Description of problem:
fail2ban can ban hosts using various methods, including tcp wrappers, i.e. by editing /etc/hosts.deny. Unfortunately the current SELinux policy does not allow fail2ban to use this mechanism, even though it's included in the default fail2ban install (though it's not enabled by default).

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-123.el6.noarch
selinux-policy-targeted-3.7.19-123.el6.noarch
fail2ban-0.8.4-24.el6.noarch

How reproducible:
Every time

Steps to Reproduce:
1. Make sure you enable ssh-tcpwrapper in /etc/fail2ban/jail.conf

[ssh-tcpwrapper]
enabled = true
filter = sshd
action = hostsdeny
         sendmail-whois[name=SSH, dest=you]
ignoreregex = for myuser from
logpath = /var/log/secure

2. Start fail2ban
3. Trigger ban and unban actions

Actual results:
SELinux denials, e.g.:

type=SYSCALL msg=audit(1321030287.006:4922): arch=40000003 syscall=5 success=no exit=-13 a0=98cc018 a1=8401 a2=0 a3=3 items=0 ppid=10813 pid=10972 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="sh" exe="/bin/bash" subj=unconfined_u:system_r:fail2ban_t:s0 key=(null)
type=AVC msg=audit(1321030287.006:4922): avc: denied { append } for pid=10972 comm="sh" name="hosts.deny" dev=vda2 ino=7054 scontext=unconfined_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file

type=SYSCALL msg=audit(1321031493.535:5121): arch=40000003 syscall=5 success=no exit=-13 a0=9a928e8 a1=80c2 a2=180 a3=f7801 items=0 ppid=12742 pid=12743 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="sed" exe="/bin/sed" subj=unconfined_u:system_r:fail2ban_t:s0 key=(null)
type=AVC msg=audit(1321031493.535:5121): avc: denied { write } for pid=12743 comm="sed" name="etc" dev=vda2 ino=8003 scontext=unconfined_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir

Expected results:
No SELinux denials.
Additional info:
Dan Walsh suggested that I use the following policy, which worked fine for me:

policy_module(myfail2ban, 1.1)

gen_require(`
	type fail2ban_t;
')

sysnet_manage_config(fail2ban_t)
sysnet_etc_filetrans_config(fail2ban_t)
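The following shell script is an added example, not part of the original report or of the fail2ban or selinux-policy projects. It reduces AVC records like the two above to "source type, permission, target type:class" triples so you can confirm that the only thing being denied is fail2ban_t touching net_conf_t files and the etc_t directory (the second denial is consistent with sed -i creating its temporary file in /etc), then writes the policy module from the Additional info and builds and loads it when the selinux-policy-devel Makefile is present. The AVC_SAMPLE text is copied from the report and embedded as constructed input; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the report): summarize AVC denials, then build and
# load the myfail2ban module quoted in the report's "Additional info".

# Constructed sample input: the two AVC records from the report, one per line.
AVC_SAMPLE='type=AVC msg=audit(1321030287.006:4922): avc: denied { append } for pid=10972 comm="sh" name="hosts.deny" dev=vda2 ino=7054 scontext=unconfined_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file
type=AVC msg=audit(1321031493.535:5121): avc: denied { write } for pid=12743 comm="sed" name="etc" dev=vda2 ino=8003 scontext=unconfined_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir'

# avc_summary TEXT
# Prints one line per AVC denial: "<source type> <permission> <target type>:<class>".
# Only the type field of each context is kept; user, role and MLS level are dropped.
avc_summary() {
  printf '%s\n' "$1" | awk '
    /avc: +denied/ {
      perm = ""; s = ""; t = ""; c = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "{") perm = $(i + 1)                       # first permission in { ... }
        if ($i ~ /^scontext=/) { split(substr($i, 10), a, ":"); s = a[3] }
        if ($i ~ /^tcontext=/) { split(substr($i, 10), a, ":"); t = a[3] }
        if ($i ~ /^tclass=/)   c = substr($i, 8)
      }
      if (perm != "") print s, perm, t ":" c
    }'
}

# write_te FILE
# Writes the module from the report: full manage rights on net_conf_t and a
# type transition so files fail2ban creates in /etc (etc_t) become net_conf_t.
write_te() {
  cat > "$1" <<'EOF'
policy_module(myfail2ban, 1.1)

gen_require(`
	type fail2ban_t;
')

sysnet_manage_config(fail2ban_t)
sysnet_etc_filetrans_config(fail2ban_t)
EOF
}

# build_and_install
# Compiles myfail2ban.te with the selinux-policy-devel Makefile and loads it.
# Requires root and the selinux-policy-devel package; otherwise leaves the .te
# file behind and returns 2 so the caller can finish by hand.
build_and_install() {
  dir=$(mktemp -d) || return 1
  write_te "$dir/myfail2ban.te"
  if [ ! -f /usr/share/selinux/devel/Makefile ]; then
    echo "selinux-policy-devel not installed; module left at $dir/myfail2ban.te" >&2
    return 2
  fi
  ( cd "$dir" && make -f /usr/share/selinux/devel/Makefile myfail2ban.pp ) || return 1
  semodule -i "$dir/myfail2ban.pp"
}

# Stand-alone run: show what is being denied, then try to load the module.
avc_summary "$AVC_SAMPLE"
build_and_install
```

Running the summary first is the check worth keeping: if anything other than fail2ban_t shows up as the source, or a target other than net_conf_t/etc_t, the hostsdeny action is not the cause and this module will not fix it. The interface calls are preferable to the raw allow rules that audit2allow would emit from the same log, because sysnet_manage_config(fail2ban_t) and sysnet_etc_filetrans_config(fail2ban_t) track the net_conf_t label if the base policy ever changes it.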