Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1114821

Summary: fail2ban selinux denial
Product: Red Hat Enterprise Linux 7 Reporter: Florian La Roche <florian.laroche>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.0CC: jbnance, matic, mmalik, orion
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.13.1-1.el7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-03-05 10:41:40 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Florian La Roche 2014-07-01 05:52:34 UTC 
Description of problem:

Happening with RHEL7-RC and pretty new fail2ban-0.9-5.fc21.noarch:


Email coming in "Anacron job cron.daily":
/etc/cron.daily/logrotate:
logrotate_script: line 1: /usr/bin/fail2ban-client: Permission denied


auditd.log:

type=AVC msg=audit(1404180396.994:11092): avc:  denied  { execute } for  pid=31866 comm="sh" name="fail2ban-client" dev="vda1" ino=138082 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fail2ban_client_ex
ec_t:s0 tclass=file
type=SYSCALL msg=audit(1404180396.994:11092): arch=c000003e syscall=59 success=no exit=-13 a0=2528410 a1=25274b0 a2=2527040 a3=7fff2607f5a0 items=0 ppid=31865 pid=31866 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(
none) ses=1486 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1404180396.994:11093): avc:  denied  { execute } for  pid=31866 comm="sh" name="fail2ban-client" dev="vda1" ino=138082 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fail2ban_client_ex
ec_t:s0 tclass=file
type=SYSCALL msg=audit(1404180396.994:11093): arch=c000003e syscall=21 success=no exit=-13 a0=2528410 a1=1 a2=7fff2607f640 a3=7fff2607f5a0 items=0 ppid=31865 pid=31866 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(n
one) ses=1486 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:logrotate_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1404180396.994:11094): avc:  denied  { read } for  pid=31866 comm="sh" name="fail2ban-client" dev="vda1" ino=138082 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fail2ban_client_exec_t:s0 tclass=file




Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:
Comment 2 Miroslav Grepl 2014-07-01 08:51:44 UTC 
You can add a local policy for now. We allow it in Fedora/RHEL7.1

#grep fail2ban-client /var/log/audit/audit.log | audit2allow -M mypol
#semodule -i mypol.pp
Comment 7 Jason Nance 2014-11-25 02:15:07 UTC 
Note sure what the final changes are from this report but here are the additions I had to make to get fail2ban to be fully functional for the ssh jails on selinux-policy-targeted-3.12.1-153.el7_0.11.noarch:

require {
        type fail2ban_client_exec_t;
        type logrotate_t;
        class file { read execute open execute_no_trans };
}

#============= logrotate_t ==============
allow logrotate_t fail2ban_client_exec_t:file { read execute open execute_no_trans };

require {
        type syslogd_var_run_t;
        type fail2ban_t;
        class dir read;
}

#============= fail2ban_t ==============
allow fail2ban_t syslogd_var_run_t:dir read;

require {
        type syslogd_var_run_t;
        type fail2ban_t;
        class file { read open getattr };
}

#============= fail2ban_t ==============
allow fail2ban_t syslogd_var_run_t:file { read open getattr };
Comment 8 Milos Malik 2014-11-25 08:11:42 UTC 
All rules mentioned in comment#7 are present in selinux-policy >= 3.13.1-9.el7.
Comment 9 Matrix 2014-11-26 08:27:59 UTC 
On what date will selinux-policy-3.13.1-9.el7 be available as an update?
Comment 10 Milos Malik 2014-11-26 08:34:28 UTC 
The public beta or general availability dates for RHEL-7.1 are not yet sure, but you can download the policy from here:

 * http://people.redhat.com/dwalsh/SELinux/RHEL7/noarch/
Comment 12 errata-xmlrpc 2015-03-05 10:41:40 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0458.html