Bug 669966 - fail2ban can't work with tmp files
Summary: fail2ban can't work with tmp files
Alias: None
Product: Fedora
Classification: Fedora
Component: fail2ban
Version: 14
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Axel Thimm
QA Contact: Fedora Extras Quality Assurance
Duplicates: 697224
Depends On: 669965
Reported: 2011-01-16 09:49 UTC by Phil Anderson
Modified: 2011-06-05 08:01 UTC (History)

Fixed In Version: fail2ban-0.8.4-27.fc14
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2011-04-18 04:03:03 UTC
Type: ---

Attachments
AVC messages caused by dshield action (6.91 KB, text/x-log), 2011-01-17 11:49 UTC, Phil Anderson

Description Phil Anderson 2011-01-16 09:49:28 UTC
Several fail2ban files require files in /tmp:

SELinux currently blocks this.  I used the following to resolve the problem:

require {
	type tmp_t;
	type fail2ban_t;
	class dir { write remove_name add_name };
	class file { write getattr read create unlink open append };
}

Take note of bug 669965 which is about fail2ban using insecure tmp files.  Probably best to wait for that to be resolved before changing the SELinux policy, in case they put temp files in a different location.

Comment 1 Miroslav Grepl 2011-01-17 11:39:56 UTC
Yes, daemons should not use /tmp. /tmp is for users to store their stuff.

But I am interested in the AVC messages which you are seeing. Could you attach these AVC msgs? I would like to see the "comm=" field.

Thank you.

Comment 2 Phil Anderson 2011-01-17 11:49:41 UTC
Created attachment 473822 [details]
AVC messages caused by dshield action

As produced by the default /etc/fail2ban/action.d/dshield.conf contained in fail2ban-0.8.4-25.fc14.noarch.
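The point of comment 1 is that the "comm=" field of an AVC record tells you which program inside the fail2ban_t domain actually touched /tmp (the shell or mailer spawned by an action, not fail2ban-server itself), and that is what decides whether the right fix is a configuration change or a policy change. The following is an added example, not part of the bug report or the attachment: it parses constructed AVC lines (the pids, inode numbers and the file name "dshield-report" are made up), groups denials by source type, target type and object class, lists which comm= values hit tmp_t objects, and renders the audit2allow-style rules that a blanket "allow what was denied" fix would have granted.

```python
import re
from collections import defaultdict

# Constructed sample AVC records in the shape audit.log uses. They are NOT the
# attachment from this bug; the pid/inode/name values are made up.
SAMPLE_AVCS = """\
type=AVC msg=audit(1295261200.123:4567): avc:  denied  { write } for  pid=2345 comm="sh" name="tmp" dev=dm-0 ino=1234 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1295261200.124:4568): avc:  denied  { add_name } for  pid=2345 comm="sh" name="dshield-report" scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1295261200.125:4569): avc:  denied  { create } for  pid=2345 comm="sh" name="dshield-report" scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1295261200.126:4570): avc:  denied  { read write open } for  pid=2346 comm="mailx" path="/tmp/dshield-report" dev=dm-0 ino=5678 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1295261300.001:4600): avc:  denied  { write } for  pid=2400 comm="fail2ban-server" name="hosts.deny" scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
"""

PERMS_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]+?)\s*\}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Extract the type field from user:role:type[:range]."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one denial into a dict, or return None for non-AVC lines."""
    m = PERMS_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    return {
        "perms": m.group(1).split(),
        "comm": fields.get("comm", "?"),
        "stype": context_type(fields["scontext"]),
        "ttype": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
    }


def summarize(log_text):
    """Group denials by (source type, target type, object class) and collect
    the permissions and the comm= values seen for each group."""
    groups = defaultdict(lambda: {"perms": set(), "comms": set()})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["stype"], rec["ttype"], rec["tclass"])
        groups[key]["perms"].update(rec["perms"])
        groups[key]["comms"].add(rec["comm"])
    return groups


def tmp_offenders(groups):
    """Return the comm= values denied on tmp_t objects. These name the helper
    programs (here the shell and mailer run by an action) that touch /tmp,
    i.e. the configuration to fix instead of loosening the fail2ban_t policy."""
    comms = set()
    for (_stype, ttype, _tclass), info in groups.items():
        if ttype == "tmp_t":
            comms |= info["comms"]
    return comms


def render_allow_rules(groups):
    """Render audit2allow-style rules for the denials, to show what a blanket
    'allow everything that was denied' fix would grant."""
    rules = []
    for (stype, ttype, tclass), info in sorted(groups.items()):
        perms = " ".join(sorted(info["perms"]))
        rules.append(f"allow {stype} {ttype}:{tclass} {{ {perms} }};")
    return rules


if __name__ == "__main__":
    g = summarize(SAMPLE_AVCS)
    print("processes hitting /tmp:", sorted(tmp_offenders(g)))
    print("\n".join(render_allow_rules(g)))
```

On a real box the input would be `ausearch -m avc -ts recent` output rather than the constructed string. If the offenders are helper programs launched by an action (sh, mailx and the like) the fix belongs in the action file; a rule such as `allow fail2ban_t tmp_t:file { create read write open ... }` would instead let the whole domain write anywhere in /tmp, which is exactly the exposure bug 669965 is about.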

Comment 3 Daniel Walsh 2011-01-17 16:45:16 UTC
Can you change dshield to use /var/run/fail2ban and make sure nothing in fail2ban uses /tmp?

Comment 4 Daniel Walsh 2011-01-17 16:47:29 UTC

If you execute the following it should fix your problem.

# sed -i 's|/tmp|/var/run/fail2ban|g' /etc/fail2ban/action.d/dshield.conf


Comment 5 Phil Anderson 2011-01-18 00:43:23 UTC
Yes, I have been running it like that for a few days now without problems.  But, in terms of updating the package, I suspect that /var/run isn't the place, rather /var/lib, as some of those files stay between restarts/reboots.  But, that's for bug 669965 I guess.

Comment 6 Daniel Walsh 2011-01-18 15:59:09 UTC
/var/lib/fail2ban is fine with me.
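Comments 4 to 6 settle on a procedure: move every /tmp reference in the action files to a directory owned by fail2ban, preferably the persistent /var/lib/fail2ban. The one-line sed in comment 4 does that for dshield.conf, but a bare `s|/tmp|...|` also rewrites substrings such as /var/tmp/... and does not tell you which other files need the same treatment. The script below is an added example, not code from the bug or the fail2ban package: it audits a directory of action files, rewrites /tmp only where it is a complete leading path component, and is run here against constructed fragments (they imitate the layout of a 0.8 action file but are not the shipped dshield.conf). The path /var/lib/fail2ban is the choice from comment 6, kept as an assumption.

```python
import re
import tempfile
from pathlib import Path

# Assumption: the persistent state directory agreed on in this thread.
STATE_DIR = "/var/lib/fail2ban"

# Match /tmp only as a complete leading path component: "/tmp" or "/tmp/...".
# Unlike a bare s|/tmp|...| it leaves /var/tmp/... and names like /tmpfs alone.
TMP_RE = re.compile(r"""(?<![\w/])/tmp(?=/|[\s"']|$)""", re.MULTILINE)

# Constructed fragments in the style of fail2ban 0.8 action files; they are not
# the dshield.conf shipped in the package.
SAMPLE_DSHIELD = """\
[Definition]
actionstart =
actionstop = if [ -f /tmp/dshield-report ]; then rm -f /tmp/dshield-report; fi
actioncheck =
actionban = echo "<ip>" >> /tmp/dshield-report
actionunban =

[Init]
tmpfile = /tmp/dshield-report
"""

SAMPLE_OTHER = """\
[Definition]
actionban = logger -t fail2ban "ban <ip>"; cp /var/tmp/ledger /var/tmp/ledger.bak
"""


def rewrite_tmp_paths(text, state_dir=STATE_DIR):
    """Return (rewritten_text, replacement_count)."""
    return TMP_RE.subn(state_dir, text)


def fix_action_dir(action_dir, state_dir=STATE_DIR, dry_run=True):
    """Scan every *.conf in action_dir and report {filename: replacements}
    for files that reference /tmp. Files are rewritten only if dry_run is
    False, so a first pass can be used purely as an audit."""
    report = {}
    for conf in sorted(Path(action_dir).glob("*.conf")):
        new_text, n = rewrite_tmp_paths(conf.read_text(), state_dir)
        if n:
            report[conf.name] = n
            if not dry_run:
                conf.write_text(new_text)
    return report


def demo():
    """Run the audit-then-fix pass against a throwaway copy of the samples."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "dshield.conf").write_text(SAMPLE_DSHIELD)
        Path(d, "other.conf").write_text(SAMPLE_OTHER)
        audit = fix_action_dir(d)                   # dry run: nothing written
        fixed = fix_action_dir(d, dry_run=False)    # now rewrite
        return audit, fixed, Path(d, "dshield.conf").read_text()


if __name__ == "__main__":
    audit, fixed, text = demo()
    print("files referencing /tmp:", audit)
    print(text)
```

Run it first with the default dry run against /etc/fail2ban/action.d to see which files are affected, then with dry_run=False. The target directory must exist before the daemon restarts, and its SELinux label should be checked with `ls -Zd /var/lib/fail2ban` (and `restorecon -v` applied if it was created by hand), otherwise the denials simply move from tmp_t to another type. As comments 15 and 16 show for the shipped update, re-checking `ausearch -m avc -ts recent` after the restart is the only reliable way to confirm the change removed the denials.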

Comment 7 Fedora Update System 2011-04-09 19:06:59 UTC
fail2ban-0.8.4-27.fc14 has been submitted as an update for Fedora 14.

Comment 8 Fedora Update System 2011-04-09 19:07:35 UTC
fail2ban-0.8.4-27.fc13 has been submitted as an update for Fedora 13.

Comment 9 Fedora Update System 2011-04-09 19:08:07 UTC
fail2ban-0.8.4-27.fc15 has been submitted as an update for Fedora 15.

Comment 10 Fedora Update System 2011-04-10 01:43:50 UTC
Package fail2ban-0.8.4-27.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing fail2ban-0.8.4-27.fc15'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).

Comment 11 Fedora Update System 2011-04-18 04:02:31 UTC
fail2ban-0.8.4-27.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 Axel Thimm 2011-04-22 07:22:53 UTC
*** Bug 697224 has been marked as a duplicate of this bug. ***

Comment 13 Fedora Update System 2011-04-25 20:50:14 UTC
fail2ban-0.8.4-27.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 14 Fedora Update System 2011-04-25 20:54:57 UTC
fail2ban-0.8.4-27.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 15 JM 2011-04-26 03:40:59 UTC
I think the new fail2ban-0.8.4-27.fc14 version is broken, I can't start the ssh-jail with SELinux enabled. 

for more information.

I switched back to the version fail2ban-0.8.4-25.fc14, which still works.

Comment 16 Marco Guazzone 2011-06-05 08:01:09 UTC
Under FC15, I still have problems.
I get the same error messages reported in:

