Bug 1132514 - SELinux policy denies reading from journal
Summary: SELinux policy denies reading from journal
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: fail2ban
Version: epel7
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Orion Poplawski
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On: 1133248
Blocks:
TreeView+ depends on / blocked
 
Reported: 2014-08-21 13:38 UTC by Matrix
Modified: 2015-04-07 22:06 UTC (History)
4 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2015-04-07 22:06:26 UTC
Type: Bug
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1114821 0 unspecified CLOSED fail2ban selinux denial 2021-02-22 00:41:40 UTC

Internal Links: 1114821

Description Matrix 2014-08-21 13:38:12 UTC 
Description of problem:
In default configuration fail2ban (f2b) reads from systemd's journal but it cannot because SELinux is preventing it, yet there are not errors reported in f2b's log.

Version-Release number of selected component (if applicable):
fail2ban-0.9-9.el7.noarch

How reproducible:
Always

Steps to Reproduce:
1. Install fail2ban and enable "sshd" jail.
2. $ ausearch -i -m avc


Actual results:
1. f2b is unable to read/follow journal and doesn't know about failed logins. Product is unable to do it's job.
2. Causes admin frustration and anger because of silent failure.

Expected results:
Doesn't work. And f2b doesn't report any errors even though there are.

Additional info:
Comment 1 Orion Poplawski 2014-08-23 19:04:36 UTC 
I've filed a bug to get the policy fixed.  As for the lack of error messages, I'm wondering if that is a systemd-python issue.  Poking around.
Comment 2 peterN 2014-09-19 11:06:54 UTC 
I can confirm this problem. Is there any recommended workaround until the fix for #1133248 is released?
Comment 3 Orion Poplawski 2014-09-19 15:15:59 UTC 
Just the usual method of using audit2allow to create a custom policy module.
Comment 4 Jason Bradley Nance 2014-11-25 02:07:26 UTC 
Here are the missing policies (at least for fail2ban on RHEL 7):



module myfail2ban 1.0;

require {
        type fail2ban_client_exec_t;
        type logrotate_t;
        class file { read execute open execute_no_trans };
}

#============= logrotate_t ==============
allow logrotate_t fail2ban_client_exec_t:file { read execute open execute_no_trans };

require {
        type syslogd_var_run_t;
        type fail2ban_t;
        class dir read;
}

#============= fail2ban_t ==============
allow fail2ban_t syslogd_var_run_t:dir read;

require {
        type syslogd_var_run_t;
        type fail2ban_t;
        class file { read open getattr };
}

#============= fail2ban_t ==============
allow fail2ban_t syslogd_var_run_t:file { read open getattr };



You can copy / paste the above into myfail2ban.te, then run:

$ sudo checkmodule -M -m -o myfail2ban.mod myfail2ban.te
$ sudo semodule_package -o myfail2ban.pp -m myfail2ban.mod
$ sudo semodule -i myfail2ban.pp

The reason for the "my" prefix is to not collide with the fail2ban policy provided by selinux-policy-targeted.  Once upstream fixes the policy you can delete your "my" module.
Comment 5 Orion Poplawski 2015-04-07 22:06:26 UTC 
I think this is fixed by the selinux-policy changes.
Note You need to log in before you can comment on or make changes to this bug.