Bug 1114821

Summary: fail2ban selinux denial
Product: Red Hat Enterprise Linux 7
Reporter: Florian La Roche <florian.laroche>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 7.0
CC: jbnance, matic, mmalik, orion
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: selinux-policy-3.13.1-1.el7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-03-05 10:41:40 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Florian La Roche 2014-07-01 05:52:34 UTC
Description of problem:

Happening with RHEL7-RC and pretty new fail2ban-0.9-5.fc21.noarch:


Email coming in "Anacron job cron.daily":
/etc/cron.daily/logrotate:
logrotate_script: line 1: /usr/bin/fail2ban-client: Permission denied


auditd.log:

type=AVC msg=audit(1404180396.994:11092): avc:  denied  { execute } for  pid=31866 comm="sh" name="fail2ban-client" dev="vda1" ino=138082 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fail2ban_client_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1404180396.994:11092): arch=c000003e syscall=59 success=no exit=-13 a0=2528410 a1=25274b0 a2=2527040 a3=7fff2607f5a0 items=0 ppid=31865 pid=31866 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1486 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1404180396.994:11093): avc:  denied  { execute } for  pid=31866 comm="sh" name="fail2ban-client" dev="vda1" ino=138082 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fail2ban_client_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1404180396.994:11093): arch=c000003e syscall=21 success=no exit=-13 a0=2528410 a1=1 a2=7fff2607f640 a3=7fff2607f5a0 items=0 ppid=31865 pid=31866 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1486 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1404180396.994:11094): avc:  denied  { read } for  pid=31866 comm="sh" name="fail2ban-client" dev="vda1" ino=138082 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fail2ban_client_exec_t:s0 tclass=file




Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 2 Miroslav Grepl 2014-07-01 08:51:44 UTC
You can add a local policy for now. We allow it in Fedora/RHEL7.1

#grep fail2ban-client /var/log/audit/audit.log | audit2allow -M mypol
#semodule -i mypol.pp

Comment 7 Jason Bradley Nance 2014-11-25 02:15:07 UTC
Not sure what the final changes are from this report but here are the additions I had to make to get fail2ban to be fully functional for the ssh jails on selinux-policy-targeted-3.12.1-153.el7_0.11.noarch:

require {
        type fail2ban_client_exec_t;
        type logrotate_t;
        class file { read execute open execute_no_trans };
}

#============= logrotate_t ==============
allow logrotate_t fail2ban_client_exec_t:file { read execute open execute_no_trans };

require {
        type syslogd_var_run_t;
        type fail2ban_t;
        class dir read;
}

#============= fail2ban_t ==============
allow fail2ban_t syslogd_var_run_t:dir read;

require {
        type syslogd_var_run_t;
        type fail2ban_t;
        class file { read open getattr };
}

#============= fail2ban_t ==============
allow fail2ban_t syslogd_var_run_t:file { read open getattr };
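
As an added illustration (not code from this bug, from fail2ban or from selinux-policy) of what the grep/audit2allow step in comment 2 does with the denials quoted in the description, and of where the allow and require lines in comment 7 come from: a small Python parser that groups denied AVC records by source type, target type and object class and renders them as policy source. The sample records are the bug's own AVC lines, constructed here inline as a string.

```python
import re
from collections import defaultdict

# Constructed sample: two AVC records quoted in this bug (re-joined onto one line each)
# and one SYSCALL record, which the parser must ignore.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1404180396.994:11092): avc:  denied  { execute } for  pid=31866 comm="sh" name="fail2ban-client" dev="vda1" ino=138082 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fail2ban_client_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1404180396.994:11092): arch=c000003e syscall=59 success=no exit=-13 pid=31866 comm="sh" exe="/usr/bin/bash"
type=AVC msg=audit(1404180396.994:11094): avc:  denied  { read } for  pid=31866 comm="sh" name="fail2ban-client" dev="vda1" ino=138082 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fail2ban_client_exec_t:s0 tclass=file
"""

def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) for a denied AVC record, else None."""
    if not line.startswith("type=AVC") or " denied " not in line:
        return None
    perms = set(re.search(r"\{ ([^}]*)\}", line).group(1).split())
    fields = dict(re.findall(r"(\w+)=(\S+)", line))
    # A context is user:role:type[:range]; only the type matters for an allow rule.
    return fields["scontext"].split(":")[2], fields["tcontext"].split(":")[2], fields["tclass"], perms

def collect_denials(audit_text):
    """Merge permissions across records sharing (source type, target type, class)."""
    grouped = defaultdict(set)
    for line in audit_text.splitlines():
        parsed = parse_avc(line)
        if parsed:
            source, target, tclass, perms = parsed
            grouped[(source, target, tclass)] |= perms
    return dict(grouped)

def perm_list(perms):
    """SELinux policy syntax: braces only when there is more than one permission."""
    return " ".join(sorted(perms)) if len(perms) == 1 else "{ " + " ".join(sorted(perms)) + " }"

def allow_rules(grouped):
    """One allow rule per group, in the form shown in comment 7."""
    return [f"allow {s} {t}:{c} {perm_list(p)};" for (s, t, c), p in sorted(grouped.items())]

def require_block(grouped):
    """The require { ... } header a .te module needs for the types and classes it references."""
    types = sorted({t for key in grouped for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, tclass), perms in grouped.items():
        classes[tclass] |= perms
    lines = ["require {"] + [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {perm_list(p)};" for c, p in sorted(classes.items())]
    return "\n".join(lines + ["}"])

if __name__ == "__main__":
    print(require_block(collect_denials(SAMPLE_AUDIT)), *allow_rules(collect_denials(SAMPLE_AUDIT)), sep="\n")
```

The output covers only what the quoted records denied ({ execute read }); the open and execute_no_trans permissions in comment 7 are denied only once execute has been allowed and the next run is audited, so the grep/audit2allow cycle from comment 2 usually has to be repeated.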

Comment 8 Milos Malik 2014-11-25 08:11:42 UTC
All rules mentioned in comment#7 are present in selinux-policy >= 3.13.1-9.el7.

Comment 9 Matrix 2014-11-26 08:27:59 UTC
On what date will selinux-policy-3.13.1-9.el7 be available as an update?

Comment 10 Milos Malik 2014-11-26 08:34:28 UTC
The public beta or general availability dates for RHEL-7.1 are not yet sure, but you can download the policy from here:

 * http://people.redhat.com/dwalsh/SELinux/RHEL7/noarch/

Comment 12 errata-xmlrpc 2015-03-05 10:41:40 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0458.html