Bug 865567

| Field | Value |
|---|---|
| Summary | avc denials on fail2ban restart |
| Product | Red Hat Enterprise Linux 6 |
| Reporter | Orion Poplawski <orion> |
| Component | selinux-policy |
| Assignee | Miroslav Grepl <mgrepl> |
| Status | CLOSED ERRATA |
| QA Contact | Milos Malik <mmalik> |
| Severity | low |
| Priority | low |
| Version | 6.3 |
| CC | dwalsh, mmalik, mtruneck |
| Target Milestone | rc |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Fixed In Version | selinux-policy-3.7.19-184.el6 |
| Doc Type | Bug Fix |
| Type | Bug |
| Last Closed | 2013-02-21 08:31:15 UTC |
Description
Orion Poplawski
2012-10-11 19:10:16 UTC

Looks like fail2ban is leaking an open file descriptor to inotify:

```
type=AVC msg=audit(1349981935.471:201175): avc: denied { read } for pid=8000 comm="sendmail" path="inotify" dev=inotifyfs ino=1 scontext=unconfined_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir
```

And to /var/log/messages, I guarantee iptables is not reading it. The other AVCs are allowed in Fedora.

```
# rpm -qa | grep -e selinux-policy -e fail2ban | sort
fail2ban-0.8.4-28.el6.noarch
selinux-policy-3.7.19-169.el6.noarch
selinux-policy-targeted-3.7.19-169.el6.noarch
# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 24
Policy from config file:        targeted
```

```
----
type=SYSCALL msg=audit(10/12/2012 11:42:45.190:29) : arch=x86_64 syscall=execve success=no exit=-13(Permission denied) a0=1975890 a1=1974970 a2=1975c40 a3=7fff8d649330 items=0 ppid=2301 pid=2302 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=1 comm=sh exe=/bin/bash subj=unconfined_u:system_r:fail2ban_t:s0 key=(null)
type=AVC msg=audit(10/12/2012 11:42:45.190:29) : avc: denied { execute } for pid=2302 comm=sh name=ldconfig dev=sda3 ino=4849899 scontext=unconfined_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
----
type=SYSCALL msg=audit(10/12/2012 11:42:45.190:30) : arch=x86_64 syscall=stat success=no exit=-13(Permission denied) a0=1975890 a1=7fff8d649510 a2=7fff8d649510 a3=7fff8d649330 items=0 ppid=2301 pid=2302 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=1 comm=sh exe=/bin/bash subj=unconfined_u:system_r:fail2ban_t:s0 key=(null)
type=AVC msg=audit(10/12/2012 11:42:45.190:30) : avc: denied { getattr } for pid=2302 comm=sh path=/sbin/ldconfig dev=sda3 ino=4849899 scontext=unconfined_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
----
type=SYSCALL msg=audit(10/12/2012 11:42:45.288:32) : arch=x86_64 syscall=socket success=no exit=-13(Permission denied) a0=2 a1=3 a2=ff a3=7fff9a7f28a0 items=0 ppid=2306 pid=2307 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=1 comm=iptables exe=/sbin/iptables-multi-1.4.7 subj=unconfined_u:system_r:fail2ban_t:s0 key=(null)
type=AVC msg=audit(10/12/2012 11:42:45.288:32) : avc: denied { create } for pid=2307 comm=iptables scontext=unconfined_u:system_r:fail2ban_t:s0 tcontext=unconfined_u:system_r:fail2ban_t:s0 tclass=rawip_socket
----
type=SYSCALL msg=audit(10/12/2012 11:42:45.288:33) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=7f6de4342672 a1=0 a2=0 a3=7fff9a7f2920 items=0 ppid=2306 pid=2307 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=1 comm=iptables exe=/sbin/iptables-multi-1.4.7 subj=unconfined_u:system_r:fail2ban_t:s0 key=(null)
type=AVC msg=audit(10/12/2012 11:42:45.288:33) : avc: denied { search } for pid=2307 comm=iptables scontext=unconfined_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=dir
----
type=SYSCALL msg=audit(10/12/2012 11:42:55.696:55) : arch=x86_64 syscall=execve success=yes exit=0 a0=eb7090 a1=eb7140 a2=eb6f20 a3=7fff8cd753f0 items=0 ppid=2373 pid=2376 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=1 comm=sendmail exe=/usr/sbin/sendmail.postfix subj=unconfined_u:system_r:system_mail_t:s0 key=(null)
type=AVC msg=audit(10/12/2012 11:42:55.696:55) : avc: denied { read } for pid=2376 comm=sendmail path=inotify dev=inotifyfs ino=1 scontext=unconfined_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir
----
```

I added some fixes. Let's see if some of these issues will be fixed.

Looks fixed with selinux-policy-3.7.19-186.el6.noarch. Probably still need to clean up the sendmail leak, but I don't think that is a policy issue. Thanks!

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0314.html
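As an added example (not from the bug report or the selinux-policy project), a small Python parser for `ausearch -i` style records like those above that groups each event's SYSCALL and AVC records by event id and separates two kinds of denial: one logged in the same event as a successful `execve` (the kernel revalidating descriptors the new domain inherited, which is how the leaked inotify fd shows up under `system_mail_t`) and one raised by the subject domain's own operation (the `fail2ban_t` denials). The sample records are transcribed from the report with most SYSCALL fields trimmed; the `leaked_fd`/`policy_gap` labels are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: two events transcribed from the report (ausearch -i style),
# with most SYSCALL fields trimmed; event 55 is the inherited inotify descriptor.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(10/12/2012 11:42:45.190:29) : arch=x86_64 syscall=execve success=no exit=-13(Permission denied) pid=2302 comm=sh exe=/bin/bash subj=unconfined_u:system_r:fail2ban_t:s0
type=AVC msg=audit(10/12/2012 11:42:45.190:29) : avc: denied { execute } for pid=2302 comm=sh name=ldconfig scontext=unconfined_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
type=SYSCALL msg=audit(10/12/2012 11:42:55.696:55) : arch=x86_64 syscall=execve success=yes exit=0 pid=2376 comm=sendmail exe=/usr/sbin/sendmail.postfix subj=unconfined_u:system_r:system_mail_t:s0
type=AVC msg=audit(10/12/2012 11:42:55.696:55) : avc: denied { read } for pid=2376 comm=sendmail path=inotify dev=inotifyfs ino=1 scontext=unconfined_u:system_r:system_mail_t:s0 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir
"""

EVENT_RE = re.compile(r"msg=audit\([^)]*:(\d+)\)")   # trailing number = event id
PERMS_RE = re.compile(r"\{ ([^}]*) \}")              # "{ read write }"
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')        # key=value or key="quoted"


def parse_audit(text):
    """Group the SYSCALL record and AVC record(s) of each audit event by id."""
    events = defaultdict(lambda: {"syscall": {}, "avc": []})
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        event = events[int(m.group(1))]
        if fields.get("type") == "AVC":
            fields["perms"] = PERMS_RE.search(line).group(1).split()
            event["avc"].append(fields)
        elif fields.get("type") == "SYSCALL":
            event["syscall"] = fields
    return dict(events)


def classify(events):
    """Return (event id, kind, source type, target type, class, perms) per denial.
    A denial in the same event as a successful execve is raised while the kernel
    revalidates descriptors the new domain inherited, so the parent leaked the
    fd; any other denial is a gap in the subject domain's own policy."""
    findings = []
    for eid, event in sorted(events.items()):
        sc = event["syscall"]
        inherited = sc.get("syscall") == "execve" and sc.get("success") == "yes"
        for avc in event["avc"]:
            findings.append((eid, "leaked_fd" if inherited else "policy_gap",
                             avc["scontext"].split(":")[2],
                             avc["tcontext"].split(":")[2],
                             avc["tclass"], avc["perms"]))
    return findings
```

Run against a real `ausearch -i -m AVC,SYSCALL` dump, a `leaked_fd` finding points at the parent that spawned the process (here fail2ban), while `policy_gap` findings are the ones worth raising against the subject domain's policy.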