Bug 492687

Summary:	SELinux is preventing fail2ban
Product:	[Fedora] Fedora	Reporter:	Eddie Lania <eddie>
Component:	fail2ban	Assignee:	Axel Thimm <Axel.Thimm>
Status:	CLOSED DUPLICATE	QA Contact:	Fedora Extras Quality Assurance <extras-qa>
Severity:	high	Docs Contact:
Priority:	low
Version:	10	CC:	dwalsh, igeorgex, mgrepl, sturnber
Target Milestone:	---	Keywords:	Reopened
Target Release:	---
Hardware:	All
OS:	Linux
Whiteboard:
Fixed In Version:		Doc Type:	Bug Fix
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2009-09-11 10:38:54 UTC	Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Eddie Lania 2009-03-28 10:14:56 UTC

Description of problem: Mar 27 08:37:25 ls2ka setroubleshoot: SELinux is preventing fail2ban-server (fail2ban_t) "sys_tty_config" fail2ban_t. For complete SELinux messages. run sealert -l e6717705-78b2-4901-8686-d78eb1881e0b
Mar 27 08:37:26 ls2ka setroubleshoot: SELinux is preventing sendmail (system_mail_t) "read write" fail2ban_t. For complete SELinux messages. run sealert -l 8741e92a-0c30-44fe-a1b8-af7469cba176
Mar 28 04:49:52 ls2ka setroubleshoot: SELinux is preventing fail2ban-client (logrotate_t) "write" to fail2ban.sock (fail2ban_var_run_t). For complete SELinux messages. run sealert -l f4b549dc-29b7-4718-849c-4b3f044101d4
Mar 28 04:49:53 ls2ka setroubleshoot: SELinux is preventing sendmail (system_mail_t) "read write" fail2ban_t. For complete SELinux messages. run sealert -l 8741e92a-0c30-44fe-a1b8-af7469cba176
Mar 28 04:49:56 ls2ka setroubleshoot: SELinux is preventing fail2ban-client (logrotate_t) "write" to fail2ban.sock (fail2ban_var_run_t). For complete SELinux messages. run sealert -l f4b549dc-29b7-4718-849c-4b3f044101d4



Summary:

SELinux is preventing fail2ban-server (fail2ban_t) "sys_tty_config" fail2ban_t.

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux denied access requested by fail2ban-server. It is not expected that this
access is required by fail2ban-server and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:fail2ban_t:s0
Target Context                system_u:system_r:fail2ban_t:s0
Target Objects                None [ capability ]
Source                        fail2ban-server
Source Path                   /usr/bin/python
Port                          <Unknown>
Host                          ls2ka.elton-intra.net
Source RPM Packages           python-2.5.2-1.fc10
Target RPM Packages           
Policy RPM                    selinux-policy-3.5.13-49.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     ls2ka.elton-intra.net
Platform                      Linux ls2ka.elton-intra.net
                              2.6.27.19-170.2.35.fc10.i686 #1 SMP Mon Feb 23
                              13:21:22 EST 2009 i686 i686
Alert Count                   1
First Seen                    Fri Mar 27 08:37:25 2009
Last Seen                     Fri Mar 27 08:37:25 2009
Local ID                      e6717705-78b2-4901-8686-d78eb1881e0b
Line Numbers                  

Raw Audit Messages            

node=ls2ka.elton-intra.net type=AVC msg=audit(1238139445.397:28): avc:  denied  { sys_tty_config } for  pid=2805 comm="fail2ban-server" capability=26 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 tclass=capability

node=ls2ka.elton-intra.net type=SYSCALL msg=audit(1238139445.397:28): arch=40000003 syscall=54 success=yes exit=0 a0=0 a1=5401 a2=bff2c5f8 a3=bff2c638 items=0 ppid=2804 pid=2805 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="fail2ban-server" exe="/usr/bin/python" subj=system_u:system_r:fail2ban_t:s0 key=(null)



Summary:

SELinux is preventing sendmail (system_mail_t) "read write" fail2ban_t.

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux denied access requested by sendmail. It is not expected that this access
is required by sendmail and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:system_mail_t:s0
Target Context                system_u:system_r:fail2ban_t:s0
Target Objects                socket [ unix_stream_socket ]
Source                        sendmail
Source Path                   /usr/sbin/sendmail.sendmail
Port                          <Unknown>
Host                          ls2ka.elton-intra.net
Source RPM Packages           sendmail-8.14.3-3.fc10
Target RPM Packages           
Policy RPM                    selinux-policy-3.5.13-53.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     ls2ka.elton-intra.net
Platform                      Linux ls2ka.elton-intra.net
                              2.6.27.19-170.2.35.fc10.i686 #1 SMP Mon Feb 23
                              13:21:22 EST 2009 i686 i686
Alert Count                   2
First Seen                    Fri Mar 27 08:37:25 2009
Last Seen                     Sat Mar 28 04:49:52 2009
Local ID                      8741e92a-0c30-44fe-a1b8-af7469cba176
Line Numbers                  

Raw Audit Messages            

node=ls2ka.elton-intra.net type=AVC msg=audit(1238212192.868:2842): avc:  denied  { read write } for  pid=16660 comm="sendmail" path="socket:[10060]" dev=sockfs ino=10060 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket

node=ls2ka.elton-intra.net type=AVC msg=audit(1238212192.868:2842): avc:  denied  { read write } for  pid=16660 comm="sendmail" path="socket:[319709]" dev=sockfs ino=319709 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:system_r:fail2ban_t:s0-s0:c0.c1023 tclass=unix_stream_socket

node=ls2ka.elton-intra.net type=SYSCALL msg=audit(1238212192.868:2842): arch=40000003 syscall=11 success=yes exit=0 a0=86c9348 a1=86c9430 a2=86c8468 a3=0 items=0 ppid=16658 pid=16660 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=51 sgid=51 fsgid=51 tty=(none) ses=4294967295 comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=system_u:system_r:system_mail_t:s0 key=(null)

Summary:

SELinux is preventing fail2ban-client (logrotate_t) "write" to fail2ban.sock
(fail2ban_var_run_t).

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux denied access requested by fail2ban-client. It is not expected that this
access is required by fail2ban-client and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

Sometimes labeling problems can cause SELinux denials. You could try to restore
the default system file context for fail2ban.sock,

restorecon -v 'fail2ban.sock'

If this does not work, there is currently no automatic way to allow this access.
Instead, you can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:logrotate_t:s0-s0:c0.c1023
Target Context                system_u:object_r:fail2ban_var_run_t:s0
Target Objects                fail2ban.sock [ sock_file ]
Source                        fail2ban-client
Source Path                   /usr/bin/python
Port                          <Unknown>
Host                          ls2ka.elton-intra.net
Source RPM Packages           python-2.5.2-1.fc10
Target RPM Packages           
Policy RPM                    selinux-policy-3.5.13-53.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall_file
Host Name                     ls2ka.elton-intra.net
Platform                      Linux ls2ka.elton-intra.net
                              2.6.27.19-170.2.35.fc10.i686 #1 SMP Mon Feb 23
                              13:21:22 EST 2009 i686 i686
Alert Count                   2
First Seen                    Sat Mar 28 04:49:51 2009
Last Seen                     Sat Mar 28 04:49:56 2009
Local ID                      f4b549dc-29b7-4718-849c-4b3f044101d4
Line Numbers                  

Raw Audit Messages            

node=ls2ka.elton-intra.net type=AVC msg=audit(1238212196.33:2843): avc:  denied  { write } for  pid=16656 comm="fail2ban-client" name="fail2ban.sock" dev=sda2 ino=1310776 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fail2ban_var_run_t:s0 tclass=sock_file

node=ls2ka.elton-intra.net type=SYSCALL msg=audit(1238212196.33:2843): arch=40000003 syscall=102 success=yes exit=0 a0=3 a1=bfcc0150 a2=4fb118 a3=b7fcb318 items=0 ppid=16655 pid=16656 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=32 comm="fail2ban-client" exe="/usr/bin/python" subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)

Comment 1 Miroslav Grepl 2009-03-30 11:47:05 UTC

Dan, 

I suggest to add this interface:

#######################################
## <summary>
##      Connect to fail2ban over a unix domain
##      stream socket.
## </summary>
## <param name="domain">
##      <summary>
##      Domain allowed access.
##      </summary>
## </param>
#
interface(`fail2ban_stream_connect',`
        gen_require(`
                type fail2ban_var_run_t, fail2ban_t;
        ')

        allow $1 fail2ban_t:unix_stream_socket connectto;
        allow $1 fail2ban_var_run_t:sock_file { getattr write };
        files_search_pids($1)
')

and add to logrotate.te

optional_policy(`
        fail2ban_stream_connect(logrotate_t)
')

Comment 2 Daniel Walsh 2009-03-30 13:58:40 UTC

Well the real problem here is fail2ban leaking file descriptors.  Other then the sys_tty_config

This is entirely a fail2ban bug.

fail2ban is leaking file descriptors to fail2ban-client and should close them on
exec

fcntl(fd, F_SETFD, FD_CLOEXEC)

Comment 3 Eddie Lania 2009-04-08 07:58:09 UTC


In /etc/fail2ban/jail.conf

[vsftpd-tcpwrapper]

enabled  = true
filter   = vsftpd
action   = hostsdeny[file=/etc/hosts.ftpdeny]
           sendmail-whois[name=VSFTPD, dest=root@localhost]
logpath  = /var/log/secure
maxretry = 5
bantime  = 1800




In /etc/fail2ban/action.d/hostsdeny.conf

# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    <ip>  IP address
#          <failures>  number of failures
#          <time>  unix timestamp of the ban time
# Values:  CMD
#
#actionban = IP=<ip> &&
#            printf %%b "ALL: $IP\n" >> <file>
actionban = IP=<ip> &&
            printf %%b "$IP\n" >> <file>

# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    <ip>  IP address
#          <failures>  number of failures
#          <time>  unix timestamp of the ban time
# Values:  CMD
#
#actionunban = IP=<ip> && sed -i.old /ALL:\ $IP/d <file>
actionunban = IP=<ip> && sed -i.old /$IP/d <file>




In /etc/hosts/deny

# block possibly spoofed requests to VSFTPD
vsftpd: PARANOID : deny
vsftpd: /etc/hosts.ftpdeny


In /var/log/messages I get:

Apr  7 10:03:56 ls2ka setroubleshoot: SELinux is preventing sh (fail2ban_t) "append" to ./hosts.ftpdeny (etc_t). For complete SELinux messages. run sealert -l dc6dcdf1-5152-4460-897c-734e4f606318
Apr  7 10:03:57 ls2ka setroubleshoot: SELinux is preventing sendmail (system_mail_t) "read write" fail2ban_t. For complete SELinux messages. run sealert -l 8741e92a-0c30-44fe-a1b8-af7469cba176
Apr  7 10:33:57 ls2ka setroubleshoot: SELinux is preventing sed (fail2ban_t) "write" to ./etc (etc_t). For complete SELinux messages. run sealert -l 1b43d4cc-e077-4dad-8b86-f2b982957140
Apr  7 10:33:57 ls2ka setroubleshoot: SELinux is preventing sed (fail2ban_t) "setattr" to ./sedDetYP8 (etc_t). For complete SELinux messages. run sealert -l a5e87e02-d89b-4175-88e7-5f742d2f376b
Apr  7 10:33:58 ls2ka setroubleshoot: SELinux is preventing sed (fail2ban_t) "remove_name" to ./hosts.ftpdeny (etc_t). For complete SELinux messages. run sealert -l a9d671a7-a19c-4a4c-b8d5-074b32821a05
Apr  7 23:03:23 ls2ka setroubleshoot: SELinux is preventing sh (fail2ban_t) "append" to ./hosts.ftpdeny (etc_t). For complete SELinux messages. run sealert -l dc6dcdf1-5152-4460-897c-734e4f606318
Apr  7 23:03:23 ls2ka setroubleshoot: SELinux is preventing sendmail (system_mail_t) "read write" fail2ban_t. For complete SELinux messages. run sealert -l 8741e92a-0c30-44fe-a1b8-af7469cba176
Apr  7 23:33:24 ls2ka setroubleshoot: SELinux is preventing sed (fail2ban_t) "write" to ./etc (etc_t). For complete SELinux messages. run sealert -l 1b43d4cc-e077-4dad-8b86-f2b982957140
Apr  7 23:33:24 ls2ka setroubleshoot: SELinux is preventing sed (fail2ban_t) "setattr" to ./sedpZONo4 (etc_t). For complete SELinux messages. run sealert -l abcdb214-71c5-465e-98eb-7c9ae01ab7be
Apr  7 23:33:24 ls2ka setroubleshoot: SELinux is preventing sed (fail2ban_t) "remove_name" to ./hosts.ftpdeny (etc_t). For complete SELinux messages. run sealert -l a9d671a7-a19c-4a4c-b8d5-074b32821a05

Comment 4 Daniel Walsh 2009-04-08 12:22:13 UTC

Well you could add rules to allow this but it would also allow fail2ban to take over the machine, since it would rwrite /etc/passwd.

A better solution would be to put your deny files in /etc/fail2ban or /var/lib/fail2ban and then setup tcpwrappers to read from output from theose directories.

We could easily add a context to allow fail2ban to write.

Comment 5 Eddie Lania 2009-04-12 13:12:48 UTC

Adapted jail.conf:

[sendmail-tcpwrapper]

enabled  = true
filter   = sendmail
action   = hostsdeny[file=/var/lib/fail2ban/hosts.sendmail.deny]
           sendmail[name=Sendmail, dest=e.lania]
logpath  = /var/log/maillog
bantime  = 300


[vsftpd-tcpwrapper]

enabled  = true
filter   = vsftpd
action   = hostsdeny[file=/var/lib/fail2ban/hosts.vsftpd.deny]
           sendmail-whois[name=VSFTPD, dest=e.lania]
logpath  = /var/log/secure
maxretry = 5
bantime  = 1800

And /etc/hosts.deny:

sendmail: /var/lib/fail2ban/hosts.sendmail.deny
# block possibly spoofed requests to VSFTPD
vsftpd: PARANOID : deny
vsftpd: /var/lib/fail2ban/hosts.vsftpd.deny


I think this means, according to my logs below, that adaptations will have to be made to selinux-policy for both sendmail and fail2ban:


Apr 12 14:57:51 ls2ka setroubleshoot: SELinux is preventing sendmail (sendmail_t) "read" to ./hosts.sendmail.deny (var_lib_t). For complete SELinux messages. run sealert -l 134d5cc3-ca1a-4233-99ac-c05b51bcc4fc
Apr 12 14:57:51 ls2ka setroubleshoot: SELinux is preventing sendmail (sendmail_t) "getattr" to /var/lib/fail2ban/hosts.sendmail.deny (var_lib_t). For complete SELinux messages. run sealert -l df261f12-5e4e-4d02-95a6-207fd828f92e
Apr 12 15:02:06 ls2ka setroubleshoot: SELinux is preventing sendmail (sendmail_t) "read" to ./hosts.sendmail.deny (var_lib_t). For complete SELinux messages. run sealert -l 134d5cc3-ca1a-4233-99ac-c05b51bcc4fc
Apr 12 15:02:06 ls2ka setroubleshoot: SELinux is preventing sendmail (sendmail_t) "getattr" to /var/lib/fail2ban/hosts.sendmail.deny (var_lib_t). For complete SELinux messages. run sealert -l df261f12-5e4e-4d02-95a6-207fd828f92e

Apr 12 15:09:04 ls2ka setroubleshoot: SELinux is preventing sh (fail2ban_t) "append" to ./hosts.vsftpd.deny (var_lib_t). For complete SELinux messages. run sealert -l a5842b6a-e02e-494e-9589-ab1bced960b4
Apr 12 15:09:04 ls2ka setroubleshoot: SELinux is preventing sh (fail2ban_t) "getattr" to /var/lib/fail2ban/hosts.vsftpd.deny (var_lib_t). For complete SELinux messages. run sealert -l cb141723-037a-4ddb-9c05-909383833b1c
Apr 12 15:09:05 ls2ka setroubleshoot: SELinux is preventing sendmail (system_mail_t) "read write" fail2ban_t. For complete SELinux messages. run sealert -l 4f17ec12-9251-41c7-9016-9afaf69ce49a


Is this correct?

Comment 6 Daniel Walsh 2009-04-13 12:11:47 UTC

Miroslav could you add

type fail2ban_var_lib_t;
files_type(fail2ban_var_lib_t)

manage_dirs_pattern(fail2ban_t, fail2ban_var_lib_t, fail2ban_var_lib_t)
manage_files_pattern(fail2ban_t, fail2ban_var_lib_t, fail2ban_var_lib_t)
files_var_lib_filetrans(fail2ban_t, fail2ban_var_lib_t, { dir file })

to fail2ban.te

########################################
## <summary>
##	Read fail2ban lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`fail2ban_read_lib_files',`
	gen_require(`
		type fail2ban_var_lib_t;
	')

	files_search_pids($1)
	allow $1 fail2ban_var_lib_t:file read_file_perms;
')

to fail2ban.if

/var/lib/fail2ban(/.*)?		gen_context(system_u:object_r:fail2ban_var_lib_t,s0)

to fail2ban.fc

optional_policy(`
	fail2ban_read_lib_files(sendmail_t)
')

to sendmail.te

optional_policy(`
	fail2ban_read_lib_files(daemon)
')

To init.te

Comment 7 Miroslav Grepl 2009-04-14 16:55:11 UTC

Added to selinux-policy-3.5.13-56.fc10

Comment 8 Eddie Lania 2009-04-24 06:29:22 UTC

Not working:

[root@ls2ka ~]# rpm -q selinux-policy-targeted
selinux-policy-targeted-3.5.13-57.fc10.noarch


[root@ls2ka ~]# grep SELinux /var/log/messages | grep sendmail
Apr 23 13:50:23 ls2ka setroubleshoot: SELinux is preventing sendmail (system_mail_t) "read write" fail2ban_t. For complete SELinux messages. run sealert -l 8741e92a-0c30-44fe-a1b8-af7469cba176
Apr 23 13:50:24 ls2ka setroubleshoot: SELinux is preventing sendmail (sendmail_t) "read" to ./hosts.sendmail.deny (var_lib_t). For complete SELinux messages. run sealert -l 134d5cc3-ca1a-4233-99ac-c05b51bcc4fc
Apr 23 13:50:24 ls2ka setroubleshoot: SELinux is preventing sendmail (sendmail_t) "getattr" to /var/lib/fail2ban/hosts.sendmail.deny (var_lib_t). For complete SELinux messages. run sealert -l df261f12-5e4e-4d02-95a6-207fd828f92e
Apr 23 13:51:15 ls2ka setroubleshoot: SELinux is preventing sendmail (sendmail_t) "read" to ./hosts.sendmail.deny (var_lib_t). For complete SELinux messages. run sealert -l 134d5cc3-ca1a-4233-99ac-c05b51bcc4fc
Apr 23 13:51:15 ls2ka setroubleshoot: SELinux is preventing sendmail (sendmail_t) "getattr" to /var/lib/fail2ban/hosts.sendmail.deny (var_lib_t). For complete SELinux messages. run sealert -l df261f12-5e4e-4d02-95a6-207fd828f92e
Apr 23 13:55:56 ls2ka setroubleshoot: SELinux is preventing sendmail (sendmail_t) "read" to ./hosts.sendmail.deny (var_lib_t). For complete SELinux messages. run sealert -l 134d5cc3-ca1a-4233-99ac-c05b51bcc4fc
Apr 23 13:55:56 ls2ka setroubleshoot: SELinux is preventing sendmail (sendmail_t) "getattr" to /var/lib/fail2ban/hosts.sendmail.deny (var_lib_t). For complete SELinux messages. run sealert -l df261f12-5e4e-4d02-95a6-207fd828f92e
Apr 23 13:57:20 ls2ka setroubleshoot: SELinux is preventing sendmail (sendmail_t) "read" to ./hosts.sendmail.deny (var_lib_t). For complete SELinux messages. run sealert -l 134d5cc3-ca1a-4233-99ac-c05b51bcc4fc
Apr 23 13:57:20 ls2ka setroubleshoot: SELinux is preventing sendmail (sendmail_t) "getattr" to /var/lib/fail2ban/hosts.sendmail.deny (var_lib_t). For complete SELinux messages. run sealert -l df261f12-5e4e-4d02-95a6-207fd828f92e
Apr 23 14:05:17 ls2ka setroubleshoot: SELinux is preventing sendmail (sendmail_t) "read" to ./hosts.sendmail.deny (var_lib_t). For complete SELinux messages. run sealert -l 134d5cc3-ca1a-4233-99ac-c05b51bcc4fc
Apr 23 14:05:18 ls2ka setroubleshoot: SELinux is preventing sendmail (sendmail_t) "getattr" to /var/lib/fail2ban/hosts.sendmail.deny (var_lib_t). For complete SELinux messages. run sealert -l df261f12-5e4e-4d02-95a6-207fd828f92e
Apr 23 14:10:07 ls2ka setroubleshoot: SELinux is preventing sendmail (sendmail_t) "read" to ./hosts.sendmail.deny (var_lib_t). For complete SELinux messages. run sealert -l 134d5cc3-ca1a-4233-99ac-c05b51bcc4fc
Apr 23 14:10:08 ls2ka setroubleshoot: SELinux is preventing sendmail (sendmail_t) "getattr" to /var/lib/fail2ban/hosts.sendmail.deny (var_lib_t). For complete SELinux messages. run sealert -l df261f12-5e4e-4d02-95a6-207fd828f92e
Apr 23 14:36:21 ls2ka setroubleshoot: SELinux is preventing sendmail (sendmail_t) "read" to ./hosts.sendmail.deny (var_lib_t). For complete SELinux messages. run sealert -l 134d5cc3-ca1a-4233-99ac-c05b51bcc4fc
Apr 23 14:36:21 ls2ka setroubleshoot: SELinux is preventing sendmail (sendmail_t) "getattr" to /var/lib/fail2ban/hosts.sendmail.deny (var_lib_t). For complete SELinux messages. run sealert -l df261f12-5e4e-4d02-95a6-207fd828f92e
Apr 23 14:40:22 ls2ka setroubleshoot: SELinux is preventing sendmail (sendmail_t) "read" to ./hosts.sendmail.deny (var_lib_t). For complete SELinux messages. run sealert -l 134d5cc3-ca1a-4233-99ac-c05b51bcc4fc
Apr 23 14:40:22 ls2ka setroubleshoot: SELinux is preventing sendmail (sendmail_t) "getattr" to /var/lib/fail2ban/hosts.sendmail.deny (var_lib_t). For complete SELinux messages. run sealert -l df261f12-5e4e-4d02-95a6-207fd828f92e
Apr 23 19:27:51 ls2ka setroubleshoot: SELinux is preventing sendmail (system_mail_t) "read write" fail2ban_t. For complete SELinux messages. run sealert -l 8741e92a-0c30-44fe-a1b8-af7469cba176

Comment 9 Miroslav Grepl 2009-04-24 07:55:26 UTC

Please try to reinstall selinux-policy

# yum reinstall selinux-policy-targeted --enablerepo=updates-testing

Comment 10 Daniel Walsh 2009-04-24 10:40:56 UTC

/var/lib/fail2ban is mislabeled.

restorecon -R -v /var/lib/fail2ban

Comment 11 Eddie Lania 2009-05-12 13:46:39 UTC

NOT SOLVED

 grep SELinux /var/log/messages |grep fail2ban
May 12 01:19:22 ls2ka setroubleshoot: SELinux is preventing sendmail (system_mail_t) "read write" fail2ban_t. For complete SELinux messages. run sealert -l 8741e92a-0c30-44fe-a1b8-af7469cba176
May 12 15:44:24 ls2ka setroubleshoot: SELinux is preventing sendmail (system_mail_t) "read write" fail2ban_t. For complete SELinux messages. run sealert -l 8741e92a-0c30-44fe-a1b8-af7469cba176

Comment 12 Daniel Walsh 2009-05-12 13:49:46 UTC

This is a leaked file descriptor from fail2ban.  Please make sure you have the latest fail2ban software.

Comment 13 Eddie Lania 2009-05-27 06:25:10 UTC

I use the latest versions:

rpm -q selinux-policy-targeted
selinux-policy-targeted-3.5.13-59.fc10.noarch

rpm -q fail2ban
fail2ban-0.8.3-18.fc10.noarch

May 24 05:56:15 ls2ka setroubleshoot: SELinux is preventing sendmail (system_mail_t) "read write" fail2ban_t. For complete SELinux messages. run sealert -l 87146a78-be46-48ed-8b6f-21e72d8a3469
May 25 08:34:55 ls2ka setroubleshoot: SELinux is preventing sendmail (system_mail_t) "read write" fail2ban_t. For complete SELinux messages. run sealert -l 87146a78-be46-48ed-8b6f-21e72d8a3469
May 25 18:55:25 ls2ka setroubleshoot: SELinux is preventing sendmail (system_mail_t) "read write" fail2ban_t. For complete SELinux messages. run sealert -l 87146a78-be46-48ed-8b6f-21e72d8a3469
May 26 08:08:43 ls2ka setroubleshoot: SELinux is preventing sendmail (system_mail_t) "read write" fail2ban_t. For complete SELinux messages. run sealert -l 87146a78-be46-48ed-8b6f-21e72d8a3469
May 26 13:25:36 ls2ka setroubleshoot: SELinux is preventing sendmail (system_mail_t) "read write" fail2ban_t. For complete SELinux messages. run sealert -l 87146a78-be46-48ed-8b6f-21e72d8a3469
May 26 14:31:26 ls2ka setroubleshoot: SELinux is preventing sendmail (system_mail_t) "read write" fail2ban_t. For complete SELinux messages. run sealert -l 87146a78-be46-48ed-8b6f-21e72d8a3469
May 26 14:33:41 ls2ka setroubleshoot: SELinux is preventing sendmail (system_mail_t) "read write" fail2ban_t. For complete SELinux messages. run sealert -l 8741e92a-0c30-44fe-a1b8-af7469cba176
May 27 07:55:50 ls2ka setroubleshoot: SELinux is preventing sendmail (system_mail_t) "read write" fail2ban_t. For complete SELinux messages. run sealert -l 8741e92a-0c30-44fe-a1b8-af7469cba176


Should I open a nwe bug for it for fail2ban?

Regards,

Eddie.

Comment 14 Eddie Lania 2009-08-22 10:37:23 UTC

I migrated this server to fedora 11 and here the problem is present also.

fail2ban-0.8.3-19.fc11.noarch

I will open a bug for it for fail2ban.

Comment 15 Eddie Lania 2009-08-24 20:33:54 UTC

See bug 518752

(In reply to comment #14)
> I migrated this server to fedora 11 and here the problem is present also.
> 
> fail2ban-0.8.3-19.fc11.noarch
> 
> I will open a bug for it for fail2ban.

Comment 16 Axel Thimm 2009-09-11 10:38:54 UTC


*** This bug has been marked as a duplicate of bug 518752 ***