Bug 435298 - SELinux is preventing /usr/libexec/gam_server (fail2ban_t) "read" to (var_t).
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 8
Hardware: All Linux
Priority: low, Severity: low
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance

Reported: 2008-02-28 10:35 EST by Jonathan Underwood
Modified: 2009-10-09 18:13 EDT
Doc Type: Bug Fix
Last Closed: 2008-11-17 17:03:13 EST

Description Jonathan Underwood 2008-02-28 10:35:23 EST
Description of problem:
I am seeing thousands of the following avc denials


Summary
    SELinux is preventing /usr/libexec/gam_server (fail2ban_t) "read" to
    <Unknown> (var_t).

Detailed Description
    SELinux denied access requested by /usr/libexec/gam_server. It is not
    expected that this access is required by /usr/libexec/gam_server and this
    access may signal an intrusion attempt. It is also possible that the
    specific version or configuration of the application is causing it to
    require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for <Unknown>, restorecon -v
    <Unknown> If this does not work, there is currently no automatic way to
    allow this access. Instead,  you can generate a local policy module to allow
    this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
    Or you can disable SELinux protection altogether. Disabling SELinux
    protection is not recommended. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information        

Source Context                system_u:system_r:fail2ban_t:s0
Target Context                system_u:object_r:var_t:s0
Target Objects                None [ dir ]
Affected RPM Packages         gamin-0.1.9-4.fc8 [application]
Policy RPM                    selinux-policy-3.0.8-87.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Host Name                     clfelspc001.dc.clf.rl.ac.uk
Platform                      Linux clfelspc001.dc.clf.rl.ac.uk
                              2.6.23.15-137.fc8 #1 SMP Sun Feb 10 17:03:13 EST
                              2008 x86_64 x86_64
Alert Count                   7566
First Seen                    Thu 28 Feb 2008 01:44:31 PM GMT
Last Seen                     Thu 28 Feb 2008 03:34:20 PM GMT
Local ID                      9675c0fe-fdc6-4aa6-979f-5cbce02abb2a
Line Numbers                  

Raw Audit Messages            

avc: denied { read } for comm=gam_server dev=sda2 egid=0 euid=0
exe=/usr/libexec/gam_server exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=fedora
pid=2447 scontext=system_u:system_r:fail2ban_t:s0 sgid=0
subj=system_u:system_r:fail2ban_t:s0 suid=0 tclass=dir
tcontext=system_u:object_r:var_t:s0 tty=(none) uid=0


At a lower rate I am also seeing this denial:

Summary
    SELinux is preventing /usr/libexec/gam_server (fail2ban_t) "search" to
    <Unknown> (var_lib_t).

Detailed Description
    SELinux denied access requested by /usr/libexec/gam_server. It is not
    expected that this access is required by /usr/libexec/gam_server and this
    access may signal an intrusion attempt. It is also possible that the
    specific version or configuration of the application is causing it to
    require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for <Unknown>, restorecon -v
    <Unknown> If this does not work, there is currently no automatic way to
    allow this access. Instead,  you can generate a local policy module to allow
    this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
    Or you can disable SELinux protection altogether. Disabling SELinux
    protection is not recommended. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information        

Source Context                system_u:system_r:fail2ban_t:s0
Target Context                system_u:object_r:var_lib_t:s0
Target Objects                None [ dir ]
Affected RPM Packages         gamin-0.1.9-4.fc8 [application]
Policy RPM                    selinux-policy-3.0.8-87.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Host Name                     clfelspc001.dc.clf.rl.ac.uk
Platform                      Linux clfelspc001.dc.clf.rl.ac.uk
                              2.6.23.15-137.fc8 #1 SMP Sun Feb 10 17:03:13 EST
                              2008 x86_64 x86_64
Alert Count                   1526
First Seen                    Thu 28 Feb 2008 01:44:31 PM GMT
Last Seen                     Thu 28 Feb 2008 03:35:00 PM GMT
Local ID                      39260555-d5f9-4d42-a53b-561d3ebbb622
Line Numbers                  

Raw Audit Messages            

avc: denied { search } for comm=gam_server dev=sda2 egid=0 euid=0
exe=/usr/libexec/gam_server exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=lib
pid=2447 scontext=system_u:system_r:fail2ban_t:s0 sgid=0
subj=system_u:system_r:fail2ban_t:s0 suid=0 tclass=dir
tcontext=system_u:object_r:var_lib_t:s0 tty=(none) uid=0
Comment 1 Jonathan Underwood 2008-02-28 11:08:01 EST
I should also add that I rebooted and did a complete filesystem relabel, but
that didn't improve things. Also, I saw exactly the same problem with
selinux-policy-3.0.8-84.fc8.
Comment 2 Daniel Walsh 2008-02-28 12:47:33 EST
Is fail2ban executing gam_server?


Comment 3 Jonathan Underwood 2008-02-28 12:56:39 EST
Well, fail2ban does use gamin. On seeing this flood of denials, I stopped
fail2ban, but the denials continued. ps showed two gam_server instances, so I
killed them, and the denials stopped. 

I am not sure if the gam_server instances were started by fail2ban. If they
were, they should have been stopped when fail2ban stopped, but that could be a
fail2ban bug.

I am not sure what else uses/starts gam_server.
Comment 4 Jonathan Underwood 2008-02-28 13:10:50 EST
Also, I just started fail2ban, and that didn't precipitate a flood of denials.

Actually, I just noticed that the gam_server instances are respawned if I kill
them (without fail2ban running), but the avc denials have stopped. All very odd.
Comment 5 Daniel Walsh 2008-02-28 13:27:24 EST
So why does fail2ban use gam_server?  And where in the config is this setup?
Comment 6 Jonathan Underwood 2008-02-28 13:40:33 EST
(In reply to comment #5)
> So why does fail2ban use gam_server?  
The fail2ban daemon uses gamin to detect when a log file entry has been made.

> And where in the config is this setup?

In /etc/fail2ban/jail.conf - relevant part below:

# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto". This option can be overridden in
# each jail too (use "gamin" for a jail and "polling" for another).
#
# gamin:   requires Gamin (a file alteration monitor) to be installed. If Gamin
#          is not installed, Fail2ban will use polling.
# polling: uses a polling algorithm which does not require external libraries.
# auto:    will choose Gamin if available and polling otherwise.
backend = auto
Comment 7 Daniel Walsh 2008-02-28 15:42:24 EST
You can allow this for now by executing 

# audit2allow -M mypol -i /var/log/audit/audit.log 
# semodule -i mypol.pp

Fixed in selinux-policy-3.0.8-90.fc8
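
Added example (not part of the original comments and not selinux-policy project code): running audit2allow over the whole audit.log, as in comment 7, turns every denial in that log into an allow rule, not only the fail2ban_t ones. The functions below, whose names are hypothetical, summarise and isolate one source domain's denials first; the sample records are constructed from the ones quoted in this bug.

```shell
#!/bin/sh
# Added example: review one domain's AVC denials before building a module.

# Constructed sample modelled on the records quoted in this bug;
# example_t is a hypothetical unrelated domain.
sample_log() {
cat <<'EOF'
type=AVC msg=audit(1204206271.100:101): avc:  denied  { read } for  pid=2447 comm="gam_server" name="fedora" dev=sda2 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
type=AVC msg=audit(1204206272.200:102): avc:  denied  { read } for  pid=2447 comm="gam_server" name="fedora" dev=sda2 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
type=AVC msg=audit(1204206273.300:103): avc:  denied  { search } for  pid=2447 comm="gam_server" name="lib" dev=sda2 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=AVC msg=audit(1255102746.815:26425): avc:  denied  { read open } for  pid=2385 comm="gam_server" name="2251" dev=proc scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=dir
type=AVC msg=audit(1255102750.000:26430): avc:  denied  { write } for  pid=999 comm="example" name="tmp" dev=sda2 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
EOF
}

# avc_summary DOMAIN < log: prints "count source target class permission"
# for each distinct denial from DOMAIN, most frequent first.
avc_summary() {
    awk -v want="$1" '
    /avc:/ && /denied/ {
        src = tgt = cls = perms = ""; inperm = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "{") { inperm = 1; continue }
            if ($i == "}") { inperm = 0; continue }
            if (inperm)    { perms = perms " " $i; continue }
            # The SELinux type is the third colon-separated context field.
            if ($i ~ /^scontext=/) { split($i, c, ":"); src = c[3] }
            if ($i ~ /^tcontext=/) { split($i, c, ":"); tgt = c[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (src != want) next
        n = split(substr(perms, 2), p, " ")
        for (j = 1; j <= n; j++) seen[src " " tgt " " cls " " p[j]]++
    }
    END { for (k in seen) print seen[k], k }' | sort -k1,1nr -k2
}

# avc_only DOMAIN < log: passes through only DOMAIN's AVC records, so that
# unrelated denials in the same log do not end up in the generated module.
avc_only() {
    grep 'avc:' | grep 'denied' | grep "scontext=[^ ]*:$1:"
}

sample_log | avc_summary fail2ban_t
```

On a real host, `avc_only fail2ban_t < /var/log/audit/audit.log | audit2allow -M mypol` builds the module from the filtered records only, since audit2allow reads standard input when no `-i` file is given.
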
Comment 8 Marc Schwartz 2008-08-28 18:34:42 EDT
Similar issues on F9 with fail2ban using:

  fail2ban-0.8.2-14.fc9.noarch
  selinux-policy-3.3.1-84.fc9.noarch

Changing the backend to 'polling' did not seem to help, but implementing the policy change from Dan above has.

HTH
Comment 9 Daniel Walsh 2008-11-17 17:03:13 EST
Closing all bugs that have been in modified for over a month.  Please reopen if the bug is not actually fixed.
Comment 10 Chris Jones 2009-10-09 12:14:16 EDT
I am seeing the same messages in my SELinux log, again relating specifically to fail2ban. This has been going on now for several days.

I am using F11 with fail2ban using:
fail2ban-0.8.4-23.fc11.noarch
selinux-policy-3.6.12-83.fc11.noarch
Comment 11 Daniel Walsh 2009-10-09 15:20:33 EDT
Please attach the bugs from the SELinux log.
Comment 12 Chris Jones 2009-10-09 15:35:37 EDT

Summary:

SELinux is preventing gam_server (fail2ban_t) "read" mysqld_t.

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux denied access requested by gam_server. It is not expected that this
access is required by gam_server and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:fail2ban_t:s0
Target Context                system_u:system_r:mysqld_t:s0
Target Objects                2251 [ dir ]
Source                        gam_server
Source Path                   /usr/libexec/gam_server
Port                          <Unknown>
Host                          legolas.mollcons.local
Source RPM Packages           gamin-0.1.10-4.fc11
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.12-83.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     legolas.mollcons.local
Platform                      Linux legolas.mollcons.local
                              2.6.30.8-64.fc11.x86_64 #1 SMP Fri Sep 25 04:43:32
                              EDT 2009 x86_64 x86_64
Alert Count                   146
First Seen                    Wed 07 Oct 2009 08:37:05 PM BST
Last Seen                     Fri 09 Oct 2009 04:39:06 PM BST
Local ID                      fa7cc214-6d31-4c68-8f56-1ff4cd21de46
Line Numbers                  

Raw Audit Messages            

node=legolas.mollcons.local type=AVC msg=audit(1255102746.815:26425): avc:  denied  { read } for  pid=2385 comm="gam_server" name="2251" dev=proc ino=11516 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=dir

node=legolas.mollcons.local type=AVC msg=audit(1255102746.815:26425): avc:  denied  { open } for  pid=2385 comm="gam_server" name="2251" dev=proc ino=11516 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=dir

node=legolas.mollcons.local type=SYSCALL msg=audit(1255102746.815:26425): arch=c000003e syscall=2 success=yes exit=9 a0=f215b0 a1=90800 a2=3832569e80 a3=8 items=0 ppid=1 pid=2385 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="gam_server" exe="/usr/libexec/gam_server" subj=system_u:system_r:fail2ban_t:s0 key=(null)
Comment 13 Daniel Walsh 2009-10-09 17:06:21 EDT
Don't run fail2ban using gam_server.  You need to change your configuration.
Comment 14 Chris Jones 2009-10-09 18:13:08 EDT
I have changed the jail.conf referred to above to use backend=polling. I will see if that makes any difference.

For now this issue can be closed again.
