Bug 1513100

Summary: SELInux prevents fail2ban from setting resource limits
Product: Red Hat Enterprise Linux 7 Reporter: Orion Poplawski <orion>
Component: selinux-policyAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 7.4CC: lvrabec, mgrepl, mmalik, orion, plautrba, ssekidde
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-10-30 10:01:27 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
ausearch output none

Description Orion Poplawski 2017-11-14 18:26:56 UTC 
Description of problem:

With SELinux enforcing, fail2ban is limited to 1024 open files.  In permissive it is set to whatever LimitNOFILE is set to.

I don't see any AVCs though, perhaps they are not audited.

Version-Release number of selected component (if applicable):
selinux-policy-3.13.1-166.el7_4.5.noarch
Comment 2 Orion Poplawski 2017-11-14 18:27:36 UTC 
system_u:system_r:fail2ban_t:s0 root      3156     1  0 10:18 ?        00:00:02 /usr/bin/python2 -s /usr/bin/fail2ban-server -s /var/run/fail2ban/fail2ban.sock -p /var/run/fail2ban/fail2ban.pid -x -b
Comment 3 Milos Malik 2017-11-15 11:04:36 UTC 
Please attach the list of SELinux denials that appear in your scenario. My guess is that the list will contain an { setrlimit } AVC.

# ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts today
Comment 4 Orion Poplawski 2017-11-15 16:12:51 UTC 
Created attachment 1352713 [details]
ausearch output

This seems really odd to me.  Here are messages with dontaudit disabled.  But I'm not seeing anything obvious.  But I definitely have to be in permissive mode for the file limit to be increased.
Comment 5 Orion Poplawski 2017-11-15 16:15:57 UTC 
Although it is probably the rlimitinh denial that does it - since presumably systemd sets the file limit before execing the daemon process.
Comment 6 Orion Poplawski 2017-11-15 16:17:23 UTC 
Specifically:

type=AVC msg=audit(1510761934.613:358117): avc:  denied  { rlimitinh } for  pid=15602 comm="fail2ban-server" scontext=system_u:system_r:fail2ban_client_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 tclass=process

since the server is started via fail2ban-client:

# grep Exec /usr/lib/systemd/system/fail2ban.service
ExecStart=/usr/bin/fail2ban-client -x start
ExecStop=/usr/bin/fail2ban-client stop
ExecReload=/usr/bin/fail2ban-client reload
Comment 7 Orion Poplawski 2017-12-06 17:47:10 UTC 
This seems to do the trick:

module fail2ban-rlimit 1.0;

require {
        type fail2ban_client_t;
        type fail2ban_t;
        class process { rlimitinh };
}

allow fail2ban_client_t fail2ban_t:process { rlimitinh };
Comment 11 errata-xmlrpc 2018-10-30 10:01:27 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3111