Bug 669966
| Summary: | fail2ban can't work with tmp files | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Phil Anderson <pza> | ||||
| Component: | fail2ban | Assignee: | Axel Thimm <axel.thimm> | ||||
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||
| Severity: | medium | Docs Contact: | |||||
| Priority: | low | ||||||
| Version: | 14 | CC: | ADent123, axel.thimm, dwalsh, igeorgex, jonathan.underwood, marco.guazzone, mgrepl, rosset.filipe | ||||
| Target Milestone: | --- | ||||||
| Target Release: | --- | ||||||
| Hardware: | All | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | fail2ban-0.8.4-27.fc14 | Doc Type: | Bug Fix | ||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2011-04-18 04:03:03 UTC | Type: | --- | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Bug Depends On: | 669965 | ||||||
| Bug Blocks: | |||||||
| Attachments: |
|
||||||
Yes, daemons should not used /tmp. /tmp is for users to store their stuff. But I am interested about AVC messages which you are seeing. Could you attach these AVC msgs. I would like to see "comm=" field. Thank you. Created attachment 473822 [details]
AVC messages caused by dshield action
As produced by the default /etc/fail2ban/action.d/dshield.conf contained in fail2ban-0.8.4-25.fc14.noarch.
Can you change dshield to use /var/run/fail2ban and make sure nothing in fail2ban uses /tmp. Phill, If you execute the following it should fix your problem. # sed -i 's|/tmp|/var/run/fail2ban|g' /etc/fail2ban/action.d/dshield.conf http://danwalsh.livejournal.com/11467.html Yes, I have been running it like that for a few days now without problems. But, in terms of updating the package, I suspect that /var/run isn't the place, rather /var/lib, as some of those files stay between restarts/reboots. But, that's for bug 66965 I guess. /var/lib/fail2ban is fine with me. fail2ban-0.8.4-27.fc14 has been submitted as an update for Fedora 14. https://admin.fedoraproject.org/updates/fail2ban-0.8.4-27.fc14 fail2ban-0.8.4-27.fc13 has been submitted as an update for Fedora 13. https://admin.fedoraproject.org/updates/fail2ban-0.8.4-27.fc13 fail2ban-0.8.4-27.fc15 has been submitted as an update for Fedora 15. https://admin.fedoraproject.org/updates/fail2ban-0.8.4-27.fc15 Package fail2ban-0.8.4-27.fc15: * should fix your issue, * was pushed to the Fedora 15 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing fail2ban-0.8.4-27.fc15' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/fail2ban-0.8.4-27.fc15 then log in and leave karma (feedback). fail2ban-0.8.4-27.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report. *** Bug 697224 has been marked as a duplicate of this bug. *** fail2ban-0.8.4-27.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report. fail2ban-0.8.4-27.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report. I think the new fail2ban-0.8.4-27.fc14 version is broken, I can't start the ssh-jail with SELinux enabled. Check https://bugzilla.redhat.com/show_bug.cgi?id=697223 for more informations. I switched back to the version fail2ban-0.8.4-25.fc14, which still works. Under FC15, still have problems. I get the same error messages reported in: https://bugzilla.redhat.com/show_bug.cgi?id=697223 https://bugzilla.redhat.com/show_bug.cgi?id=697224 Thanks! |
Several fail2ban files require files in /tmp: dshield mail-buffered sendmail-buffered mynetwatchman SELinux currently blocks this. I used the following to resolve the problem: require { type tmp_t; type fail2ban_t; class dir { write remove_name add_name }; class file { write getattr read create unlink open append }; } Take note of bug 669965 which is about fail2ban using insecure tmp files. Probably best to wait for that to be resolved before changing the SELinux policy, in case they put temp files in a different location.