Fedora Account System
Red Hat Associate
Red Hat Customer
Description of problem: I am seeing thousands of the following avc denials Summary SELinux is preventing /usr/libexec/gam_server (fail2ban_t) "read" to <Unknown> (var_t). Detailed Description SELinux denied access requested by /usr/libexec/gam_server. It is not expected that this access is required by /usr/libexec/gam_server and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for <Unknown>, restorecon -v <Unknown> If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package. Additional Information Source Context system_u:system_r:fail2ban_t:s0 Target Context system_u:object_r:var_t:s0 Target Objects None [ dir ] Affected RPM Packages gamin-0.1.9-4.fc8 [application] Policy RPM selinux-policy-3.0.8-87.fc8 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name plugins.catchall_file Host Name clfelspc001.dc.clf.rl.ac.uk Platform Linux clfelspc001.dc.clf.rl.ac.uk 2.6.23.15-137.fc8 #1 SMP Sun Feb 10 17:03:13 EST 2008 x86_64 x86_64 Alert Count 7566 First Seen Thu 28 Feb 2008 01:44:31 PM GMT Last Seen Thu 28 Feb 2008 03:34:20 PM GMT Local ID 9675c0fe-fdc6-4aa6-979f-5cbce02abb2a Line Numbers Raw Audit Messages avc: denied { read } for comm=gam_server dev=sda2 egid=0 euid=0 exe=/usr/libexec/gam_server exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=fedora pid=2447 scontext=system_u:system_r:fail2ban_t:s0 sgid=0 subj=system_u:system_r:fail2ban_t:s0 suid=0 tclass=dir tcontext=system_u:object_r:var_t:s0 tty=(none) uid=0 At a lower rate I am also seeing this denial: Summary SELinux is preventing /usr/libexec/gam_server (fail2ban_t) "search" to <Unknown> (var_lib_t). Detailed Description SELinux denied access requested by /usr/libexec/gam_server. It is not expected that this access is required by /usr/libexec/gam_server and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for <Unknown>, restorecon -v <Unknown> If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package. Additional Information Source Context system_u:system_r:fail2ban_t:s0 Target Context system_u:object_r:var_lib_t:s0 Target Objects None [ dir ] Affected RPM Packages gamin-0.1.9-4.fc8 [application] Policy RPM selinux-policy-3.0.8-87.fc8 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name plugins.catchall_file Host Name clfelspc001.dc.clf.rl.ac.uk Platform Linux clfelspc001.dc.clf.rl.ac.uk 2.6.23.15-137.fc8 #1 SMP Sun Feb 10 17:03:13 EST 2008 x86_64 x86_64 Alert Count 1526 First Seen Thu 28 Feb 2008 01:44:31 PM GMT Last Seen Thu 28 Feb 2008 03:35:00 PM GMT Local ID 39260555-d5f9-4d42-a53b-561d3ebbb622 Line Numbers Raw Audit Messages avc: denied { search } for comm=gam_server dev=sda2 egid=0 euid=0 exe=/usr/libexec/gam_server exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=lib pid=2447 scontext=system_u:system_r:fail2ban_t:s0 sgid=0 subj=system_u:system_r:fail2ban_t:s0 suid=0 tclass=dir tcontext=system_u:object_r:var_lib_t:s0 tty=(none) uid=0
I should also add that I rebooted and did a complete filesystem relabel, but that didn't improve things.. Also, I saw exactly the same problem with selinux-policy-3.0.8-84.fc8.
Is fail2ban executing gam_server?
Well, fail2ban does use gamin. On seeing this flood of denials, I stopped fail2ban, but the denials continued. ps showed two gam_server instances, so I killed them, and the denials stopped. I am not sure if the gam_server instances were started by fail2ban. If they were, they should have been stopped when fail2ban stopped, but that could be a fail2ban bug. I am not sure what else uses/starts gam_server.
Also, I just started fail2ban, and that didn't precipitate a flood of denials. Actually, I just noticed that the gam_server instances are respawned if I kill them (without fail2ban running), but the avc denials have stoped. All very odd.
So why does fail2ban use gam_server? And where in the config is this setup?
(In reply to comment #5) > So why does fail2ban use gam_server? The fail2ban daemon uses gamin to detect when a log file entry has been made > And where in the config is this setup? In /etc/fail2ban/jail.conf - relevant part below: # "backend" specifies the backend used to get files modification. Available # options are "gamin", "polling" and "auto". This option can be overridden in # each jail too (use "gamin" for a jail and "polling" for another). # # gamin: requires Gamin (a file alteration monitor) to be installed. If Gamin # is not installed, Fail2ban will use polling. # polling: uses a polling algorithm which does not require external libraries. # auto: will choose Gamin if available and polling otherwise. backend = auto
You can allow this for now by executing # audit2allow -M mypol -i /var/log/audit/audit.log # semodule -i mypol.pp Fixed in selinux-policy-3.0.8-90.fc8
Similar issues on F9 with fail2ban using: fail2ban-0.8.2-14.fc9.noarch selinux-policy-3.3.1-84.fc9.noarch Changing the backend to 'polling' did not seem to help, but implementing the policy change from Dan above has. HTH
Closing all bugs that have been in modified for over a month. Please reopen if the bug is not actually fixed.
I am seeing the same messages in my SELinux log, again relating specifically to fail2ban. This has been going on now for several days. I am using F11 with fail2ban using: fail2ban-0.8.4-23.fc11.noarch selinux-policy-3.6.12-83.fc11.noarch
Please attach the bugs from the SELinux log.
Summary: SELinux is preventing gam_server (fail2ban_t) "read" mysqld_t. Detailed Description: [SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.] SELinux denied access requested by gam_server. It is not expected that this access is required by gam_server and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Allowing Access: You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package. Additional Information: Source Context system_u:system_r:fail2ban_t:s0 Target Context system_u:system_r:mysqld_t:s0 Target Objects 2251 [ dir ] Source gam_server Source Path /usr/libexec/gam_server Port <Unknown> Host legolas.mollcons.local Source RPM Packages gamin-0.1.10-4.fc11 Target RPM Packages Policy RPM selinux-policy-3.6.12-83.fc11 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Permissive Plugin Name catchall Host Name legolas.mollcons.local Platform Linux legolas.mollcons.local 2.6.30.8-64.fc11.x86_64 #1 SMP Fri Sep 25 04:43:32 EDT 2009 x86_64 x86_64 Alert Count 146 First Seen Wed 07 Oct 2009 08:37:05 PM BST Last Seen Fri 09 Oct 2009 04:39:06 PM BST Local ID fa7cc214-6d31-4c68-8f56-1ff4cd21de46 Line Numbers Raw Audit Messages node=legolas.mollcons.local type=AVC msg=audit(1255102746.815:26425): avc: denied { read } for pid=2385 comm="gam_server" name="2251" dev=proc ino=11516 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=dir node=legolas.mollcons.local type=AVC msg=audit(1255102746.815:26425): avc: denied { open } for pid=2385 comm="gam_server" name="2251" dev=proc ino=11516 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=dir node=legolas.mollcons.local type=SYSCALL msg=audit(1255102746.815:26425): arch=c000003e syscall=2 success=yes exit=9 a0=f215b0 a1=90800 a2=3832569e80 a3=8 items=0 ppid=1 pid=2385 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="gam_server" exe="/usr/libexec/gam_server" subj=system_u:system_r:fail2ban_t:s0 key=(null)
Don't run fail2ban using gam_server. You need to change your configuration.
I have changed the jail.conf referred to above to use backend=polling. I will see if that makes any difference. For now this issue can be closed again.