for in order to invoke possible firewall rules does it?
First part of patches are currently in hardened-dev overlay, but I keep this one as IN_PROGRESS as I don't think we're there yet.
First sudo, then /etc/init.d/fail2ban start (asks for password like sudo):
type=AVC msg=audit(1323633501.049:14598): avc: denied { read } for pid=20718 comm="rc" name="profile.env" dev=md3 ino=905263 scontext=root:sysadm_r:run_init_t tcontext=system_u:object_r:etc_runtime_t tclass=file
type=AVC msg=audit(1323633501.049:14598): avc: denied { open } for pid=20718 comm="rc" name="profile.env" dev=md3 ino=905263 scontext=root:sysadm_r:run_init_t tcontext=system_u:object_r:etc_runtime_t tclass=file
type=AVC msg=audit(1323633501.050:14599): avc: denied { getattr } for pid=20718 comm="rc" path="/etc/profile.env" dev=md3 ino=905263 scontext=root:sysadm_r:run_init_t tcontext=system_u:object_r:etc_runtime_t tclass=file
type=AVC msg=audit(1323633504.246:14601): avc: denied { search } for pid=20735 comm="fail2ban-client" name="<username>" dev=md3 ino=420163 scontext=system_u:system_r:fail2ban_t tcontext=staff_u:object_r:user_home_dir_t tclass=dir
type=AVC msg=audit(1323633504.665:14602): avc: denied { connectto } for pid=20735 comm="fail2ban-client" path="/var/run/fail2ban/fail2ban.sock" scontext=system_u:system_r:fail2ban_t tcontext=root:sysadm_r:sysadm_t tclass=unix_stream_socket
type=AVC msg=audit(1323633507.664:14610): avc: denied { use } for pid=5949 comm="loop0" path="/data/var_amavis.ext4" dev=md7 ino=49156 scontext=system_u:system_r:kernel_t tcontext=system_u:system_r:mount_t tclass=fd
type=AVC msg=audit(1323633507.664:14611): avc: denied { read } for pid=5949 comm="loop0" path="/data/var_amavis.ext4" dev=md7 ino=49156 scontext=system_u:system_r:kernel_t tcontext=root:object_r:default_t tclass=file
type=AVC msg=audit(1323633509.742:14612): avc: denied { execute_no_trans } for pid=20778 comm="fail2ban-client" path="/usr/bin/fail2ban-server" dev=md3 ino=598793 scontext=system_u:system_r:fail2ban_t tcontext=system_u:object_r:fail2ban_exec_t tclass=file
type=AVC msg=audit(1323633511.146:14613): avc: denied { dac_read_search } for pid=9132 comm="gam_server" capability=2 scontext=system_u:system_r:fail2ban_t tcontext=system_u:system_r:fail2ban_t tclass=capability
The server part is built with gamin; /usr/share/fail2ban/server/filtergamin.py is part of the server. Polling is used if gamin is not available. (It's not mentioned as a dependency in the ebuild; it is optional though.)
BTW gamin is used to get notified of changes in files that are tracked for new log lines.
I'm still having difficulties trying to reproduce. Why is "rc" running in the run_init_t domain? When sysadm_t calls an initrc_exec_t file, it transitions to run_init_t, which calls runscript (rc) causing Portage to transition the domain to initrc_t. And this should be done before the code in the init script is executed...

The following line can be ignored:
type=AVC msg=audit(1323633504.246:14601): avc: denied { search } for pid=20735 comm="fail2ban-client" name="<username>" dev=md3 ino=420163 scontext=system_u:system_r:fail2ban_t tcontext=staff_u:object_r:user_home_dir_t tclass=dir

The following line is weird, because the socket shouldn't be a sysadm_t one. Mine here is fail2ban_var_run_t as is expected.
type=AVC msg=audit(1323633504.665:14602): avc: denied { connectto } for pid=20735 comm="fail2ban-client" path="/var/run/fail2ban/fail2ban.sock" scontext=system_u:system_r:fail2ban_t tcontext=root:sysadm_r:sysadm_t tclass=unix_stream_socket

The amavis-related denials are not related to fail2ban afaik.

From the next denial, I guess fail2ban-client is still marked as fail2ban_exec_t on your system. From looking at online sources and consulting with #selinux I don't think it needs to be marked that way, so back to bin_t with that ;-)
type=AVC msg=audit(1323633509.742:14612): avc: denied { execute_no_trans } for pid=20778 comm="fail2ban-client" path="/usr/bin/fail2ban-server" dev=md3 ino=598793 scontext=system_u:system_r:fail2ban_t tcontext=system_u:object_r:fail2ban_exec_t tclass=file
I don't exactly grasp the rc problem with initrc_exec_t; the effect I see is I need to type my password every time I try to restart an /etc/init.d/whatever script unless I ran such a script a short time ago, just like sudo works. I am not aware of a conscious choice that should have been or has been made during the setup of the hardened profile on this system. Anything that might be wrong on the /etc/init.d or rc stuff?
# ls -lZ /etc/init.d/fail2ban
-rwxr-xr-x. 1 root root system_u:object_r:initrc_exec_t 1552 Dec 10 22:23 /etc/init.d/fail2ban
wrt. the socket: fail2ban has been restarted a few times, it might be a false positive from the past.
The amavis related ones are mountpoints to containers on another disk --> mountpoints issue denial warnings... probably something of rc checking some status? or it might be anything... It might be another new issue though.
fail2ban-client was marked fail2ban_exec_t. These are the current settings:
# ls -lZ /usr/bin/fail2ban-client /var/run/fail2ban/fail2ban.sock
-rwxr-xr-x. 1 root root system_u:object_r:bin_t 11494 Dec 10 22:23 /usr/bin/fail2ban-client
srwx------. 1 root root system_u:object_r:fail2ban_var_run_t 0 Dec 17 00:50 /var/run/fail2ban/fail2ban.sock
restart now shows:
# /etc/init.d/fail2ban restart
Authenticating xxxxx.
Password:
 * Caching service dependencies ... [ ok ]
 * Use of the opts variable is deprecated and will be
 * removed in the future.
 * Please use extra_commands or extra_started_commands.
 * Stopping fail2ban ... [ ok ]
 * Use of the opts variable is deprecated and will be
 * removed in the future.
 * Please use extra_commands or extra_started_commands.
 * Starting fail2ban ...
login with my name then sudo -s gives:
# id -Z
root:sysadm_r:sysadm_t
The contexts match what I have here, so hopefully are okay. You indeed have to re-authenticate often, see http://www.gentoo.org/proj/en/hardened/selinux-faq.xml#auth-run_init (Why do I always need to re-authenticate when operating init scripts). It looks like your context is correct. I don't know if you are already running in enforcing mode or not, but if you aren't, can you do something equivalent to this?
# rc-service fail2ban stop
# > /var/log/avc.log
# setenforce 1
# rc-service fail2ban start
# setenforce 0
and then look at /var/log/avc.log (perhaps wgetpaste it by then so that future additions aren't going to clutter it) again? Also, if fail2ban starts well with that, wait with "setenforce 0" and have it running for a while. Note however that, as long as you don't "setenforce 0", SELinux will be running in enforcing mode, so other operations that you do on your system might feel this effect as well.
setenforce 1 caused a few messages... (> 75614). Those 75K messages are mostly of the amavis kind (245) or radvd disallowed to read a rawip socket (75350):
type=AVC msg=audit(1325004244.152:174306): avc: denied { read } for pid=20724 comm="radvd" lport=58 scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=rawip_socket
None of fail2ban were seen. (btw. the /var/log/avc.log is still empty; those messages are from the audit.log{,.[1-3]} using the auditd daemon.) I'll try again with radvd (routing advertiser for IPv6) temporarily stopped. Giving about ~1.6MB of logging: http://dpaste.com/678349/ (audit.log.gz compressed). The amavis errors ARE related, because amavis sends a mail to indicate a state change (start -> stop & stop -> start) and probably any access to the amavis partition (mounted as loopback because /var grew too small, selinux requires it to be on /var && [ much less important: /var is on a mirror disk & most of the amavis data (old spam messages ;-) doesn't need a mirror disk ] hence a mount -o loop /data/var_amavis.ext4 /var/amavis ... ). btw, fail2ban still uses the opts variable instead of the extra_commands and complains.
Oh, and mail delivery does fail during setenforce 1, they are passed on to the amavis manager, as UNCHECKED mail. So I intend to keep it unenforcing for now.
Okay, amavis issues are related because they are triggered, but they aren't related to the fail2ban SELinux domain definition. I noticed that you opened a new bug for the radvd issue - that's good. Regarding the amavis one, that wouldn't be bad either. I don't think the issue is with amavis but rather how the loop device is mounted and which label(s) it gets. To debug that, we'd need to do the entire loop-mounting thing step by step and watch the first denials there (and not the denials we get after it is mounted). Okay if I close down the fail2ban one (this one) and look at the radvd separately? It looks like radvd requires its own domain (it is currently running in sysadm_t)...
Ok, I just checked dpaste and it looks horrible. I grepped relevant parts from the original log file (non loop & AVC only):
type=AVC msg=audit(1325005122.281:181730): avc: denied { read } for pid=8881 comm="exe" name="passwd" dev=md3 ino=908369 scontext=system_u:system_r:initrc_t tcontext=root:object_r:shadow_t tclass=file
type=AVC msg=audit(1325005122.290:181731): avc: denied { read } for pid=8882 comm="exe" name="group" dev=md3 ino=908224 scontext=system_u:system_r:initrc_t tcontext=root:object_r:shadow_t tclass=file
type=AVC msg=audit(1325005122.296:181732): avc: denied { read } for pid=8883 comm="exe" name="passwd" dev=md3 ino=908369 scontext=system_u:system_r:initrc_t tcontext=root:object_r:shadow_t tclass=file
type=AVC msg=audit(1325005122.300:181733): avc: denied { read } for pid=8884 comm="exe" name="group" dev=md3 ino=908224 scontext=system_u:system_r:initrc_t tcontext=root:object_r:shadow_t tclass=file
type=AVC msg=audit(1325005139.270:187162): avc: denied { search } for pid=8911 comm="fail2ban-server" name="home" dev=md3 ino=420161 scontext=system_u:system_r:fail2ban_t tcontext=system_u:object_r:home_root_t tclass=dir
type=AVC msg=audit(1325005139.694:187163): avc: denied { search } for pid=8915 comm="gam_server" name="root" dev=md3 ino=468641 scontext=system_u:system_r:fail2ban_t tcontext=root:object_r:user_home_dir_t tclass=dir
type=AVC msg=audit(1325005140.029:187164): avc: denied { dac_read_search } for pid=8915 comm="gam_server" capability=2 scontext=system_u:system_r:fail2ban_t tcontext=system_u:system_r:fail2ban_t tclass=capability
type=AVC msg=audit(1325005141.299:187683): avc: denied { read } for pid=8947 comm="exe" name="passwd" dev=md3 ino=908369 scontext=system_u:system_r:initrc_t tcontext=root:object_r:shadow_t tclass=file
The passwd & group ones probably are the ones that have to do with the state change. So if you think the others are normal then it can be closed.
Direct access to shadow_t is never allowed, so that is to be expected. I am wondering a bit why that "exe" process would want to read /etc/shadow. This should *never* be allowed.

There are some messages about fail2ban trying to search through /home. Is this needed for anything? If so, we need to know why (just allowing search through /home won't suffice).

The last remaining hurdles I see are these:

type=AVC msg=audit(1325005139.694:187163): avc: denied { search } for pid=8915 comm="gam_server" name="root" dev=md3 ino=468641 scontext=system_u:system_r:fail2ban_t tcontext=root:object_r:user_home_dir_t tclass=dir
type=AVC msg=audit(1325005140.029:187164): avc: denied { dac_read_search } for pid=8915 comm="gam_server" capability=2 scontext=system_u:system_r:fail2ban_t tcontext=system_u:system_r:fail2ban_t tclass=capability

From the looks of it, fail2ban launches gam_server. We probably need to create a separate policy for gam_server and allow fail2ban to call it. But to do so, I'll need to set up a guest that runs fail2ban and gamin. You know any good pointers for this?
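A small triage helper, added here as an example and not part of the bug thread: it parses AVC lines like the ones quoted above, scrubs the volatile pid/ino/audit-id fields the way the reporter did before sort -u, and counts the remaining (source type, target type, class, permissions) tuples so the distinct policy questions stand out. It also flags any denial whose target is shadow_t, which the comment above says should never be allowed. The sample lines are constructed from denials quoted in this thread.

```python
import re
from collections import Counter

# Constructed sample input: denials modelled on the ones quoted in this bug.
SAMPLE_AVC = """\
type=AVC msg=audit(1325005122.281:181730): avc: denied { read } for pid=8881 comm="exe" name="passwd" dev=md3 ino=908369 scontext=system_u:system_r:initrc_t tcontext=root:object_r:shadow_t tclass=file
type=AVC msg=audit(1325005122.296:181732): avc: denied { read } for pid=8883 comm="exe" name="passwd" dev=md3 ino=908369 scontext=system_u:system_r:initrc_t tcontext=root:object_r:shadow_t tclass=file
type=AVC msg=audit(1325005139.270:187162): avc: denied { search } for pid=8911 comm="fail2ban-server" name="home" dev=md3 ino=420161 scontext=system_u:system_r:fail2ban_t tcontext=system_u:object_r:home_root_t tclass=dir
type=AVC msg=audit(1325005140.029:187164): avc: denied { dac_read_search } for pid=8915 comm="gam_server" capability=2 scontext=system_u:system_r:fail2ban_t tcontext=system_u:system_r:fail2ban_t tclass=capability
avc: denied { read write } for pid=12345 comm="exim" path="socket[12345]" dev=sockfs ino=12345 scontext=system_u:system_r:exim_t tcontext=system_u:system_r:fail2ban_t tclass=unix_stream_socket
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Textual scrub, equivalent to what the reporter did by hand: equalise pids,
# inodes and socket numbers and drop the per-event audit id, then sort -u.
SCRUB = [
    (re.compile(r'\bpid=\d+'), 'pid=X'),
    (re.compile(r'\bino=\d+'), 'ino=X'),
    (re.compile(r'socket\[\d+\]'), 'socket[X]'),
    (re.compile(r'msg=audit\([\d.]+:\d+\):\s*'), ''),
]

def sanitize(line):
    """Return the line with volatile fields replaced, so duplicates collapse."""
    for rx, repl in SCRUB:
        line = rx.sub(repl, line)
    return line

def parse_avc(line):
    """Return a dict for one AVC denial line, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": tuple(sorted(m.group("perms").split()))}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    return rec

def type_of(context):
    """'system_u:system_r:fail2ban_t' -> 'fail2ban_t' (the type field)."""
    return context.split(":")[2]

def normalize(rec):
    """Reduce a denial to what a policy rule is written against."""
    return (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"], rec["perms"])

def summarize(text):
    """Count distinct (stype, ttype, tclass, perms) tuples over a block of log text."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            counts[normalize(rec)] += 1
    return counts

def needs_investigation(key):
    """True for tuples that must not be allowed by policy: any access to shadow_t."""
    return key[1] == "shadow_t"
```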
About gamin:

emerge gamin libgamin
emerge fail2ban  # needs to be done as the autoconfigure tests for gamin

That should suffice. gamin doesn't need any configuration. The application sends it a list of files to monitor. And indeed, the gamin server is started by the application needing it. The home directory most probably is because that was my default directory.
Maybe "emerge gamin libgamin" can also be replaced with:

emerge -1 gamin libgamin
emerge virtual/fam

Getting a little less crowded world file.
Okay, got it working - was indeed not that difficult. To support FAM I had to add some more privileges. However, unlike earlier, I don't think it is wise to create a separate domain for gam_server. Its functionality would require that domain to have read access (or at least getattr, whatever it uses) to every possible file, whereas fail2ban needs this on log files. And I only had to do one rule to give it FAM support as well:

read_files_pattern(fail2ban_t, fail2ban_t, fail2ban_t)

This is because gam_server wants to read /proc/self/* files (which are labeled fail2ban_t here). I did disable the sendmail-whois action not to clutter the logs, but will focus on that now to get that working as well.
Okay, I also have the errors like:

avc: denied { read write } for pid=12345 comm="exim" path="socket[12345]" dev=sockfs ino=12345 scontext=system_u:system_r:exim_t tcontext=system_u:system_r:fail2ban_t tclass=unix_stream_socket

On my system, it is system_mail_t (standard ssmtp install). However, it doesn't affect the functioning (I suspect this is the feedback from the sendmail application back to fail2ban) so it can be ignored. I will include dontaudit statements for that. I guess that should be all there is to it for this one.
In bug #396221 you mention that restarting fail2ban still gives you errors (now something about not being able to authenticate you). Before you restart, check that:
(1.) you are in the sysadm_t domain
(2.) fail2ban runs in the fail2ban_t domain
(3.) you restart it using /etc/init.d/fail2ban restart or rc-service fail2ban restart
Then I was in a hurry; now, after normal login + sudo, this is the output. The clamscan related messages are probably something different.

Now first time after setenforce 1: (The run_init hack you mentioned lately did help here, the password is asked... using /etc/init.d/fail2ban or rc-service fail2ban makes no difference.

/etc/init.d/fail2ban restart
Authenticating xxxxx.
Password:
 * Use of the opts variable is deprecated and will be
 * removed in the future.
 * Please use extra_commands or extra_started_commands.
 * Stopping fail2ban ... [ ok ]
 * Use of the opts variable is deprecated and will be
 * removed in the future.
 * Please use extra_commands or extra_started_commands.
 * Starting fail2ban ... [ ok ]

type=AVC msg=audit(1325199949.805:197685): avc: denied { read } for pid=26562 comm="exe" name="group" dev=md3 ino=908224 scontext=system_u:system_r:initrc_t tcontext=root:object_r:shadow_t tclass=file
type=AVC msg=audit(1325199949.810:197686): avc: denied { read } for pid=26563 comm="exe" name="passwd" dev=md3 ino=908369 scontext=system_u:system_r:initrc_t tcontext=root:object_r:shadow_t tclass=file
type=AVC msg=audit(1325199949.816:197687): avc: denied { read } for pid=26564 comm="exe" name="group" dev=md3 ino=908224 scontext=system_u:system_r:initrc_t tcontext=root:object_r:shadow_t tclass=file
type=AVC msg=audit(1325199961.673:197692): avc: denied { search } for pid=26589 comm="clamdscan" name="tmp" dev=md5 ino=275303 scontext=system_u:system_r:clamscan_t tcontext=system_u:object_r:amavis_var_lib_t tclass=dir
type=AVC msg=audit(1325199961.729:197693): avc: denied { search } for pid=26590 comm="clamdscan" name="tmp" dev=md5 ino=275303 scontext=system_u:system_r:clamscan_t tcontext=system_u:object_r:amavis_var_lib_t tclass=dir
type=AVC msg=audit(1325199963.079:197697): avc: denied { search } for pid=26614 comm="clamdscan" name="tmp" dev=md5 ino=275303 scontext=system_u:system_r:clamscan_t tcontext=system_u:object_r:amavis_var_lib_t tclass=dir
type=AVC msg=audit(1325199963.240:197698): avc: denied { search } for pid=26616 comm="clamdscan" name="tmp" dev=md5 ino=275303 scontext=system_u:system_r:clamscan_t tcontext=system_u:object_r:amavis_var_lib_t tclass=dir
type=AVC msg=audit(1325199966.271:197699): avc: denied { search } for pid=26621 comm="fail2ban-server" name="home" dev=md3 ino=420161 scontext=system_u:system_r:fail2ban_t tcontext=system_u:object_r:home_root_t tclass=dir
type=AVC msg=audit(1325199966.996:197700): avc: denied { dac_read_search } for pid=8915 comm="gam_server" capability=2 scontext=system_u:system_r:fail2ban_t tcontext=system_u:system_r:fail2ban_t tclass=capability
type=AVC msg=audit(1325199968.048:197707): avc: denied { search } for pid=26651 comm="clamdscan" name="tmp" dev=md5 ino=275303 scontext=system_u:system_r:clamscan_t tcontext=system_u:object_r:amavis_var_lib_t tclass=dir
type=AVC msg=audit(1325199968.102:197708): avc: denied { search } for pid=26652 comm="clamdscan" name="tmp" dev=md5 ino=275303 scontext=system_u:system_r:clamscan_t tcontext=system_u:object_r:amavis_var_lib_t tclass=dir
type=AVC msg=audit(1325199968.663:197709): avc: denied { search } for pid=26658 comm="clamdscan" name="tmp" dev=md5 ino=275303 scontext=system_u:system_r:clamscan_t tcontext=system_u:object_r:amavis_var_lib_t tclass=dir
type=AVC msg=audit(1325199968.716:197710): avc: denied { search } for pid=26659 comm="clamdscan" name="tmp" dev=md5 ino=275303 scontext=system_u:system_r:clamscan_t tcontext=system_u:object_r:amavis_var_lib_t tclass=dir

And a second one fails:

/etc/init.d/fail2ban restart
cannot find your entry in the passwd file.
Authentication failed.

With audit records...:

type=AVC msg=audit(1325200201.944:197713): avc: denied { read } for pid=26711 comm="exe" name="passwd" dev=md3 ino=908369 scontext=system_u:system_r:initrc_t tcontext=root:object_r:shadow_t tclass=file
type=AVC msg=audit(1325200366.091:197730): avc: denied { read } for pid=26738 comm="exe" name="group" dev=md3 ino=908224 scontext=system_u:system_r:initrc_t tcontext=root:object_r:shadow_t tclass=file
type=AVC msg=audit(1325200366.097:197731): avc: denied { read } for pid=26739 comm="exe" name="passwd" dev=md3 ino=908369 scontext=system_u:system_r:initrc_t tcontext=root:object_r:shadow_t tclass=file
type=AVC msg=audit(1325200366.102:197732): avc: denied { read } for pid=26740 comm="exe" name="group" dev=md3 ino=908224 scontext=system_u:system_r:initrc_t tcontext=root:object_r:shadow_t tclass=file
type=AVC msg=audit(1325200370.507:197733): avc: denied { read } for pid=26742 comm="exe" name="passwd" dev=md3 ino=908369 scontext=system_u:system_r:initrc_t tcontext=root:object_r:shadow_t tclass=file

The context starts with:

id -Z
root:sysadm_r:sysadm_t
You have any idea what this "exe" process is?
selinux-fail2ban-2.20110726-r2 is in the hardened-dev overlay. Please test this policy. If things still fail, please include both the output on-screen (how did you trigger it), fail2ban's log (/var/log/fail2ban.log) as well as the related denials (usually found through "grep fail2ban_t /var/log/avc.log").
(In reply to comment #34)
> You have any idea what this "exe" process is?

I don't have the faintest idea. The only references I found are the /proc/[0-9]+/exe and /proc/[0-9]+/task/[0-9]+/exe symlinks pointing to the executables. I thought it was something from within the rc system.
# /etc/init.d/fail2ban restart
Authenticating root.
Password:
 * Use of the opts variable is deprecated and will be
 * removed in the future.
 * Please use extra_commands or extra_started_commands.
 * Stopping fail2ban ... [ ok ]
 * Use of the opts variable is deprecated and will be
 * removed in the future.
 * Please use extra_commands or extra_started_commands.
 * Starting fail2ban ...
 * Failed to start fail2ban [ !! ]
 * ERROR: fail2ban failed to start

firewall ~ # tail /var/log/everything/current
Dec 31 04:20:08 [pppd] Connect time 13320.4 minutes.
Dec 31 04:20:08 [pppd] Sent 1701277214 bytes, received 3166309510 bytes.
Dec 31 04:20:08 [radvd] attempting to reread config file
Dec 31 04:20:08 [radvd] Warning: AdvRDNSSLifetime <= 2*MaxRtrAdvInterval would allow stale DNS servers to be deleted faster
Dec 31 04:20:08 [radvd] Warning: AdvDNSSLLifetime <= 2*MaxRtrAdvInterval would allow stale DNS suffixes to be deleted faster
Dec 31 04:20:08 [radvd] Warning: AdvRDNSSLifetime <= 2*MaxRtrAdvInterval would allow stale DNS servers to be deleted faster
Dec 31 04:20:08 [radvd] Warning: AdvDNSSLLifetime <= 2*MaxRtrAdvInterval would allow stale DNS suffixes to be deleted faster
Dec 31 04:20:08 [pppd] Failed to disconnect PPPoE socket: 13 Permission denied
Dec 31 04:20:08 [pppd] Modem hangup
Dec 31 04:20:08 [radvd] resuming normal operation

firewall ~ # /etc/init.d/fail2ban start
Authenticating root.
Password:
 * Use of the opts variable is deprecated and will be
 * removed in the future.
 * Please use extra_commands or extra_started_commands.
 * Starting fail2ban ...
 * Failed to start fail2ban [ !! ]
 * ERROR: fail2ban failed to start

firewall ~ # tail /var/log/fail
fail2ban.log  fail2ban.log-20111226.gz  fail2ban.log-20111228.gz  fail2ban.log-20111230.gz  faillog
fail2ban.log-20111225.gz  fail2ban.log-20111227.gz  fail2ban.log-20111229.gz  fail2ban.log-20111231.gz

firewall ~ # tail /var/log/fail2ban.log
2011-12-31 03:10:13,128 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.4
2011-12-31 04:19:16,351 fail2ban.jail : INFO Jail 'sip-iptables' stopped
2011-12-31 04:19:16,470 fail2ban.actions: WARNING [ssh-iptables] Unban 74.86.227.50
2011-12-31 04:19:16,583 fail2ban.actions: WARNING [ssh-iptables] Unban 178.211.55.46
2011-12-31 04:19:17,042 fail2ban.jail : INFO Jail 'ssh-iptables' stopped
2011-12-31 04:19:17,093 fail2ban.server : INFO Exiting Fail2ban

firewall ~ # fail
fail2ban-regex  faillog
firewall ~ # fail
fail2ban-regex  faillog

firewall ~ # setenforce 0
firewall ~ # /etc/init.d/fail2ban start
Authenticating root.
 * Use of the opts variable is deprecated and will be
 * removed in the future.
 * Please use extra_commands or extra_started_commands.
 * Starting fail2ban ... [ ok ]

# id -Z
root:sysadm_r:sysadm_t

# tail -n 50 /var/log/fail2ban.log
2011-12-31 03:10:13,128 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.4
2011-12-31 04:19:16,351 fail2ban.jail : INFO Jail 'sip-iptables' stopped
2011-12-31 04:19:16,470 fail2ban.actions: WARNING [ssh-iptables] Unban 74.86.227.50
2011-12-31 04:19:16,583 fail2ban.actions: WARNING [ssh-iptables] Unban 178.211.55.46
2011-12-31 04:19:17,042 fail2ban.jail : INFO Jail 'ssh-iptables' stopped
2011-12-31 04:19:17,093 fail2ban.server : INFO Exiting Fail2ban
2011-12-31 04:22:01,166 fail2ban.server : INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.4
2011-12-31 04:22:01,170 fail2ban.jail : INFO Creating new jail 'ssh-iptables'
2011-12-31 04:22:01,192 fail2ban.jail : INFO Jail 'ssh-iptables' uses Gamin
2011-12-31 04:22:01,499 fail2ban.filter : INFO Added logfile = /var/log/sshd/current
2011-12-31 04:22:01,501 fail2ban.filter : INFO Set maxRetry = 3
2011-12-31 04:22:01,510 fail2ban.filter : INFO Set findtime = 3600
2011-12-31 04:22:01,515 fail2ban.actions: INFO Set banTime = 172800
2011-12-31 04:22:01,765 fail2ban.jail : INFO Creating new jail 'sip-iptables'
2011-12-31 04:22:01,766 fail2ban.jail : INFO Jail 'sip-iptables' uses Gamin
2011-12-31 04:22:01,775 fail2ban.filter : INFO Added logfile = /var/log/asterisk/full
2011-12-31 04:22:01,780 fail2ban.filter : INFO Set maxRetry = 10
2011-12-31 04:22:01,789 fail2ban.filter : INFO Set findtime = 3600
2011-12-31 04:22:01,793 fail2ban.actions: INFO Set banTime = 172800
2011-12-31 04:22:01,901 fail2ban.jail : INFO Jail 'ssh-iptables' started
2011-12-31 04:22:01,918 fail2ban.jail : INFO Jail 'sip-iptables' started
2011-12-31 04:22:02,088 fail2ban.actions.action: ERROR iptables -N fail2ban-SIP iptables -A fail2ban-SIP -j RETURN iptables -I INPUT -p udp --dport 5060 -j fail2ban-SIP returned 200

cat audit.log : grep fail2ban | grep avc:
type=AVC msg=audit(1325301554.834:202337): avc: denied { search } for pid=8228 comm="fail2ban-client" name="home" dev=md3 ino=420161 scontext=system_u:system_r:fail2ban_t tcontext=system_u:object_r:home_root_t tclass=dir
type=AVC msg=audit(1325301557.898:202351): avc: denied { search } for pid=8272 comm="fail2ban-client" name="home" dev=md3 ino=420161 scontext=system_u:system_r:fail2ban_t tcontext=system_u:object_r:home_root_t tclass=dir
type=AVC msg=audit(1325301560.106:202354): avc: denied { execute_no_trans } for pid=8277 comm="fail2ban-client" path="/usr/bin/fail2ban-server" dev=md3 ino=598793 scontext=system_u:system_r:fail2ban_t tcontext=system_u:object_r:fail2ban_exec_t tclass=file
type=AVC msg=audit(1325301560.112:202355): avc: denied { execute_no_trans } for pid=8277 comm="fail2ban-client" path="/usr/bin/fail2ban-server" dev=md3 ino=598793 scontext=system_u:system_r:fail2ban_t tcontext=system_u:object_r:fail2ban_exec_t tclass=file
type=AVC msg=audit(1325301648.805:202476): avc: denied { search } for pid=8730 comm="fail2ban-client" name="home" dev=md3 ino=420161 scontext=system_u:system_r:fail2ban_t tcontext=system_u:object_r:home_root_t tclass=dir
type=AVC msg=audit(1325301649.702:202477): avc: denied { execute_no_trans } for pid=8731 comm="fail2ban-client" path="/usr/bin/fail2ban-server" dev=md3 ino=598793 scontext=system_u:system_r:fail2ban_t tcontext=system_u:object_r:fail2ban_exec_t tclass=file
type=AVC msg=audit(1325301649.706:202478): avc: denied { execute_no_trans } for pid=8731 comm="fail2ban-client" path="/usr/bin/fail2ban-server" dev=md3 ino=598793 scontext=system_u:system_r:fail2ban_t tcontext=system_u:object_r:fail2ban_exec_t tclass=file
type=AVC msg=audit(1325301719.759:202483): avc: denied { search } for pid=8749 comm="fail2ban-client" name="nico" dev=md3 ino=420163 scontext=system_u:system_r:fail2ban_t tcontext=staff_u:object_r:user_home_dir_t tclass=dir
type=AVC msg=audit(1325301720.655:202484): avc: denied { execute_no_trans } for pid=8750 comm="fail2ban-client" path="/usr/bin/fail2ban-server" dev=md3 ino=598793 scontext=system_u:system_r:fail2ban_t tcontext=system_u:object_r:fail2ban_exec_t tclass=file
type=AVC msg=audit(1325301721.772:202485): avc: denied { dac_read_search } for pid=8754 comm="gam_server" capability=2 scontext=system_u:system_r:fail2ban_t tcontext=system_u:system_r:fail2ban_t tclass=capability
It looks like your client is still marked as fail2ban_exec_t instead of bin_t? The denials show that fail2ban_t tries to execute something labeled fail2ban_exec_t.
Yep:

firewall ~ # ls -lZ /usr/bin/fail2ban-*
-rwxr-xr-x. 1 root root system_u:object_r:fail2ban_exec_t 11494 Dec 10 22:23 /usr/bin/fail2ban-client
-rwxr-xr-x. 1 root root system_u:object_r:bin_t           10703 Dec 10 22:23 /usr/bin/fail2ban-regex
-rwxr-xr-x. 1 root root system_u:object_r:fail2ban_exec_t  4223 Dec 10 22:23 /usr/bin/fail2ban-server

firewall ~ # rlpkg -r fail2ban
Relabeling: net-analyzer/fail2ban-0.8.4-r3

firewall ~ # ls -lZ /usr/bin/fail2ban-*
-rwxr-xr-x. 1 root root system_u:object_r:fail2ban_exec_t 11494 Dec 10 22:23 /usr/bin/fail2ban-client
-rwxr-xr-x. 1 root root system_u:object_r:bin_t           10703 Dec 10 22:23 /usr/bin/fail2ban-regex
-rwxr-xr-x. 1 root root system_u:object_r:fail2ban_exec_t  4223 Dec 10 22:23 /usr/bin/fail2ban-server

# eix fail2ban
[I] net-analyzer/fail2ban
     Available versions:  0.8.4-r3 ~0.8.4-r4 ~0.8.6 {selinux}
     Installed versions:  0.8.4-r3(22:23:51 12/10/11)(selinux)
     Homepage:            http://fail2ban.sourceforge.net/
     Description:         Bans IP that make too many password failures

*  net-analyzer/nagios-check_fail2ban
     Available versions:  ~3
     Homepage:            https://github.com/hollow/check_fail2ban
     Description:         A nagios plugin for checking the fail2ban daemon

[I] sec-policy/selinux-fail2ban
     Available versions:  2.20110726 (~)2.20110726-r1 (~)2.20110726-r2[1]
     Installed versions:  2.20110726-r2[1](02:40:47 12/31/11)
     Homepage:            http://www.gentoo.org/proj/en/hardened/selinux/
     Description:         SELinux policy for fail2ban

[1] "hardened-dev" /var/lib/layman/hardened-development

So where did it go wrong? This maybe:

# cat /etc/selinux/strict/contexts/files/file_contexts.local
# This file is auto-generated by libsemanage
# Do not edit directly.
/usr/bin/fail2ban-client system_u:object_r:fail2ban_exec_t

Yep... Removing that * rlpkg again solved it. Now, as the file is auto-generated, will it come back?
Is it possible to dump/decompile a .pp file? (I understand the comments are gone ;-) Or are the sources kept somewhere?
It will come back unless you deregister it:

semanage fcontext -d -t fail2ban_exec_t "/usr/bin/fail2ban-client"

There are some tools (but not available on Gentoo) that decompose a .pp module, but I heard little success on this. But if you want to see the sources, try "ebuild /usr/portage/sec-policy/selinux-fail2ban/selinux-fail2ban-2.20110726-r1.ebuild prepare", then go to /var/tmp/portage/sec-policy/selinux-fail2ban/work/strict and you'll find the fail2ban sources. Substitute the path with the correct one of course (for instance, the overlays by layman are somewhere in /var/lib/layman).
Pushed to main tree, ~arch
Marked stable