| Field | Value | Field | Value |
|---|---|---|---|
| Summary | SELinux is preventing iptables (iptables_t) "read write" fail2ban_t. | | |
| Product | Fedora | Reporter | dfeng |
| Component | fail2ban | Assignee | Axel Thimm <axel.thimm> |
| Status | CLOSED NEXTRELEASE | QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Severity | medium | Docs Contact | |
| Priority | unspecified | | |
| Version | 10 | CC | axel.thimm, jonathan.underwood |
| Target Milestone | --- | | |
| Target Release | --- | | |
| Hardware | x86_64 | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | Bug Fix |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2011-03-25 12:21:36 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
Fedora 10 is no longer a supported release - your best option is to update to a supported release (F14 preferably).
Description of problem:
SELinux denied access requested by iptables. It is not expected that this access is required by iptables and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Version-Release number of selected component (if applicable):
selinux-policy-3.5.13-74.fc10

Installed Packages
Name    : fail2ban
Arch    : noarch
Version : 0.8.4
Release : 23.fc10

How reproducible:

Steps to Reproduce:
1. To install fail2ban
2. To configure fail2ban
3. service fail2ban start

Actual results:
```
node=sip1.call711.com type=AVC msg=audit(1301049261.254:4899): avc: denied { read write } for pid=388 comm="iptables" path="socket:[843609]" dev=sockfs ino=843609 scontext=unconfined_u:system_r:iptables_t:s0 tcontext=unconfined_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket
node=sip1.call711.com type=AVC msg=audit(1301049261.254:4899): avc: denied { read write } for pid=388 comm="iptables" path="socket:[845646]" dev=sockfs ino=845646 scontext=unconfined_u:system_r:iptables_t:s0 tcontext=unconfined_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket
node=sip1.call711.com type=AVC msg=audit(1301049261.254:4899): avc: denied { read write } for pid=388 comm="iptables" path="socket:[843627]" dev=sockfs ino=843627 scontext=unconfined_u:system_r:iptables_t:s0 tcontext=unconfined_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket
node=sip1.call711.com type=SYSCALL msg=audit(1301049261.254:4899): arch=c000003e syscall=59 success=yes exit=0 a0=1376c60 a1=1375490 a2=1376af0 a3=316576da70 items=0 ppid=32762 pid=388 auid=504 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=476 comm="iptables" exe="/sbin/iptables" subj=unconfined_u:system_r:iptables_t:s0 key=(null)
```

Expected results:
allowed access

Additional info:
The error could be resolved by building a new module from the log with semodule.
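The "Additional info" above names the usual local workaround: turn the AVC records into a policy module and load it. The script below is an added example, not part of this report or of the fail2ban or selinux-policy packages. It reduces the denials to the allow rule audit2allow(1) would emit, wraps that rule in a .te module with the require block checkmodule needs, and builds and inserts the module only when checkmodule, semodule_package and semodule are present. The AVC text embedded in it is copied from the report; the module name local-fail2ban-iptables and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from this bug report, fail2ban or selinux-policy):
# reduce AVC records to the allow rule audit2allow(1) would produce, wrap it
# in a .te module, and build/load it only where the SELinux toolchain exists.
# The AVC text below is copied from the report; MODULE_NAME is an assumption.

MODULE_NAME=local-fail2ban-iptables

# Constructed sample: two of the report's AVC records plus its SYSCALL record.
AVC_SAMPLE='node=sip1.call711.com type=AVC msg=audit(1301049261.254:4899): avc: denied { read write } for pid=388 comm="iptables" path="socket:[843609]" dev=sockfs ino=843609 scontext=unconfined_u:system_r:iptables_t:s0 tcontext=unconfined_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket
node=sip1.call711.com type=AVC msg=audit(1301049261.254:4899): avc: denied { read write } for pid=388 comm="iptables" path="socket:[845646]" dev=sockfs ino=845646 scontext=unconfined_u:system_r:iptables_t:s0 tcontext=unconfined_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket
node=sip1.call711.com type=SYSCALL msg=audit(1301049261.254:4899): arch=c000003e syscall=59 success=yes exit=0 comm="iptables" exe="/sbin/iptables" subj=unconfined_u:system_r:iptables_t:s0 key=(null)'

# avc_to_allow: AVC records on stdin -> one deduplicated
#   allow <source_type> <target_type>:<class> { perms };
# line per (source, target, class). Only the type field of each context is
# used, as audit2allow does. SYSCALL and other non-AVC records are ignored.
avc_to_allow() {
    awk '/type=AVC/ && /denied/ {
        perms = $0
        sub(/.*[{] */, "", perms); sub(/ *[}].*/, "", perms)
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { split($i, s, ":"); src = s[3] }
            if ($i ~ /^tcontext=/) { split($i, t, ":"); tgt = t[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++) print src, tgt ":" cls, p[j]
    }' |
    sort -u |
    awk '{
        key = $1 " " $2
        if (key != last) {
            if (last != "") printf " };\n"
            printf "allow %s %s {", $1, $2
            last = key
        }
        printf " %s", $3
    }
    END { if (last != "") printf " };\n" }'
}

# allow_to_te: allow rules on stdin -> complete policy module source, with the
# require block listing every type and class the rules reference. $1 = name.
allow_to_te() {
    rules=$(cat)
    printf 'module %s 1.0;\n\nrequire {\n' "$1"
    printf '%s\n' "$rules" |
        awk '{ split($3, c, ":"); print "type " $2 ";"; print "type " c[1] ";" }' |
        sort -u | sed 's/^/    /'
    printf '%s\n' "$rules" |
        awk '{ split($3, c, ":"); p = $0
               sub(/.*[{] */, "", p); sub(/ *[}].*/, "", p)
               print "class " c[2] " { " p " };" }' |
        sort -u | sed 's/^/    /'
    printf '}\n\n%s\n' "$rules"
}

# load_module: compile and insert $1.te, but only if the SELinux userland is
# present; elsewhere print the commands to run. semodule -i needs root.
load_module() {
    if command -v checkmodule >/dev/null 2>&1 &&
       command -v semodule_package >/dev/null 2>&1 &&
       command -v semodule >/dev/null 2>&1; then
        checkmodule -M -m -o "$1.mod" "$1.te" &&
        semodule_package -o "$1.pp" -m "$1.mod" &&
        semodule -i "$1.pp"
    else
        echo "SELinux toolchain not found; review $1.te, then run:" >&2
        echo "  checkmodule -M -m -o $1.mod $1.te && semodule_package -o $1.pp -m $1.mod && semodule -i $1.pp" >&2
    fi
}

# Print the module the report's denials imply. On a live host feed
#   ausearch -m avc -c iptables | avc_to_allow
# instead of the embedded sample, and pass --load to build and insert it.
printf '%s\n' "$AVC_SAMPLE" | avc_to_allow | allow_to_te "$MODULE_NAME"
if [ "${1:-}" = "--load" ]; then
    printf '%s\n' "$AVC_SAMPLE" | avc_to_allow | allow_to_te "$MODULE_NAME" > "$MODULE_NAME.te"
    load_module "$MODULE_NAME"
fi
```

Two things to check before loading the result on a real host. The SYSCALL record carries arch=c000003e and syscall=59, which is execve on x86_64, with success=yes: the denied objects are unix stream sockets iptables inherited from fail2ban across exec, not anything iptables opened itself, so the rule above grants iptables_t read and write on every fail2ban_t unix stream socket it is handed. That is the narrow local fix; the durable one is for the socket not to be inherited by the child, or for the distribution policy to cover the inherited descriptor, which is why the report was closed against a later release rather than with a local module.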