Bug 990545
| Summary: | SELinux reveals leaked file descriptors | ||
|---|---|---|---|
| Product: | [Fedora] Fedora EPEL | Reporter: | Milos Malik <mmalik> |
| Component: | fail2ban | Assignee: | Orion Poplawski <orion> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | el5 | CC: | admiller, mmalik, orion |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | fail2ban-0.8.13-2.el5 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2014-08-15 18:59:59 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Please test with https://admin.fedoraproject.org/updates/fail2ban-0.8.13-1.el6 and see if that helps. The automated TC, which originally found the issue on RHEL-5, passed with fail2ban-0.8.13-1.el5 package. The same TC executed on RHEL-6.6 passed too when fail2ban-0.8.13-1.el6 package was installed, but selinux-policy for RHEL-6.6 contains dontaudit rules, which hide the leaked file descriptors. fail2ban-0.8.13-1.el5 has been submitted as an update for Fedora EPEL 5. https://admin.fedoraproject.org/updates/fail2ban-0.8.13-1.el5 Package fail2ban-0.8.13-1.el5: * should fix your issue, * was pushed to the Fedora EPEL 5 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=epel-testing fail2ban-0.8.13-1.el5' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-1996/fail2ban-0.8.13-1.el5 then log in and leave karma (feedback). Package fail2ban-0.8.13-2.el5: * should fix your issue, * was pushed to the Fedora EPEL 5 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=epel-testing fail2ban-0.8.13-2.el5' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-1996/fail2ban-0.8.13-2.el5 then log in and leave karma (feedback). fail2ban-0.8.13-2.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report. |
Description of problem: This is not a selinux-policy issue, however selinux-policy can sweep it under the rug. Version-Release number of selected component (if applicable): fail2ban-0.8.4-29.el5 How reproducible: always Steps to Reproduce: # service fail2ban restart # ausearch -m avc -m user_avc -m selinux_err -i -ts recent Actual results: ---- type=SYSCALL msg=audit(07/31/2013 08:32:06.726:419) : arch=x86_64 syscall=execve success=yes exit=0 a0=1a368580 a1=1a368cc0 a2=1a367400 a3=8 items=0 ppid=13320 pid=13321 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=20 comm=iptables exe=/sbin/iptables subj=root:system_r:iptables_t:s0 key=(null) type=AVC msg=audit(07/31/2013 08:32:06.726:419) : avc: denied { read write } for pid=13321 comm=iptables path=socket:[180185] dev=sockfs ino=180185 scontext=root:system_r:iptables_t:s0 tcontext=root:system_r:initrc_t:s0 tclass=unix_stream_socket type=AVC msg=audit(07/31/2013 08:32:06.726:419) : avc: denied { read write } for pid=13321 comm=iptables path=socket:[180180] dev=sockfs ino=180180 scontext=root:system_r:iptables_t:s0 tcontext=root:system_r:initrc_t:s0 tclass=unix_dgram_socket type=AVC msg=audit(07/31/2013 08:32:06.726:419) : avc: denied { read write } for pid=13321 comm=iptables path=socket:[180377] dev=sockfs ino=180377 scontext=root:system_r:iptables_t:s0 tcontext=root:system_r:initrc_t:s0 tclass=unix_stream_socket ---- Expected results: * file descriptors are not leaked