Summary:

SELinux is preventing /usr/bin/python "dac_override" access.

Detailed Description:

[fail2ban-server has a permissive type (fail2ban_t). This access was not denied.]

SELinux denied access requested by fail2ban-server. It is not expected that this access is required by fail2ban-server and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385) Please file a bug report.

Additional Information:

Source Context                unconfined_u:system_r:fail2ban_t:s0
Target Context                unconfined_u:system_r:fail2ban_t:s0
Target Objects                None [ capability ]
Source                        fail2ban-server
Source Path                   /usr/bin/python
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           python-2.6.4-27.fc13
Target RPM Packages
Policy RPM                    selinux-policy-3.7.19-62.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     (removed)
Platform                      Linux (removed) 2.6.34.7-56.fc13.x86_64 #1 SMP Wed Sep 15 03:36:55 UTC 2010 x86_64 x86_64
Alert Count                   2
First Seen                    Wed 06 Oct 2010 20:42:58 BST
Last Seen                     Wed 06 Oct 2010 20:42:58 BST
Local ID                      0a7f53a3-67f5-43ad-b8dc-696ecd7581cb
Line Numbers

Raw Audit Messages

node=(removed) type=AVC msg=audit(1286394178.876:3653): avc: denied { dac_override } for pid=5658 comm="fail2ban-server" capability=1 scontext=unconfined_u:system_r:fail2ban_t:s0 tcontext=unconfined_u:system_r:fail2ban_t:s0 tclass=capability

node=(removed) type=AVC msg=audit(1286394178.876:3653): avc: denied { dac_read_search } for pid=5658 comm="fail2ban-server" capability=2 scontext=unconfined_u:system_r:fail2ban_t:s0 tcontext=unconfined_u:system_r:fail2ban_t:s0 tclass=capability

node=(removed) type=SYSCALL msg=audit(1286394178.876:3653): arch=c000003e syscall=2 success=yes exit=4294967424 a0=ef4a20 a1=0 a2=1b6 a3=0 items=0 ppid=1 pid=5658 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=50 comm="fail2ban-server" exe="/usr/bin/python" subj=unconfined_u:system_r:fail2ban_t:s0 key=(null)

Hash String generated from catchall,fail2ban-server,fail2ban_t,fail2ban_t,capability,dac_override

audit2allow suggests:

#============= fail2ban_t ==============
allow fail2ban_t self:capability { dac_read_search dac_override };
This occurred when restarting fail2ban.
OK, an update on this, it only seems to occur when I enable a jail which tries to read /var/log/exim/reject.log:

[exim-spammers]
enabled = true
filter = exim-spammers
action = iptables-allports[name=exim-spammers]
         mynetwatchman[port=25]
         dshield[port=25]
         complain[logpath=/var/log/exim/main.log]
logpath = /var/log/exim/reject.log
maxretry = 1

This is not really much different to any of my other jails, which work fine.

In fail2ban.log, I see messages like:

2010-10-06 21:58:47,426 fail2ban.comm : WARNING Invalid command: ['set', 'exim-spammers', 'addlogpath', '/var/log/exim/reject.log']
Could you add your output of the following command

# ls -lZ /var/log/exim/reject.log

dac_override means that a root process is trying to access a file/dir which root does not have permission to look at based on the permissions.
[root@gigalith ~]# ls -lZ /var/log/exim/reject.log
-rw-r-----. exim exim unconfined_u:object_r:exim_log_t:s0 /var/log/exim/reject.log
Now it's clear. Dan, I think we should add

allow fail2ban self:capability { dac_read_search dac_override };

For reading all log files.
Ok.
Fixed in selinux-policy-3.7.19-65.fc13
selinux-policy-3.7.19-65.fc13 has been submitted as an update for Fedora 13. https://admin.fedoraproject.org/updates/selinux-policy-3.7.19-65.fc13
Have installed selinux-policy-3.7.19-65.fc13.noarch and selinux-policy-targeted-3.7.19-65.fc13.noarch from koji and these appear to fix the problem for me.
Update karma please
selinux-policy-3.7.19-65.fc13 has been pushed to the Fedora 13 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: https://admin.fedoraproject.org/updates/selinux-policy-3.7.19-65.fc13
selinux-policy-3.7.19-65.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.
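
The reasoning in this thread, as an added example that is not part of the bug report or of selinux-policy: a plain owner/group/other check shows why root cannot read reject.log without a DAC capability, and the two AVC records from the report are grouped into the allow rule that was proposed. The function names, and the assumption that the root process belongs only to group root, are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample: the two AVC records quoted in the report (node= field dropped).
SAMPLE_AUDIT = (
    'type=AVC msg=audit(1286394178.876:3653): avc: denied { dac_override } for '
    'pid=5658 comm="fail2ban-server" capability=1 '
    'scontext=unconfined_u:system_r:fail2ban_t:s0 '
    'tcontext=unconfined_u:system_r:fail2ban_t:s0 tclass=capability\n'
    'type=AVC msg=audit(1286394178.876:3653): avc: denied { dac_read_search } for '
    'pid=5658 comm="fail2ban-server" capability=2 '
    'scontext=unconfined_u:system_r:fail2ban_t:s0 '
    'tcontext=unconfined_u:system_r:fail2ban_t:s0 tclass=capability\n'
)

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{([^}]*)\}.*?scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)"
)

def dac_allows_read(mode, owner, group, user, groups):
    """Owner/group/other read check on an `ls -l` mode string (ACLs ignored).

    Exactly one permission class applies: owner, else group, else other.
    """
    if user == owner:
        return mode[1] == "r"
    if group in groups:
        return mode[4] == "r"
    return mode[7] == "r"

def allow_rules(audit_text):
    """Group denied permissions by (source type, target type, class)."""
    perms = defaultdict(set)
    for m in AVC_RE.finditer(audit_text):
        stype = m.group(2).split(":")[2]   # user:role:type:level -> type
        ttype = m.group(3).split(":")[2]
        perms[(stype, ttype, m.group(4))].update(m.group(1).split())
    rules = []
    for (stype, ttype, tclass), names in sorted(perms.items()):
        target = "self" if stype == ttype else ttype
        rules.append("allow %s %s:%s { %s };"
                     % (stype, target, tclass, " ".join(sorted(names))))
    return rules

if __name__ == "__main__":
    # reject.log is exim:exim, mode -rw-r-----; root is neither owner nor in the group
    print(dac_allows_read("-rw-r-----.", "exim", "exim", "root", {"root"}))
    print("\n".join(allow_rules(SAMPLE_AUDIT)))
```

The permissions are sorted alphabetically here, so the order inside the braces differs from the audit2allow output quoted in the report; the rule is the same.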