Bug 669966 - fail2ban can't work with tmp files
fail2ban can't work with tmp files
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: fail2ban (Show other bugs)
14
All Linux
low Severity medium
: ---
: ---
Assigned To: Axel Thimm
Fedora Extras Quality Assurance
:
: 697224 (view as bug list)
Depends On: 669965
Blocks:
  Show dependency treegraph
 
Reported: 2011-01-16 04:49 EST by Phil Anderson
Modified: 2011-06-05 04:01 EDT (History)
8 users (show)

See Also:
Fixed In Version: fail2ban-0.8.4-27.fc14
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-04-18 00:03:03 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)
AVC messages caused by dshield action (6.91 KB, text/x-log)
2011-01-17 06:49 EST, Phil Anderson
no flags Details

  None (edit)
Description Phil Anderson 2011-01-16 04:49:28 EST
Several fail2ban files require files in /tmp:
dshield
mail-buffered
sendmail-buffered
mynetwatchman

SELinux currently blocks this.  I used the following to resolve the problem:

require {
	type tmp_t;
	type fail2ban_t;
	class dir { write remove_name add_name };
	class file { write getattr read create unlink open append };
}


Take note of bug 669965 which is about fail2ban using insecure tmp files.  Probably best to wait for that to be resolved before changing the SELinux policy, in case they put temp files in a different location.
Comment 1 Miroslav Grepl 2011-01-17 06:39:56 EST
Yes, daemons should not used /tmp. /tmp is for users to store their stuff. 

But I am interested about AVC messages which you are seeing. Could you attach these AVC msgs. I would like to see "comm=" field.

Thank you.
Comment 2 Phil Anderson 2011-01-17 06:49:41 EST
Created attachment 473822 [details]
AVC messages caused by dshield action

As produced by the default /etc/fail2ban/action.d/dshield.conf contained in fail2ban-0.8.4-25.fc14.noarch.
Comment 3 Daniel Walsh 2011-01-17 11:45:16 EST
Can  you change dshield to use /var/run/fail2ban and make sure nothing in fail2ban uses /tmp.
Comment 4 Daniel Walsh 2011-01-17 11:47:29 EST
Phill, 

If you execute the following it should fix your problem.

# sed -i 's|/tmp|/var/run/fail2ban|g' /etc/fail2ban/action.d/dshield.conf

http://danwalsh.livejournal.com/11467.html
Comment 5 Phil Anderson 2011-01-17 19:43:23 EST
Yes, I have been running it like that for a few days now without problems.  But, in terms of updating the package, I suspect that /var/run isn't the place, rather /var/lib, as some of those files stay between restarts/reboots.  But, that's for bug 66965 I guess.
Comment 6 Daniel Walsh 2011-01-18 10:59:09 EST
/var/lib/fail2ban is fine with me.
Comment 7 Fedora Update System 2011-04-09 15:06:59 EDT
fail2ban-0.8.4-27.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/fail2ban-0.8.4-27.fc14
Comment 8 Fedora Update System 2011-04-09 15:07:35 EDT
fail2ban-0.8.4-27.fc13 has been submitted as an update for Fedora 13.
https://admin.fedoraproject.org/updates/fail2ban-0.8.4-27.fc13
Comment 9 Fedora Update System 2011-04-09 15:08:07 EDT
fail2ban-0.8.4-27.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/fail2ban-0.8.4-27.fc15
Comment 10 Fedora Update System 2011-04-09 21:43:50 EDT
Package fail2ban-0.8.4-27.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing fail2ban-0.8.4-27.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/fail2ban-0.8.4-27.fc15
then log in and leave karma (feedback).
Comment 11 Fedora Update System 2011-04-18 00:02:31 EDT
fail2ban-0.8.4-27.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 12 Axel Thimm 2011-04-22 03:22:53 EDT
*** Bug 697224 has been marked as a duplicate of this bug. ***
Comment 13 Fedora Update System 2011-04-25 16:50:14 EDT
fail2ban-0.8.4-27.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 14 Fedora Update System 2011-04-25 16:54:57 EDT
fail2ban-0.8.4-27.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 15 JM 2011-04-25 23:40:59 EDT
I think the new fail2ban-0.8.4-27.fc14 version is broken, I can't start the ssh-jail with SELinux enabled. 

Check 

https://bugzilla.redhat.com/show_bug.cgi?id=697223

for more informations.

I switched back to the version fail2ban-0.8.4-25.fc14, which still works.
Comment 16 Marco Guazzone 2011-06-05 04:01:09 EDT
Under FC15, still have problems.
I get the same error messages reported in:
  https://bugzilla.redhat.com/show_bug.cgi?id=697223
  https://bugzilla.redhat.com/show_bug.cgi?id=697224

Thanks!

Note You need to log in before you can comment on or make changes to this bug.