Bug 1390810 - selinux policy bans fail2ban access to shorewall
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.8
Hardware: All
OS: Linux
Target Milestone: rc
Assignee: Lukas Vrabec
QA Contact: Milos Malik
Reported: 2016-11-02 01:15 UTC by Sebastian Pauka
Modified: 2017-03-21 09:48 UTC

Fixed In Version: selinux-policy-3.7.19-297.el6
Last Closed: 2017-03-21 09:48:42 UTC


Attachments
audit2allow generated policy (983 bytes, text/plain)
2016-11-02 01:18 UTC, Sebastian Pauka


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:0627 0 normal SHIPPED_LIVE selinux-policy bug fix update 2017-03-21 12:29:23 UTC

Description Sebastian Pauka 2016-11-02 01:15:50 UTC
Description of problem:
The default targeted selinux policy does not allow fail2ban to access shorewall. As a result hosts are not correctly banned by shorewall.

Version-Release number of selected component (if applicable):
selinux-policy-targeted: 3.7.19-292.el6
fail2ban: 0.9.4-2.el6
shorewall: 4.5.4-1.el6

How reproducible:
Every Time

Steps to Reproduce:
1. Install shorewall, fail2ban
2. Set fail2ban banaction to shorewall
3. Attempt to ban an ip (e.g. fail2ban-client set sshd banip 192.0.2.1)

Actual results:
Ban does not appear under shorewall and is not entered into iptables


Sample from audit.log:
type=AVC msg=audit(1477982468.364:50635): avc:  denied  { getattr } for  pid=24925 comm="sh" path="/sbin/shorewall" dev=dm-0 ino=15335439 scontext=unconfined_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:shorewall_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1477982468.364:50635): arch=c000003e syscall=4 success=no exit=-13 a0=28928b0 a1=7fff33fe83e0 a2=7fff33fe83e0 a3=10 items=0 ppid=24911 pid=24925 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=29 comm="sh" exe="/bin/bash" subj=unconfined_u:system_r:fail2ban_t:s0 key=(null)

Sample from /var/log/messages
22947 Nov  1 19:08:32 . fail2ban.action[346]: ERROR shorewall reject 221.194.47.229 -- stdout: ''
22948 Nov  1 19:08:32 . fail2ban.action[346]: ERROR shorewall reject 221.194.47.229 -- stderr: '/bin/sh: shorewall: command not found\n'
22949 Nov  1 19:08:32 . fail2ban.action[346]: ERROR shorewall reject 221.194.47.229 -- returned 127
22950 Nov  1 19:08:32 . fail2ban.actions[346]: ERROR Failed to execute ban jail 'sshd' action 'shorewall' info 'CallingMap({'ipjailmatches': <function <lambda> at 0x29c1a28>, 'matches': "Nov  1 01:42:41 . sshd[1009]:       User root from 221.194.47.229 not allowed because none of user's groups are listed in AllowGroups\nNov  1 01:42:42 qphys1114 sshd[1009]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=      221.194.47.229  user=root\nNov  1 01:42:44 qphys1114 sshd[1009]: Failed password for invalid user root from 221.194.47.229 port 47277 ssh2\nNov  1 01:42:46 . sshd[1009]: Failed password for invalid user root from 221.1      94.47.229 port 47277 ssh2\nNov  1 01:42:48 . sshd[1009]: Failed password for invalid user root from 221.194.47.229 port 47277 ssh2\nNov  1 01:42:51 qphys1114 sshd[1019]: User root from 221.194.47.229 not allowed becaus      e none of user's groups are listed in AllowGroups\nNov  1 01:42:51 qphys1114 sshd[1019]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.194.47.229  user=root\nNov  1 01:42:53 qphys1      114 sshd[1019]: Failed password for invalid user root from 221.194.47.229 port 52293 ssh2\nNov  1 01:42:56 . sshd[1019]: Failed password for invalid user root from 221.194.47.229 port 52293 ssh2\nNov  1 01:42:58 qphys1      114 sshd[1019]: Failed password for invalid user root from 221.194.47.229 port 52293 ssh2\nNov  1 01:43:01 qphys1114 sshd[1029]: User root from 221.194.47.229 not allowed because none of user's groups are listed in AllowGroups      \nNov  1 01:43:01 qphys1114 sshd[1029]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=221.194.47.229  user=root\nNov  1 01:43:03 . sshd[1029]: Failed password for invalid user       root from 221.194.47.229 port 58791 ssh2\nNov  1 01:43:06 . sshd[1029]: Failed password for invalid user root from 221.194.47.229 port 58791 ssh2\nNov  1 01:43:08 . 
sshd[1029]: Failed password for invalid user       root from 221.194.47.229 port 58791.

Comment 1 Sebastian Pauka 2016-11-02 01:17:01 UTC
Attached a fix generated from audit2allow that removes all failures from audit.log relating to fail2ban.

Comment 2 Sebastian Pauka 2016-11-02 01:18:03 UTC
Created attachment 1216320
audit2allow generated policy

Comment 9 errata-xmlrpc 2017-03-21 09:48:42 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2017-0627.html

