Selinux & Fail2Ban

Dominick Grift domg472 at gmail.com
Tue Dec 8 20:57:29 UTC 2009


On Tue, Dec 08, 2009 at 08:43:32PM +0000, Arthur Dent wrote:
> On Mon, 2009-12-07 at 23:51 +0100, Dominick Grift wrote:
> 
> > > > > > > > > [Snip]
> 
> > > > > 
> > > > > # matchpathcon /usr/bin/fail2ban-server
> > > > > /usr/bin/fail2ban-server	system_u:object_r:fail2ban_exec_t:s0
> > > > > 
> > > > > Is that what you would expect to see?
> > > > 
> > > > yes, now the question is, is the path labeled the way it should be:
> > > > 
> > > > ls -alZ /usr/bin/fail2ban-server
> > > 
> > > # ls -alZ /usr/bin/fail2ban-server
> > > -rwxr-xr-x. root root unconfined_u:object_r:bin_t:s0   /usr/bin/fail2ban-server
> > > 
> > > Hmmmm...
> > > 
> > > # restorecon -v /usr/bin/fail2ban-server
> > > restorecon reset /usr/bin/fail2ban-server context unconfined_u:object_r:bin_t:s0->system_u:object_r:fail2ban_exec_t:s0
> > > 
> > > # ls -alZ /usr/bin/fail2ban-server
> > > -rwxr-xr-x. root root system_u:object_r:fail2ban_exec_t:s0 /usr/bin/fail2ban-server
> > > 
> > > Ahhh...
> > > 
> > > Is that more like it?
> > 
> > Yes that should get you at least a little closer. I am wondering what else may be mislabeled on your system.
> > 
> > maybe a relabel/fixfiles restore is in order...
> 
> Yes. Good advice.
> 
> As it happens there was a new selinux policy available today (using yum
> update):
> # rpm -q selinux-policy selinux-policy-targeted
> selinux-policy-3.6.12-91.fc11.noarch
> selinux-policy-targeted-3.6.12-91.fc11.noarch
> 
> 
> I removed two of my local policies (log rotation and fail2ban) and put
> selinux into permissive mode.
> 
> Having updated I did a "touch /.autorelabel; reboot"
> 
> Following your 7 point plan I believe I am now at stage 6?
> {
> 1) I believe there is a type created for the process? (fail2ban_exec)
> 2) I believe there is a type for the executable file (fail2ban_exec)
> 3) declare the two types init_daemon_domain(). (Not sure about this)
> 4) The executable file is labelled with the type fail2ban_exec
> 5) I have started the service (in permissive mode).
> }
> 
> I got 5 AVCs. 2 on startup and 3 when fail2ban actually hit on a rule.
> (Copies of the AVCs below)
> 
> So - point 6: Using audit2allow I get this:
> 
> =================8<============================================
> 
> module myfail2ban 11.2.1;
> 
> require {
> 	type iptables_t;
> 	type system_mail_t;
> 	type fail2ban_t;
> 	class unix_stream_socket { read write };
> }
> 
> #============= iptables_t ==============
> allow iptables_t fail2ban_t:unix_stream_socket { read write };
> 
> #============= system_mail_t ==============
> allow system_mail_t fail2ban_t:unix_stream_socket { read write };
> 
> =================8<============================================
> 
> So what do you think?
> 
> Am I on the right track?

Yes, "allow system_mail_t fail2ban_t:unix_stream_socket { read write };" signals a leaked file descriptor in fail2ban. This issue is known. You can ignore those avc denials and/or silence them:

# Build a small policy module that dontaudits the leaked-descriptor denials.
# Note: inside double quotes bash keeps a backslash before a single quote, so the
# m4 closing quote must be written as ') and not \') or checkmodule will choke.
echo "policy_module(myfail2ban, 1.0.0)" > myfail2ban.te;
echo "optional_policy(\`" >> myfail2ban.te;
echo "gen_require(\`" >> myfail2ban.te;
echo "attribute domain;" >> myfail2ban.te;
echo "type fail2ban_t;" >> myfail2ban.te;
echo "')" >> myfail2ban.te;
echo "dontaudit domain fail2ban_t:unix_stream_socket { read write };" >> myfail2ban.te;
echo "')" >> myfail2ban.te;

# Compile with the reference policy devel Makefile and load the module.
make -f /usr/share/selinux/devel/Makefile myfail2ban.pp
sudo semodule -i myfail2ban.pp


> 
> Thanks again for all your help.
> 
> Mark
> 
> 
> AVCs (I think a couple may be duplicates - I'm running in permissive
> mode):
> 
> Raw Audit Messages :
> 
> node=troodos.org.uk type=AVC msg=audit(1260298720.4:21): avc: denied { read write } for pid=1907 comm="iptables" path="socket:[16217]" dev=sockfs ino=16217 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket 
> node=troodos.org.uk type=SYSCALL msg=audit(1260298720.4:21): arch=40000003 syscall=11 success=yes exit=0 a0=8a1a250 a1=8a1a460 a2=8a19738 a3=8a1a460 items=0 ppid=1906 pid=1907 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables" exe="/sbin/iptables" subj=system_u:system_r:iptables_t:s0 key=(null) 
> 
> Raw Audit Messages :
> 
> node=troodos.org.uk type=AVC msg=audit(1260298720.169:22): avc: denied { read write } for pid=1921 comm="sendmail" path="socket:[16217]" dev=sockfs ino=16217 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket 
> node=troodos.org.uk type=SYSCALL msg=audit(1260298720.169:22): arch=40000003 syscall=11 success=yes exit=0 a0=85867d0 a1=8587798 a2=8587670 a3=8587798 items=0 ppid=1919 pid=1921 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=51 sgid=51 fsgid=51 tty=(none) ses=4294967295 comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=system_u:system_r:system_mail_t:s0 key=(null) 
> 
> Raw Audit Messages :
> 
> node=troodos.org.uk type=AVC msg=audit(1260301404.622:121): avc: denied { read write } for pid=2799 comm="iptables" path="socket:[16217]" dev=sockfs ino=16217 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket 
> node=troodos.org.uk type=SYSCALL msg=audit(1260301404.622:121): arch=40000003 syscall=11 success=yes exit=0 a0=88b13e0 a1=88b1618 a2=88b06f8 a3=88b1618 items=0 ppid=2798 pid=2799 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables" exe="/sbin/iptables" subj=system_u:system_r:iptables_t:s0 key=(null) 
> 
> Raw Audit Messages :
> 
> node=troodos.org.uk type=AVC msg=audit(1260301405.169:122): avc: denied { read write } for pid=2804 comm="iptables" path="socket:[16217]" dev=sockfs ino=16217 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket 
> node=troodos.org.uk type=SYSCALL msg=audit(1260301405.169:122): arch=40000003 syscall=11 success=yes exit=0 a0=96e3418 a1=96e3718 a2=96e2700 a3=96e3718 items=0 ppid=1901 pid=2804 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables" exe="/sbin/iptables" subj=system_u:system_r:iptables_t:s0 key=(null) 
> 
> Raw Audit Messages :
> 
> node=troodos.org.uk type=AVC msg=audit(1260301405.212:123): avc: denied { read write } for pid=2811 comm="sendmail" path="socket:[16217]" dev=sockfs ino=16217 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket 
> node=troodos.org.uk type=SYSCALL msg=audit(1260301405.212:123): arch=40000003 syscall=11 success=yes exit=0 a0=a119518 a1=a119a48 a2=a119750 a3=a119a48 items=0 ppid=2807 pid=2811 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=51 sgid=51 fsgid=51 tty=(none) ses=4294967295 comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=system_u:system_r:system_mail_t:s0 key=(null) 
> 
> 



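The leaked-descriptor pattern Dominick describes can be recognised mechanically from the raw audit records rather than by eye. What follows is an added example, not code from either poster or from the SELinux reference policy. It parses AVC/SYSCALL pairs like the ones pasted in the thread, flags denials where a socket labelled with one domain (fail2ban_t) is denied to a different domain at execve (SELinux re-validates inherited descriptors when the exec'd process transitions domain; syscall 11 on i386 and 59 on x86_64 are taken from the Linux syscall tables), and renders the same kind of dontaudit module. The sample input is the thread's first two AVC pairs with unused fields trimmed, plus one constructed file-write denial to show a record that must not be silenced. The module name and helper names are this example's own.

```python
"""Classify SELinux AVC denials as leaked-descriptor noise and draft a dontaudit module."""
import re
from collections import defaultdict

# Constructed sample: the iptables and sendmail AVC/SYSCALL pairs from the thread
# (a0..a3 and uid fields trimmed), plus a made-up file denial as a negative case.
SAMPLE_AUDIT = """\
node=troodos.org.uk type=AVC msg=audit(1260298720.4:21): avc: denied { read write } for pid=1907 comm="iptables" path="socket:[16217]" dev=sockfs ino=16217 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket
node=troodos.org.uk type=SYSCALL msg=audit(1260298720.4:21): arch=40000003 syscall=11 success=yes exit=0 ppid=1906 pid=1907 comm="iptables" exe="/sbin/iptables" subj=system_u:system_r:iptables_t:s0 key=(null)
node=troodos.org.uk type=AVC msg=audit(1260298720.169:22): avc: denied { read write } for pid=1921 comm="sendmail" path="socket:[16217]" dev=sockfs ino=16217 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket
node=troodos.org.uk type=SYSCALL msg=audit(1260298720.169:22): arch=40000003 syscall=11 success=yes exit=0 ppid=1919 pid=1921 comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=system_u:system_r:system_mail_t:s0 key=(null)
node=troodos.org.uk type=AVC msg=audit(1260301500.1:130): avc: denied { write } for pid=2900 comm="fail2ban-server" name="fail2ban.log" dev=dm-0 ino=4242 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
node=troodos.org.uk type=SYSCALL msg=audit(1260301500.1:130): arch=40000003 syscall=4 success=yes exit=12 ppid=1 pid=2900 comm="fail2ban-server" exe="/usr/bin/python" subj=system_u:system_r:fail2ban_t:s0 key=(null)
"""

HDR_RE = re.compile(r'type=(\w+) msg=audit\(([\d.]+):(\d+)\):\s*(.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')
# AUDIT_ARCH value -> execve syscall number (assumption: i386 and x86_64 only).
EXECVE = {"40000003": 11, "c000003e": 59}


def parse_records(text):
    """Group AVC and SYSCALL records that share an audit serial number."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = HDR_RE.search(line)
        if not m:
            continue
        rtype, _ts, serial, rest = m.groups()
        fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
        if rtype == "AVC":
            perms = re.search(r'denied\s+\{([^}]*)\}', rest)
            fields["perms"] = perms.group(1).split() if perms else []
        events[serial][rtype] = fields
    return events


def type_of(context):
    """Third field of user:role:type:level is the SELinux type."""
    return context.split(":")[2]


def is_leaked_fd(event):
    """Inherited-descriptor signature: a socket or pipe labelled with another
    domain, denied while the process executes a new image (execve)."""
    avc, sc = event.get("AVC"), event.get("SYSCALL")
    if not avc or not sc:
        return False
    path = avc.get("path", "")
    inherited_object = path.startswith("socket:[") or path.startswith("pipe:[")
    at_execve = EXECVE.get(sc.get("arch")) == int(sc.get("syscall", -1))
    cross_domain = type_of(avc["scontext"]) != type_of(avc["tcontext"])
    return inherited_object and at_execve and cross_domain


def leaked_fd_summary(text):
    """Map (tclass, target type, perms) -> sorted source types for leaked-fd denials."""
    groups = defaultdict(set)
    for event in parse_records(text).values():
        if is_leaked_fd(event):
            avc = event["AVC"]
            key = (avc["tclass"], type_of(avc["tcontext"]), " ".join(sorted(avc["perms"])))
            groups[key].add(type_of(avc["scontext"]))
    return {k: sorted(v) for k, v in groups.items()}


def dontaudit_module(name, summary):
    """Render a .te module in the shape used in the thread: dontaudit the leaked
    object for the whole `domain` attribute instead of one rule per caller."""
    lines = [f"policy_module({name}, 1.0.0)", "", "optional_policy(`",
             "\tgen_require(`", "\t\tattribute domain;"]
    lines += [f"\t\ttype {t};" for t in sorted({t for _, t, _ in summary})]
    lines.append("\t')")
    for tclass, ttype, perms in sorted(summary):
        lines.append(f"\tdontaudit domain {ttype}:{tclass} {{ {perms} }};")
    lines.append("')")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = leaked_fd_summary(SAMPLE_AUDIT)
    print(found)
    print(dontaudit_module("myfail2ban", found))
```

audit2allow would turn every one of these denials into an allow rule, as it did in the thread; separating the leaked-descriptor records first matters because they describe a descriptor fail2ban forgot to close, not access the mail or iptables domains actually need, so the right fix is dontaudit (or closing the descriptor upstream), while the constructed file denial would still deserve a real look.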
