Bug 751556

Summary: SELinux is preventing /usr/sbin/vsftpd from search access on the directory /var/lib/fail2ban.
Product: Fedora
Reporter: Eddie Lania <eddie>
Component: selinux-policy-targeted
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED CURRENTRELEASE
QA Contact: Ben Levenson <benl>
Severity: urgent
Priority: unspecified
Version: 14
CC: dwalsh
Keywords: Reopened
Doc Type: Bug Fix
Last Closed: 2012-01-07 13:24:54 UTC

Description Eddie Lania 2011-11-05 13:10:09 UTC
Description of problem: SELinux is preventing /usr/sbin/vsftpd from search access on the directory /var/lib/fail2ban.

I think it wants to read /var/lib/fail2ban because I have configured fail2ban to use the tcpwrapper for vsftpd and to write banned IPs to /var/lib/fail2ban/hosts.vsftpd.deny (this is recommended by fail2ban instead of writing directly to /etc/hosts.deny).


sealert -l 6de39053-5f9a-4fdd-8a32-ebc7e19413db
SELinux is preventing /usr/sbin/vsftpd from search access on the directory /var/lib/fail2ban.

*****  Plugin catchall_boolean (89.3 confidence) suggests  *******************

If you want to allow ftp servers to login to local users and read/write all files on the system, governed by DAC.
Then you must tell SELinux about this by enabling the 'allow_ftpd_full_access' boolean.
Do
setsebool -P allow_ftpd_full_access 1

*****  Plugin catchall (11.6 confidence) suggests  ***************************

If you believe that vsftpd should be allowed search access on the fail2ban directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep vsftpd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Version-Release number of selected component (if applicable):

selinux-policy-targeted-3.9.7-46.fc14.noarch


How reproducible: All the time


Steps to Reproduce:
1. Configure jail vsftpd in fail2ban to ban IPs to /var/lib/fail2ban/hosts.vsftpd.deny

2. Add line to /etc/hosts.deny to read /var/lib/fail2ban/hosts.vsftpd.deny

3. Restart stuff, try to break in via ftp, and observe the messages log.
Actual results: vsftpd is not allowed to read /var/lib/fail2ban


Expected results: No such error


Additional info:

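Added example (not part of this bug report, and not code from the SELinux tools it quotes): a small POSIX shell script that summarises the AVC denial records behind a sealert message straight from audit.log. The point for an administrator is to see what exactly was denied before choosing a fix: here a single "search" on a directory by the vsftpd process, which a narrow local module covers, as opposed to the much broader allow_ftpd_full_access boolean that the catchall_boolean plugin offered. The sample records are constructed for the example; the SELinux type names ftpd_t and fail2ban_var_lib_t are assumed labels, not values quoted in the bug.

```sh
#!/bin/sh
# Summarise SELinux AVC denials from an audit log so the denied operation
# can be judged before picking a fix. Sample records are constructed for this
# example; ftpd_t and fail2ban_var_lib_t are assumed type names.

# Extract one key's value from an audit record ($1 = record, $2 = key).
# Handles both key="quoted value" and key=bare forms.
avc_field() {
    printf '%s\n' "$1" |
        sed -n 's/.*[[:space:]]'"$2"'="\{0,1\}\([^" ]*\)"\{0,1\}.*/\1/p'
}

# Permission set of an AVC record, e.g. "search" from "{ search }".
# May contain several words ("read write"), so it is printed last below.
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ \([^}]*\) }.*/\1/p'
}

# One line per denial: comm source_type tclass target_type name perms
# Non-AVC records (SYSCALL, PATH, ...) in the same log are skipped.
avc_summary() {
    grep 'avc: *denied' "$1" | while IFS= read -r rec; do
        printf '%s %s %s %s %s %s\n' \
            "$(avc_field "$rec" comm)" \
            "$(avc_field "$rec" scontext | cut -d: -f3)" \
            "$(avc_field "$rec" tclass)" \
            "$(avc_field "$rec" tcontext | cut -d: -f3)" \
            "$(avc_field "$rec" name)" \
            "$(avc_perms "$rec")"
    done
}

# Count denials per (source_type, target_type, tclass): shows whether a
# local policy module would amount to one rule or many.
avc_pairs() {
    avc_summary "$1" | awk '{ print $2, $4, $3 }' | sort | uniq -c | sort -rn
}

# Write the constructed sample records to the file named in $1.
write_sample_log() {
    cat > "$1" <<'EOF'
type=AVC msg=audit(1320498000.101:201): avc:  denied  { search } for  pid=2101 comm="vsftpd" name="fail2ban" dev=dm-0 ino=4242 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fail2ban_var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1320498000.101:201): arch=c000003e syscall=2 success=no exit=-13 comm="vsftpd" exe="/usr/sbin/vsftpd" subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1320498000.102:202): avc:  denied  { read } for  pid=2101 comm="vsftpd" name="hosts.vsftpd.deny" dev=dm-0 ino=4243 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fail2ban_var_lib_t:s0 tclass=file
EOF
}

# Stand-alone demo on the constructed sample. On a real system run
#   avc_summary /var/log/audit/audit.log
tmp=$(mktemp)
write_sample_log "$tmp"
avc_summary "$tmp"
avc_pairs "$tmp"
rm -f "$tmp"
```

The first summary line for the sample reads "vsftpd ftpd_t dir fail2ban_var_lib_t fail2ban search": the ftpd_t domain wanted only directory search on the fail2ban data directory, which is the information needed to judge whether the audit2allow-generated module from the catchall plugin is narrow enough, or whether a fixed policy such as the one Comment 1 points to already covers it.
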
Comment 1 Daniel Walsh 2011-11-07 21:39:07 UTC
This looks like it is fixed in F15 and beyond.

Comment 2 Eddie Lania 2012-01-06 17:25:34 UTC
I am on FC16 now and testing this. I will let you know the outcome.

Comment 3 Eddie Lania 2012-01-07 13:23:57 UTC
Hi Daniel,

It indeed seems to be solved now, thank you.

Regards,

Eddie.