Bug 990545

Summary: SELinux reveals leaked file descriptors
Product: [Fedora] Fedora EPEL
Reporter: Milos Malik <mmalik>
Component: fail2ban
Assignee: Orion Poplawski <orion>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: medium
Version: el5
CC: admiller, mmalik, orion
Hardware: All   
OS: Linux   
Fixed In Version: fail2ban-0.8.13-2.el5
Doc Type: Bug Fix
Last Closed: 2014-08-15 18:59:59 UTC
Type: Bug

Description Milos Malik 2013-07-31 12:38:45 UTC
Description of problem:
This is not a selinux-policy issue; however, selinux-policy can sweep it under the rug.

Version-Release number of selected component (if applicable):
fail2ban-0.8.4-29.el5

How reproducible:
always

Steps to Reproduce:
# service fail2ban restart
# ausearch -m avc -m user_avc -m selinux_err -i -ts recent

Actual results:
----
type=SYSCALL msg=audit(07/31/2013 08:32:06.726:419) : arch=x86_64 syscall=execve success=yes exit=0 a0=1a368580 a1=1a368cc0 a2=1a367400 a3=8 items=0 ppid=13320 pid=13321 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=20 comm=iptables exe=/sbin/iptables subj=root:system_r:iptables_t:s0 key=(null) 
type=AVC msg=audit(07/31/2013 08:32:06.726:419) : avc:  denied  { read write } for  pid=13321 comm=iptables path=socket:[180185] dev=sockfs ino=180185 scontext=root:system_r:iptables_t:s0 tcontext=root:system_r:initrc_t:s0 tclass=unix_stream_socket 
type=AVC msg=audit(07/31/2013 08:32:06.726:419) : avc:  denied  { read write } for  pid=13321 comm=iptables path=socket:[180180] dev=sockfs ino=180180 scontext=root:system_r:iptables_t:s0 tcontext=root:system_r:initrc_t:s0 tclass=unix_dgram_socket 
type=AVC msg=audit(07/31/2013 08:32:06.726:419) : avc:  denied  { read write } for  pid=13321 comm=iptables path=socket:[180377] dev=sockfs ino=180377 scontext=root:system_r:iptables_t:s0 tcontext=root:system_r:initrc_t:s0 tclass=unix_stream_socket 
----

Expected results:
 * file descriptors are not leaked
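
Added example, not part of the original report or of fail2ban: a heuristic that groups `ausearch -i` records by audit event and flags denials raised during an execve on anonymous socket or pipe inodes labelled with a different domain, which is the pattern in the records above. The function names are hypothetical and the sample is abridged from the report's own records.

```python
import re
from collections import defaultdict

# Abridged from the audit records in the report above (SYSCALL fields trimmed).
SAMPLE = """\
----
type=SYSCALL msg=audit(07/31/2013 08:32:06.726:419) : arch=x86_64 syscall=execve success=yes exit=0 ppid=13320 pid=13321 comm=iptables exe=/sbin/iptables subj=root:system_r:iptables_t:s0 key=(null)
type=AVC msg=audit(07/31/2013 08:32:06.726:419) : avc:  denied  { read write } for  pid=13321 comm=iptables path=socket:[180185] dev=sockfs ino=180185 scontext=root:system_r:iptables_t:s0 tcontext=root:system_r:initrc_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(07/31/2013 08:32:06.726:419) : avc:  denied  { read write } for  pid=13321 comm=iptables path=socket:[180180] dev=sockfs ino=180180 scontext=root:system_r:iptables_t:s0 tcontext=root:system_r:initrc_t:s0 tclass=unix_dgram_socket
----
"""

EVENT = re.compile(r"type=(\w+) msg=audit\((.+?):(\d+)\)")
FIELD = re.compile(r"(\w+)=(\S+)")


def sel_type(context):
    """Return the type field of a user:role:type[:level] SELinux context."""
    return context.split(":")[2]


def find_leaked_fds(text):
    """Return (comm, tclass, inode, owner_type) for denials that look like
    descriptors inherited across execve into a different domain."""
    events = defaultdict(lambda: {"execve": False, "avc": []})
    for line in text.splitlines():
        m = EVENT.match(line)
        if not m:
            continue  # separators and unrelated lines
        key = (m.group(2), m.group(3))  # timestamp and serial identify one event
        fields = dict(FIELD.findall(line))
        if m.group(1) == "SYSCALL" and fields.get("syscall") == "execve":
            events[key]["execve"] = True
        elif m.group(1) == "AVC" and "denied" in line:
            events[key]["avc"].append(fields)
    leaks = []
    for ev in events.values():
        if not ev["execve"]:
            continue  # only denials checked at exec time are of interest
        for f in ev["avc"]:
            src, tgt = sel_type(f["scontext"]), sel_type(f["tcontext"])
            anonymous = f.get("path", "").startswith(("socket:[", "pipe:["))
            if anonymous and src != tgt:
                leaks.append((f.get("comm"), f.get("tclass"), f.get("ino"), tgt))
    return leaks
```

Where the loaded policy carries dontaudit rules for these accesses, the denials never reach the audit log; `semodule -DB` rebuilds the policy with dontaudit rules disabled and `semodule -B` restores them.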

Comment 1 Orion Poplawski 2014-07-21 23:15:06 UTC
Please test with https://admin.fedoraproject.org/updates/fail2ban-0.8.13-1.el6 and see if that helps.

Comment 2 Milos Malik 2014-07-22 14:41:13 UTC
The automated TC, which originally found the issue on RHEL-5, passed with the fail2ban-0.8.13-1.el5 package. The same TC executed on RHEL-6.6 passed too when the fail2ban-0.8.13-1.el6 package was installed, but selinux-policy for RHEL-6.6 contains dontaudit rules, which hide the leaked file descriptors.

Comment 3 Fedora Update System 2014-07-22 15:27:51 UTC
fail2ban-0.8.13-1.el5 has been submitted as an update for Fedora EPEL 5.
https://admin.fedoraproject.org/updates/fail2ban-0.8.13-1.el5

Comment 4 Fedora Update System 2014-07-22 18:10:04 UTC
Package fail2ban-0.8.13-1.el5:
* should fix your issue,
* was pushed to the Fedora EPEL 5 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=epel-testing fail2ban-0.8.13-1.el5'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-1996/fail2ban-0.8.13-1.el5
then log in and leave karma (feedback).

Comment 5 Fedora Update System 2014-07-30 19:35:40 UTC
Package fail2ban-0.8.13-2.el5:
* should fix your issue,
* was pushed to the Fedora EPEL 5 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=epel-testing fail2ban-0.8.13-2.el5'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-1996/fail2ban-0.8.13-2.el5
then log in and leave karma (feedback).

Comment 6 Fedora Update System 2014-08-15 18:59:59 UTC
fail2ban-0.8.13-2.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.