Bug 491444

Summary: SELinux is preventing iptables (iptables_t) "read write" fail2ban_t.
Product: Fedora
Reporter: Ignacio Vazquez-Abrams <ivazqueznet>
Component: fail2ban
Assignee: Axel Thimm <axel.thimm>
Status: CLOSED DUPLICATE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: 9
CC: dwalsh, jkubin, jonathan.underwood, mgrepl, mickeyboa
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2009-05-23 22:39:02 UTC

Description Ignacio Vazquez-Abrams 2009-03-21 01:26:11 UTC
Summary:

SELinux is preventing iptables (iptables_t) "read write" fail2ban_t.

Detailed Description:

SELinux denied access requested by iptables. It is not expected that this access
is required by iptables and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:iptables_t
Target Context                system_u:system_r:fail2ban_t
Target Objects                socket [ unix_stream_socket ]
Source                        iptables
Source Path                   /sbin/iptables
Port                          <Unknown>
Host                          ignacio.ignacio.lan
Source RPM Packages           iptables-1.4.1.1-2.fc9
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-124.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     ignacio.ignacio.lan
Platform                      Linux ignacio.ignacio.lan
                              2.6.27.19-78.2.30.fc9.i686 #1 SMP Tue Feb 24
                              20:09:23 EST 2009 i686 athlon
Alert Count                   84
First Seen                    Fri 06 Mar 2009 10:30:20 PM EST
Last Seen                     Fri 20 Mar 2009 09:22:07 PM EDT
Local ID                      81a55c87-82a7-4511-93b3-4c5eb0d4fcf6
Line Numbers                  

Raw Audit Messages            

node=ignacio.ignacio.lan type=AVC msg=audit(1237598527.54:3206): avc:  denied  { read write } for  pid=1310 comm="iptables" path="socket:[12191]" dev=sockfs ino=12191 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket

node=ignacio.ignacio.lan type=AVC msg=audit(1237598527.54:3206): avc:  denied  { read write } for  pid=1310 comm="iptables" path="socket:[12248]" dev=sockfs ino=12248 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket

node=ignacio.ignacio.lan type=SYSCALL msg=audit(1237598527.54:3206): arch=40000003 syscall=11 success=yes exit=0 a0=94c47b8 a1=94c4ab8 a2=94c3b10 a3=0 items=0 ppid=2779 pid=1310 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables" exe="/sbin/iptables" subj=system_u:system_r:iptables_t:s0 key=(null)
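The two AVC records above carry a detail worth reading before reaching for audit2allow: the denied object is an unnamed socket (path="socket:[...]", tclass=unix_stream_socket) whose label is a process domain (fail2ban_t), not an object_r file type. An unnamed socket is labelled with the context of the process that created it, so a different domain (iptables_t, the helper fail2ban exec'd) being denied read/write on it means the helper was handed fail2ban's open descriptor, which is the inherited-descriptor leak the later comments identify. The following is an added example, not code from the bug report, setroubleshoot or fail2ban: a small parser that extracts the fields from AVC lines, flags that signature, and prints the allow rule a local policy module would need so it is clear what such a rule would be papering over. The first two log lines are copied from the report; the third is constructed for contrast. The set of socket classes checked is an assumption (a subset of the SELinux socket object classes), not a complete list.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Two AVC records copied from the report above, plus one CONSTRUCTED record
# (an ordinary file denial against an object_r type) for contrast.
AVC_LINES = [
    'node=ignacio.ignacio.lan type=AVC msg=audit(1237598527.54:3206): avc:  denied  { read write } for  pid=1310 comm="iptables" path="socket:[12191]" dev=sockfs ino=12191 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket',
    'node=ignacio.ignacio.lan type=AVC msg=audit(1237598527.54:3206): avc:  denied  { read write } for  pid=1310 comm="iptables" path="socket:[12248]" dev=sockfs ino=12248 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket',
    # constructed, not from the bug: a process denied read on a file it opened itself
    'node=example.lan type=AVC msg=audit(1237598600.00:3300): avc:  denied  { read } for  pid=2000 comm="iptables" name="shadow" dev=dm-0 ino=4242 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file',
]

AVC_RE = re.compile(
    r'type=AVC\b.*?avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumption: a subset of the SELinux socket object classes, enough for this report.
SOCKET_CLASSES = {"unix_stream_socket", "unix_dgram_socket", "tcp_socket",
                  "udp_socket", "rawip_socket", "netlink_socket", "socket"}


@dataclass
class Avc:
    result: str
    perms: List[str]
    fields: Dict[str, str]

    def type_of(self, ctx_field: str) -> str:
        # A context is seuser:role:type[:level]; the type is what policy rules use.
        return self.fields[ctx_field].split(":")[2]

    def role_of(self, ctx_field: str) -> str:
        return self.fields[ctx_field].split(":")[1]


def parse_avc(line: str) -> Optional[Avc]:
    """Return the parsed AVC record, or None for non-AVC audit lines (SYSCALL etc.)."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return Avc(m.group("result"), m.group("perms").split(), fields)


def inherited_descriptor(avc: Avc) -> bool:
    """Signature of a descriptor handed across domains: an unnamed socket labelled
    with a process domain (role system_r, not object_r) being accessed by a
    different process domain. The accessor did not create the socket, so it got
    the open descriptor from the creator, normally by inheriting it over exec
    because FD_CLOEXEC was never set on it."""
    f = avc.fields
    return (f.get("tclass") in SOCKET_CLASSES
            and f.get("path", "").startswith("socket:[")
            and avc.role_of("tcontext") != "object_r"
            and avc.type_of("scontext") != avc.type_of("tcontext"))


def allow_rule(avc: Avc) -> str:
    """The allow rule a local policy module would need for this denial (the same
    shape audit2allow prints). For an inherited-descriptor leak it only hides the
    bug: the helper should never hold the daemon's socket in the first place."""
    return "allow %s %s:%s { %s };" % (avc.type_of("scontext"), avc.type_of("tcontext"),
                                      avc.fields["tclass"], " ".join(avc.perms))


def triage(lines: List[str]) -> List[Tuple[str, str, str, bool]]:
    """(source type, target type, class, looks-like-inherited-descriptor) per AVC line."""
    out = []
    for line in lines:
        avc = parse_avc(line)
        if avc is None:
            continue
        out.append((avc.type_of("scontext"), avc.type_of("tcontext"),
                    avc.fields["tclass"], inherited_descriptor(avc)))
    return out


if __name__ == "__main__":
    for line in AVC_LINES:
        avc = parse_avc(line)
        verdict = "inherited descriptor, fix the daemon" if inherited_descriptor(avc) else "policy gap or real violation"
        print(verdict, "::", allow_rule(avc))
```

Run against the report's records, both socket denials are classified as an inherited descriptor and the rule audit2allow would offer is `allow iptables_t fail2ban_t:unix_stream_socket { read write };`, which is exactly the rule not to add here: it would silence the alert while leaving iptables holding fail2ban's sockets on every invocation.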

Comment 1 Daniel Walsh 2009-03-23 17:29:51 UTC
fail2ban is leaking file descriptors. Has been fixed in F10 and Rawhide, I believe; I guess the fix needs to be backported.

Comment 2 Axel Thimm 2009-03-29 17:10:48 UTC
(In reply to comment #1)
> fail2ban is leaking file descriptors.  Has been fixed in F10 and Rawhide I
> believe,  I guess fix needs to be backported.  

F9 and F10/rawhide are in sync - last common build was 6 weeks ago. The leaking descriptor bug was supposedly fixed a year ago:

* Thu Mar 27 2008 Axel Thimm <Axel.Thimm> - 0.8.2-14
- Close on exec fixes by Jonathan Underwood.

So this looks like something new/different.
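The mechanism both comments refer to is the one worth seeing run: a descriptor without FD_CLOEXEC survives execve(), so every helper the daemon spawns (iptables here) starts life holding the daemon's open sockets, and SELinux then reports the helper's domain touching a socket labelled with the daemon's domain. The block below is an added example in Python, not fail2ban's code and not the changelog's actual patch: a unix stream socket pair stands in for fail2ban's gamin connection (an assumption; the report does not show what the leaked sockets were), a fresh interpreter stands in for the exec'd iptables, and the only difference between the leaky and fixed paths is the fcntl(F_SETFD, FD_CLOEXEC) call. It assumes Linux (or another POSIX system with fcntl) and Python 3.4 or later; because newer Python already marks sockets non-inheritable, the example first clears that flag to model the 2009-era daemon.

```python
import fcntl
import os
import socket
import stat
import subprocess
import sys

# Probe executed in a fresh interpreter, standing in for the exec'd iptables.
# Exit 0 only if argv[1] is an open socket descriptor with the inode argv[2]
# (checking the inode rules out a coincidental reuse of the same fd number).
PROBE = """
import os, stat, sys
fd, ino = int(sys.argv[1]), int(sys.argv[2])
try:
    st = os.fstat(fd)
except OSError:
    sys.exit(1)
sys.exit(0 if stat.S_ISSOCK(st.st_mode) and st.st_ino == ino else 1)
"""


def helper_inherits(fd: int) -> bool:
    """fork()+exec() a helper the way a daemon runs iptables and report whether
    fd is still open in it. close_fds=False leaves inheritance entirely to the
    FD_CLOEXEC flag, which is what a plain execve() does."""
    ino = os.fstat(fd).st_ino
    rc = subprocess.run([sys.executable, "-c", PROBE, str(fd), str(ino)],
                        close_fds=False).returncode
    return rc == 0


def run_daemon(set_cloexec: bool) -> bool:
    """Create a unix stream socket (the stand-in for fail2ban's gamin
    connection, an assumption), optionally apply the close-on-exec fix, then
    exec a helper and return True if the socket leaked into it."""
    ours, theirs = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    with ours, theirs:
        fd = ours.fileno()
        # Python >= 3.4 creates sockets non-inheritable. Clear that to model the
        # 2009-era daemon, which had no FD_CLOEXEC on the descriptor at all.
        os.set_inheritable(fd, True)
        if set_cloexec:
            # The fix: mark the descriptor close-on-exec so execve() drops it.
            flags = fcntl.fcntl(fd, fcntl.F_GETFD)
            fcntl.fcntl(fd, fcntl.F_SETFD, flags | fcntl.FD_CLOEXEC)
        return helper_inherits(fd)


def leaky() -> bool:
    """Unfixed daemon: the helper ends up holding the daemon's socket."""
    return run_daemon(set_cloexec=False)


def fixed() -> bool:
    """Daemon with FD_CLOEXEC set: the helper never sees the socket."""
    return run_daemon(set_cloexec=True)


if __name__ == "__main__":
    print("without FD_CLOEXEC, helper inherits the socket:", leaky())
    print("with FD_CLOEXEC, helper inherits the socket:   ", fixed())
```

On a live system the same check is `ls -l /proc/<pid>/fd` for a running helper: any `socket:[inode]` entries that also appear under the parent daemon's fd directory are leaked descriptors, and those inode numbers are the ones the AVC records print as `path="socket:[...]"`.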

Comment 3 jim tate 2009-05-23 16:02:07 UTC
There have to be other problems; I'm getting the same SELinux error message.
My bug # 499674.

Comment 4 Jonathan Underwood 2009-05-23 22:37:28 UTC
This is basically a design problem with fail2ban. Gamin isn't actually meant to be used in this way. I reported this upstream some time ago:

http://sourceforge.net/tracker/?func=detail&aid=1971871&group_id=121032&atid=689044

Comment 5 Jonathan Underwood 2009-05-23 22:39:02 UTC

*** This bug has been marked as a duplicate of bug 483510 ***