This comes when starting up fail2ban.

Summary:

SELinux is preventing iptables "read write" access on unix_dgram_socket.

Detailed Description:

SELinux denied access requested by iptables. It is not expected that this access is required by iptables and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385)
Please file a bug report.

Additional Information:

Source Context                unconfined_u:system_r:iptables_t:s0
Target Context                unconfined_u:system_r:fail2ban_t:s0
Target Objects                unix_dgram_socket [ unix_dgram_socket ]
Source                        iptables
Source Path                   iptables
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.6.32-56.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.31.5-127.fc12.x86_64 #1 SMP Sat Nov 7 21:11:14 EST 2009 x86_64 x86_64
Alert Count                   4
First Seen                    Thu 17 Dec 2009 09:11:46 PM EST
Last Seen                     Thu 17 Dec 2009 09:11:46 PM EST
Local ID                      9f265ce1-aedc-49d8-87d3-421e6ce0cc03
Line Numbers

Raw Audit Messages

node=(removed) type=AVC msg=audit(1261102306.563:42307): avc: denied { read write } for pid=8915 comm="iptables" path="socket:[7909351]" dev=sockfs ino=7909351 scontext=unconfined_u:system_r:iptables_t:s0 tcontext=unconfined_u:system_r:fail2ban_t:s0 tclass=unix_dgram_socket

node=(removed) type=AVC msg=audit(1261102306.563:42307): avc: denied { read write } for pid=8915 comm="iptables" path="socket:[7909912]" dev=sockfs ino=7909912 scontext=unconfined_u:system_r:iptables_t:s0 tcontext=unconfined_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket

node=(removed) type=AVC msg=audit(1261102306.563:42307): avc: denied { read write } for pid=8915 comm="iptables" path="socket:[7910118]" dev=sockfs ino=7910118 scontext=unconfined_u:system_r:iptables_t:s0 tcontext=unconfined_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket

Hash String generated from  selinux-policy-3.6.32-56.fc12,catchall,iptables,iptables_t,fail2ban_t,unix_dgram_socket,read,write

audit2allow suggests:

#============= iptables_t ==============
allow iptables_t fail2ban_t:unix_dgram_socket { read write };
allow iptables_t fail2ban_t:unix_stream_socket { read write };
I tried to use audit2allow to fix this. First I ran audit2allow -m fail2ban, which produced this:

module fail2ban 1.0;

require {
	type iptables_t;
	type fail2ban_t;
	class unix_stream_socket { read write };
	class unix_dgram_socket { read write };
}

#============= iptables_t ==============
allow iptables_t fail2ban_t:unix_dgram_socket { read write };
allow iptables_t fail2ban_t:unix_stream_socket { read write };

Then I ran it with -M instead of -m and tried to load the policy with semodule and got this:

# semodule -i fail2ban.pp
libsepol.print_missing_requirements: fail2ban's global requirements were not met: type/attribute fail2ban_t (No such file or directory).
libsemanage.semanage_link_sandbox: Link packages failed (No such file or directory).
semodule: Failed!

I have no idea what to do at this point.
*** Bug 548649 has been marked as a duplicate of this bug. ***
*** Bug 548650 has been marked as a duplicate of this bug. ***
Fail2ban leaking file descriptors.

Jonathan, try to use audit2allow the following way:

# grep avc /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Jonathan, you were replacing the system fail2ban with your version, which was causing you the problem. I usually stick a "my" in front of any local policy:

# semodule -i myfail2ban.pp
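Added example, not from this bug report and not code from fail2ban or the SELinux policy project: a POSIX shell script that walks the same two steps as the comments above, turning AVC denial records into allow rules and a .te module source, and that checks the chosen module name against the installed module list before building. That check is the point of the previous comment: installing a local module named fail2ban replaced the system fail2ban module, so fail2ban_t disappeared and the link failed. The audit records and the installed-module list below are constructed stand-ins for /var/log/audit/audit.log and the output of semodule -l, and the function names avc_rules, module_te, module_name_ok and build_local_module are hypothetical. Note that a rule like this only papers over the leaked descriptors identified in this thread; the actual fix is the patch in BZ #522767.

```shell
#!/bin/sh
# Added helper, not from the bug report: turn AVC denial records into the allow
# rules and .te module source that audit2allow would generate, and refuse a
# module name that is already installed (the naming collision from this thread).

# Constructed sample records modelled on the raw audit messages in the report.
SAMPLE_AVC='type=AVC msg=audit(1261102306.563:42307): avc: denied { read write } for pid=8915 comm="iptables" path="socket:[7909351]" dev=sockfs ino=7909351 scontext=unconfined_u:system_r:iptables_t:s0 tcontext=unconfined_u:system_r:fail2ban_t:s0 tclass=unix_dgram_socket
type=AVC msg=audit(1261102306.563:42307): avc: denied { read write } for pid=8915 comm="iptables" path="socket:[7909912]" dev=sockfs ino=7909912 scontext=unconfined_u:system_r:iptables_t:s0 tcontext=unconfined_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1261102306.563:42307): success=yes exit=0 comm="iptables"'

# Constructed stand-in for the output of `semodule -l`; on a real host pass
# "$(semodule -l)" as the second argument of module_name_ok instead.
INSTALLED_MODULES='fail2ban 1.2.0
iptables 1.5.0
mypol 1.0'

# avc_rules: read audit records on stdin, print one allow rule per
# (source type, target type, class), merging permissions of repeated denials.
avc_rules() {
  awk '
    /type=AVC/ && /avc: +denied/ {
      perms = $0; sub(/.*denied *[{] */, "", perms); sub(/ *[}].*/, "", perms)
      src = $0;   sub(/.*scontext=/, "", src);       sub(/ .*/, "", src)
      tgt = $0;   sub(/.*tcontext=/, "", tgt);       sub(/ .*/, "", tgt)
      cls = $0;   sub(/.*tclass=/, "", cls);         sub(/ .*/, "", cls)
      split(src, s, ":"); split(tgt, t, ":")       # user:role:type:level
      key = s[3] " " t[3] ":" cls
      if (!(key in idx)) { idx[key] = ++nkeys; keys[nkeys] = key }
      n = split(perms, p, " ")
      for (i = 1; i <= n; i++)
        if (!((key, p[i]) in have)) { have[key, p[i]] = 1; plist[key] = plist[key] " " p[i] }
    }
    END {
      for (k = 1; k <= nkeys; k++) {
        split(keys[k], part, " ")
        printf "allow %s %s {%s };\n", part[1], part[2], plist[keys[k]]
      }
    }'
}

# module_te NAME: read allow rules on stdin, print complete .te source with the
# require block that the referenced types and classes need.
module_te() {
  awk -v name="$1" '
    /^allow / {
      rules[++n] = $0
      split($3, tc, ":")                     # $3 is target_type:class
      types[$2] = 1; types[tc[1]] = 1
      perms = $0; sub(/.*[{] */, "", perms); sub(/ *[}].*/, "", perms)
      m = split(perms, p, " ")
      for (i = 1; i <= m; i++)
        if (!((tc[2], p[i]) in cp)) { cp[tc[2], p[i]] = 1; cperms[tc[2]] = cperms[tc[2]] " " p[i] }
    }
    END {
      printf "module %s 1.0;\n\nrequire {\n", name
      for (t in types)  printf "\ttype %s;\n", t
      for (c in cperms) printf "\tclass %s {%s };\n", c, cperms[c]
      printf "}\n\n"
      for (i = 1; i <= n; i++) print rules[i]
    }'
}

# module_name_ok NAME [LIST]: succeed only if NAME is not already an installed
# module. Installing a local module under an existing name (here "fail2ban")
# replaces the system module, so its types vanish and linking fails with
# "type/attribute fail2ban_t (No such file or directory)".
module_name_ok() {
  printf '%s\n' "${2:-$INSTALLED_MODULES}" |
    awk -v n="$1" '$1 == n { found = 1 } END { exit found ? 1 : 0 }'
}

# build_local_module NAME: check the name, then generate the .te from the sample
# records (on a real host: grep avc /var/log/audit/audit.log | avc_rules).
build_local_module() {
  if ! module_name_ok "$1"; then
    echo "refusing: '$1' is an installed module; use a local name such as my$1" >&2
    return 1
  fi
  printf '%s\n' "$SAMPLE_AVC" | avc_rules | module_te "$1"
}

# Demonstration: the reporter's choice collides, a "my"-prefixed name does not.
build_local_module fail2ban || echo "(refused as expected)"
build_local_module myfail2ban
```

On a real host, feed the output of grep avc /var/log/audit/audit.log into avc_rules (or straight into audit2allow -M as in the comment above) and only install the resulting .pp once module_name_ok accepts the name; the require block in the generated source is what lets the module link against the system fail2ban and iptables modules rather than replace them.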
*** Bug 550850 has been marked as a duplicate of this bug. ***
There's a patch in BZ #522767 that should fix this.
(In reply to comment #7)
> There's a patch in BZ #522767 that should fix this.

A new build with this patch is waiting in the bodhi queue. Thanks for the patch!

*** This bug has been marked as a duplicate of bug 522767 ***