Bug 522898

Summary: selinux preventing fail2ban startup
Product: Fedora
Component: fail2ban
Version: 11
Hardware: All
OS: Linux
Status: CLOSED DUPLICATE
Severity: medium
Priority: low
Reporter: James Twyford <jtwyford+rhbz>
Assignee: Axel Thimm <axel.thimm>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: axel.thimm
Doc Type: Bug Fix
Last Closed: 2009-09-15 14:37:36 UTC

Attachments:
Setroubleshootd message (flags: none)

Description James Twyford 2009-09-12 02:28:07 UTC
Created attachment 360750
Setroubleshootd message

Description of problem:
Starting fail2ban from the init script procs the following avc: 
node=narue type=AVC msg=audit(1252721615.541:505): avc: denied { create } for pid=28955 comm="fail2ban-server" scontext=unconfined_u:system_r:fail2ban_t:s0 tcontext=unconfined_u:system_r:fail2ban_t:s0 tclass=unix_dgram_socket
node=narue type=SYSCALL msg=audit(1252721615.541:505): arch=c000003e syscall=41 success=no exit=-13 a0=1 a1=2 a2=0 a3=7fffe76d3368 items=0 ppid=1 pid=28955 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="fail2ban-server" exe="/usr/bin/python" subj=unconfined_u:system_r:fail2ban_t:s0 key=(null)

Version-Release number of selected component (if applicable):
fail2ban-0.8.4-23.fc11.noarch
selinux-policy-3.6.12-82.fc11.noarch
selinux-policy-targeted-3.6.12-82.fc11.noarch

How reproducible:
Every time

Steps to Reproduce:
1. /sbin/service fail2ban start
  
Actual results:
fail2ban-server creates (or tries to) /var/run/fail2ban/fail2ban.sock then fails horribly

Expected results:
fail2ban-server creates /var/run/fail2ban/fail2ban.sock then starts banning people

Additional info:
Attached is the full setroubleshootd output.

If I start the server with `fail2ban-client start`, it works fine. I get errors further down the chain, but that's not part of this bug report.

`grep fail2ban /var/log/audit/audit.log|audit2allow -M fail2ban` creates the following .te:
module fail2ban 1.0;

require {
	type fail2ban_t;
	class unix_dgram_socket create;
}

#============= fail2ban_t ==============
allow fail2ban_t self:unix_dgram_socket create;

However, `semodule -i fail2ban.pp` fails with:
libsepol.print_missing_requirements: fail2ban's global requirements were not met: type/attribute fail2ban_t
libsemanage.semanage_link_sandbox: Link packages failed
semodule:  Failed!
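
The mapping from the AVC record to the .te that audit2allow wrote can be made explicit. The following is an added example, not code from the report, from fail2ban or from audit2allow; it parses a constructed copy of the two audit records quoted above and renders the same module text, including the require block that names fail2ban_t (the requirement the semodule link step reports as unmet).

```python
import re

# Constructed copy of the two audit records quoted in the report, on one line.
AUDIT_LINE = (
    'node=narue type=AVC msg=audit(1252721615.541:505): avc: denied { create } '
    'for pid=28955 comm="fail2ban-server" '
    'scontext=unconfined_u:system_r:fail2ban_t:s0 '
    'tcontext=unconfined_u:system_r:fail2ban_t:s0 tclass=unix_dgram_socket '
    'node=narue type=SYSCALL msg=audit(1252721615.541:505): arch=c000003e '
    'syscall=41 success=no exit=-13 a0=1 a1=2 a2=0 a3=7fffe76d3368 items=0 '
    'ppid=1 pid=28955 auid=500 uid=0 comm="fail2ban-server" '
    'exe="/usr/bin/python" subj=unconfined_u:system_r:fail2ban_t:s0 key=(null)'
)

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s.*?'
    r'scontext=(?P<sctx>\S+)\s+tcontext=(?P<tctx>\S+)\s+tclass=(?P<tclass>\S+)'
)

def ctx_type(context):
    # user:role:type[:range]; allow rules are written in terms of the type
    return context.split(':')[2]

def parse_denials(text):
    """One dict per AVC denial: permissions, source type, target type, class."""
    return [{'perms': m['perms'].split(), 'src': ctx_type(m['sctx']),
             'tgt': ctx_type(m['tctx']), 'tclass': m['tclass']}
            for m in AVC_RE.finditer(text)]

def perm_set(perms):
    # policy syntax: a single permission is bare, several are braced
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'

def to_te(denials, module='fail2ban', version='1.0'):
    """Render the .te audit2allow -M writes: a require block for the types and
    classes used, then allow rules per source type ('self' if src == tgt)."""
    types, classes, by_src = set(), {}, {}
    for d in denials:
        types.update([d['src'], d['tgt']])
        classes.setdefault(d['tclass'], set()).update(d['perms'])
        tgt = 'self' if d['src'] == d['tgt'] else d['tgt']
        by_src.setdefault(d['src'], []).append(
            f"allow {d['src']} {tgt}:{d['tclass']} {perm_set(d['perms'])};")
    lines = [f'module {module} {version};', '', 'require {']
    lines += [f'\ttype {t};' for t in sorted(types)]
    lines += [f'\tclass {c} {perm_set(p)};' for c, p in sorted(classes.items())]
    lines += ['}']
    for src, rules in sorted(by_src.items()):
        lines += ['', f'#============= {src} ==============', *rules]
    return '\n'.join(lines)
```

The generated require block is exactly what the link error refers to: semodule found no module in the policy store that defines fail2ban_t, so the new module's dependency could not be satisfied even though the running process was already labelled fail2ban_t.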

Comment 1 Axel Thimm 2009-09-15 14:37:36 UTC
(In reply to comment #0)
> Created an attachment (id=360750)
> Setroubleshootd message
> 
> Description of problem:
> Starting fail2ban from the init script procs the following avc: 
> node=narue type=AVC msg=audit(1252721615.541:505): avc: denied { create } for
> pid=28955 comm="fail2ban-server" scontext=unconfined_u:system_r:fail2ban_t:s0
> tcontext=unconfined_u:system_r:fail2ban_t:s0 tclass=unix_dgram_socket
> node=narue type=SYSCALL msg=audit(1252721615.541:505): arch=c000003e syscall=41
> success=no exit=-13 a0=1 a1=2 a2=0 a3=7fffe76d3368 items=0 ppid=1 pid=28955
> auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
> ses=1 comm="fail2ban-server" exe="/usr/bin/python"
> subj=unconfined_u:system_r:fail2ban_t:s0 key=(null) 
> 
> Version-Release number of selected component (if applicable):
> fail2ban-0.8.4-23.fc11.noarch
> selinux-policy-3.6.12-82.fc11.noarch
> selinux-policy-targeted-3.6.12-82.fc11.noarch
> 
> How reproducible:
> Every time
> 
> Steps to Reproduce:
> 1. /sbin/service fail2ban start
> 
> Actual results:
> fail2ban-server creates (or tries to) /var/run/fail2ban/fail2ban.sock then
> fails horribly
> 
> Expected results:
> fail2ban-server creates /var/run/fail2ban/fail2ban.sock then starts banning
> people
> 
> Additional info:
> Attached is the full setroubleshootd output.
> 
> If I start the server with `fail2ban-client start`, it works fine. I get errors
> further down the chain, but that's not part of this bug report.
> 
> `grep fail2ban /var/log/audit/audit.log|audit2allow -M fail2ban` creates the
> following .te:
> module fail2ban 1.0;
> 
> require {
>  type fail2ban_t;
>  class unix_dgram_socket create;
> }
> 
> #============= fail2ban_t ==============
> allow fail2ban_t self:unix_dgram_socket create;
> 
> However, `semodule -i fail2ban.pp` fails with:
> libsepol.print_missing_requirements: fail2ban's global requirements were not
> met: type/attribute fail2ban_t
> libsemanage.semanage_link_sandbox: Link packages failed
> semodule:  Failed!

*** This bug has been marked as a duplicate of bug 522767 ***