| Summary: | selinux policy bans fail2ban access to shorewall | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Sebastian Pauka <s.pauka> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 6.8 | CC: | dwalsh, lvrabec, mgrepl, mmalik, plautrba, pvrabec, s.pauka, ssekidde |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | selinux-policy-3.7.19-297.el6 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2017-03-21 09:48:42 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Attachments: | | | |
Description of problem:
The default targeted selinux policy does not allow fail2ban to access shorewall. As a result hosts are not correctly banned by shorewall.

Version-Release number of selected component (if applicable):
selinux-policy-targeted: 3.7.19-292.el6
fail2ban: 0.9.4-2.el6
shorewall: 4.5.4-1.el6

How reproducible:
Every Time

Steps to Reproduce:
1. Install shorewall, fail2ban
2. Set fail2ban banaction to shorewall
3. Attempt to ban an ip (e.g. fail2ban-client set sshd banip 192.0.2.1)

Actual results:
Ban does not appear under shorewall and is not entered into iptables

Sample from audit.log:

```
type=AVC msg=audit(1477982468.364:50635): avc: denied { getattr } for pid=24925 comm="sh" path="/sbin/shorewall" dev=dm-0 ino=15335439 scontext=unconfined_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:shorewall_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1477982468.364:50635): arch=c000003e syscall=4 success=no exit=-13 a0=28928b0 a1=7fff33fe83e0 a2=7fff33fe83e0 a3=10 items=0 ppid=24911 pid=24925 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=29 comm="sh" exe="/bin/bash" subj=unconfined_u:system_r:fail2ban_t:s0 key=(null)
```

Sample from /var/log/messages:

```
Nov 1 19:08:32 . fail2ban.action[346]: ERROR shorewall reject 221.194.47.229 -- stdout: ''
Nov 1 19:08:32 . fail2ban.action[346]: ERROR shorewall reject 221.194.47.229 -- stderr: '/bin/sh: shorewall: command not found\n'
Nov 1 19:08:32 . fail2ban.action[346]: ERROR shorewall reject 221.194.47.229 -- returned 127
Nov 1 19:08:32 . fail2ban.actions[346]: ERROR Failed to execute ban jail 'sshd' action 'shorewall' info 'CallingMap({'ipjailmatches': <function <lambda> at 0x29c1a28>, 'matches': "Nov 1 01:42:41 . sshd[1009]: User root from 221.194.47.229 not allowed because none of user's groups are listed in AllowGroups\nNov 1 01:42:42 qphys1114 sshd[1009]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.194.47.229 user=root\nNov 1 01:42:44 qphys1114 sshd[1009]: Failed password for invalid user root from 221.194.47.229 port 47277 ssh2\nNov 1 01:42:46 . sshd[1009]: Failed password for invalid user root from 221.194.47.229 port 47277 ssh2\nNov 1 01:42:48 . sshd[1009]: Failed password for invalid user root from 221.194.47.229 port 47277 ssh2\nNov 1 01:42:51 qphys1114 sshd[1019]: User root from 221.194.47.229 not allowed because none of user's groups are listed in AllowGroups\nNov 1 01:42:51 qphys1114 sshd[1019]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.194.47.229 user=root\nNov 1 01:42:53 qphys1114 sshd[1019]: Failed password for invalid user root from 221.194.47.229 port 52293 ssh2\nNov 1 01:42:56 . sshd[1019]: Failed password for invalid user root from 221.194.47.229 port 52293 ssh2\nNov 1 01:42:58 qphys1114 sshd[1019]: Failed password for invalid user root from 221.194.47.229 port 52293 ssh2\nNov 1 01:43:01 qphys1114 sshd[1029]: User root from 221.194.47.229 not allowed because none of user's groups are listed in AllowGroups\nNov 1 01:43:01 qphys1114 sshd[1029]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.194.47.229 user=root\nNov 1 01:43:03 . sshd[1029]: Failed password for invalid user root from 221.194.47.229 port 58791 ssh2\nNov 1 01:43:06 . sshd[1029]: Failed password for invalid user root from 221.194.47.229 port 58791 ssh2\nNov 1 01:43:08 . sshd[1029]: Failed password for invalid user root from 221.194.47.229 port 58791.
```

Created attachment 1216320 [details]
audit2allow generated policy

Attached a fix generated from audit2allow that removes all failures from audit.log relating to fail2ban.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2017-0627.html
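The report's audit.log sample is the raw material that audit2allow turns into a policy rule: the AVC record names the source domain (fail2ban_t), the target type (shorewall_exec_t), the object class (file) and the denied permission (getattr), and the corresponding type-enforcement rule is `allow fail2ban_t shorewall_exec_t:file getattr;`. The following is an added example, not code from the bug report, the attachment, or selinux-policy. It parses AVC records with a small regex-based parser, derives the rule each one maps to, and merges all denials for one source domain so a reviewer can see at a glance what a generated module would grant before loading it. The first record is the one quoted above (with the extraction split in `tclass` repaired); the SYSCALL record is also from the report; the remaining two records are constructed for illustration, including an `execute` denial that the report's log does not contain.

```python
"""Parse SELinux AVC denial records and derive the allow rules that a
tool such as audit2allow would emit for them.

Added example; not code from the bug report or from selinux-policy.
"""
import re
from dataclasses import dataclass

# Matches the "avc: denied { perms } for key=value ..." part of an AVC record.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs; values may be double-quoted (comm="sh", path="/sbin/shorewall").
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# user:role:type[:mls] security context.
CTX_RE = re.compile(r"^(?P<user>[^:]+):(?P<role>[^:]+):(?P<type>[^:]+)(?::(?P<mls>.*))?$")


@dataclass(frozen=True)
class Denial:
    perms: tuple   # denied permissions, e.g. ("getattr",)
    comm: str      # process name from the record
    path: str      # path or name of the object, if present
    stype: str     # source domain type, e.g. fail2ban_t
    ttype: str     # target type, e.g. shorewall_exec_t
    tclass: str    # object class, e.g. file


def parse_avc(line: str):
    """Return a Denial for an AVC denial record, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    try:
        stype = CTX_RE.match(fields["scontext"]).group("type")
        ttype = CTX_RE.match(fields["tcontext"]).group("type")
        tclass = fields["tclass"]
    except (KeyError, AttributeError):
        return None  # malformed or truncated record: do not guess a rule
    return Denial(
        perms=tuple(m.group("perms").split()),
        comm=fields.get("comm", ""),
        path=fields.get("path", fields.get("name", "")),
        stype=stype, ttype=ttype, tclass=tclass,
    )


def _fmt_perms(perms) -> str:
    perms = sorted(set(perms))
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def allow_rule(d: Denial) -> str:
    """The single TE allow rule that would satisfy this denial."""
    return f"allow {d.stype} {d.ttype}:{d.tclass} {_fmt_perms(d.perms)};"


def rules_for_domain(lines, domain: str):
    """Deduplicated allow rules for all denials whose source domain is `domain`.

    Permissions against the same target type and class are merged into one
    rule, which is what a reviewer actually has to judge before loading.
    """
    merged = {}
    for line in lines:
        d = parse_avc(line)
        if d and d.stype == domain:
            merged.setdefault((d.ttype, d.tclass), set()).update(d.perms)
    return sorted(
        f"allow {domain} {ttype}:{tclass} {_fmt_perms(perms)};"
        for (ttype, tclass), perms in merged.items()
    )


# Sample input: record 1 and 2 are quoted from the bug report; 3 and 4 are constructed.
SAMPLE_LINES = [
    'type=AVC msg=audit(1477982468.364:50635): avc: denied { getattr } for pid=24925 comm="sh" '
    'path="/sbin/shorewall" dev=dm-0 ino=15335439 scontext=unconfined_u:system_r:fail2ban_t:s0 '
    'tcontext=system_u:object_r:shorewall_exec_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1477982468.364:50635): arch=c000003e syscall=4 success=no exit=-13 '
    'comm="sh" exe="/bin/bash" subj=unconfined_u:system_r:fail2ban_t:s0 key=(null)',
    # constructed: a follow-on execute denial against the same file
    'type=AVC msg=audit(1477982468.364:50636): avc: denied { execute } for pid=24925 comm="sh" '
    'name="shorewall" dev=dm-0 ino=15335439 scontext=unconfined_u:system_r:fail2ban_t:s0 '
    'tcontext=system_u:object_r:shorewall_exec_t:s0 tclass=file',
    # constructed: a denial from an unrelated domain, which must not be merged in
    'type=AVC msg=audit(1477982468.364:50637): avc: denied { read } for pid=31 comm="sshd" '
    'name="shadow" scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file',
]

if __name__ == "__main__":
    for rule in rules_for_domain(SAMPLE_LINES, "fail2ban_t"):
        print(rule)
```

The merged output for the sample is one rule, `allow fail2ban_t shorewall_exec_t:file { execute getattr };`, while the SYSCALL record and the sshd_t denial are ignored. Reading rules in this merged form is the useful review step: a `getattr` on the executable is harmless, but the moment a generated module starts to grant `execute` or a domain transition, it is worth checking whether the distribution policy already carries an interface for it, as the selinux-policy-3.7.19-297.el6 fix noted above does for this case.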