Bug 548648 - SELinux is preventing iptables "read write" access on unix_dgram_socket.
Summary: SELinux is preventing iptables "read write" access on unix_dgram_socket.
Keywords:
Status: CLOSED DUPLICATE of bug 522767
Alias: None
Product: Fedora
Classification: Fedora
Component: fail2ban
Version: 12
Hardware: x86_64
OS: Linux
Priority: low
Severity: medium
Target Milestone: ---
Assignee: Axel Thimm
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:26b703ef89b...
Duplicates: 548649 548650 550850
Depends On:
Blocks:
Reported: 2009-12-18 02:13 UTC by Jonathan Kamens
Modified: 2010-02-14 16:42 UTC
CC: 6 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of: 522767
Environment:
Last Closed: 2010-02-14 16:42:05 UTC
Type: ---
Embargoed:

Description Jonathan Kamens 2009-12-18 02:13:43 UTC
This comes when starting up fail2ban.

Summary:

SELinux is preventing iptables "read write" access on unix_dgram_socket.

Detailed Description:

SELinux denied access requested by iptables. It is not expected that this access
is required by iptables and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Please file a bug
report.

Additional Information:

Source Context                unconfined_u:system_r:iptables_t:s0
Target Context                unconfined_u:system_r:fail2ban_t:s0
Target Objects                unix_dgram_socket [ unix_dgram_socket ]
Source                        iptables
Source Path                   iptables
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.32-56.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed)
                              2.6.31.5-127.fc12.x86_64 #1 SMP Sat Nov 7 21:11:14
                              EST 2009 x86_64 x86_64
Alert Count                   4
First Seen                    Thu 17 Dec 2009 09:11:46 PM EST
Last Seen                     Thu 17 Dec 2009 09:11:46 PM EST
Local ID                      9f265ce1-aedc-49d8-87d3-421e6ce0cc03
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1261102306.563:42307): avc:  denied  { read write } for  pid=8915 comm="iptables" path="socket:[7909351]" dev=sockfs ino=7909351 scontext=unconfined_u:system_r:iptables_t:s0 tcontext=unconfined_u:system_r:fail2ban_t:s0 tclass=unix_dgram_socket

node=(removed) type=AVC msg=audit(1261102306.563:42307): avc:  denied  { read write } for  pid=8915 comm="iptables" path="socket:[7909912]" dev=sockfs ino=7909912 scontext=unconfined_u:system_r:iptables_t:s0 tcontext=unconfined_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket

node=(removed) type=AVC msg=audit(1261102306.563:42307): avc:  denied  { read write } for  pid=8915 comm="iptables" path="socket:[7910118]" dev=sockfs ino=7910118 scontext=unconfined_u:system_r:iptables_t:s0 tcontext=unconfined_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket



Hash String generated from  selinux-policy-3.6.32-56.fc12,catchall,iptables,iptables_t,fail2ban_t,unix_dgram_socket,read,write
audit2allow suggests:

#============= iptables_t ==============
allow iptables_t fail2ban_t:unix_dgram_socket { read write };
allow iptables_t fail2ban_t:unix_stream_socket { read write };

Comment 1 Jonathan Kamens 2009-12-18 02:19:51 UTC
I tried to use audit2allow to fix this.  First I ran audit2allow -m fail2ban, which produced this:

module fail2ban 1.0;

require {
        type iptables_t;
        type fail2ban_t;
        class unix_stream_socket { read write };
        class unix_dgram_socket { read write };
}

#============= iptables_t ==============
allow iptables_t fail2ban_t:unix_dgram_socket { read write };
allow iptables_t fail2ban_t:unix_stream_socket { read write };

Then I ran it with -M instead of -m and tried to load the policy with semodule and got this:

# semodule -i fail2ban.pp
libsepol.print_missing_requirements: fail2ban's global requirements were not met: type/attribute fail2ban_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
semodule:  Failed!

I have no idea what to do at this point.

Comment 2 Miroslav Grepl 2009-12-18 11:08:11 UTC
*** Bug 548649 has been marked as a duplicate of this bug. ***

Comment 3 Miroslav Grepl 2009-12-18 11:08:37 UTC
*** Bug 548650 has been marked as a duplicate of this bug. ***

Comment 4 Miroslav Grepl 2009-12-18 11:38:22 UTC
Fail2ban leaking file descriptors.


Jonathan,
try to use audit2allow the following way:

# grep avc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
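
The three raw AVC records quoted in the description and the "grep avc ... | audit2allow -M" step above are what the following added example reproduces in Python. It is not code from fail2ban, setroubleshoot or audit2allow; the function names and the leaked-descriptor heuristic are my own. It parses the audit lines (embedded as a constructed sample copied from this report), merges the denials into the same two allow rules audit2allow printed, and separately flags the pattern behind this bug: a process in one domain (iptables_t) reading anonymous sockets owned by another domain (fail2ban_t), which is what an inherited, unclosed descriptor looks like and is a reason to fix the parent program (as the fail2ban patch did) rather than load the generated allow rule.

```python
"""Parse SELinux AVC denials and derive audit2allow-style allow rules."""
import re
from collections import defaultdict

# Constructed sample input: the three raw audit records quoted in the bug
# description (the host name was already replaced by "(removed)" in the report).
SAMPLE_AUDIT_LOG = """\
node=(removed) type=AVC msg=audit(1261102306.563:42307): avc:  denied  { read write } for  pid=8915 comm="iptables" path="socket:[7909351]" dev=sockfs ino=7909351 scontext=unconfined_u:system_r:iptables_t:s0 tcontext=unconfined_u:system_r:fail2ban_t:s0 tclass=unix_dgram_socket
node=(removed) type=AVC msg=audit(1261102306.563:42307): avc:  denied  { read write } for  pid=8915 comm="iptables" path="socket:[7909912]" dev=sockfs ino=7909912 scontext=unconfined_u:system_r:iptables_t:s0 tcontext=unconfined_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket
node=(removed) type=AVC msg=audit(1261102306.563:42307): avc:  denied  { read write } for  pid=8915 comm="iptables" path="socket:[7910118]" dev=sockfs ino=7910118 scontext=unconfined_u:system_r:iptables_t:s0 tcontext=unconfined_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket
"""

# "avc:  denied  { read write } for  key=value ..." -> result, permission list, field text
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs; values may be quoted (comm="iptables", path="socket:[7909351]")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def selinux_type(context):
    """Return the type component (third field) of a user:role:type[:range] context."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one audit line; return a dict for AVC records, None for anything else."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group("result"), "perms": set(m.group("perms").split())}
    for key, value in FIELD_RE.findall(m.group("fields")):
        rec[key] = value.strip('"')
    return rec


def parse_log(text):
    """Parse a whole audit.log body, keeping only AVC records."""
    return [r for r in (parse_avc(line) for line in text.splitlines()) if r]


def allow_rules(records):
    """Collapse denied records into 'allow <src> <tgt>:<class> { perms };' lines,
    one rule per source/target/class triple, sorted as audit2allow prints them."""
    merged = defaultdict(set)
    for rec in records:
        if rec["result"] != "denied":
            continue
        key = (selinux_type(rec["scontext"]), selinux_type(rec["tcontext"]), rec["tclass"])
        merged[key] |= rec["perms"]
    return [
        f"allow {src} {tgt}:{tclass} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, tclass), perms in sorted(merged.items())
    ]


def leaked_fd_indicators(records):
    """Heuristic (my own, not audit2allow's): flag denials that look like an
    inherited descriptor rather than a genuine access need. The object is an
    anonymous socket (path 'socket:[ino]') and it belongs to a different domain
    than the process touching it, i.e. a child (iptables_t) still holding its
    parent's (fail2ban_t) sockets across exec. Fixing the parent to close them
    is the right remedy; an allow rule would only hide the leak."""
    hits = []
    for rec in records:
        src, tgt = selinux_type(rec["scontext"]), selinux_type(rec["tcontext"])
        if rec.get("path", "").startswith("socket:[") and src != tgt:
            hits.append({
                "comm": rec.get("comm"), "pid": rec.get("pid"),
                "holder_domain": src, "owner_domain": tgt, "tclass": rec["tclass"],
            })
    return hits


if __name__ == "__main__":
    recs = parse_log(SAMPLE_AUDIT_LOG)
    for rule in allow_rules(recs):
        print(rule)
    for hit in leaked_fd_indicators(recs):
        print("possible inherited fd:", hit)
```

Run against a real /var/log/audit/audit.log the script gives the same rules audit2allow would, and the indicator list tells you which of those rules are papering over a descriptor leak in the spawning process instead of describing a real policy gap.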

Comment 5 Daniel Walsh 2009-12-18 13:39:44 UTC
Jonathan, you were replacing the system fail2ban with your version, which was causing you the problem.  

I usually stick a "my" in front of any local policy

# semodule -i myfail2ban.pp

Comment 6 Miroslav Grepl 2009-12-28 10:41:34 UTC
*** Bug 550850 has been marked as a duplicate of this bug. ***

Comment 7 Jonathan Underwood 2010-01-03 02:56:22 UTC
There's a patch in BZ #522767 that should fix this.

Comment 8 Axel Thimm 2010-02-14 16:42:05 UTC
(In reply to comment #7)
> There's a patch in BZ #522767 that should fix this.    

A new build with this patch is waiting in the bodhi queue. Thanks for the patch!

*** This bug has been marked as a duplicate of bug 522767 ***
