Bug 916816
| Summary: | fail2ban is unable to run iptables with latest update | ||||||
|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Phil Anderson <pza> | ||||
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> | ||||
| Status: | CLOSED DUPLICATE | QA Contact: | BaseOS QE Security Team <qe-baseos-security> | ||||
| Severity: | high | Docs Contact: | |||||
| Priority: | unspecified | ||||||
| Version: | 6.4 | CC: | dwalsh, mmalik | ||||
| Target Milestone: | rc | ||||||
| Target Release: | --- | ||||||
| Hardware: | All | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2013-03-01 13:07:15 UTC | Type: | Bug | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Attachments: |
|
||||||
Actually, that is only some of it. The full policy I had to put in place to get the fail2ban iptables action to work cleanly is:
require {
type insmod_exec_t;
type sysctl_modprobe_t;
type fail2ban_t;
type modules_conf_t;
type modules_object_t;
class capability { net_admin net_raw };
class dir { read search open };
class file { read execute open execute_no_trans };
class rawip_socket { getopt create setopt };
}
#============= fail2ban_t ==============
allow fail2ban_t insmod_exec_t:file { read execute open execute_no_trans };
allow fail2ban_t modules_conf_t:dir { read search open };
allow fail2ban_t modules_conf_t:file read;
allow fail2ban_t modules_object_t:dir search;
allow fail2ban_t self:capability { net_admin net_raw };
allow fail2ban_t self:rawip_socket { getopt create setopt };
allow fail2ban_t sysctl_modprobe_t:file read;
Created attachment 704049 [details]
AVCs generated by fail2ban iptables action
It looks like fail2ban_t process did not transition to iptables_t domain. Could you check if BZ#916727 affects you too? Milos, yes, you are right. *** This bug has been marked as a duplicate of bug 916727 *** |
Description of problem: After upgrading to RHEL 6.4, fail2ban is unable to run iptables: fail2ban.actions.action: ERROR iptables -N fail2ban-SSH#012iptables -A fail2ban-SSH -j RETURN#012iptables -I INPUT -p tcp --dport ssh -j fail2ban-SSH returned 300 type=1400 audit(1362102917.292:143040): avc: denied { create } for pid=25079 comm="iptables" scontext=unconfined_u:system_r:fail2ban_t:s0 tcontext=unconfined_u:system_r:fail2ban_t:s0 tclass=rawip_socket type=1400 audit(1362102917.292:143041): avc: denied { read } for pid=25079 comm="iptables" scontext=unconfined_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:sysctl_modprobe_t:s0 tclass=file Version-Release number of selected component (if applicable): selinux-policy-targeted-3.7.19-195.el6_4.1.noarch