Description of problem:
This is not a selinux-policy issue; however, selinux-policy can sweep it under the rug.

Version-Release number of selected component (if applicable):
fail2ban-0.8.4-29.el5

How reproducible:
always

Steps to Reproduce:
# service fail2ban restart
# ausearch -m avc -m user_avc -m selinux_err -i -ts recent

Actual results:
----
type=SYSCALL msg=audit(07/31/2013 08:32:06.726:419) : arch=x86_64 syscall=execve success=yes exit=0 a0=1a368580 a1=1a368cc0 a2=1a367400 a3=8 items=0 ppid=13320 pid=13321 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=20 comm=iptables exe=/sbin/iptables subj=root:system_r:iptables_t:s0 key=(null)
type=AVC msg=audit(07/31/2013 08:32:06.726:419) : avc: denied { read write } for pid=13321 comm=iptables path=socket:[180185] dev=sockfs ino=180185 scontext=root:system_r:iptables_t:s0 tcontext=root:system_r:initrc_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(07/31/2013 08:32:06.726:419) : avc: denied { read write } for pid=13321 comm=iptables path=socket:[180180] dev=sockfs ino=180180 scontext=root:system_r:iptables_t:s0 tcontext=root:system_r:initrc_t:s0 tclass=unix_dgram_socket
type=AVC msg=audit(07/31/2013 08:32:06.726:419) : avc: denied { read write } for pid=13321 comm=iptables path=socket:[180377] dev=sockfs ino=180377 scontext=root:system_r:iptables_t:s0 tcontext=root:system_r:initrc_t:s0 tclass=unix_stream_socket
----

Expected results:
* file descriptors are not leaked
Please test with https://admin.fedoraproject.org/updates/fail2ban-0.8.13-1.el6 and see if that helps.
The automated TC, which originally found the issue on RHEL-5, passed with fail2ban-0.8.13-1.el5 package. The same TC executed on RHEL-6.6 passed too when fail2ban-0.8.13-1.el6 package was installed, but selinux-policy for RHEL-6.6 contains dontaudit rules, which hide the leaked file descriptors.
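The AVC records in the description and the remark above about dontaudit rules both come down to one mechanism: the daemon's Unix sockets are still open (and inheritable) when it fork+execs iptables, so the child holds descriptors it never asked for, and SELinux only makes that visible if the policy audits the resulting access. The script below is an added illustration, not fail2ban's code or the TC from this report. It stands in a small Python child for /sbin/iptables, opens a Unix socketpair in the parent, marks it inheritable (the pre-PEP 446 default a Python 2 daemon on EL5 lived with), and shows which socket descriptors the child inherits with and without close_fds. The fd range scanned (3-255) and the socketpair itself are constructed test fixtures.

```python
"""Show how a daemon leaks inherited socket fds into a child it execs.

Added example; not fail2ban's code. The child script below stands in for
/sbin/iptables and simply reports every inherited descriptor that is a
socket, which is what the AVC records in this bug are complaining about.
Requires Python 3.7+ on a POSIX system.
"""
import os
import socket
import stat
import subprocess
import sys

# Stand-in for the iptables child: list inherited fds that are sockets.
# The scan range 3..255 is an assumption sized for this demo.
CHILD_SCRIPT = r"""
import os, stat
leaked = []
for fd in range(3, 256):
    try:
        st = os.fstat(fd)
    except OSError:
        continue            # fd not open in this process
    if stat.S_ISSOCK(st.st_mode):
        leaked.append(fd)
print(" ".join(map(str, leaked)))
"""


def socket_fds_seen_by_child(close_fds):
    """Open a Unix socketpair (like a daemon's control/log sockets), leave it
    inheritable, spawn a child and report which socket fds the child sees.

    Returns {"opened": [fds the parent opened], "inherited": [fds the child
    found]}. With close_fds=False the child inherits every fd that lacks
    FD_CLOEXEC; with close_fds=True subprocess closes all fds > 2 in the
    child before exec, which is the fix for this class of leak.
    """
    a, b = socket.socketpair(socket.AF_UNIX, socket.SOCK_DGRAM)
    try:
        # Python 3 creates sockets with FD_CLOEXEC set (PEP 446). Clear it so
        # the parent behaves like an older daemon whose fds were inheritable.
        for s in (a, b):
            os.set_inheritable(s.fileno(), True)
        result = subprocess.run(
            [sys.executable, "-c", CHILD_SCRIPT],
            close_fds=close_fds,
            capture_output=True,
            text=True,
            check=True,
        )
        inherited = [int(x) for x in result.stdout.split()]
        return {"opened": [a.fileno(), b.fileno()], "inherited": inherited}
    finally:
        a.close()
        b.close()


def leaks_parent_sockets(close_fds):
    """True if the child could see the parent's own socketpair."""
    r = socket_fds_seen_by_child(close_fds)
    return set(r["opened"]).issubset(r["inherited"])


if __name__ == "__main__":
    for flag in (False, True):
        r = socket_fds_seen_by_child(flag)
        print("close_fds=%-5s parent opened %s, child inherited %s"
              % (flag, r["opened"], r["inherited"]))
```

On a real host the same check is the ausearch command from the description, but only if the policy audits the access: where selinux-policy carries dontaudit rules for it (as noted above for RHEL-6.6), `semodule -DB` rebuilds the policy with dontaudit rules disabled so the denials appear, and `semodule -B` restores them afterwards. Alternatively, `ls -l /proc/<pid>/fd` on a long-running child shows the inherited socket:[inode] entries directly, without relying on SELinux at all.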
fail2ban-0.8.13-1.el5 has been submitted as an update for Fedora EPEL 5. https://admin.fedoraproject.org/updates/fail2ban-0.8.13-1.el5
Package fail2ban-0.8.13-1.el5:
* should fix your issue,
* was pushed to the Fedora EPEL 5 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=epel-testing fail2ban-0.8.13-1.el5'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-1996/fail2ban-0.8.13-1.el5
then log in and leave karma (feedback).
Package fail2ban-0.8.13-2.el5:
* should fix your issue,
* was pushed to the Fedora EPEL 5 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=epel-testing fail2ban-0.8.13-2.el5'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-EPEL-2014-1996/fail2ban-0.8.13-2.el5
then log in and leave karma (feedback).
fail2ban-0.8.13-2.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.