Bug 1513100 - SELInux prevents fail2ban from setting resource limits
Summary: SELInux prevents fail2ban from setting resource limits
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.4
Hardware: All
OS: Linux
Target Milestone: rc
: ---
Assignee: Lukas Vrabec
QA Contact: Milos Malik
Depends On:
TreeView+ depends on / blocked
Reported: 2017-11-14 18:26 UTC by Orion Poplawski
Modified: 2018-10-30 10:01 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2018-10-30 10:01:27 UTC
Target Upstream Version:

Attachments (Terms of Use)
ausearch output (6.63 KB, application/x-gzip)
2017-11-15 16:12 UTC, Orion Poplawski
no flags Details

System ID Priority Status Summary Last Updated
Red Hat Bugzilla 1202979 None CLOSED fail2ban with systemd backend may fill FS / hang system after reload 2018-12-27 21:54:39 UTC
Red Hat Product Errata RHBA-2018:3111 None None None 2018-10-30 10:01:53 UTC

Internal Links: 1202979

Description Orion Poplawski 2017-11-14 18:26:56 UTC
Description of problem:

With SELinux enforcing, fail2ban is limited to 1024 open files.  In permissive it is set to whatever LimitNOFILE is set to.

I don't see any AVCs though, perhaps they are not audited.

Version-Release number of selected component (if applicable):

Comment 2 Orion Poplawski 2017-11-14 18:27:36 UTC
system_u:system_r:fail2ban_t:s0 root      3156     1  0 10:18 ?        00:00:02 /usr/bin/python2 -s /usr/bin/fail2ban-server -s /var/run/fail2ban/fail2ban.sock -p /var/run/fail2ban/fail2ban.pid -x -b

Comment 3 Milos Malik 2017-11-15 11:04:36 UTC
Please attach the list of SELinux denials that appear in your scenario. My guess is that the list will contain an { setrlimit } AVC.

# ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts today

Comment 4 Orion Poplawski 2017-11-15 16:12:51 UTC
Created attachment 1352713 [details]
ausearch output

This seems really odd to me.  Here are messages with dontaudit disabled.  But I'm not seeing anything obvious.  But I definitely have to be in permissive mode for the file limit to be increased.

Comment 5 Orion Poplawski 2017-11-15 16:15:57 UTC
Although it is probably the rlimitinh denial that does it - since presumably systemd sets the file limit before execing the daemon process.

Comment 6 Orion Poplawski 2017-11-15 16:17:23 UTC

type=AVC msg=audit(1510761934.613:358117): avc:  denied  { rlimitinh } for  pid=15602 comm="fail2ban-server" scontext=system_u:system_r:fail2ban_client_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 tclass=process

since the server is started via fail2ban-client:

# grep Exec /usr/lib/systemd/system/fail2ban.service
ExecStart=/usr/bin/fail2ban-client -x start
ExecStop=/usr/bin/fail2ban-client stop
ExecReload=/usr/bin/fail2ban-client reload

Comment 7 Orion Poplawski 2017-12-06 17:47:10 UTC
This seems to do the trick:

module fail2ban-rlimit 1.0;

require {
        type fail2ban_client_t;
        type fail2ban_t;
        class process { rlimitinh };

allow fail2ban_client_t fail2ban_t:process { rlimitinh };

Comment 11 errata-xmlrpc 2018-10-30 10:01:27 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.