Bug 505926 - repeated problems with fail2ban
Status: CLOSED DUPLICATE of bug 522767
Product: Fedora
Classification: Fedora
Component: fail2ban
Version: 11
Hardware: All Linux
Priority: low, Severity: medium
Assigned To: Axel Thimm
Fedora Extras Quality Assurance
Reported: 2009-06-14 14:40 EDT by Randy Wyatt
Modified: 2009-09-11 07:07 EDT
Last Closed: 2009-09-11 07:07:57 EDT
Description Randy Wyatt 2009-06-14 14:40:10 EDT
Description of problem:

I have received the following alerts in the setroubleshoot browser


Summary:

SELinux is preventing fail2ban-server (fail2ban_t) "write" usr_t.

Detailed Description:

SELinux denied access requested by fail2ban-server. It is not expected that this
access is required by fail2ban-server and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:fail2ban_t:s0
Target Context                system_u:object_r:usr_t:s0
Target Objects                server [ dir ]
Source                        fail2ban-server
Source Path                   /usr/bin/python
Port                          <Unknown>
Host                          rwwyatt.dyndns.org
Source RPM Packages           python-2.6-7.fc11
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.12-39.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     rwwyatt.dyndns.org
Platform                      Linux rwwyatt.dyndns.org 2.6.29.4-167.fc11.x86_64
                              #1 SMP Wed May 27 17:27:08 EDT 2009 x86_64 x86_64
Alert Count                   11
First Seen                    Sat 13 Jun 2009 07:10:00 PM PDT
Last Seen                     Sat 13 Jun 2009 07:10:01 PM PDT
Local ID                      942e9bd5-bd50-4a8b-992b-52359382dd09
Line Numbers                  

Raw Audit Messages            

node=rwwyatt.dyndns.org type=AVC msg=audit(1244945401.240:16): avc:  denied  { write } for  pid=2024 comm="fail2ban-server" name="server" dev=dm-0 ino=75670064 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir

node=rwwyatt.dyndns.org type=SYSCALL msg=audit(1244945401.240:16): arch=c000003e syscall=87 success=no exit=-13 a0=7fff309ffe70 a1=7f532899f767 a2=47c5d9d7 a3=2422cc8 items=0 ppid=1 pid=2024 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="fail2ban-server" exe="/usr/bin/python" subj=system_u:system_r:fail2ban_t:s0 key=(null)


Summary:

SELinux is preventing sendmail (system_mail_t) "read write" fail2ban_t.

Detailed Description:

SELinux denied access requested by sendmail. It is not expected that this access
is required by sendmail and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:system_mail_t:s0
Target Context                system_u:system_r:fail2ban_t:s0
Target Objects                socket [ unix_stream_socket ]
Source                        sendmail
Source Path                   /usr/sbin/sendmail.sendmail
Port                          <Unknown>
Host                          rwwyatt.dyndns.org
Source RPM Packages           sendmail-8.14.3-5.fc11
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.12-39.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     rwwyatt.dyndns.org
Platform                      Linux rwwyatt.dyndns.org 2.6.29.4-167.fc11.x86_64
                              #1 SMP Wed May 27 17:27:08 EDT 2009 x86_64 x86_64
Alert Count                   6
First Seen                    Sat 13 Jun 2009 07:10:01 PM PDT
Last Seen                     Sun 14 Jun 2009 08:56:14 AM PDT
Local ID                      69a1d064-f0a4-498b-acb4-011538f58869
Line Numbers                  

Raw Audit Messages            

node=rwwyatt.dyndns.org type=AVC msg=audit(1244994974.707:245): avc:  denied  { read write } for  pid=25558 comm="sendmail" path="socket:[11096]" dev=sockfs ino=11096 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket

node=rwwyatt.dyndns.org type=AVC msg=audit(1244994974.707:245): avc:  denied  { read write } for  pid=25558 comm="sendmail" path="socket:[11118]" dev=sockfs ino=11118 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket

node=rwwyatt.dyndns.org type=SYSCALL msg=audit(1244994974.707:245): arch=c000003e syscall=59 success=yes exit=0 a0=17263e0 a1=1726490 a2=1727b10 a3=28 items=0 ppid=25556 pid=25558 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=51 sgid=51 fsgid=51 tty=(none) ses=4294967295 comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=system_u:system_r:system_mail_t:s0 key=(null)









Version-Release number of selected component (if applicable):

selinux-policy-3.6.12-39.fc11.noarch
fail2ban-0.8.3-19.fc11.noarch

How reproducible:
Always


Steps to Reproduce:
1. reboot system
2. ensure that fail2ban starts
3.
  
Actual results:
No mail messages from fail2ban

Expected results:
Normal operation of fail2ban

Additional info:
Comment 1 Daniel Walsh 2009-06-15 15:15:48 EDT
Looks like you have a directory "server" that is mislabeled as a usr_t directory.

You might want to run restorecon -R -v /var/lib to see if you have mislabeled files under there.
Comment 2 Randy Wyatt 2009-06-15 15:31:30 EDT
After running the command and restarting fail2ban, I get the following alert:
[root@rwwyatt log]# sealert -l 3cb33b7a-66eb-40ed-812a-a1e6a214675c

Summary:

SELinux is preventing sendmail (system_mail_t) "read write" fail2ban_t.

Detailed Description:

SELinux denied access requested by sendmail. It is not expected that this access
is required by sendmail and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                unconfined_u:system_r:system_mail_t:s0
Target Context                unconfined_u:system_r:fail2ban_t:s0
Target Objects                socket [ unix_stream_socket ]
Source                        sendmail
Source Path                   /usr/sbin/sendmail.sendmail
Port                          <Unknown>
Host                          rwwyatt.dyndns.org
Source RPM Packages           sendmail-8.14.3-5.fc11
Target RPM Packages
Policy RPM                    selinux-policy-3.6.12-39.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     rwwyatt.dyndns.org
Platform                      Linux rwwyatt.dyndns.org 2.6.29.4-167.fc11.x86_64
                              #1 SMP Wed May 27 17:27:08 EDT 2009 x86_64 x86_64
Alert Count                   2
First Seen                    Mon Jun 15 12:24:01 2009
Last Seen                     Mon Jun 15 12:24:01 2009
Local ID                      3cb33b7a-66eb-40ed-812a-a1e6a214675c
Line Numbers

Raw Audit Messages

node=rwwyatt.dyndns.org type=AVC msg=audit(1245093841.274:676): avc:  denied  { read write } for  pid=31656 comm="sendmail" path="socket:[974137]" dev=sockfs ino=974137 scontext=unconfined_u:system_r:system_mail_t:s0 tcontext=unconfined_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket

node=rwwyatt.dyndns.org type=AVC msg=audit(1245093841.274:676): avc:  denied  { read write } for  pid=31656 comm="sendmail" path="socket:[974149]" dev=sockfs ino=974149 scontext=unconfined_u:system_r:system_mail_t:s0 tcontext=unconfined_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket

node=rwwyatt.dyndns.org type=SYSCALL msg=audit(1245093841.274:676): arch=c000003e syscall=59 success=yes exit=0 a0=e32c80 a1=e32d60 a2=e32360 a3=28 items=0 ppid=31654 pid=31656 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=51 sgid=51 fsgid=51 tty=(none) ses=70 comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=unconfined_u:system_r:system_mail_t:s0 key=(null)



[root@rwwyatt log]#
Comment 3 Daniel Walsh 2009-06-15 15:47:26 EDT
You can ignore this for now.  This is a leaked file descriptor from fail2ban.  SELinux will close the leak and everything should work properly.
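The two denial patterns separated in comments 1 and 3 can be told apart from the raw audit records themselves. The following is an added example, not part of the original thread: `parse`, `triage` and the category names are this example's own, and the rules are a triage heuristic rather than an SELinux tool. It relies on syscall 59 being execve and syscall 87 being unlink for arch=c000003e (x86_64), and on exit=-13 being EACCES.

```python
import re
from collections import defaultdict

# Abridged from the audit records quoted in this bug (node= and unused fields dropped).
SAMPLE = """\
type=AVC msg=audit(1244945401.240:16): avc:  denied  { write } for  pid=2024 comm="fail2ban-server" name="server" dev=dm-0 ino=75670064 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=dir
type=SYSCALL msg=audit(1244945401.240:16): arch=c000003e syscall=87 success=no exit=-13 comm="fail2ban-server" exe="/usr/bin/python"
type=AVC msg=audit(1244994974.707:245): avc:  denied  { read write } for  pid=25558 comm="sendmail" path="socket:[11096]" dev=sockfs ino=11096 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1244994974.707:245): arch=c000003e syscall=59 success=yes exit=0 comm="sendmail" exe="/usr/sbin/sendmail.sendmail"
"""

HEADER = re.compile(r"type=(\w+) msg=audit\((\d+\.\d+:\d+)\):")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
EXECVE = ("c000003e", "59")  # (arch, syscall) for execve on x86_64


def parse(log):
    """Group AVC and SYSCALL records by audit event id (timestamp:serial)."""
    events = defaultdict(lambda: {"AVC": [], "SYSCALL": {}})
    for line in log.splitlines():
        m = HEADER.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD.findall(line[m.end():])}
        if m.group(1) == "AVC":
            events[m.group(2)]["AVC"].append(fields)
        elif m.group(1) == "SYSCALL":
            events[m.group(2)]["SYSCALL"] = fields
    return events


def triage(log):
    """Return {event_id: (kind, source_type, target_type, tclass)}."""
    result = {}
    for eid, ev in parse(log).items():
        if not ev["AVC"]:
            continue
        avc, sc = ev["AVC"][0], ev["SYSCALL"]
        stype, ttype = (avc[k].split(":")[2] for k in ("scontext", "tcontext"))
        at_exec = (sc.get("arch"), sc.get("syscall")) == EXECVE
        if at_exec and all(a.get("path", "").startswith("socket:[") for a in ev["AVC"]):
            kind = "inherited-fd"   # open socket of ttype's domain passed across exec
        elif sc.get("success") == "no" and "name" in avc:
            kind = "path-access"    # lookup by name denied: check the target's label
        else:
            kind = "other"
        result[eid] = (kind, stype, ttype, avc["tclass"])
    return result
```

An "inherited-fd" event whose SYSCALL record shows success=yes means the exec itself went ahead and only the inherited socket was refused, which is why the mailer still runs; a "path-access" event with exit=-13 is a real failure of the named operation.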
Comment 4 Axel Thimm 2009-09-11 06:49:33 EDT
(In reply to comment #2)
> SELinux is preventing sendmail (system_mail_t) "read write" fail2ban_t.

(In reply to comment #3)
> You can ignore this for now.  This is a leaked file descriptor from fail2ban.
> SELinux will close the leak and everything should work properly.

I thought this was fixed in bug #425241. :/
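The descriptor leak discussed in comments 3 and 4, reproduced as an added example (not part of the original thread and not fail2ban's code): a parent opens a Unix stream socket, execs a child, and the child reports whether it holds the same socket inode, the value that appears as `socket:[...]` in the AVC records. `child_socket_inode` and the stand-in child script are hypothetical names; the example assumes Linux and Python 3.7 or later.

```python
import os
import socket
import subprocess
import sys

# Stand-in for the mailer: prints the inode of fd N if it is an open socket, else 0.
CHILD = (
    "import os, stat, sys\n"
    "try:\n"
    "    st = os.fstat(int(sys.argv[1]))\n"
    "    print(st.st_ino if stat.S_ISSOCK(st.st_mode) else 0)\n"
    "except OSError:\n"
    "    print(0)\n"
)


def child_socket_inode(inheritable):
    """Return (parent_inode, inode_seen_by_child) for one socket across exec."""
    a, b = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        fd = a.fileno()
        # Python >= 3.4 marks new descriptors close-on-exec (PEP 446).
        # inheritable=True recreates the older default, where every open
        # descriptor survived exec unless the program set FD_CLOEXEC itself.
        os.set_inheritable(fd, inheritable)
        out = subprocess.run(
            [sys.executable, "-c", CHILD, str(fd)],
            close_fds=False,  # keep subprocess from closing the fd for us
            capture_output=True, text=True, check=True,
        ).stdout
        return os.fstat(fd).st_ino, int(out)
    finally:
        a.close()
        b.close()


if __name__ == "__main__":
    print("inheritable:  ", child_socket_inode(True))    # child holds the same inode
    print("close-on-exec:", child_socket_inode(False))   # child sees nothing on that fd
```

With the descriptor marked close-on-exec the child never receives it, so there is nothing for SELinux to deny at exec time.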
Comment 5 Axel Thimm 2009-09-11 07:07:57 EDT

*** This bug has been marked as a duplicate of bug 522767 ***
