[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Fail2ban and SELinux



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

max bianco wrote:
> On Thu, Apr 17, 2008 at 1:37 PM, max bianco <maximilianbianco gmail com> wrote:
>> On Thu, Apr 17, 2008 at 1:22 PM, max bianco <maximilianbianco gmail com> wrote:
>>  >
>>  > On Thu, Apr 17, 2008 at 11:25 AM, Daniel J Walsh <dwalsh redhat com> wrote:
>>  >  >
>>  >  > -----BEGIN PGP SIGNED MESSAGE-----
>>  >  >  Hash: SHA1
>>  >  >
>>  >  >  max bianco wrote:
>>  >  >  > On Wed, Apr 16, 2008 at 8:37 AM, Daniel J Walsh <dwalsh redhat com> wrote:
>>  >  >  >> -----BEGIN PGP SIGNED MESSAGE-----
>>  >  >  >>  Hash: SHA1
>>  >  >  >>
>>  >  >  >>
>>  >  >  >>
>>  >  >  >> max wrote:
>>  >  >  >>  > Daniel J Walsh wrote:
>>  >  >  >>  >> -----BEGIN PGP SIGNED MESSAGE-----
>>  >  >  >>  >> Hash: SHA1
>>  >  >  >>  >>
>>  >  >  >>  >> max bianco wrote:
>>  >  >  >>  >>> I recently installed fail2ban on my F8 box. I don't allow remote
>>  >  >  >>  >>> access to my box but it had been mentioned recently so I decided to
>>  >  >  >>  >>> test it out. I installed it a few days ago but didn't do anything with
>>  >  >  >>  >>> it till last night. I had forgotten about it but I was perusing log
>>  >  >  >>  >>> files and saw 21 AVC's related it to it. I pulled up my services gui
>>  >  >  >>  >>> and sure enough it wasn't running. I tried to start it and got
>>  >  >  >>  >>> denied(it wouldn't start from a terminal at all, complaining that the
>>  >  >  >>  >>> service is unrecognized). No problem , i expected as much when I saw
>>  >  >  >>  >>> the AVC's in my log files but I always try things more than once so I
>>  >  >  >>  >>> tried to start it a second time and this time and every time after it
>>  >  >  >>  >>> started without generating a denial. Is this because I manually
>>  >  >  >>  >>> started the service? That doesn't make sense because then it would
>>  >  >  >>  >>> have worked the first time as well but it didn't. I see that there is
>>  >  >  >>  >>> a policy module for fail2ban but if the module is in place then
>>  >  >  >>  >>> shouldn't it have run without issues? Why 21 AVC's and then its
>>  >  >  >>  >>> working? I am learning my way around SELinux but I don't feel
>>  >  >  >>  >>> comfortable enough to troubleshoot this problem correctly, so where do
>>  >  >  >>  >>> I start?
>>  >  >  >>  >>>
>>  >  >  >>  >>> Max
>>  >  >  >>  >>>
>>  >  >  >>  >>> --
>>  >  >  >>  >>> fedora-selinux-list mailing list
>>  >  >  >>  >>> fedora-selinux-list redhat com
>>  >  >  >>  >>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>  >  >  >>  >> Was there a policy upgrade during this time?  Problem might have been
>>  >  >  >>  >> fixed.
>>  >  >  >>  >>
>>  >  >  >>  > The time between my first manual attempt to start fail2ban,which
>>  >  >  >>  > generated an SELinux Denial, and the second, which started the service,
>>  >  >  >>  > was about 30 seconds. I checked the logs again today this is a portion
>>  >  >  >>  > of the output from yesterday and today :
>>  >  >  >>  >
>>  >  >  >>  >> Apr 14 23:24:32 localhost setroubleshoot: [program.ERROR]
>>  >  >  >>  >> setroubleshoot generated AVC, exiting to avoid recursion,
>>  >  >  >>  >> context=system_u:system_r:setroubleshootd_t:s0, AVC
>>  >  >  >>  >> scontext=system_u:system_r:setroubleshootd_t:s0
>>  >  >  >>  >> Apr 14 23:24:32 localhost setroubleshoot: [program.ERROR] audit
>>  >  >  >>  >> event#012host=localhost.localdomain type=AVC
>>  >  >  >>  >> msg=audit(1208229871.594:256): avc:  denied  { write } for  pid=2530
>>  >  >  >>  >> comm="setroubleshootd" name="rpm" dev=dm-0 ino=229382
>>  >  >  >>  >> scontext=system_u:system_r:setroubleshootd_t:s0
>>  >  >  >>  >> tcontext=system_u:object_r:rpm_var_lib_t:s0
>>  >  >  >>  >> tclass=dir#012#012host=localhost.localdomain type=SYSCALL
>>  >  >  >>  >> msg=audit(1208229871.594:256): arch=c000003e syscall=21 success=no
>>  >  >  >>  >> exit=-13 a0=eaf2f0 a1=2 a2=0 a3=0 items=0 ppid=1 pid=2530
>>  >  >  >>  >> auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
>>  >  >  >>  >> fsgid=0 tty=(none) comm="setroubleshootd" exe="/usr/bin/python"
>>  >  >  >>  >> subj=system_u:system_r:setroubleshootd_t:s0 key=(null)
>>  >  >  >>  >> Apr 14 23:24:32 localhost setroubleshoot: [program.ERROR]
>>  >  >  >>  >> setroubleshoot generated AVC, exiting to avoid recursion,
>>  >  >  >>  >> context=system_u:system_r:setroubleshootd_t:s0, AVC
>>  >  >  >>  >> scontext=system_u:system_r:setroubleshootd_t:s0
>>  >  >  >>  >> Apr 14 23:24:32 localhost setroubleshoot: [program.ERROR] audit
>>  >  >  >>  >> event#012host=localhost.localdomain type=AVC
>>  >  >  >>  >> msg=audit(1208229871.595:257): avc:  denied  { write } for  pid=2530
>>  >  >  >>  >> comm="setroubleshootd" name="rpm" dev=dm-0 ino=229382
>>  >  >  >>  >> scontext=system_u:system_r:setroubleshootd_t:s0
>>  >  >  >>  >> tcontext=system_u:object_r:rpm_var_lib_t:s0
>>  >  >  >>  >> tclass=dir#012#012host=localhost.localdomain type=SYSCALL
>>  >  >  >>  >> msg=audit(1208229871.595:257): arch=c000003e syscall=21 success=no
>>  >  >  >>  >> exit=-13 a0=d684a0 a1=2 a2=0 a3=0 items=0 ppid=1 pid=2530
>>  >  >  >>  >> auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
>>  >  >  >>  >> fsgid=0 tty=(none) comm="setroubleshootd" exe="/usr/bin/python"
>>  >  >  >>  >> subj=system_u:system_r:setroubleshootd_t:s0 key=(null)
>>  >  >  >>  >> Apr 15 17:26:32 localhost setroubleshoot: SELinux is preventing
>>  >  >  >>  >> fail2ban-server (fail2ban_t) "getattr" to / (security_t). For complete
>>  >  >  >>  >> SELinux messages. run sealert -l fe77e9af-a0e1-442b-a176-08f2db381144
>>  >  >  >>  >> Apr 15 17:26:36 localhost setroubleshoot: SELinux is preventing
>>  >  >  >>  >> fail2ban-server (fail2ban_t) "read" to ./config (selinux_config_t).
>>  >  >  >>  >> For complete SELinux messages. run sealert -l
>>  >  >  >>  >> 99f22448-5c31-4a6f-8f55-02f7404fba5d
>>  >  >  >>  >> Apr 15 17:26:36 localhost setroubleshoot: SELinux is preventing
>>  >  >  >>  >> fail2ban-server (fail2ban_t) "search" to / (security_t). For complete
>>  >  >  >>  >> SELinux messages. run sealert -l 85b915f3-5a0b-4a2b-9bf1-c3a88bdd5951
>>  >  >  >>  >> Apr 15 17:26:36 localhost setroubleshoot: SELinux is preventing
>>  >  >  >>  >> fail2ban-server (fail2ban_t) "search" to / (security_t). For complete
>>  >  >  >>  >> SELinux messages. run sealert -l 85b915f3-5a0b-4a2b-9bf1-c3a88bdd5951
>>  >  >  >>  >> Apr 15 17:26:37 localhost setroubleshoot: [program.ERROR]
>>  >  >  >>  >> setroubleshoot generated AVC, exiting to avoid recursion,
>>  >  >  >>  >> context=system_u:system_r:setroubleshootd_t:s0, AVC
>>  >  >  >>  >> scontext=system_u:system_r:setroubleshootd_t:s0
>>  >  >  >>  >> Apr 15 17:26:37 localhost setroubleshoot: SELinux is preventing
>>  >  >  >>  >> iptables (iptables_t) "read write" to socket (fail2ban_t). For
>>  >  >  >>  >> complete SELinux messages. run sealert -l
>>  >  >  >>  >> 6cb9955a-b9cf-470c-87d1-e72bfa4b1fe2
>>  >  >  >>  >> Apr 15 17:26:37 localhost setroubleshoot: [program.ERROR] audit
>>  >  >  >>  >> event#012host=localhost.localdomain type=AVC
>>  >  >  >>  >> msg=audit(1208294790.920:161): avc:  denied  { write } for  pid=2506
>>  >  >  >>  >> comm="setroubleshootd" name="rpm" dev=dm-0 ino=229382
>>  >  >  >>  >> scontext=system_u:system_r:setroubleshootd_t:s0
>>  >  >  >>  >> tcontext=system_u:object_r:rpm_var_lib_t:s0
>>  >  >  >>  >> tclass=dir#012#012host=localhost.localdomain type=SYSCALL
>>  >  >  >>  >> msg=audit(1208294790.920:161): arch=c000003e syscall=21 success=no
>>  >  >  >>  >> exit=-13 a0=dbf500 a1=2 a2=0 a3=0 items=0 ppid=1 pid=2506
>>  >  >  >>  >> auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
>>  >  >  >>  >> fsgid=0 tty=(none) comm="setroubleshootd" exe="/usr/bin/python"
>>  >  >  >>  >> subj=system_u:system_r:setroubleshootd_t:s0 key=(null)
>>  >  >  >>  >
>>  >  >  >>  > At this point Fail2ban reports it is running .That is only a small
>>  >  >  >>  > portion of what is generated but maybe it can give you an idea.
>>  >  >  >>  > Subsequently SETroubleshoot crashes, specifically it says: connection
>>  >  >  >>  > lost /var/run/setroubleshoot/setroubleshoot_server. The other thing is
>>  >  >  >>  > that I stopped the fail2ban service and rebooted but SETroubleshoot is
>>  >  >  >>  > still crashing, it will generate an AVC when I try to run it then all
>>  >  >  >>  > the output is lost before I can read the AVC.   As i have been flipping
>>  >  >  >>  > back and forth typing this, checking logs, restarting
>>  >  >  >>  > SETroubleshoot(about six or seven times now),  SETroubleshoot is now up
>>  >  >  >>  > and running like nothing happened. Now that SETroubleshoot is running I
>>  >  >  >>  > expected to find additional AVC's from today but the last one is from
>>  >  >  >>  > yesterday concerning fail2ban. The Alert Count should show 22 not 21
>>  >  >  >>  > like it does (if we count the one I got the first time i tried to start
>>  >  >  >>  > fail2ban manually)
>>  >  >  >>  >
>>  >  >  >>  >  This is the AVC i was getting from Fail2ban before all this ....stuff
>>  >  >  >>  > went haywire on me.
>>  >  >  >>  >
>>  >  >  >>  >
>>  >  >  >>  > Summary:
>>  >  >  >>  >
>>  >  >  >>  >  SELinux is preventing fail2ban-server (fail2ban_t) "connectto" to
>>  >  >  >>  >
>>  >  >  >>  > 002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
>>  >  >  >>  >
>>  >  >  >>  > (rpm_t).
>>  >  >  >>  >
>>  >  >  >>  >  Detailed Description:
>>  >  >  >>  >
>>  >  >  >>  >  SELinux denied access requested by fail2ban-server. It is not expected
>>  >  >  >>  > that this
>>  >  >  >>  >  access is required by fail2ban-server and this access may signal an
>>  >  >  >>  > intrusion
>>  >  >  >>  >  attempt. It is also possible that the specific version or configuration
>>  >  >  >>  > of the
>>  >  >  >>  >  application is causing it to require additional access.
>>  >  >  >>  >
>>  >  >  >>  >  Allowing Access:
>>  >  >  >>  >
>>  >  >  >>  >  You can generate a local policy module to allow this access - see FAQ
>>  >  >  >>  > (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
>>  >  >  >>  > disable
>>  >  >  >>  >  SELinux protection altogether. Disabling SELinux protection is not
>>  >  >  >>  > recommended.
>>  >  >  >>  >  Please file a bug report
>>  >  >  >>  > (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
>>  >  >  >>  >  against this package.
>>  >  >  >>  >
>>  >  >  >>  >  Additional Information:
>>  >  >  >>  >
>>  >  >  >>  >  Source Context                system_u:system_r:fail2ban_t:s0
>>  >  >  >>  >  Target Context                system_u:system_r:rpm_t:s0
>>  >  >  >>  >  Target Objects 002F746D702F66616D2D726F6F742D00000000000000000000
>>  >  >  >>  >
>>  >  >  >>  > 00000000000000000000000000000000000000000000000000
>>  >  >  >>  >
>>  >  >  >>  > 00000000000000000000000000000000000000000000000000
>>  >  >  >>  >
>>  >  >  >>  > 00000000000000000000000000000000000000000000000000
>>  >  >  >>  >                                0000000000000000 [ unix_stream_socket ]
>>  >  >  >>  >  Source                        fail2ban-server
>>  >  >  >>  >  Source Path                   /usr/bin/python
>>  >  >  >>  >  Port                          <Unknown>
>>  >  >  >>  >  Host                          localhost.localdomain
>>  >  >  >>  >  Source RPM Packages           python-2.5.1-15.fc8
>>  >  >  >>  >  Target RPM Packages
>>  >  >  >>  >  Policy RPM                    selinux-policy-3.0.8-95.fc8
>>  >  >  >>  >  Selinux Enabled               True
>>  >  >  >>  >  Policy Type                   targeted
>>  >  >  >>  >  MLS Enabled                   True
>>  >  >  >>  >  Enforcing Mode                Enforcing
>>  >  >  >>  >  Plugin Name                   catchall
>>  >  >  >>  >  Host Name                     localhost.localdomain
>>  >  >  >>  >  Platform                      Linux localhost.localdomain
>>  >  >  >>  > 2.6.24.4-64.fc8 #1 SMP
>>  >  >  >>  >                                Sat Mar 29 09:15:49 EDT 2008 x86_64 x86_64
>>  >  >  >>  >  Alert Count                   21
>>  >  >  >>  >  First Seen                    Mon 14 Apr 2008 10:38:42 PM EDT
>>  >  >  >>  >  Last Seen                     Mon 14 Apr 2008 10:38:43 PM EDT
>>  >  >  >>  >  Local ID                      13bee4e4-ca74-488b-a4df-15f5bf78987f
>>  >  >  >>  > Line Numbers
>>  >  >  >>  >
>>  >  >  >>  >  Raw Audit Messages
>>  >  >  >>  >
>>  >  >  >>  >  host=localhost.localdomain type=AVC msg=audit(1208227123.34:107): avc:
>>  >  >  >>  >  denied  { connectto } for  pid=6314 comm="fail2ban-server"
>>  >  >  >>  > path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
>>  >  >  >>  > scontext=system_u:system_r:fail2ban_t:s0
>>  >  >  >>  > tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket
>>  >  >  >>  >
>>  >  >  >>  >  host=localhost.localdomain type=SYSCALL msg=audit(1208227123.34:107):
>>  >  >  >>  > arch=c000003e syscall=42 success=no exit=-13 a0=6 a1=7fffe5116700 a2=6e
>>  >  >  >>  > a3=0 items=0 ppid=1 pid=6314 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0
>>  >  >  >>  > egid=0 sgid=0 fsgid=0 tty=(none) comm="fail2ban-server"
>>  >  >  >>  > exe="/usr/bin/python" subj=system_u:system_r:fail2ban_t:s0 key=(null)
>>  >  >  >>  >
>>  >  >  >>  >
>>  >  >  >>  > Now that I have SETroubleshoot running i tried the sealert command
>>  >  >  >>  > suggested in the log files :
>>  >  >  >>  >
>>  >  >  >>  > [root localhost log]# sealert -l 6cb9955a-b9cf-470c-87d1-e72bfa4b1fe2
>>  >  >  >>  > failed to connect to server: Connection refused
>>  >  >  >>  > [root localhost log]# sealert -l 6cb9955a-b9cf-470c-87d1-e72bfa4b1fe2
>>  >  >  >>  > query_alerts error (1003): id (6cb9955a-b9cf-470c-87d1-e72bfa4b1fe2) not
>>  >  >  >>  > found
>>  >  >  >>  >
>>  >  >  >>  > Ran it twice, second time it worked.
>>  >  >  >>  > I hope i'm not confusing anyone , i'll repost the order of events if
>>  >  >  >>  > need be. I hesitate to file a bug when it could just be me making rookie
>>  >  >  >>  > mistakes.  I will try to reproduce again tomorrow on this box and my
>>  >  >  >>  > other F8 to see what I can see but if you have any advice it would be
>>  >  >  >>  > gratefully received.
>>  >  >  >>  >
>>  >  >  >>  >
>>  >  >  >>  > Max
>>  >  >  >>  >
>>  >  >  >>  Please send me your /var/log/audit/audit.log
>>  >  >  >>
>>  >  >  >> -----BEGIN PGP SIGNATURE-----
>>  >  >  >>  Version: GnuPG v1.4.9 (GNU/Linux)
>>  >  >  >>  Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
>>  >  >  >>
>>  >  >  >>  iEYEARECAAYFAkgF8xsACgkQrlYvE4MpobN1owCdEbzCCIj7piE2fFt+PgK/nnEW
>>  >  >  >>  GtgAnRk1OXQzWbBAelxUsa5xR/P5QX6c
>>  >  >  >>  =ayhr
>>  >  >  >>  -----END PGP SIGNATURE-----
>>  >  >  >>
>>  >  >  > Looks like several drafts of my mail hit the list, sorry about that
>>  >  >  > but I had to revise once setroubleshoot started working. Strange, i'll
>>  >  >  > have to look into it later or maybe its just gmail or thunderbird(time
>>  >  >  > to fire up wireshark!!). Anyway I'll send the audit.log from that box
>>  >  >  > once I get back to it. Different F8 box(i686), installed fail2ban,
>>  >  >  > started service and generated AVC(almost identical) but SETroubleshoot
>>  >  >  > doesn't crash like it does on the x86_64 box at least not so far. All
>>  >  >  > of the following is from the i686 box , a portion of audit.log follows
>>  >  >  > this AVC:
>>  >  >  >
>>  >  >  >
>>  >  >  > Summary:
>>  >  >  >
>>  >  >  > SELinux is preventing fail2ban-server (fail2ban_t) "connectto" to
>>  >  >  > 002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
>>  >  >  > (rpm_t).
>>  >  >  >
>>  >  >  > Detailed Description:
>>  >  >  >
>>  >  >  > SELinux denied access requested by fail2ban-server. It is not expected that this
>>  >  >  > access is required by fail2ban-server and this access may signal an intrusion
>>  >  >  > attempt. It is also possible that the specific version or configuration of the
>>  >  >  > application is causing it to require additional access.
>>  >  >  >
>>  >  >  > Allowing Access:
>>  >  >  >
>>  >  >  > You can generate a local policy module to allow this access - see FAQ
>>  >  >  > (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
>>  >  >  > SELinux protection altogether. Disabling SELinux protection is not recommended.
>>  >  >  > Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
>>  >  >  > against this package.
>>  >  >  >
>>  >  >  > Additional Information:
>>  >  >  >
>>  >  >  > Source Context                system_u:system_r:fail2ban_t
>>  >  >  > Target Context                system_u:system_r:rpm_t
>>  >  >  > Target Objects                002F746D702F66616D2D726F6F742D00000000000000000000
>>  >  >  >                               00000000000000000000000000000000000000000000000000
>>  >  >  >                               00000000000000000000000000000000000000000000000000
>>  >  >  >                               00000000000000000000000000000000000000000000000000
>>  >  >  >                               0000000000000000 [ unix_stream_socket ]
>>  >  >  > Source                        fail2ban-server
>>  >  >  > Source Path                   /usr/bin/python
>>  >  >  > Port                          <Unknown>
>>  >  >  > Host                          localhost.localdomain
>>  >  >  > Source RPM Packages           python-2.5.1-15.fc8
>>  >  >  > Target RPM Packages
>>  >  >  > Policy RPM                    selinux-policy-3.0.8-95.fc8
>>  >  >  > Selinux Enabled               True
>>  >  >  > Policy Type                   targeted
>>  >  >  > MLS Enabled                   True
>>  >  >  > Enforcing Mode                Enforcing
>>  >  >  > Plugin Name                   catchall
>>  >  >  > Host Name                     localhost.localdomain
>>  >  >  > Platform                      Linux localhost.localdomain 2.6.24.4-64.fc8 #1 SMP
>>  >  >  >                               Sat Mar 29 09:54:46 EDT 2008 i686 athlon
>>  >  >  > Alert Count                   26
>>  >  >  > First Seen                    Wed 16 Apr 2008 08:39:06 AM EDT
>>  >  >  > Last Seen                     Wed 16 Apr 2008 08:39:08 AM EDT
>>  >  >  > Local ID                      ede0cda2-138a-4222-936b-289297d95cee
>>  >  >  > Line Numbers
>>  >  >  >
>>  >  >  > Raw Audit Messages
>>  >  >  >
>>  >  >  > host=localhost.localdomain type=AVC msg=audit(1208349548.205:47): avc:
>>  >  >  >  denied  { connectto } for  pid=3045 comm="fail2ban-server"
>>  >  >  > path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
>>  >  >  > scontext=system_u:system_r:fail2ban_t:s0
>>  >  >  > tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket
>>  >  >  >
>>  >  >  > host=localhost.localdomain type=SYSCALL msg=audit(1208349548.205:47):
>>  >  >  > arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfefa2b0
>>  >  >  > a2=165110 a3=b7f9602c items=0 ppid=1 pid=3045 auid=500 uid=0 gid=0
>>  >  >  > euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
>>  >  >  > comm="fail2ban-server" exe="/usr/bin/python"
>>  >  >  > subj=system_u:system_r:fail2ban_t:s0 key=(null)
>>  >  >  >
>>  >  >  >
>>  >  >  >
>>  >  >  >
>>  >  >  >
>>  >  >  >
>>  >  >  > I am posting a portion of the audit.log relating to fail2ban as the
>>  >  >  > entire log is quite large. If you want the whole thing unedited then I
>>  >  >  > will attach it. I think this should be more than enough, i didn't
>>  >  >  > parse it , just a simple copy and paste. I don't know what you may or
>>  >  >  > may not find relevant here so it goes from a couple of entries before
>>  >  >  > fail2ban is mentioned and a few after the last mention of fail2ban.
>>  >  >  > Most of the entries look identical and end in key=(null) maybe i could
>>  >  >  > just dismiss it but i take all the AVC's seriously until I know
>>  >  >  > better:
>>  >  >  >
>>  >  >  >
>>  >  >  > type=USER_START msg=audit(1208349505.423:21): user pid=2891 uid=500
>>  >  >  > auid=500 subj=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023
>>  >  >  > msg='op=PAM:session_open acct=root exe="/usr/sbin/userhelper"
>>  >  >  > (hostname=?, addr=?, terminal=? res=success)'
>>  >  >  > type=AVC msg=audit(1208349546.967:22): avc:  denied  { connectto } for
>>  >  >  >  pid=3045 comm="fail2ban-server"
>>  >  >  > path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
>>  >  >  > scontext=system_u:system_r:fail2ban_t:s0
>>  >  >  > tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket
>>  >  >  > type=SYSCALL msg=audit(1208349546.967:22): arch=40000003 syscall=102
>>  >  >  > success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0
>>  >  >  > ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
>>  >  >  > sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python"
>>  >  >  > subj=system_u:system_r:fail2ban_t:s0 key=(null)
>>  >  >  > type=AVC msg=audit(1208349546.976:23): avc:  denied  { connectto } for
>>  >  >  >  pid=3045 comm="fail2ban-server"
>>  >  >  > path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
>>  >  >  > scontext=system_u:system_r:fail2ban_t:s0
>>  >  >  > tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket
>>  >  >  > type=SYSCALL msg=audit(1208349546.976:23): arch=40000003 syscall=102
>>  >  >  > success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0
>>  >  >  > ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
>>  >  >  > sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python"
>>  >  >  > subj=system_u:system_r:fail2ban_t:s0 key=(null)
>>  >  >  > type=AVC msg=audit(1208349547.028:24): avc:  denied  { connectto } for
>>  >  >  >  pid=3045 comm="fail2ban-server"
>>  >  >  > path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
>>  >  >  > scontext=system_u:system_r:fail2ban_t:s0
>>  >  >  > tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket
>>  >  >  > type=SYSCALL msg=audit(1208349547.028:24): arch=40000003 syscall=102
>>  >  >  > success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0
>>  >  >  > ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
>>  >  >  > sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python"
>>  >  >  > subj=system_u:system_r:fail2ban_t:s0 key=(null)
>>  >  >  > type=AVC msg=audit(1208349547.080:25): avc:  denied  { connectto } for
>>  >  >  >  pid=3045 comm="fail2ban-server"
>>  >  >  > path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
>>  >  >  > scontext=system_u:system_r:fail2ban_t:s0
>>  >  >  > tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket
>>  >  >  > type=SYSCALL msg=audit(1208349547.080:25): arch=40000003 syscall=102
>>  >  >  > success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0
>>  >  >  > ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
>>  >  >  > sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python"
>>  >  >  > subj=system_u:system_r:fail2ban_t:s0 key=(null)
>>  >  >  > type=AVC msg=audit(1208349547.132:26): avc:  denied  { connectto } for
>>  >  >  >  pid=3045 comm="fail2ban-server"
>>  >  >  > path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
>>  >  >  > scontext=system_u:system_r:fail2ban_t:s0
>>  >  >  > tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket
>>  >  >  > type=SYSCALL msg=audit(1208349547.132:26): arch=40000003 syscall=102
>>  >  >  > success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0
>>  >  >  > ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
>>  >  >  > sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python"
>>  >  >  > subj=system_u:system_r:fail2ban_t:s0 key=(null)
>>  >  >  > type=AVC msg=audit(1208349547.184:27): avc:  denied  { connectto } for
>>  >  >  >  pid=3045 comm="fail2ban-server"
>>  >  >  > path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
>>  >  >  > scontext=system_u:system_r:fail2ban_t:s0
>>  >  >  > tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket
>>  >  >  > type=SYSCALL msg=audit(1208349547.184:27): arch=40000003 syscall=102
>>  >  >  > success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0
>>  >  >  > ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
>>  >  >  > sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python"
>>  >  >  > subj=system_u:system_r:fail2ban_t:s0 key=(null)
>>  >  >  > type=AVC msg=audit(1208349547.236:28): avc:  denied  { connectto } for
>>  >  >  >  pid=3045 comm="fail2ban-server"
>>  >  >  > path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
>>  >  >  > scontext=system_u:system_r:fail2ban_t:s0
>>  >  >  > tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket
>>  >  >  > type=SYSCALL msg=audit(1208349547.236:28): arch=40000003 syscall=102
>>  >  >  > success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0
>>  >  >  > ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
>>  >  >  > sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python"
>>  >  >  > subj=system_u:system_r:fail2ban_t:s0 key=(null)
>>  >  >  > type=AVC msg=audit(1208349547.288:29): avc:  denied  { connectto } for
>>  >  >  >  pid=3045 comm="fail2ban-server"
>>  >  >  > path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
>>  >  >  > scontext=system_u:system_r:fail2ban_t:s0
>>  >  >  > tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket
>>  >  >  > type=SYSCALL msg=audit(1208349547.288:29): arch=40000003 syscall=102
>>  >  >  > success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0
>>  >  >  > ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
>>  >  >  > sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python"
>>  >  >  > subj=system_u:system_r:fail2ban_t:s0 key=(null)
>>  >  >  > type=AVC msg=audit(1208349547.341:30): avc:  denied  { connectto } for
>>  >  >  >  pid=3045 comm="fail2ban-server"
>>  >  >  > path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
>>  >  >  > scontext=system_u:system_r:fail2ban_t:s0
>>  >  >  > tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket
>>  >  >  > type=SYSCALL msg=audit(1208349547.341:30): arch=40000003 syscall=102
>>  >  >  > success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0
>>  >  >  > ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
>>  >  >  > sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python"
>>  >  >  > subj=system_u:system_r:fail2ban_t:s0 key=(null)
>>  >  >  > type=AVC msg=audit(1208349547.393:31): avc:  denied  { connectto } for
>>  >  >  >  pid=3045 comm="fail2ban-server"
>>  >  >  > path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
>>  >  >  > scontext=system_u:system_r:fail2ban_t:s0
>>  >  >  > tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket
>>  >  >  > type=SYSCALL msg=audit(1208349547.393:31): arch=40000003 syscall=102
>>  >  >  > success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0
>>  >  >  > ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
>>  >  >  > sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python"
>>  >  >  > subj=system_u:system_r:fail2ban_t:s0 key=(null)
>>  >  >  > type=AVC msg=audit(1208349547.445:32): avc:  denied  { connectto } for
>>  >  >  >  pid=3045 comm="fail2ban-server"
>>  >  >  > path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
>>  >  >  > scontext=system_u:system_r:fail2ban_t:s0
>>  >  >  > tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket
>>  >  >  > type=SYSCALL msg=audit(1208349547.445:32): arch=40000003 syscall=102
>>  >  >  > success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0
>>  >  >  > ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
>>  >  >  > sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python"
>>  >  >  > subj=system_u:system_r:fail2ban_t:s0 key=(null)
>>  >  >  > type=AVC msg=audit(1208349547.497:33): avc:  denied  { connectto } for
>>  >  >  >  pid=3045 comm="fail2ban-server"
>>  >  >  > path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
>>  >  >  > scontext=system_u:system_r:fail2ban_t:s0
>>  >  >  > tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket
>>  >  >  > type=SYSCALL msg=audit(1208349547.497:33): arch=40000003 syscall=102
>>  >  >  > success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0
>>  >  >  > ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
>>  >  >  > sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python"
>>  >  >  > subj=system_u:system_r:fail2ban_t:s0 key=(null)
>>  >  >  > type=AVC msg=audit(1208349547.549:34): avc:  denied  { connectto } for
>>  >  >  >  pid=3045 comm="fail2ban-server"
>>  >  >  > path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
>>  >  >  > scontext=system_u:system_r:fail2ban_t:s0
>>  >  >  > tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket
>>  >  >  > type=SYSCALL msg=audit(1208349547.549:34): arch=40000003 syscall=102
>>  >  >  > success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0
>>  >  >  > ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
>>  >  >  > sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python"
>>  >  >  > subj=system_u:system_r:fail2ban_t:s0 key=(null)
>>  >  >  > type=AVC msg=audit(1208349547.601:35): avc:  denied  { connectto } for
>>  >  >  >  pid=3045 comm="fail2ban-server"
>>  >  >  > path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
>>  >  >  > scontext=system_u:system_r:fail2ban_t:s0
>>  >  >  > tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket
>>  >  >  > type=SYSCALL msg=audit(1208349547.601:35): arch=40000003 syscall=102
>>  >  >  > success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0
>>  >  >  > ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
>>  >  >  > sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python"
>>  >  >  > subj=system_u:system_r:fail2ban_t:s0 key=(null)
>>  >  >  > type=AVC msg=audit(1208349547.651:36): avc:  denied  { connectto } for
>>  >  >  >  pid=3045 comm="fail2ban-server"
>>  >  >  > path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
>>  >  >  > scontext=system_u:system_r:fail2ban_t:s0
>>  >  >  > tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket
>>  >  >  > type=SYSCALL msg=audit(1208349547.651:36): arch=40000003 syscall=102
>>  >  >  > success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0
>>  >  >  > ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
>>  >  >  > sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python"
>>  >  >  > subj=system_u:system_r:fail2ban_t:s0 key=(null)
>>  >  >  > type=AVC msg=audit(1208349547.702:37): avc:  denied  { connectto } for
>>  >  >  >  pid=3045 comm="fail2ban-server"
>>  >  >  > path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
>>  >  >  > scontext=system_u:system_r:fail2ban_t:s0
>>  >  >  > tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket
>>  >  >  > type=SYSCALL msg=audit(1208349547.702:37): arch=40000003 syscall=102
>>  >  >  > success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0
>>  >  >  > ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
>>  >  >  > sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python"
>>  >  >  > subj=system_u:system_r:fail2ban_t:s0 key=(null)
>>  >  >  > type=AVC msg=audit(1208349547.752:38): avc:  denied  { connectto } for
>>  >  >  >  pid=3045 comm="fail2ban-server"
>>  >  >  > path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
>>  >  >  > scontext=system_u:system_r:fail2ban_t:s0
>>  >  >  > tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket
>>  >  >  > type=SYSCALL msg=audit(1208349547.752:38): arch=40000003 syscall=102
>>  >  >  > success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0
>>  >  >  > ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
>>  >  >  > sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python"
>>  >  >  > subj=system_u:system_r:fail2ban_t:s0 key=(null)
>>  >  >  > type=AVC msg=audit(1208349547.803:39): avc:  denied  { connectto } for
>>  >  >  >  pid=3045 comm="fail2ban-server"
>>  >  >  > path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
>>  >  >  > scontext=system_u:system_r:fail2ban_t:s0
>>  >  >  > tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket
>>  >  >  > type=SYSCALL msg=audit(1208349547.803:39): arch=40000003 syscall=102
>>  >  >  > success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0
>>  >  >  > ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
>>  >  >  > sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python"
>>  >  >  > subj=system_u:system_r:fail2ban_t:s0 key=(null)
>>  >  >  > type=AVC msg=audit(1208349547.853:40): avc:  denied  { connectto } for
>>  >  >  >  pid=3045 comm="fail2ban-server"
>>  >  >  > path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
>>  >  >  > scontext=system_u:system_r:fail2ban_t:s0
>>  >  >  > tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket
>>  >  >  > type=SYSCALL msg=audit(1208349547.853:40): arch=40000003 syscall=102
>>  >  >  > success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0
>>  >  >  > ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
>>  >  >  > sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python"
>>  >  >  > subj=system_u:system_r:fail2ban_t:s0 key=(null)
>>  >  >  > type=AVC msg=audit(1208349547.904:41): avc:  denied  { connectto } for
>>  >  >  >  pid=3045 comm="fail2ban-server"
>>  >  >  > path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
>>  >  >  > scontext=system_u:system_r:fail2ban_t:s0
>>  >  >  > tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket
>>  >  >  > type=SYSCALL msg=audit(1208349547.904:41): arch=40000003 syscall=102
>>  >  >  > success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0
>>  >  >  > ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
>>  >  >  > sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python"
>>  >  >  > subj=system_u:system_r:fail2ban_t:s0 key=(null)
>>  >  >  > type=AVC msg=audit(1208349547.954:42): avc:  denied  { connectto } for
>>  >  >  >  pid=3045 comm="fail2ban-server"
>>  >  >  > path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
>>  >  >  > scontext=system_u:system_r:fail2ban_t:s0
>>  >  >  > tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket
>>  >  >  > type=SYSCALL msg=audit(1208349547.954:42): arch=40000003 syscall=102
>>  >  >  > success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0
>>  >  >  > ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
>>  >  >  > sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python"
>>  >  >  > subj=system_u:system_r:fail2ban_t:s0 key=(null)
>>  >  >  > type=AVC msg=audit(1208349548.004:43): avc:  denied  { connectto } for
>>  >  >  >  pid=3045 comm="fail2ban-server"
>>  >  >  > path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
>>  >  >  > scontext=system_u:system_r:fail2ban_t:s0
>>  >  >  > tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket
>>  >  >  > type=SYSCALL msg=audit(1208349548.004:43): arch=40000003 syscall=102
>>  >  >  > success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0
>>  >  >  > ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
>>  >  >  > sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python"
>>  >  >  > subj=system_u:system_r:fail2ban_t:s0 key=(null)
>>  >  >  > type=AVC msg=audit(1208349548.054:44): avc:  denied  { connectto } for
>>  >  >  >  pid=3045 comm="fail2ban-server"
>>  >  >  > path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
>>  >  >  > scontext=system_u:system_r:fail2ban_t:s0
>>  >  >  > tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket
>>  >  >  > type=SYSCALL msg=audit(1208349548.054:44): arch=40000003 syscall=102
>>  >  >  > success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0
>>  >  >  > ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
>>  >  >  > sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python"
>>  >  >  > subj=system_u:system_r:fail2ban_t:s0 key=(null)
>>  >  >  > type=AVC msg=audit(1208349548.105:45): avc:  denied  { connectto } for
>>  >  >  >  pid=3045 comm="fail2ban-server"
>>  >  >  > path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
>>  >  >  > scontext=system_u:system_r:fail2ban_t:s0
>>  >  >  > tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket
>>  >  >  > type=SYSCALL msg=audit(1208349548.105:45): arch=40000003 syscall=102
>>  >  >  > success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0
>>  >  >  > ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
>>  >  >  > sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python"
>>  >  >  > subj=system_u:system_r:fail2ban_t:s0 key=(null)
>>  >  >  > type=AVC msg=audit(1208349548.155:46): avc:  denied  { connectto } for
>>  >  >  >  pid=3045 comm="fail2ban-server"
>>  >  >  > path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
>>  >  >  > scontext=system_u:system_r:fail2ban_t:s0
>>  >  >  > tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket
>>  >  >  > type=SYSCALL msg=audit(1208349548.155:46): arch=40000003 syscall=102
>>  >  >  > success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0
>>  >  >  > ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
>>  >  >  > sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python"
>>  >  >  > subj=system_u:system_r:fail2ban_t:s0 key=(null)
>>  >  >  > type=AVC msg=audit(1208349548.205:47): avc:  denied  { connectto } for
>>  >  >  >  pid=3045 comm="fail2ban-server"
>>  >  >  > path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
>>  >  >  > scontext=system_u:system_r:fail2ban_t:s0
>>  >  >  > tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket
>>  >  >  > type=SYSCALL msg=audit(1208349548.205:47): arch=40000003 syscall=102
>>  >  >  > success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0
>>  >  >  > ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
>>  >  >  > sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python"
>>  >  >  > subj=system_u:system_r:fail2ban_t:s0 key=(null)
>>  >  >  > type=USER_AUTH msg=audit(1208350171.618:48): user pid=3098 uid=500
>>  >  >  > auid=500 subj=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023
>>  >  >  > msg='op=PAM:authentication acct=root exe="/usr/sbin/userhelper"
>>  >  >  > (hostname=?, addr=?, terminal=? res=success)'
>>  >  >  > type=USER_ACCT msg=audit(1208350171.620:49): user pid=3098 uid=500
>>  >  >  > auid=500 subj=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023
>>  >  >  > msg='op=PAM:accounting acct=root exe="/usr/sbin/userhelper"
>>  >  >  > (hostname=?, addr=?, terminal=? res=success)'
>>  >  >  > type=USER_START msg=audit(1208350171.650:50): user pid=3098 uid=500
>>  >  >  > auid=500 subj=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023
>>  >  >  > msg='op=PAM:session_open acct=root exe="/usr/sbin/userhelper"
>>  >  >  > (hostname=?, addr=?, terminal=? res=success)'
>>  >  >  > type=USER_AUTH msg=audit(1208350461.693:51): user pid=3142 uid=500
>>  >  >  > auid=500 subj=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023
>>  >  >  > msg='op=PAM:authentication acct=root exe="/bin/su" (hostname=?,
>>  >  >  > addr=?, terminal=pts/1 res=success)'
>>  >  >  > type=USER_ACCT msg=audit(1208350461.697:52): user pid=3142 uid=500
>>  >  >  > auid=500 subj=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023
>>  >  >  > msg='op=PAM:accounting acct=root exe="/bin/su" (hostname=?, addr=?,
>>  >  >  > terminal=pts/1 res=success)'
>>  >  >  > type=USER_START msg=audit(1208350461.711:53): user pid=3142 uid=500
>>  >  >  > auid=500 subj=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023
>>  >  >  > msg='op=PAM:session_open acct=root exe="/bin/su" (hostname=?, addr=?,
>>  >  >  > terminal=pts/1 res=success)'
>>  >  >  >
>>  >  >  > Thanks for the help,
>>  >  >  >
>>  >  >  This is either a leaked file descriptor or gam_server running as rpm_t.
>>  >  >
>>  >  >  ps -eZ | grep rpm_t
>>  >  >
>>  >  >  failtoban should not be trying to communicate with a service running
>>  >  >  rpm_t.  If you find gam_server running as rpm_t kill it and fail2ban
>>  >  >  should work.
>>  >  >
>>  >  >
>>  >  [root localhost ~]# ps -eZ | grep rpm_t
>>  >  system_u:system_r:rpm_t          2585 ?        00:00:00 yum-updatesd
>>  >  system_u:system_r:rpm_t          2587 ?        00:00:00 gam_server
>>  >
>>  >  I'll kill the gam_server as you suggest. I will try same on x86_64 box
>>  >  to see if its the same problem. If its not then i will post the
>>  >  audit.log from it that I promised yesterday. Either way I'll post back
>>  >  once i get in front of other f8 box.
>>  >
>>  >  Thanks again,
>>  >
>>  >  Max
>>  >
>>  I'm not in front of the other box yet but I killed the other instance
>>  of gam_server and reran the command.
>>
>> [root localhost ~]# ps -eZ | grep rpm_t
>>  system_u:system_r:rpm_t          2585 ?        00:00:00 yum-updatesd
>>  system_u:system_r:rpm_t          4074 ?        00:00:00 gam_server
>>
>>  it came back right away so I killed it again and rechecked several
>>  times and now it appears to have finally died.
>>  [root localhost ~]# kill 4074
>>
>>
>> [root localhost ~]# ps -eZ | grep rpm_t
>>  system_u:system_r:rpm_t          2585 ?        00:00:00 yum-updatesd
>>
>>
>>  Max
>>
> Gmail is buggy for some reason. I' ll try and keep this coherent. On
> the  i686 box, after I found and killed gam_server( i had to do it
> twice for it to stay dead) I then got a couple more AVC's (posting
> AVC's and observations follow):
> 
> SELinux is preventing iptables (iptables_t) "read write" to socket (fail2ban_t).
> 
> Detailed Description:
> 
> SELinux denied access requested by iptables. It is not expected that this access
> is required by iptables and this access may signal an intrusion attempt. It is
> also possible that the specific version or configuration of the application is
> causing it to require additional access.
> 
> Allowing Access:
> 
> You can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
> SELinux protection altogether. Disabling SELinux protection is not recommended.
> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
> 
> Additional Information:
> 
> Source Context                system_u:system_r:iptables_t
> Target Context                system_u:system_r:fail2ban_t
> Target Objects                socket [ unix_stream_socket ]
> Source                        iptables
> Source Path                   /sbin/iptables
> Port                          <Unknown>
> Host                          localhost.localdomain
> Source RPM Packages           iptables-1.3.8-6.fc8
> Target RPM Packages
> Policy RPM                    selinux-policy-3.0.8-95.fc8
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   catchall
> Host Name                     localhost.localdomain
> Platform                      Linux localhost.localdomain 2.6.24.4-64.fc8 #1 SMP
>                               Sat Mar 29 09:54:46 EDT 2008 i686 athlon
> Alert Count                   12
> First Seen                    Thu 17 Apr 2008 01:47:41 PM EDT
> Last Seen                     Thu 17 Apr 2008 02:19:47 PM EDT
> Local ID                      b0d85376-fbd1-48a7-8dff-65a0ff3c4148
> Line Numbers
> 
> Raw Audit Messages
> 
> host=localhost.localdomain type=AVC msg=audit(1208456387.335:77): avc:
>  denied  { read write } for  pid=4622 comm="iptables"
> path="socket:[35210]" dev=sockfs ino=35210
> scontext=system_u:system_r:iptables_t:s0
> tcontext=system_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket
> 
> host=localhost.localdomain type=AVC msg=audit(1208456387.335:77): avc:
>  denied  { read write } for  pid=4622 comm="iptables"
> path="socket:[35227]" dev=sockfs ino=35227
> scontext=system_u:system_r:iptables_t:s0
> tcontext=system_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket
> 
> host=localhost.localdomain type=AVC msg=audit(1208456387.335:77): avc:
>  denied  { read write } for  pid=4622 comm="iptables"
> path="socket:[35683]" dev=sockfs ino=35683
> scontext=system_u:system_r:iptables_t:s0
> tcontext=system_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket
> 
> host=localhost.localdomain type=SYSCALL msg=audit(1208456387.335:77):
> arch=40000003 syscall=11 success=yes exit=0 a0=9a5af50 a1=9a5a998
> a2=9a5afa8 a3=40 items=0 ppid=4571 pid=4622 auid=500 uid=0 gid=0
> euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="iptables"
> exe="/sbin/iptables" subj=system_u:system_r:iptables_t:s0 key=(null)
> 

These are leaked file descriptors from fail2ban and should be reported
to them.

fcntl(fd, F_SETFD, FD_CLOSEXEC)

Should be called on all open file descriptors.
> 
> 
> Ok. That one is about iptables. Soon as I started fail2ban , the log
> showed 3 AVC's as above. Stop Fail2ban and three more generated. Did
> it twice to see if it was consistent. Started fail2ban twice, each
> time I started it generated 3 AVC's as above, same when I stopped it ,
> generated 3 AVC's per instance. So 12 total. When I stopped Fail2ban,
> within a couple of minutes(can't be more exact didn't have a stop
> watch) saw a new AVC(only after it stops, observations follow AVC):
> 
> Summary:
> 
> SELinux is preventing gam_server (fail2ban_t) "getattr" to / (fs_t).
> 
> Detailed Description:
> 
> SELinux denied access requested by gam_server. It is not expected that this
> access is required by gam_server and this access may signal an intrusion
> attempt. It is also possible that the specific version or configuration of the
> application is causing it to require additional access.
> 
> Allowing Access:
> 
> You can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
> SELinux protection altogether. Disabling SELinux protection is not recommended.
> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
> 
> Additional Information:
> 
> Source Context                system_u:system_r:fail2ban_t
> Target Context                system_u:object_r:fs_t
> Target Objects                / [ filesystem ]
> Source                        gam_server
> Source Path                   <Unknown>
> Port                          <Unknown>
> Host                          localhost.localdomain
> Source RPM Packages
> Target RPM Packages           filesystem-2.4.11-1.fc8
> Policy RPM                    selinux-policy-3.0.8-95.fc8
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   catchall
> Host Name                     localhost.localdomain
> Platform                      Linux localhost.localdomain 2.6.24.4-64.fc8 #1 SMP
>                               Sat Mar 29 09:54:46 EDT 2008 i686 athlon
> Alert Count                   2
> First Seen                    Thu 17 Apr 2008 01:52:02 PM EDT
> Last Seen                     Thu 17 Apr 2008 02:20:17 PM EDT
> Local ID                      9ce8514d-7677-4bb5-a59d-f70c8e8c755f
> Line Numbers
> 
> Raw Audit Messages
> 
> host=localhost.localdomain type=AVC msg=audit(1208456417.400:78): avc:
>  denied  { getattr } for  pid=4573 comm="gam_server" name="/" dev=dm-0
> ino=2 scontext=system_u:system_r:fail2ban_t:s0
> tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
> 
> 
> Ok. After I stop Fail2ban i get one instance of this AVC related to
> gam_server. I started and stopped Fail2ban twice so two AVC's related
> to gam_server, once after each time I stop fail2ban. No I don't think
> anyone is stupid, just being clear for my sake and yours. Also ran :
> ps -eZ | grep rpm_t   gam_server still dead. That was on i686 box. BTW
> had to kill gam_server twice on x86_64 box for it to stay dead, same
> as on i686. The x86_64 box is the same for the iptables AVC. Same
> ratio, 3 AVC's generated when starting fail2ban and 3 AVC's when
> stopping fail2ban. The difference is that the AVC generated after you
> stop fail2ban is related to sendmail(observations follow AVC):
> 
> Summary:
> 
> SELinux is preventing sendmail (system_mail_t) "read write" to socket
> (fail2ban_t).
> 
> Detailed Description:
> 
> SELinux denied access requested by sendmail. It is not expected that this access
> is required by sendmail and this access may signal an intrusion attempt. It is
> also possible that the specific version or configuration of the application is
> causing it to require additional access.
> 
> Allowing Access:
> 
> You can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
> SELinux protection altogether. Disabling SELinux protection is not recommended.
> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
> 
> Additional Information:
> 
> Source Context                system_u:system_r:system_mail_t:s0
> Target Context                system_u:system_r:fail2ban_t:s0
> Target Objects                socket [ unix_stream_socket ]
> Source                        sendmail
> Source Path                   /usr/sbin/sendmail.sendmail
> Port                          <Unknown>
> Host                          localhost.localdomain
> Source RPM Packages           sendmail-8.14.2-1.fc8
> Target RPM Packages
> Policy RPM                    selinux-policy-3.0.8-95.fc8
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   catchall
> Host Name                     localhost.localdomain
> Platform                      Linux localhost.localdomain 2.6.24.4-64.fc8 #1 SMP
>                               Sat Mar 29 09:15:49 EDT 2008 x86_64 x86_64
> Alert Count                   2
> First Seen                    Thu 17 Apr 2008 08:28:37 PM EDT
> Last Seen                     Thu 17 Apr 2008 08:30:34 PM EDT
> Local ID                      10c3cca0-4bc2-4fcf-845a-0b0cc2793482
> Line Numbers
> 
> Raw Audit Messages
> 
> host=localhost.localdomain type=AVC msg=audit(1208478634.133:31): avc:
>  denied  { read write } for  pid=3345 comm="sendmail"
> path="socket:[22805]" dev=sockfs ino=22805
> scontext=system_u:system_r:system_mail_t:s0
> tcontext=system_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket
> 
> host=localhost.localdomain type=AVC msg=audit(1208478634.133:31): avc:
>  denied  { read write } for  pid=3345 comm="sendmail"
> path="socket:[22823]" dev=sockfs ino=22823
> scontext=system_u:system_r:system_mail_t:s0
> tcontext=system_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket
> 
> host=localhost.localdomain type=AVC msg=audit(1208478634.133:31): avc:
>  denied  { read write } for  pid=3345 comm="sendmail"
> path="socket:[23071]" dev=sockfs ino=23071
> scontext=system_u:system_r:system_mail_t:s0
> tcontext=system_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket
> 
> host=localhost.localdomain type=SYSCALL msg=audit(1208478634.133:31):
> arch=c000003e syscall=59 success=yes exit=0 a0=8c9860 a1=8c98a0
> a2=8c96f0 a3=37e81529f0 items=0 ppid=3343 pid=3345 auid=500 uid=0
> gid=0 euid=0 suid=0 fsuid=0 egid=51 sgid=51 fsgid=51 tty=(none)
> comm="sendmail" exe="/usr/sbin/sendmail.sendmail"
> subj=system_u:system_r:system_mail_t:s0 key=(null)
Leaked file descriptor

> 
> Checked processes on x86_64 no sendmail was or is running. Service
> isn't usually running and isn't now.
> Looks like a policy bug or both boxes have been tampered with, you
> tell me, Sulphur is here so they will get nuked soon enough. The
> sendmail bug may explain the strange behavior I have seen out of
> Thunderbird and Gmail but sendmail AVC is only generated on x86_64
> box, which incidentally is where I saw wierd behavior out of
> Thunderbird but that may be separate issue, I don't think there is
> enough evidence yet to make that conclusion despite my feeling that it
> is related, i'll just have to keep my eyes peeled. I would file a bug
> report but I'd like to understand this first so I might suggest, even
> if I can't code, a fix but if you have to explain it ...the bug would
> end up being read by someone that subscribes to this list so.....let
> me know, I will file it if you ask me to. If logs, etc are needed I
> will supply them but if its a genuine bug it should be easily
> reproducible in under 30 minutes. I checked for processes running as
> fs_t and system_mail_t before, during, and after starting/stopping
> fail2ban on x86_64 box, I don't see anything. I feel like i am
> forgetting something, anyway let me know about the bug report or if
> you want more logs etc...
> 
> Thanks,
> 
> Max

The problems reported are in fail2ban except for the gam_server problem.

I will add fixes in the next update for Fedora 8 selinux-policy-3.0.8-101
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkgM76MACgkQrlYvE4MpobNrGwCfXl9F8ypMLfql6is9LjjDzfkm
vY8AmgI2f9X78n0y2sWr81R//JIfKUgh
=9y0s
-----END PGP SIGNATURE-----


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]