Bug 1689034

Summary: Allow fail2ban to call journalctl
Product: [Fedora] Fedora
Reporter: Jason Tibbitts <j>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low
Priority: low
Version: 29
CC: dwalsh, lvrabec, mgrepl, plautrba, zpytela
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: selinux-policy-3.14.2-53.fc29
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2019-04-08 01:53:07 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Jason Tibbitts 2019-03-15 01:39:50 UTC
fail2ban is a program which watches logs and modifies firewall rules when it finds things like multiple ssh login failures from an address.  When it does this, it can send an email to the system administrator.  It is common for these emails to include relevant log entries, which it extracts by shelling out:

When you have a syslog daemon running, it can just grep /var/log/messages, which works fine.  But if you want it to extract those messages from the journal, it needs to call journalctl.  This is not the default in Fedora, though it would be nice if it could be.

The problem is that fail2ban_t can't call journalctl:

time->Thu Mar 14 19:02:19 2019
type=AVC msg=audit(1552608139.605:2851776): avc:  denied  { getattr } for  pid=23673 comm="sh" path="/usr/bin/journalctl" dev="dm-0" ino=4560324 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:journalctl_exec_t:s0 tclass=file permissive=1
----
time->Thu Mar 14 19:02:19 2019
type=AVC msg=audit(1552608139.605:2851777): avc:  denied  { execute } for  pid=23673 comm="sh" name="journalctl" dev="dm-0" ino=4560324 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:journalctl_exec_t:s0 tclass=file permissive=1
----
time->Thu Mar 14 19:02:19 2019
type=AVC msg=audit(1552608139.606:2851778): avc:  denied  { read } for  pid=23673 comm="sh" name="journalctl" dev="dm-0" ino=4560324 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:journalctl_exec_t:s0 tclass=file permissive=1
----
time->Thu Mar 14 19:02:19 2019
type=AVC msg=audit(1552608139.606:2851779): avc:  denied  { open } for  pid=23673 comm="sh" path="/usr/bin/journalctl" dev="dm-0" ino=4560324 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:journalctl_exec_t:s0 tclass=file permissive=1
----
time->Thu Mar 14 19:02:19 2019
type=AVC msg=audit(1552608139.606:2851780): avc:  denied  { execute_no_trans } for  pid=23673 comm="sh" path="/usr/bin/journalctl" dev="dm-0" ino=4560324 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:journalctl_exec_t:s0 tclass=file permissive=1
----
time->Thu Mar 14 19:02:19 2019
type=AVC msg=audit(1552608139.606:2851781): avc:  denied  { map } for  pid=23673 comm="journalctl" path="/usr/bin/journalctl" dev="dm-0" ino=4560324 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:journalctl_exec_t:s0 tclass=file permissive=1
----
time->Thu Mar 14 19:02:19 2019
type=AVC msg=audit(1552608139.627:2851782): avc:  denied  { sys_resource } for  pid=23673 comm="journalctl" capability=24  scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 tclass=capability permissive=1
----
time->Thu Mar 14 19:02:19 2019
type=AVC msg=audit(1552608139.627:2851783): avc:  denied  { setrlimit } for  pid=23673 comm="journalctl" scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 tclass=process permissive=1
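
As an added example (not code from the bug, fail2ban or the selinux-policy repository), a small Python script that parses the AVC records quoted above and derives the audit2allow-style allow rules they imply; the result is the same set of permissions the commit in comment 2 grants (execute journalctl_exec_t, setrlimit, sys_resource). It also reads the permissive=1 field, which tells a defender these denials were only logged, not enforced, so the rules are needed before the domain runs in enforcing mode.

```python
import re
from collections import defaultdict

# The eight AVC records quoted in the bug description, copied here as sample input.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1552608139.605:2851776): avc:  denied  { getattr } for  pid=23673 comm="sh" path="/usr/bin/journalctl" dev="dm-0" ino=4560324 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:journalctl_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1552608139.605:2851777): avc:  denied  { execute } for  pid=23673 comm="sh" name="journalctl" dev="dm-0" ino=4560324 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:journalctl_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1552608139.606:2851778): avc:  denied  { read } for  pid=23673 comm="sh" name="journalctl" dev="dm-0" ino=4560324 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:journalctl_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1552608139.606:2851779): avc:  denied  { open } for  pid=23673 comm="sh" path="/usr/bin/journalctl" dev="dm-0" ino=4560324 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:journalctl_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1552608139.606:2851780): avc:  denied  { execute_no_trans } for  pid=23673 comm="sh" path="/usr/bin/journalctl" dev="dm-0" ino=4560324 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:journalctl_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1552608139.606:2851781): avc:  denied  { map } for  pid=23673 comm="journalctl" path="/usr/bin/journalctl" dev="dm-0" ino=4560324 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:journalctl_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1552608139.627:2851782): avc:  denied  { sys_resource } for  pid=23673 comm="journalctl" capability=24  scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1552608139.627:2851783): avc:  denied  { setrlimit } for  pid=23673 comm="journalctl" scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 tclass=process permissive=1
"""

AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?"
)

def parse_avc(text):
    """One dict per AVC record; 'time->' and '----' separator lines are skipped."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["perms"] = set(rec["perms"].split())
            rec["permissive"] = rec["permissive"] == "1"  # 1: logged only, not enforced
            records.append(rec)
    return records

def summarize_denials(records):
    """Union of denied permissions per (source type, target type, object class)."""
    needed = defaultdict(set)
    for rec in records:
        if rec["verdict"] == "denied":
            stype, ttype = (c.split(":")[2] for c in (rec["scontext"], rec["tcontext"]))
            needed[(stype, ttype, rec["tclass"])] |= rec["perms"]
    return needed

def allow_rules(records):
    """Render audit2allow-style TE allow rules; 'self' when source and target type match."""
    rules = []
    for (stype, ttype, tclass), perms in summarize_denials(records).items():
        target = "self" if ttype == stype else ttype
        rules.append(f"allow {stype} {target}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return sorted(rules)
```

Rules generated this way are a starting point for review, not a policy to install blindly: the real fix landed in the distribution policy after a maintainer checked that each permission is one fail2ban_t legitimately needs.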

Comment 1 Zdenek Pytela 2019-03-15 12:54:41 UTC
PR created:
https://github.com/fedora-selinux/selinux-policy-contrib/pull/91

Comment 2 Lukas Vrabec 2019-03-20 20:13:48 UTC
commit ccc5bcdeddfaf3b486b22ee1b20441b66840aec6 (HEAD -> rawhide, origin/rawhide, origin/HEAD)
Author: Zdenek Pytela <zpytela>
Date:   Fri Mar 15 09:49:14 2019 +0100

    Allow fail2ban execute journalctl BZ(1689034)
    
    Allow fail2ban_t execute journalctl_exec_t.
    Allow fail2ban_t setrlimit and sys_resource.

Comment 3 Fedora Update System 2019-04-05 17:28:04 UTC
selinux-policy-3.14.2-53.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-bf377d92c7

Comment 4 Fedora Update System 2019-04-06 20:51:20 UTC
selinux-policy-3.14.2-53.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-bf377d92c7

Comment 5 Fedora Update System 2019-04-08 01:53:07 UTC
selinux-policy-3.14.2-53.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.