Description of problem: Hello, When enabling [lighttpd-auth] in /etc/fail2ban/jail.local and restarting fail2ban service, I got this error. I am using fail2ban 0.9-2.fc20 and selinux-policy 3.12.1-182.fc20. Thanks SELinux is preventing /usr/bin/python2.7 from using the 'dac_override' capabilities. ***** Plugin dac_override (91.4 confidence) suggests ********************** If vous souhaitez identifier si le domaine nécessite cet accès ou si vous possédez un fichier avec les mauvaises permissions sur votre système Then activez le contrôle complet pour obtenir les informations de chemin du fichier fautif et générer l'erreur à nouveau. Do Activer le contrôle complet # auditctl -w /etc/shadow -p w Tentez de recréer AVC. Puis exécutez # ausearch -m avc -ts recent Si vous voyez un enregistrement PATH, vérifiez les propriétés/permissions du fichier, et corrigez-les, sinon veuillez effectuer un rapport bugzilla. ***** Plugin catchall (9.59 confidence) suggests ************************** If vous pensez que python2.7 devrait avoir des capacités dac_override par défaut. Then vous devriez rapporter ceci en tant qu'anomalie. Vous pouvez générer un module de stratégie local pour autoriser cet accès. Do autoriser cet accès pour le moment en exécutant : # grep fail2ban-client /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:fail2ban_client_t:s0 Target Context system_u:system_r:fail2ban_client_t:s0 Target Objects [ capability ] Source fail2ban-client Source Path /usr/bin/python2.7 Port <Unknown> Host (removed) Source RPM Packages python-2.7.5-13.fc20.x86_64 Target RPM Packages Policy RPM selinux-policy-3.12.1-182.fc20.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 3.15.10-201.fc20.x86_64 #1 SMP Wed Aug 27 21:10:06 UTC 2014 x86_64 x86_64 Alert Count 12 First Seen 2014-09-08 17:41:35 CEST Last Seen 2014-09-08 17:55:42 CEST Local ID 7eddf2b0-c2c0-4055-b7c1-d1129ea4e843 Raw Audit Messages type=AVC msg=audit(1410191742.985:594): avc: denied { dac_override } for pid=3026 comm="fail2ban-client" capability=1 scontext=system_u:system_r:fail2ban_client_t:s0 tcontext=system_u:system_r:fail2ban_client_t:s0 tclass=capability type=SYSCALL msg=audit(1410191742.985:594): arch=x86_64 syscall=stat success=yes exit=0 a0=1f9e900 a1=7fff4f3827e0 a2=7fff4f3827e0 a3=0 items=0 ppid=1 pid=3026 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=fail2ban-client exe=/usr/bin/python2.7 subj=system_u:system_r:fail2ban_client_t:s0 key=(null) Hash: fail2ban-client,fail2ban_client_t,fail2ban_client_t,capability,dac_override Additional info: reporter: libreport-2.2.3 hashmarkername: setroubleshoot kernel: 3.15.10-201.fc20.x86_64 type: libreport
Activer le contrôle complet # auditctl -w /etc/shadow -p w Tentez de recréer AVC. Puis exécutez # ausearch -m avc -ts recent
Created attachment 935800 [details] output of 'ausearch -m avc -ts recent' Hello, Thanks for your reply. Here is the output obtained after removing bypass suggested rules in selinux. semodule -r Mypol auditctl -w /etc/shadow -p w systemctl restart fail2ban.service ausearch -m avc -ts recent
It looks like /var/log/lighttpd/error.log is not readable by root? We could add the dac_override to fail2ban since it wants to read all log files and they could be not readable by root.
Fixed in selinux-policy-3.12.1-196.fc20.src.rpm
Dear Daniel, Many thanks and happy new year. Unfortunately I can't test it anymore, using apache instead of lighttpd Cheers
selinux-policy-3.12.1-197.fc20 has been submitted as an update for Fedora 20. https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-197.fc20
Package selinux-policy-3.12.1-197.fc20: * should fix your issue, * was pushed to the Fedora 20 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-197.fc20' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2015-1398/selinux-policy-3.12.1-197.fc20 then log in and leave karma (feedback).
selinux-policy-3.12.1-197.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.