RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1114821 - fail2ban selinux denial
Summary: fail2ban selinux denial
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.0
Hardware: All
OS: Linux
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2014-07-01 05:52 UTC by Florian La Roche
Modified: 2015-03-05 10:41 UTC (History)
4 users (show)

Fixed In Version: selinux-policy-3.13.1-1.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-03-05 10:41:40 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1132514 0 unspecified CLOSED SELinux policy denies reading from journal 2021-02-22 00:41:40 UTC
Red Hat Bugzilla 1133248 0 unspecified CLOSED fail2ban needs to be able to read the journal 2021-02-22 00:41:40 UTC
Red Hat Product Errata RHBA-2015:0458 0 normal SHIPPED_LIVE selinux-policy bug fix and enhancement update 2015-03-05 15:17:00 UTC

Internal Links: 1132514 1133248

Description Florian La Roche 2014-07-01 05:52:34 UTC 
Description of problem:

Happening with RHEL7-RC and pretty new fail2ban-0.9-5.fc21.noarch:


Email coming in "Anacron job cron.daily":
/etc/cron.daily/logrotate:
logrotate_script: line 1: /usr/bin/fail2ban-client: Permission denied


auditd.log:

type=AVC msg=audit(1404180396.994:11092): avc:  denied  { execute } for  pid=31866 comm="sh" name="fail2ban-client" dev="vda1" ino=138082 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fail2ban_client_ex
ec_t:s0 tclass=file
type=SYSCALL msg=audit(1404180396.994:11092): arch=c000003e syscall=59 success=no exit=-13 a0=2528410 a1=25274b0 a2=2527040 a3=7fff2607f5a0 items=0 ppid=31865 pid=31866 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(
none) ses=1486 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1404180396.994:11093): avc:  denied  { execute } for  pid=31866 comm="sh" name="fail2ban-client" dev="vda1" ino=138082 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fail2ban_client_ex
ec_t:s0 tclass=file
type=SYSCALL msg=audit(1404180396.994:11093): arch=c000003e syscall=21 success=no exit=-13 a0=2528410 a1=1 a2=7fff2607f640 a3=7fff2607f5a0 items=0 ppid=31865 pid=31866 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(n
one) ses=1486 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1404180396.994:11094): avc:  denied  { read } for  pid=31866 comm="sh" name="fail2ban-client" dev="vda1" ino=138082 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fail2ban_client_exec_t:s0 tclass=file




Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:
Comment 2 Miroslav Grepl 2014-07-01 08:51:44 UTC 
You can add a local policy for now. We allow it in Fedora/RHEL7.1

#grep fail2ban-client /var/log/audit/audit.log | audit2allow -M mypol
#semodule -i mypol.pp
Comment 7 Jason Bradley Nance 2014-11-25 02:15:07 UTC 
Note sure what the final changes are from this report but here are the additions I had to make to get fail2ban to be fully functional for the ssh jails on selinux-policy-targeted-3.12.1-153.el7_0.11.noarch:

require {
        type fail2ban_client_exec_t;
        type logrotate_t;
        class file { read execute open execute_no_trans };
}

#============= logrotate_t ==============
allow logrotate_t fail2ban_client_exec_t:file { read execute open execute_no_trans };

require {
        type syslogd_var_run_t;
        type fail2ban_t;
        class dir read;
}

#============= fail2ban_t ==============
allow fail2ban_t syslogd_var_run_t:dir read;

require {
        type syslogd_var_run_t;
        type fail2ban_t;
        class file { read open getattr };
}

#============= fail2ban_t ==============
allow fail2ban_t syslogd_var_run_t:file { read open getattr };
Comment 8 Milos Malik 2014-11-25 08:11:42 UTC 
All rules mentioned in comment#7 are present in selinux-policy >= 3.13.1-9.el7.
Comment 9 Matrix 2014-11-26 08:27:59 UTC 
On what date will selinux-policy-3.13.1-9.el7 be available as an update?
Comment 10 Milos Malik 2014-11-26 08:34:28 UTC 
The public beta or general availability dates for RHEL-7.1 are not yet sure, but you can download the policy from here:

 * http://people.redhat.com/dwalsh/SELinux/RHEL7/noarch/
Comment 12 errata-xmlrpc 2015-03-05 10:41:40 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0458.html
Note You need to log in before you can comment on or make changes to this bug.