Selinux & Fail2Ban
Arthur Dent
misc.lists at blueyonder.co.uk
Tue Dec 8 21:15:48 UTC 2009
On Tue, 2009-12-08 at 21:57 +0100, Dominick Grift wrote:
> > So what do you think?
> >
> > Am I on the right track?
>
> Yes "allow system_mail_t fail2ban_t:unix_stream_socket { read write };", signals a leaked file descriptor on fail2ban. This issue is known. You can ignore those avc denials and/or silence them:
What exactly *is* a "leaked file descriptor"?
> echo "policy_module(myfail2ban, 1.0.0)" > myfail2ban.te;
> echo "optional_policy(\`" >> myfail2ban.te;
> echo "gen_require(\`" >> myfail2ban.te;
> echo "attribute domain;" >> myfail2ban.te;
> echo "type fail2ban_t;" >> myfail2ban.te;
> echo "\')" >> myfail2ban.te;
> echo "dontaudit domain fail2ban_t:unix_stream_socket { read write };" >> myfail2ban.te;
> echo "\')" >> myfail2ban.te;
OK - Thanks for this. It's not the way I'm used to generating local
policies and I think there may be an error? Once all the lines are
echo'd into myfail2ban.te this is what I get:
# cat myfail2ban.te
policy_module(myfail2ban, 11.2.1)
optional_policy(`
gen_require(`
attribute domain;
type fail2ban_t;
\')
dontaudit domain fail2ban_t:unix_stream_socket { read write };
\')
Which won't compile:
> make -f /usr/share/selinux/devel/Makefile myfail2ban.pp
> sudo semodule -i myfail2ban.pp
Gives:
# make -f /usr/share/selinux/devel/Makefile myfail2ban.pp
Compiling targeted myfail2ban module
/usr/bin/checkmodule: loading policy configuration from
tmp/myfail2ban.tmp
myfail2ban.te":2:WARNING 'unrecognized character' at token '\' on line
3204:
\
#line 2
myfail2ban.te":2:WARNING 'unrecognized character' at token '\' on line
3214:
\
#line 2
myfail2ban.te":2:WARNING 'unrecognized character' at token '\' on line
3204:
\
#line 2
myfail2ban.te":2:WARNING 'unrecognized character' at token '\' on line
3214:
\
#line 2
/usr/bin/checkmodule: policy configuration loaded
/usr/bin/checkmodule: writing binary representation (version 10) to
tmp/myfail2ban.mod
Creating targeted myfail2ban.pp policy package
rm tmp/myfail2ban.mod.fc tmp/myfail2ban.mod
I'm not exactly sure what you had in mind, otherwise I would edit it to
work...
But thanks again. I do appreciate your help!
Mark
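An added example, not code from either message in the thread: the same dontaudit module written with a quoted heredoc instead of echo lines. In a double-quoted bash string `\'` is not an escape sequence, so the literal backslash ends up in the file before each closing m4 quote, which is exactly the `unrecognized character at token '\'` warning above; a quoted heredoc passes the backtick and single quote through untouched. The build helper assumes the /usr/share/selinux/devel/Makefile path used in the thread and skips the build when it is absent.

```shell
#!/bin/sh
# Added example: write the .te with a quoted heredoc so the m4 quote
# characters (` and ') reach the file exactly as typed.

gen_fail2ban_te() {
    # <<'EOF' disables expansion and backslash processing in the body.
    cat <<'EOF'
policy_module(myfail2ban, 1.0.0)
optional_policy(`
gen_require(`
attribute domain;
type fail2ban_t;
')
dontaudit domain fail2ban_t:unix_stream_socket { read write };
')
EOF
}

# Sanity check: a stray backslash before a quote is the symptom seen in
# the thread. Returns 0 when the file is readable and contains none.
te_is_clean() {
    [ -r "$1" ] && ! grep -qF "\\'" "$1"
}

# Build and load the module with the reference policy devel Makefile
# (assumed path from the thread); returns 2 if it is not installed.
build_and_install() {
    te="$1"
    mod="${te%.te}"
    if [ -f /usr/share/selinux/devel/Makefile ]; then
        make -f /usr/share/selinux/devel/Makefile "$mod.pp" \
            && semodule -i "$mod.pp"
    else
        echo "selinux-policy devel Makefile not found; skipping build" >&2
        return 2
    fi
}

# Usage, run from the directory that should hold the module:
# gen_fail2ban_te > myfail2ban.te && te_is_clean myfail2ban.te \
#     && build_and_install myfail2ban.te
```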