Bug 1133248

Summary: fail2ban needs to be able to read the journal
Product: Red Hat Enterprise Linux 7
Reporter: Orion Poplawski <orion>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: high
Priority: unspecified
Version: 7.0
CC: jbnance, mmalik
Target Milestone: rc
Hardware: All
OS: Linux
Fixed In Version: selinux-policy-3.13.1-2.el7
Doc Type: Bug Fix
Last Closed: 2015-03-05 10:44:40 UTC
Type: Bug
Bug Depends On: 1133251
Bug Blocks: 1132514

Description Orion Poplawski 2014-08-23 18:55:49 UTC
Description of problem:

With fail2ban 0.9 it reads the journal by default, but cannot:

type=AVC msg=audit(1408819296.642:22362): avc:  denied  { read } for  pid=14066 comm="fail2ban-server" name="journal" dev="tmpfs" ino=6280 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:syslogd_var_run_t:s0 tclass=dir

Version-Release number of selected component (if applicable):
selinux-policy-3.12.1-153.el7_0.10.noarch

Comment 2 Miroslav Grepl 2014-08-25 10:17:45 UTC
commit 2b6acf049dfae68d9c40342ad0bc676a52f41ce9
Author: Miroslav Grepl <mgrepl>
Date:   Mon Aug 25 12:15:47 2014 +0200

    fail2ban 0.9 reads the journal by default.

Comment 4 Orion Poplawski 2014-11-06 16:33:53 UTC
Any chance this could get pushed to http://people.redhat.com/dwalsh/SELinux/RHEL7 ?

Comment 5 Milos Malik 2014-11-06 20:23:18 UTC
The AVC mentioned in comment#0 was caught in enforcing mode, right? What AVCs do you see in permissive mode?

Comment 6 Orion Poplawski 2014-11-06 20:30:19 UTC
In permissive:

type=AVC msg=audit(1415305749.900:35204): avc:  denied  { read } for  pid=9420 comm="fail2ban-server" name="journal" dev="tmpfs" ino=6307 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:syslogd_var_run_t:s0 tclass=dir
type=AVC msg=audit(1415305749.900:35205): avc:  denied  { read } for  pid=9420 comm="fail2ban-server" name="system.journal" dev="tmpfs" ino=8587718 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:syslogd_var_run_t:s0 tclass=file
type=AVC msg=audit(1415305749.900:35205): avc:  denied  { open } for  pid=9420 comm="fail2ban-server" path="/run/log/journal/9ed6ab66be5d88d1aae4c4e953abd471/system.journal" dev="tmpfs" ino=8587718 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:syslogd_var_run_t:s0 tclass=file
type=AVC msg=audit(1415305749.900:35206): avc:  denied  { getattr } for  pid=9420 comm="fail2ban-server" path="/run/log/journal/9ed6ab66be5d88d1aae4c4e953abd471/system.journal" dev="tmpfs" ino=8587718 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:syslogd_var_run_t:s0 tclass=file

Comment 7 Miroslav Grepl 2014-11-07 09:44:12 UTC
#============= fail2ban_t ==============

#!!!! This avc is allowed in the current policy
allow fail2ban_t syslogd_var_run_t:dir read;

#!!!! This avc is allowed in the current policy
allow fail2ban_t syslogd_var_run_t:file { read getattr open };


We have fixes in the latest builds.

Comment 9 Jason Bradley Nance 2014-11-25 02:15:18 UTC
Not sure what the final changes are from this report but here are the additions I had to make to get fail2ban to be fully functional for the ssh jails on selinux-policy-targeted-3.12.1-153.el7_0.11.noarch:

require {
        type fail2ban_client_exec_t;
        type logrotate_t;
        class file { read execute open execute_no_trans };
}

#============= logrotate_t ==============
allow logrotate_t fail2ban_client_exec_t:file { read execute open execute_no_trans };

require {
        type syslogd_var_run_t;
        type fail2ban_t;
        class dir read;
}

#============= fail2ban_t ==============
allow fail2ban_t syslogd_var_run_t:dir read;

require {
        type syslogd_var_run_t;
        type fail2ban_t;
        class file { read open getattr };
}

#============= fail2ban_t ==============
allow fail2ban_t syslogd_var_run_t:file { read open getattr };

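As an added example (not code from this bug's comments or from the selinux-policy package), the script below does by hand what audit2allow produced in comments 7 and 9: it parses the AVC denial lines quoted in comment 6, merges the denied permissions per (source type, target type, object class), and renders a loadable-module source with the require block and allow rules. The module name `local_fail2ban` is an assumption; the sample input is the four lines from comment 6 copied verbatim.

```python
import re
from collections import defaultdict

# Sample input: the four denials quoted in comment 6 of this bug, copied verbatim.
SAMPLE_AVCS = """\
type=AVC msg=audit(1415305749.900:35204): avc:  denied  { read } for  pid=9420 comm="fail2ban-server" name="journal" dev="tmpfs" ino=6307 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:syslogd_var_run_t:s0 tclass=dir
type=AVC msg=audit(1415305749.900:35205): avc:  denied  { read } for  pid=9420 comm="fail2ban-server" name="system.journal" dev="tmpfs" ino=8587718 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:syslogd_var_run_t:s0 tclass=file
type=AVC msg=audit(1415305749.900:35205): avc:  denied  { open } for  pid=9420 comm="fail2ban-server" path="/run/log/journal/9ed6ab66be5d88d1aae4c4e953abd471/system.journal" dev="tmpfs" ino=8587718 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:syslogd_var_run_t:s0 tclass=file
type=AVC msg=audit(1415305749.900:35206): avc:  denied  { getattr } for  pid=9420 comm="fail2ban-server" path="/run/log/journal/9ed6ab66be5d88d1aae4c4e953abd471/system.journal" dev="tmpfs" ino=8587718 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:syslogd_var_run_t:s0 tclass=file
"""

def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) for one AVC denial, else None."""
    m = re.search(r"avc:\s+denied\s+\{([^}]*)\}", line)
    if not m:
        return None
    perms = frozenset(m.group(1).split())
    # Remaining key=value tokens; a context is user:role:type[:level], so type is index 2.
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    try:
        stype = fields["scontext"].split(":")[2]
        ttype = fields["tcontext"].split(":")[2]
        tclass = fields["tclass"]
    except (KeyError, IndexError):
        return None
    return stype, ttype, tclass, perms

def summarize(lines):
    """Merge denials into {(source_type, target_type, tclass): set(perms)}."""
    rules = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed:
            stype, ttype, tclass, perms = parsed
            rules[(stype, ttype, tclass)] |= perms
    return rules

def to_te(rules, module="local_fail2ban", version="1.0"):
    """Render a loadable-module source (.te): module header, require block, allow rules."""
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass] |= perms
    out = [f"module {module} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out.append("}")
    for (s, t, c), perms in sorted(rules.items()):
        out.append(f"allow {s} {t}:{c} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"
```

Running `print(to_te(summarize(SAMPLE_AVCS.splitlines())))` yields the same two allow rules shown in comment 9 for fail2ban_t; the rendered .te can then be compiled and loaded with the usual checkmodule/semodule_package/semodule steps, which this script does not perform.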
Comment 10 Orion Poplawski 2014-11-26 16:14:59 UTC
No denials seen with 3.13.1-10.el7

Comment 12 errata-xmlrpc 2015-03-05 10:44:40 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0458.html