Bug 435298 - SELinux is preventing /usr/libexec/gam_server (fail2ban_t) "read" to (var_t).
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 8
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
 
Reported: 2008-02-28 15:35 UTC by Jonathan Underwood
Modified: 2009-10-09 22:13 UTC (History)

Doc Type: Bug Fix
Last Closed: 2008-11-17 22:03:13 UTC



Description Jonathan Underwood 2008-02-28 15:35:23 UTC
Description of problem:
I am seeing thousands of the following avc denials


Summary
    SELinux is preventing /usr/libexec/gam_server (fail2ban_t) "read" to
    <Unknown> (var_t).

Detailed Description
    SELinux denied access requested by /usr/libexec/gam_server. It is not
    expected that this access is required by /usr/libexec/gam_server and this
    access may signal an intrusion attempt. It is also possible that the
    specific version or configuration of the application is causing it to
    require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for <Unknown>, restorecon -v
    <Unknown> If this does not work, there is currently no automatic way to
    allow this access. Instead,  you can generate a local policy module to allow
    this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
    Or you can disable SELinux protection altogether. Disabling SELinux
    protection is not recommended. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information        

Source Context                system_u:system_r:fail2ban_t:s0
Target Context                system_u:object_r:var_t:s0
Target Objects                None [ dir ]
Affected RPM Packages         gamin-0.1.9-4.fc8 [application]
Policy RPM                    selinux-policy-3.0.8-87.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Host Name                     clfelspc001.dc.clf.rl.ac.uk
Platform                      Linux clfelspc001.dc.clf.rl.ac.uk
                              2.6.23.15-137.fc8 #1 SMP Sun Feb 10 17:03:13 EST
                              2008 x86_64 x86_64
Alert Count                   7566
First Seen                    Thu 28 Feb 2008 01:44:31 PM GMT
Last Seen                     Thu 28 Feb 2008 03:34:20 PM GMT
Local ID                      9675c0fe-fdc6-4aa6-979f-5cbce02abb2a
Line Numbers                  

Raw Audit Messages            

avc: denied { read } for comm=gam_server dev=sda2 egid=0 euid=0
exe=/usr/libexec/gam_server exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=fedora
pid=2447 scontext=system_u:system_r:fail2ban_t:s0 sgid=0
subj=system_u:system_r:fail2ban_t:s0 suid=0 tclass=dir
tcontext=system_u:object_r:var_t:s0 tty=(none) uid=0


At a lower rate I am also seeing this denial:

Summary
    SELinux is preventing /usr/libexec/gam_server (fail2ban_t) "search" to
    <Unknown> (var_lib_t).

Detailed Description
    SELinux denied access requested by /usr/libexec/gam_server. It is not
    expected that this access is required by /usr/libexec/gam_server and this
    access may signal an intrusion attempt. It is also possible that the
    specific version or configuration of the application is causing it to
    require additional access.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could try to
    restore the default system file context for <Unknown>, restorecon -v
    <Unknown> If this does not work, there is currently no automatic way to
    allow this access. Instead,  you can generate a local policy module to allow
    this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385
    Or you can disable SELinux protection altogether. Disabling SELinux
    protection is not recommended. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information        

Source Context                system_u:system_r:fail2ban_t:s0
Target Context                system_u:object_r:var_lib_t:s0
Target Objects                None [ dir ]
Affected RPM Packages         gamin-0.1.9-4.fc8 [application]
Policy RPM                    selinux-policy-3.0.8-87.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall_file
Host Name                     clfelspc001.dc.clf.rl.ac.uk
Platform                      Linux clfelspc001.dc.clf.rl.ac.uk
                              2.6.23.15-137.fc8 #1 SMP Sun Feb 10 17:03:13 EST
                              2008 x86_64 x86_64
Alert Count                   1526
First Seen                    Thu 28 Feb 2008 01:44:31 PM GMT
Last Seen                     Thu 28 Feb 2008 03:35:00 PM GMT
Local ID                      39260555-d5f9-4d42-a53b-561d3ebbb622
Line Numbers                  

Raw Audit Messages            

avc: denied { search } for comm=gam_server dev=sda2 egid=0 euid=0
exe=/usr/libexec/gam_server exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name=lib
pid=2447 scontext=system_u:system_r:fail2ban_t:s0 sgid=0
subj=system_u:system_r:fail2ban_t:s0 suid=0 tclass=dir
tcontext=system_u:object_r:var_lib_t:s0 tty=(none) uid=0

Comment 1 Jonathan Underwood 2008-02-28 16:08:01 UTC
I should also add that I rebooted and did a complete filesystem relabel, but
that didn't improve things. Also, I saw exactly the same problem with
selinux-policy-3.0.8-84.fc8.

Comment 2 Daniel Walsh 2008-02-28 17:47:33 UTC
Is fail2ban executing gam_server?




Comment 3 Jonathan Underwood 2008-02-28 17:56:39 UTC
Well, fail2ban does use gamin. On seeing this flood of denials, I stopped
fail2ban, but the denials continued. ps showed two gam_server instances, so I
killed them, and the denials stopped. 

I am not sure if the gam_server instances were started by fail2ban. If they
were, they should have been stopped when fail2ban stopped, but that could be a
fail2ban bug.

I am not sure what else uses/starts gam_server.

Comment 4 Jonathan Underwood 2008-02-28 18:10:50 UTC
Also, I just started fail2ban, and that didn't precipitate a flood of denials.

Actually, I just noticed that the gam_server instances are respawned if I kill
them (without fail2ban running), but the avc denials have stopped. All very odd.

Comment 5 Daniel Walsh 2008-02-28 18:27:24 UTC
So why does fail2ban use gam_server?  And where in the config is this set up?

Comment 6 Jonathan Underwood 2008-02-28 18:40:33 UTC
(In reply to comment #5)
> So why does fail2ban use gam_server?  
The fail2ban daemon uses gamin to detect when a log file entry has been made.

> And where in the config is this set up?

In /etc/fail2ban/jail.conf - relevant part below:

# "backend" specifies the backend used to get files modification. Available
# options are "gamin", "polling" and "auto". This option can be overridden in
# each jail too (use "gamin" for a jail and "polling" for another).
#
# gamin:   requires Gamin (a file alteration monitor) to be installed. If Gamin
#          is not installed, Fail2ban will use polling.
# polling: uses a polling algorithm which does not require external libraries.
# auto:    will choose Gamin if available and polling otherwise.
backend = auto


Comment 7 Daniel Walsh 2008-02-28 20:42:24 UTC
You can allow this for now by executing 

# audit2allow -M mypol -i /var/log/audit/audit.log 
# semodule -i mypol.pp

Fixed in selinux-policy-3.0.8-90.fc8
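
One way to review what a local module built from the audit log would grant before loading it, as an added example that is not part of the original thread: it parses AVC denials, keeps only those raised by one source domain, and groups them into allow-rule form. The sample log is constructed (abridged from the denial formats quoted in this report, plus one hypothetical httpd_t line), and the function names are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample: abridged denials in the two formats quoted in this report,
# plus one hypothetical httpd_t denial to show that unrelated entries are skipped.
SAMPLE_LOG = '''\
avc: denied { read } for comm=gam_server dev=sda2 name=fedora pid=2447 scontext=system_u:system_r:fail2ban_t:s0 tclass=dir tcontext=system_u:object_r:var_t:s0
avc: denied { search } for comm=gam_server dev=sda2 name=lib pid=2447 scontext=system_u:system_r:fail2ban_t:s0 tclass=dir tcontext=system_u:object_r:var_lib_t:s0
type=AVC msg=audit(1255102746.815:26425): avc:  denied  { read } for  pid=2385 comm="gam_server" name="2251" dev=proc ino=11516 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=dir
type=AVC msg=audit(1255102746.815:26425): avc:  denied  { open } for  pid=2385 comm="gam_server" name="2251" dev=proc ino=11516 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=dir
type=AVC msg=audit(1255102750.100:26430): avc:  denied  { write } for  pid=3100 comm="httpd" name="upload" dev=sda2 ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir
'''

PERMS = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the key=value fields of one AVC denial, or None for other lines."""
    m = PERMS.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD.findall(line)}
    rec["perms"] = m.group(1).split()
    return rec

def candidate_rules(log_text, source_type):
    """Group the denials of one source domain into (allow rule, process_target)."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if not rec or not {"scontext", "tcontext", "tclass"} <= rec.keys():
            continue
        if rec["scontext"].split(":")[2] != source_type:
            continue
        _, t_role, t_type = rec["tcontext"].split(":")[:3]
        grouped[(t_type, rec["tclass"], t_role)].update(rec["perms"])
    rules = []
    for (t_type, tclass, t_role), perms in sorted(grouped.items()):
        rule = "allow %s %s:%s { %s };" % (
            source_type, t_type, tclass, " ".join(sorted(perms)))
        # On-disk objects carry role object_r; any other role means the target
        # is labelled as a process (here a /proc/<pid> directory).
        rules.append((rule, t_role != "object_r"))
    return rules

if __name__ == "__main__":
    for rule, process_target in candidate_rules(SAMPLE_LOG, "fail2ban_t"):
        print(rule + ("   # target is another domain's process" if process_target else ""))
```

Rules flagged as process targets grant access to another domain's /proc entries rather than to files on disk, so they deserve a closer look than the var_t and var_lib_t directory rules.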

Comment 8 Marc Schwartz 2008-08-28 22:34:42 UTC
Similar issues on F9 with fail2ban using:

  fail2ban-0.8.2-14.fc9.noarch
  selinux-policy-3.3.1-84.fc9.noarch

Changing the backend to 'polling' did not seem to help, but implementing the policy change from Dan above has.

HTH

Comment 9 Daniel Walsh 2008-11-17 22:03:13 UTC
Closing all bugs that have been in modified for over a month.  Please reopen if the bug is not actually fixed.

Comment 10 Chris Jones 2009-10-09 16:14:16 UTC
I am seeing the same messages in my SELinux log, again relating specifically to fail2ban. This has been going on now for several days.

I am using F11 with fail2ban using:
fail2ban-0.8.4-23.fc11.noarch
selinux-policy-3.6.12-83.fc11.noarch

Comment 11 Daniel Walsh 2009-10-09 19:20:33 UTC
Please attach the bugs from the SELinux log.

Comment 12 Chris Jones 2009-10-09 19:35:37 UTC

Summary:

SELinux is preventing gam_server (fail2ban_t) "read" mysqld_t.

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux denied access requested by gam_server. It is not expected that this
access is required by gam_server and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:fail2ban_t:s0
Target Context                system_u:system_r:mysqld_t:s0
Target Objects                2251 [ dir ]
Source                        gam_server
Source Path                   /usr/libexec/gam_server
Port                          <Unknown>
Host                          legolas.mollcons.local
Source RPM Packages           gamin-0.1.10-4.fc11
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.12-83.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     legolas.mollcons.local
Platform                      Linux legolas.mollcons.local
                              2.6.30.8-64.fc11.x86_64 #1 SMP Fri Sep 25 04:43:32
                              EDT 2009 x86_64 x86_64
Alert Count                   146
First Seen                    Wed 07 Oct 2009 08:37:05 PM BST
Last Seen                     Fri 09 Oct 2009 04:39:06 PM BST
Local ID                      fa7cc214-6d31-4c68-8f56-1ff4cd21de46
Line Numbers                  

Raw Audit Messages            

node=legolas.mollcons.local type=AVC msg=audit(1255102746.815:26425): avc:  denied  { read } for  pid=2385 comm="gam_server" name="2251" dev=proc ino=11516 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=dir

node=legolas.mollcons.local type=AVC msg=audit(1255102746.815:26425): avc:  denied  { open } for  pid=2385 comm="gam_server" name="2251" dev=proc ino=11516 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:system_r:mysqld_t:s0 tclass=dir

node=legolas.mollcons.local type=SYSCALL msg=audit(1255102746.815:26425): arch=c000003e syscall=2 success=yes exit=9 a0=f215b0 a1=90800 a2=3832569e80 a3=8 items=0 ppid=1 pid=2385 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="gam_server" exe="/usr/libexec/gam_server" subj=system_u:system_r:fail2ban_t:s0 key=(null)

Comment 13 Daniel Walsh 2009-10-09 21:06:21 UTC
Don't run fail2ban using gam_server.  You need to change your configuration.

Comment 14 Chris Jones 2009-10-09 22:13:08 UTC
I have changed the jail.conf referred to above to use backend=polling. I will see if that makes any difference.

For now this issue can be closed again.

