| Summary: | RFE: let fail2ban use tcp wrappers (hosts.deny) | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Cristian Ciupitu <cristian.ciupitu> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | BaseOS QE Security Team <qe-baseos-security> |
| Severity: | low | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 6.1 | CC: | dwalsh, mmalik, syeghiay |
| Target Milestone: | rc | Keywords: | FutureFeature |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Enhancement | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2011-12-09 10:01:25 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Description of problem: fail2ban can ban hosts using various methods, including tcp wrappers, i.e. by editing /etc/hosts.deny. Unfortunately the current SELinux policy does not allow fail2ban to use this mechanism, even if it's included in the default fail2ban install (though it's not enabled by default). Version-Release number of selected component (if applicable): selinux-policy-3.7.19-123.el6.noarch selinux-policy-targeted-3.7.19-123.el6.noarch fail2ban-0.8.4-24.el6.noarch How reproducible: Every time Steps to Reproduce: 1. Make sure you enable ssh-tcpwrappe in /etc/fail2ban/jail.conf [ssh-tcpwrapper] enabled = true filter = sshd action = hostsdeny sendmail-whois[name=SSH, dest=you] ignoreregex = for myuser from logpath = /var/log/secure 2. Start fail2ban 3. Trigger ban and unban actions Actual results: SELinux denials, e.g.: type=SYSCALL msg=audit(1321030287.006:4922): arch=40000003 syscall=5 success=no exit=-13 a0=98cc018 a1=8401 a2=0 a3=3 items=0 ppid=10813 pid=10972 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="sh" exe="/bin/bash" subj=unconfined_u:system_r:fail2ban_t:s0 key=(null) type=AVC msg=audit(1321030287.006:4922): avc: denied { append } for pid=10972 comm="sh" name="hosts.deny" dev=vda2 ino=7054 scontext=unconfined_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file type=SYSCALL msg=audit(1321031493.535:5121): arch=40000003 syscall=5 success=no exit=-13 a0=9a928e8 a1=80c2 a2=180 a3=f7801 items=0 ppid=12742 pid=12743 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="sed" exe="/bin/sed" subj=unconfined_u:system_r:fail2ban_t:s0 key=(null) type=AVC msg=audit(1321031493.535:5121): avc: denied { write } for pid=12743 comm="sed" name="etc" dev=vda2 ino=8003 scontext=unconfined_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir Expected results: No SELinux denials. Additional info: Dan Walsh suggested me to use the following policy, which worked fine for me: policy_module(myfail2ban, 1.1) gen_require(` type fail2ban_t; ') sysnet_manage_config(fail2ban_t) sysnet_etc_filetrans_config(fail2ban_t)