Fail2ban and SELinux

max bianco maximilianbianco at gmail.com
Fri Apr 18 02:02:04 UTC 2008


On Thu, Apr 17, 2008 at 1:37 PM, max bianco <maximilianbianco at gmail.com> wrote:
>
> On Thu, Apr 17, 2008 at 1:22 PM, max bianco <maximilianbianco at gmail.com> wrote:
>  >
>  > On Thu, Apr 17, 2008 at 11:25 AM, Daniel J Walsh <dwalsh at redhat.com> wrote:
>  >  >
>  >  >
>  >  >  max bianco wrote:
>  >  >  > On Wed, Apr 16, 2008 at 8:37 AM, Daniel J Walsh <dwalsh at redhat.com> wrote:
>  >  >  >> max wrote:
>  >  >  >>  > Daniel J Walsh wrote:
>  >  >  >>  >> max bianco wrote:
>  >  >  >>  >>> I recently installed fail2ban on my F8 box. I don't allow remote
>  >  >  >>  >>> access to my box but it had been mentioned recently so I decided to
>  >  >  >>  >>> test it out. I installed it a few days ago but didn't do anything with
>  >  >  >>  >>> it till last night. I had forgotten about it but I was perusing log
>  >  >  >>  >>> files and saw 21 AVCs related to it. I pulled up my services GUI
>  >  >  >>  >>> and sure enough it wasn't running. I tried to start it and got
>  >  >  >>  >>> denied (it wouldn't start from a terminal at all, complaining that the
>  >  >  >>  >>> service is unrecognized). No problem, I expected as much when I saw
>  >  >  >>  >>> the AVCs in my log files but I always try things more than once so I
>  >  >  >>  >>> tried to start it a second time, and this time and every time after it
>  >  >  >>  >>> started without generating a denial. Is this because I manually
>  >  >  >>  >>> started the service? That doesn't make sense because then it would
>  >  >  >>  >>> have worked the first time as well but it didn't. I see that there is
>  >  >  >>  >>> a policy module for fail2ban but if the module is in place then
>  >  >  >>  >>> shouldn't it have run without issues? Why 21 AVCs and then it's
>  >  >  >>  >>> working? I am learning my way around SELinux but I don't feel
>  >  >  >>  >>> comfortable enough to troubleshoot this problem correctly, so where do
>  >  >  >>  >>> I start?
>  >  >  >>  >>>
>  >  >  >>  >>> Max
>  >  >  >>  >>>
>  >  >  >>  >> Was there a policy upgrade during this time?  Problem might have been
>  >  >  >>  >> fixed.
>  >  >  >>  >>
>  >  >  >>  > The time between my first manual attempt to start fail2ban, which
>  >  >  >>  > generated an SELinux denial, and the second, which started the service,
>  >  >  >>  > was about 30 seconds. I checked the logs again today; this is a portion
>  >  >  >>  > of the output from yesterday and today:
>  >  >  >>  >
>  >  >  >>  >> Apr 14 23:24:32 localhost setroubleshoot: [program.ERROR]
>  >  >  >>  >> setroubleshoot generated AVC, exiting to avoid recursion,
>  >  >  >>  >> context=system_u:system_r:setroubleshootd_t:s0, AVC
>  >  >  >>  >> scontext=system_u:system_r:setroubleshootd_t:s0
>  >  >  >>  >> Apr 14 23:24:32 localhost setroubleshoot: [program.ERROR] audit
>  >  >  >>  >> event#012host=localhost.localdomain type=AVC
>  >  >  >>  >> msg=audit(1208229871.594:256): avc:  denied  { write } for  pid=2530
>  >  >  >>  >> comm="setroubleshootd" name="rpm" dev=dm-0 ino=229382
>  >  >  >>  >> scontext=system_u:system_r:setroubleshootd_t:s0
>  >  >  >>  >> tcontext=system_u:object_r:rpm_var_lib_t:s0
>  >  >  >>  >> tclass=dir#012#012host=localhost.localdomain type=SYSCALL
>  >  >  >>  >> msg=audit(1208229871.594:256): arch=c000003e syscall=21 success=no
>  >  >  >>  >> exit=-13 a0=eaf2f0 a1=2 a2=0 a3=0 items=0 ppid=1 pid=2530
>  >  >  >>  >> auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
>  >  >  >>  >> fsgid=0 tty=(none) comm="setroubleshootd" exe="/usr/bin/python"
>  >  >  >>  >> subj=system_u:system_r:setroubleshootd_t:s0 key=(null)
>  >  >  >>  >> Apr 14 23:24:32 localhost setroubleshoot: [program.ERROR]
>  >  >  >>  >> setroubleshoot generated AVC, exiting to avoid recursion,
>  >  >  >>  >> context=system_u:system_r:setroubleshootd_t:s0, AVC
>  >  >  >>  >> scontext=system_u:system_r:setroubleshootd_t:s0
>  >  >  >>  >> Apr 14 23:24:32 localhost setroubleshoot: [program.ERROR] audit
>  >  >  >>  >> event#012host=localhost.localdomain type=AVC
>  >  >  >>  >> msg=audit(1208229871.595:257): avc:  denied  { write } for  pid=2530
>  >  >  >>  >> comm="setroubleshootd" name="rpm" dev=dm-0 ino=229382
>  >  >  >>  >> scontext=system_u:system_r:setroubleshootd_t:s0
>  >  >  >>  >> tcontext=system_u:object_r:rpm_var_lib_t:s0
>  >  >  >>  >> tclass=dir#012#012host=localhost.localdomain type=SYSCALL
>  >  >  >>  >> msg=audit(1208229871.595:257): arch=c000003e syscall=21 success=no
>  >  >  >>  >> exit=-13 a0=d684a0 a1=2 a2=0 a3=0 items=0 ppid=1 pid=2530
>  >  >  >>  >> auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
>  >  >  >>  >> fsgid=0 tty=(none) comm="setroubleshootd" exe="/usr/bin/python"
>  >  >  >>  >> subj=system_u:system_r:setroubleshootd_t:s0 key=(null)
>  >  >  >>  >> Apr 15 17:26:32 localhost setroubleshoot: SELinux is preventing
>  >  >  >>  >> fail2ban-server (fail2ban_t) "getattr" to / (security_t). For complete
>  >  >  >>  >> SELinux messages. run sealert -l fe77e9af-a0e1-442b-a176-08f2db381144
>  >  >  >>  >> Apr 15 17:26:36 localhost setroubleshoot: SELinux is preventing
>  >  >  >>  >> fail2ban-server (fail2ban_t) "read" to ./config (selinux_config_t).
>  >  >  >>  >> For complete SELinux messages. run sealert -l
>  >  >  >>  >> 99f22448-5c31-4a6f-8f55-02f7404fba5d
>  >  >  >>  >> Apr 15 17:26:36 localhost setroubleshoot: SELinux is preventing
>  >  >  >>  >> fail2ban-server (fail2ban_t) "search" to / (security_t). For complete
>  >  >  >>  >> SELinux messages. run sealert -l 85b915f3-5a0b-4a2b-9bf1-c3a88bdd5951
>  >  >  >>  >> Apr 15 17:26:36 localhost setroubleshoot: SELinux is preventing
>  >  >  >>  >> fail2ban-server (fail2ban_t) "search" to / (security_t). For complete
>  >  >  >>  >> SELinux messages. run sealert -l 85b915f3-5a0b-4a2b-9bf1-c3a88bdd5951
>  >  >  >>  >> Apr 15 17:26:37 localhost setroubleshoot: [program.ERROR]
>  >  >  >>  >> setroubleshoot generated AVC, exiting to avoid recursion,
>  >  >  >>  >> context=system_u:system_r:setroubleshootd_t:s0, AVC
>  >  >  >>  >> scontext=system_u:system_r:setroubleshootd_t:s0
>  >  >  >>  >> Apr 15 17:26:37 localhost setroubleshoot: SELinux is preventing
>  >  >  >>  >> iptables (iptables_t) "read write" to socket (fail2ban_t). For
>  >  >  >>  >> complete SELinux messages. run sealert -l
>  >  >  >>  >> 6cb9955a-b9cf-470c-87d1-e72bfa4b1fe2
>  >  >  >>  >> Apr 15 17:26:37 localhost setroubleshoot: [program.ERROR] audit
>  >  >  >>  >> event#012host=localhost.localdomain type=AVC
>  >  >  >>  >> msg=audit(1208294790.920:161): avc:  denied  { write } for  pid=2506
>  >  >  >>  >> comm="setroubleshootd" name="rpm" dev=dm-0 ino=229382
>  >  >  >>  >> scontext=system_u:system_r:setroubleshootd_t:s0
>  >  >  >>  >> tcontext=system_u:object_r:rpm_var_lib_t:s0
>  >  >  >>  >> tclass=dir#012#012host=localhost.localdomain type=SYSCALL
>  >  >  >>  >> msg=audit(1208294790.920:161): arch=c000003e syscall=21 success=no
>  >  >  >>  >> exit=-13 a0=dbf500 a1=2 a2=0 a3=0 items=0 ppid=1 pid=2506
>  >  >  >>  >> auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
>  >  >  >>  >> fsgid=0 tty=(none) comm="setroubleshootd" exe="/usr/bin/python"
>  >  >  >>  >> subj=system_u:system_r:setroubleshootd_t:s0 key=(null)
>  >  >  >>  >
>  >  >  >>  > At this point Fail2ban reports it is running. That is only a small
>  >  >  >>  > portion of what is generated but maybe it can give you an idea.
>  >  >  >>  > Subsequently SETroubleshoot crashes, specifically it says: connection
>  >  >  >>  > lost /var/run/setroubleshoot/setroubleshoot_server. The other thing is
>  >  >  >>  > that I stopped the fail2ban service and rebooted but SETroubleshoot is
>  >  >  >>  > still crashing; it will generate an AVC when I try to run it, then all
>  >  >  >>  > the output is lost before I can read the AVC. As I have been flipping
>  >  >  >>  > back and forth typing this, checking logs, restarting
>  >  >  >>  > SETroubleshoot (about six or seven times now), SETroubleshoot is now up
>  >  >  >>  > and running like nothing happened. Now that SETroubleshoot is running I
>  >  >  >>  > expected to find additional AVCs from today but the last one is from
>  >  >  >>  > yesterday concerning fail2ban. The Alert Count should show 22 not 21
>  >  >  >>  > like it does (if we count the one I got the first time I tried to start
>  >  >  >>  > fail2ban manually).
>  >  >  >>  >
>  >  >  >>  > This is the AVC I was getting from Fail2ban before all this ... stuff
>  >  >  >>  > went haywire on me.
>  >  >  >>  >
>  >  >  >>  >
>  >  >  >>  > Summary:
>  >  >  >>  >
>  >  >  >>  >  SELinux is preventing fail2ban-server (fail2ban_t) "connectto" to
>  >  >  >>  >
>  >  >  >>  > 002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
>  >  >  >>  >
>  >  >  >>  > (rpm_t).
>  >  >  >>  >
>  >  >  >>  >  Detailed Description:
>  >  >  >>  >
>  >  >  >>  >  SELinux denied access requested by fail2ban-server. It is not expected that this
>  >  >  >>  >  access is required by fail2ban-server and this access may signal an intrusion
>  >  >  >>  >  attempt. It is also possible that the specific version or configuration of the
>  >  >  >>  >  application is causing it to require additional access.
>  >  >  >>  >
>  >  >  >>  >  Allowing Access:
>  >  >  >>  >
>  >  >  >>  >  You can generate a local policy module to allow this access - see FAQ
>  >  >  >>  >  (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
>  >  >  >>  >  SELinux protection altogether. Disabling SELinux protection is not recommended.
>  >  >  >>  >  Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
>  >  >  >>  >  against this package.
>  >  >  >>  >
>  >  >  >>  >  Additional Information:
>  >  >  >>  >
>  >  >  >>  >  Source Context                system_u:system_r:fail2ban_t:s0
>  >  >  >>  >  Target Context                system_u:system_r:rpm_t:s0
>  >  >  >>  >  Target Objects                002F746D702F66616D2D726F6F742D00000000000000000000
>  >  >  >>  >                                00000000000000000000000000000000000000000000000000
>  >  >  >>  >                                00000000000000000000000000000000000000000000000000
>  >  >  >>  >                                00000000000000000000000000000000000000000000000000
>  >  >  >>  >                                0000000000000000 [ unix_stream_socket ]
>  >  >  >>  >  Source                        fail2ban-server
>  >  >  >>  >  Source Path                   /usr/bin/python
>  >  >  >>  >  Port                          <Unknown>
>  >  >  >>  >  Host                          localhost.localdomain
>  >  >  >>  >  Source RPM Packages           python-2.5.1-15.fc8
>  >  >  >>  >  Target RPM Packages
>  >  >  >>  >  Policy RPM                    selinux-policy-3.0.8-95.fc8
>  >  >  >>  >  Selinux Enabled               True
>  >  >  >>  >  Policy Type                   targeted
>  >  >  >>  >  MLS Enabled                   True
>  >  >  >>  >  Enforcing Mode                Enforcing
>  >  >  >>  >  Plugin Name                   catchall
>  >  >  >>  >  Host Name                     localhost.localdomain
>  >  >  >>  >  Platform                      Linux localhost.localdomain 2.6.24.4-64.fc8 #1 SMP
>  >  >  >>  >                                Sat Mar 29 09:15:49 EDT 2008 x86_64 x86_64
>  >  >  >>  >  Alert Count                   21
>  >  >  >>  >  First Seen                    Mon 14 Apr 2008 10:38:42 PM EDT
>  >  >  >>  >  Last Seen                     Mon 14 Apr 2008 10:38:43 PM EDT
>  >  >  >>  >  Local ID                      13bee4e4-ca74-488b-a4df-15f5bf78987f
>  >  >  >>  > Line Numbers
>  >  >  >>  >
>  >  >  >>  >  Raw Audit Messages
>  >  >  >>  >
>  >  >  >>  >  host=localhost.localdomain type=AVC msg=audit(1208227123.34:107): avc:
>  >  >  >>  >  denied  { connectto } for  pid=6314 comm="fail2ban-server"
>  >  >  >>  > path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
>  >  >  >>  > scontext=system_u:system_r:fail2ban_t:s0
>  >  >  >>  > tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket
>  >  >  >>  >
>  >  >  >>  >  host=localhost.localdomain type=SYSCALL msg=audit(1208227123.34:107):
>  >  >  >>  > arch=c000003e syscall=42 success=no exit=-13 a0=6 a1=7fffe5116700 a2=6e
>  >  >  >>  > a3=0 items=0 ppid=1 pid=6314 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0
>  >  >  >>  > egid=0 sgid=0 fsgid=0 tty=(none) comm="fail2ban-server"
>  >  >  >>  > exe="/usr/bin/python" subj=system_u:system_r:fail2ban_t:s0 key=(null)
>  >  >  >>  >
>  >  >  >>  >
>  >  >  >>  > Now that I have SETroubleshoot running I tried the sealert command
>  >  >  >>  > suggested in the log files:
>  >  >  >>  >
>  >  >  >>  > [root at localhost log]# sealert -l 6cb9955a-b9cf-470c-87d1-e72bfa4b1fe2
>  >  >  >>  > failed to connect to server: Connection refused
>  >  >  >>  > [root at localhost log]# sealert -l 6cb9955a-b9cf-470c-87d1-e72bfa4b1fe2
>  >  >  >>  > query_alerts error (1003): id (6cb9955a-b9cf-470c-87d1-e72bfa4b1fe2) not
>  >  >  >>  > found
>  >  >  >>  >
>  >  >  >>  > Ran it twice, second time it worked.
>  >  >  >>  > I hope I'm not confusing anyone, I'll repost the order of events if
>  >  >  >>  > need be. I hesitate to file a bug when it could just be me making rookie
>  >  >  >>  > mistakes. I will try to reproduce again tomorrow on this box and my
>  >  >  >>  > other F8 to see what I can see but if you have any advice it would be
>  >  >  >>  > gratefully received.
>  >  >  >>  >
>  >  >  >>  >
>  >  >  >>  > Max
>  >  >  >>  >
>  >  >  >>  Please send me your /var/log/audit/audit.log
>  >  >  >>
>  >  >  >>
>  >  >  > Looks like several drafts of my mail hit the list, sorry about that
>  >  >  > but I had to revise once setroubleshoot started working. Strange, I'll
>  >  >  > have to look into it later or maybe it's just Gmail or Thunderbird (time
>  >  >  > to fire up Wireshark!!). Anyway I'll send the audit.log from that box
>  >  >  > once I get back to it. Different F8 box (i686), installed fail2ban,
>  >  >  > started service and generated AVC (almost identical) but SETroubleshoot
>  >  >  > doesn't crash like it does on the x86_64 box, at least not so far. All
>  >  >  > of the following is from the i686 box; a portion of audit.log follows
>  >  >  > this AVC:
>  >  >  >
>  >  >  >
>  >  >  > Summary:
>  >  >  >
>  >  >  > SELinux is preventing fail2ban-server (fail2ban_t) "connectto" to
>  >  >  > 002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
>  >  >  > (rpm_t).
>  >  >  >
>  >  >  > Detailed Description:
>  >  >  >
>  >  >  > SELinux denied access requested by fail2ban-server. It is not expected that this
>  >  >  > access is required by fail2ban-server and this access may signal an intrusion
>  >  >  > attempt. It is also possible that the specific version or configuration of the
>  >  >  > application is causing it to require additional access.
>  >  >  >
>  >  >  > Allowing Access:
>  >  >  >
>  >  >  > You can generate a local policy module to allow this access - see FAQ
>  >  >  > (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
>  >  >  > SELinux protection altogether. Disabling SELinux protection is not recommended.
>  >  >  > Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
>  >  >  > against this package.
>  >  >  >
>  >  >  > Additional Information:
>  >  >  >
>  >  >  > Source Context                system_u:system_r:fail2ban_t
>  >  >  > Target Context                system_u:system_r:rpm_t
>  >  >  > Target Objects                002F746D702F66616D2D726F6F742D00000000000000000000
>  >  >  >                               00000000000000000000000000000000000000000000000000
>  >  >  >                               00000000000000000000000000000000000000000000000000
>  >  >  >                               00000000000000000000000000000000000000000000000000
>  >  >  >                               0000000000000000 [ unix_stream_socket ]
>  >  >  > Source                        fail2ban-server
>  >  >  > Source Path                   /usr/bin/python
>  >  >  > Port                          <Unknown>
>  >  >  > Host                          localhost.localdomain
>  >  >  > Source RPM Packages           python-2.5.1-15.fc8
>  >  >  > Target RPM Packages
>  >  >  > Policy RPM                    selinux-policy-3.0.8-95.fc8
>  >  >  > Selinux Enabled               True
>  >  >  > Policy Type                   targeted
>  >  >  > MLS Enabled                   True
>  >  >  > Enforcing Mode                Enforcing
>  >  >  > Plugin Name                   catchall
>  >  >  > Host Name                     localhost.localdomain
>  >  >  > Platform                      Linux localhost.localdomain 2.6.24.4-64.fc8 #1 SMP
>  >  >  >                               Sat Mar 29 09:54:46 EDT 2008 i686 athlon
>  >  >  > Alert Count                   26
>  >  >  > First Seen                    Wed 16 Apr 2008 08:39:06 AM EDT
>  >  >  > Last Seen                     Wed 16 Apr 2008 08:39:08 AM EDT
>  >  >  > Local ID                      ede0cda2-138a-4222-936b-289297d95cee
>  >  >  > Line Numbers
>  >  >  >
>  >  >  > Raw Audit Messages
>  >  >  >
>  >  >  > host=localhost.localdomain type=AVC msg=audit(1208349548.205:47): avc:
>  >  >  >  denied  { connectto } for  pid=3045 comm="fail2ban-server"
>  >  >  > path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
>  >  >  > scontext=system_u:system_r:fail2ban_t:s0
>  >  >  > tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket
>  >  >  >
>  >  >  > host=localhost.localdomain type=SYSCALL msg=audit(1208349548.205:47):
>  >  >  > arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfefa2b0
>  >  >  > a2=165110 a3=b7f9602c items=0 ppid=1 pid=3045 auid=500 uid=0 gid=0
>  >  >  > euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
>  >  >  > comm="fail2ban-server" exe="/usr/bin/python"
>  >  >  > subj=system_u:system_r:fail2ban_t:s0 key=(null)
>  >  >  >
>  >  >  >
>  >  >  >
>  >  >  >
>  >  >  >
>  >  >  >
>  >  >  > I am posting a portion of the audit.log relating to fail2ban as the
>  >  >  > entire log is quite large. If you want the whole thing unedited then I
>  >  >  > will attach it. I think this should be more than enough; I didn't
>  >  >  > parse it, just a simple copy and paste. I don't know what you may or
>  >  >  > may not find relevant here so it goes from a couple of entries before
>  >  >  > fail2ban is mentioned and a few after the last mention of fail2ban.
>  >  >  > Most of the entries look identical and end in key=(null); maybe I could
>  >  >  > just dismiss it but I take all the AVCs seriously until I know
>  >  >  > better:
>  >  >  >
>  >  >  >
>  >  >  > type=USER_START msg=audit(1208349505.423:21): user pid=2891 uid=500
>  >  >  > auid=500 subj=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023
>  >  >  > msg='op=PAM:session_open acct=root exe="/usr/sbin/userhelper"
>  >  >  > (hostname=?, addr=?, terminal=? res=success)'
>  >  >  > type=AVC msg=audit(1208349546.967:22): avc:  denied  { connectto } for
>  >  >  >  pid=3045 comm="fail2ban-server"
>  >  >  > path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
>  >  >  > scontext=system_u:system_r:fail2ban_t:s0
>  >  >  > tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket
>  >  >  > type=SYSCALL msg=audit(1208349546.967:22): arch=40000003 syscall=102
>  >  >  > success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0
>  >  >  > ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
>  >  >  > sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python"
>  >  >  > subj=system_u:system_r:fail2ban_t:s0 key=(null)
>  >  >  > type=AVC msg=audit(1208349546.976:23): avc:  denied  { connectto } for
>  >  >  >  pid=3045 comm="fail2ban-server"
>  >  >  > path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
>  >  >  > scontext=system_u:system_r:fail2ban_t:s0
>  >  >  > tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket
>  >  >  > type=SYSCALL msg=audit(1208349546.976:23): arch=40000003 syscall=102
>  >  >  > success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0
>  >  >  > ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
>  >  >  > sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python"
>  >  >  > subj=system_u:system_r:fail2ban_t:s0 key=(null)
>  >  >  > type=AVC msg=audit(1208349547.028:24): avc:  denied  { connectto } for
>  >  >  >  pid=3045 comm="fail2ban-server"
>  >  >  > path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
>  >  >  > scontext=system_u:system_r:fail2ban_t:s0
>  >  >  > tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket
>  >  >  > type=SYSCALL msg=audit(1208349547.028:24): arch=40000003 syscall=102
>  >  >  > success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0
>  >  >  > ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
>  >  >  > sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python"
>  >  >  > subj=system_u:system_r:fail2ban_t:s0 key=(null)
>  >  >  > type=AVC msg=audit(1208349547.080:25): avc:  denied  { connectto } for
>  >  >  >  pid=3045 comm="fail2ban-server"
>  >  >  > path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
>  >  >  > scontext=system_u:system_r:fail2ban_t:s0
>  >  >  > tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket
>  >  >  > type=SYSCALL msg=audit(1208349547.080:25): arch=40000003 syscall=102
>  >  >  > success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0
>  >  >  > ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
>  >  >  > sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python"
>  >  >  > subj=system_u:system_r:fail2ban_t:s0 key=(null)
>  >  >  > type=AVC msg=audit(1208349547.132:26): avc:  denied  { connectto } for
>  >  >  >  pid=3045 comm="fail2ban-server"
>  >  >  > path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
>  >  >  > scontext=system_u:system_r:fail2ban_t:s0
>  >  >  > tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket
>  >  >  > type=SYSCALL msg=audit(1208349547.132:26): arch=40000003 syscall=102
>  >  >  > success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0
>  >  >  > ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
>  >  >  > sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python"
>  >  >  > subj=system_u:system_r:fail2ban_t:s0 key=(null)
>  >  >  > type=AVC msg=audit(1208349547.184:27): avc:  denied  { connectto } for
>  >  >  >  pid=3045 comm="fail2ban-server"
>  >  >  > path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
>  >  >  > scontext=system_u:system_r:fail2ban_t:s0
>  >  >  > tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket
>  >  >  > type=SYSCALL msg=audit(1208349547.184:27): arch=40000003 syscall=102
>  >  >  > success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0
>  >  >  > ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
>  >  >  > sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python"
>  >  >  > subj=system_u:system_r:fail2ban_t:s0 key=(null)
>  >  >  > type=AVC msg=audit(1208349547.236:28): avc:  denied  { connectto } for
>  >  >  >  pid=3045 comm="fail2ban-server"
>  >  >  > path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
>  >  >  > scontext=system_u:system_r:fail2ban_t:s0
>  >  >  > tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket
>  >  >  > type=SYSCALL msg=audit(1208349547.236:28): arch=40000003 syscall=102
>  >  >  > success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0
>  >  >  > ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
>  >  >  > sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python"
>  >  >  > subj=system_u:system_r:fail2ban_t:s0 key=(null)
>  >  >  > type=AVC msg=audit(1208349547.288:29): avc:  denied  { connectto } for
>  >  >  >  pid=3045 comm="fail2ban-server"
>  >  >  > path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
>  >  >  > scontext=system_u:system_r:fail2ban_t:s0
>  >  >  > tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket
>  >  >  > type=SYSCALL msg=audit(1208349547.288:29): arch=40000003 syscall=102
>  >  >  > success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0
>  >  >  > ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
>  >  >  > sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python"
>  >  >  > subj=system_u:system_r:fail2ban_t:s0 key=(null)
>  >  >  > type=AVC msg=audit(1208349547.341:30): avc:  denied  { connectto } for
>  >  >  >  pid=3045 comm="fail2ban-server"
>  >  >  > path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
>  >  >  > scontext=system_u:system_r:fail2ban_t:s0
>  >  >  > tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket
>  >  >  > type=SYSCALL msg=audit(1208349547.341:30): arch=40000003 syscall=102
>  >  >  > success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0
>  >  >  > ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
>  >  >  > sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python"
>  >  >  > subj=system_u:system_r:fail2ban_t:s0 key=(null)
>  >  >  > type=AVC msg=audit(1208349547.393:31): avc:  denied  { connectto } for
>  >  >  >  pid=3045 comm="fail2ban-server"
>  >  >  > path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
>  >  >  > scontext=system_u:system_r:fail2ban_t:s0
>  >  >  > tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket
>  >  >  > type=SYSCALL msg=audit(1208349547.393:31): arch=40000003 syscall=102
>  >  >  > success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0
>  >  >  > ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
>  >  >  > sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python"
>  >  >  > subj=system_u:system_r:fail2ban_t:s0 key=(null)
>  >  >  > type=AVC msg=audit(1208349547.445:32): avc:  denied  { connectto } for
>  >  >  >  pid=3045 comm="fail2ban-server"
>  >  >  > path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
>  >  >  > scontext=system_u:system_r:fail2ban_t:s0
>  >  >  > tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket
>  >  >  > type=SYSCALL msg=audit(1208349547.445:32): arch=40000003 syscall=102
>  >  >  > success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0
>  >  >  > ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
>  >  >  > sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python"
>  >  >  > subj=system_u:system_r:fail2ban_t:s0 key=(null)
>  >  >  > type=AVC msg=audit(1208349547.497:33): avc:  denied  { connectto } for
>  >  >  >  pid=3045 comm="fail2ban-server"
>  >  >  > path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
>  >  >  > scontext=system_u:system_r:fail2ban_t:s0
>  >  >  > tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket
>  >  >  > type=SYSCALL msg=audit(1208349547.497:33): arch=40000003 syscall=102
>  >  >  > success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0
>  >  >  > ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
>  >  >  > sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python"
>  >  >  > subj=system_u:system_r:fail2ban_t:s0 key=(null)
>  >  >  > type=USER_AUTH msg=audit(1208350171.618:48): user pid=3098 uid=500
>  >  >  > auid=500 subj=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023
>  >  >  > msg='op=PAM:authentication acct=root exe="/usr/sbin/userhelper"
>  >  >  > (hostname=?, addr=?, terminal=? res=success)'
>  >  >  > type=USER_ACCT msg=audit(1208350171.620:49): user pid=3098 uid=500
>  >  >  > auid=500 subj=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023
>  >  >  > msg='op=PAM:accounting acct=root exe="/usr/sbin/userhelper"
>  >  >  > (hostname=?, addr=?, terminal=? res=success)'
>  >  >  > type=USER_START msg=audit(1208350171.650:50): user pid=3098 uid=500
>  >  >  > auid=500 subj=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023
>  >  >  > msg='op=PAM:session_open acct=root exe="/usr/sbin/userhelper"
>  >  >  > (hostname=?, addr=?, terminal=? res=success)'
>  >  >  > type=USER_AUTH msg=audit(1208350461.693:51): user pid=3142 uid=500
>  >  >  > auid=500 subj=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023
>  >  >  > msg='op=PAM:authentication acct=root exe="/bin/su" (hostname=?,
>  >  >  > addr=?, terminal=pts/1 res=success)'
>  >  >  > type=USER_ACCT msg=audit(1208350461.697:52): user pid=3142 uid=500
>  >  >  > auid=500 subj=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023
>  >  >  > msg='op=PAM:accounting acct=root exe="/bin/su" (hostname=?, addr=?,
>  >  >  > terminal=pts/1 res=success)'
>  >  >  > type=USER_START msg=audit(1208350461.711:53): user pid=3142 uid=500
>  >  >  > auid=500 subj=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023
>  >  >  > msg='op=PAM:session_open acct=root exe="/bin/su" (hostname=?, addr=?,
>  >  >  > terminal=pts/1 res=success)'
>  >  >  >
>  >  >  > Thanks for the help,
>  >  >  >
>  >  >  This is either a leaked file descriptor or gam_server running as rpm_t.
>  >  >
>  >  >  ps -eZ | grep rpm_t
>  >  >
>  >  >  fail2ban should not be trying to communicate with a service running
>  >  >  rpm_t.  If you find gam_server running as rpm_t kill it and fail2ban
>  >  >  should work.
>  >  >
>  >  >
>  >  [root at localhost ~]# ps -eZ | grep rpm_t
>  >  system_u:system_r:rpm_t          2585 ?        00:00:00 yum-updatesd
>  >  system_u:system_r:rpm_t          2587 ?        00:00:00 gam_server
>  >
>  >  I'll kill the gam_server as you suggest. I will try the same on the x86_64 box
>  >  to see if it's the same problem. If it's not then I will post the
>  >  audit.log from it that I promised yesterday. Either way I'll post back
>  >  once I get in front of the other F8 box.
>  >
>  >  Thanks again,
>  >
>  >  Max
>  >
>  I'm not in front of the other box yet but I killed the other instance
>  of gam_server and reran the command.
>
> [root at localhost ~]# ps -eZ | grep rpm_t
>  system_u:system_r:rpm_t          2585 ?        00:00:00 yum-updatesd
>  system_u:system_r:rpm_t          4074 ?        00:00:00 gam_server
>
>  it came back right away so I killed it again and rechecked several
>  times and now it appears to have finally died.
>  [root at localhost ~]# kill 4074
>
>
> [root at localhost ~]# ps -eZ | grep rpm_t
>  system_u:system_r:rpm_t          2585 ?        00:00:00 yum-updatesd
>
>
>  Max
>
Gmail is buggy for some reason. I'll try and keep this coherent. On
the i686 box, after I found and killed gam_server (I had to do it
twice for it to stay dead) I then got a couple more AVCs (posting
AVCs and observations follow):

SELinux is preventing iptables (iptables_t) "read write" to socket (fail2ban_t).

Detailed Description:

SELinux denied access requested by iptables. It is not expected that this access
is required by iptables and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:iptables_t
Target Context                system_u:system_r:fail2ban_t
Target Objects                socket [ unix_stream_socket ]
Source                        iptables
Source Path                   /sbin/iptables
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           iptables-1.3.8-6.fc8
Target RPM Packages
Policy RPM                    selinux-policy-3.0.8-95.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.24.4-64.fc8 #1 SMP
                              Sat Mar 29 09:54:46 EDT 2008 i686 athlon
Alert Count                   12
First Seen                    Thu 17 Apr 2008 01:47:41 PM EDT
Last Seen                     Thu 17 Apr 2008 02:19:47 PM EDT
Local ID                      b0d85376-fbd1-48a7-8dff-65a0ff3c4148
Line Numbers

Raw Audit Messages

host=localhost.localdomain type=AVC msg=audit(1208456387.335:77): avc:
 denied  { read write } for  pid=4622 comm="iptables"
path="socket:[35210]" dev=sockfs ino=35210
scontext=system_u:system_r:iptables_t:s0
tcontext=system_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket

host=localhost.localdomain type=AVC msg=audit(1208456387.335:77): avc:
 denied  { read write } for  pid=4622 comm="iptables"
path="socket:[35227]" dev=sockfs ino=35227
scontext=system_u:system_r:iptables_t:s0
tcontext=system_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket

host=localhost.localdomain type=AVC msg=audit(1208456387.335:77): avc:
 denied  { read write } for  pid=4622 comm="iptables"
path="socket:[35683]" dev=sockfs ino=35683
scontext=system_u:system_r:iptables_t:s0
tcontext=system_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket

host=localhost.localdomain type=SYSCALL msg=audit(1208456387.335:77):
arch=40000003 syscall=11 success=yes exit=0 a0=9a5af50 a1=9a5a998
a2=9a5afa8 a3=40 items=0 ppid=4571 pid=4622 auid=500 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="iptables"
exe="/sbin/iptables" subj=system_u:system_r:iptables_t:s0 key=(null)



OK. That one is about iptables. As soon as I started fail2ban, the log
showed 3 AVCs as above. Stop fail2ban and three more generated. Did
it twice to see if it was consistent. Started fail2ban twice; each
time I started it, it generated 3 AVCs as above, same when I stopped it,
generated 3 AVCs per instance. So 12 total. When I stopped fail2ban,
within a couple of minutes (can't be more exact, didn't have a
stopwatch) I saw a new AVC (only after it stops, observations follow AVC):

Summary:

SELinux is preventing gam_server (fail2ban_t) "getattr" to / (fs_t).

Detailed Description:

SELinux denied access requested by gam_server. It is not expected that this
access is required by gam_server and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:fail2ban_t
Target Context                system_u:object_r:fs_t
Target Objects                / [ filesystem ]
Source                        gam_server
Source Path                   <Unknown>
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages
Target RPM Packages           filesystem-2.4.11-1.fc8
Policy RPM                    selinux-policy-3.0.8-95.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.24.4-64.fc8 #1 SMP
                              Sat Mar 29 09:54:46 EDT 2008 i686 athlon
Alert Count                   2
First Seen                    Thu 17 Apr 2008 01:52:02 PM EDT
Last Seen                     Thu 17 Apr 2008 02:20:17 PM EDT
Local ID                      9ce8514d-7677-4bb5-a59d-f70c8e8c755f
Line Numbers

Raw Audit Messages

host=localhost.localdomain type=AVC msg=audit(1208456417.400:78): avc:
 denied  { getattr } for  pid=4573 comm="gam_server" name="/" dev=dm-0
ino=2 scontext=system_u:system_r:fail2ban_t:s0
tcontext=system_u:object_r:fs_t:s0 tclass=filesystem


OK. After I stop fail2ban I get one instance of this AVC related to
gam_server. I started and stopped fail2ban twice, so two AVCs related
to gam_server, one after each time I stop fail2ban. No, I don't think
anyone is stupid, just being clear for my sake and yours. Also ran:
ps -eZ | grep rpm_t   gam_server still dead. That was on the i686 box. BTW
I had to kill gam_server twice on the x86_64 box for it to stay dead, same
as on i686. The x86_64 box is the same for the iptables AVC. Same
ratio, 3 AVCs generated when starting fail2ban and 3 AVCs when
stopping fail2ban. The difference is that the AVC generated after you
stop fail2ban is related to sendmail (observations follow AVC):

Summary:

SELinux is preventing sendmail (system_mail_t) "read write" to socket
(fail2ban_t).

Detailed Description:

SELinux denied access requested by sendmail. It is not expected that this access
is required by sendmail and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:system_mail_t:s0
Target Context                system_u:system_r:fail2ban_t:s0
Target Objects                socket [ unix_stream_socket ]
Source                        sendmail
Source Path                   /usr/sbin/sendmail.sendmail
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           sendmail-8.14.2-1.fc8
Target RPM Packages
Policy RPM                    selinux-policy-3.0.8-95.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.24.4-64.fc8 #1 SMP
                              Sat Mar 29 09:15:49 EDT 2008 x86_64 x86_64
Alert Count                   2
First Seen                    Thu 17 Apr 2008 08:28:37 PM EDT
Last Seen                     Thu 17 Apr 2008 08:30:34 PM EDT
Local ID                      10c3cca0-4bc2-4fcf-845a-0b0cc2793482
Line Numbers

Raw Audit Messages

host=localhost.localdomain type=AVC msg=audit(1208478634.133:31): avc:
 denied  { read write } for  pid=3345 comm="sendmail"
path="socket:[22805]" dev=sockfs ino=22805
scontext=system_u:system_r:system_mail_t:s0
tcontext=system_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket

host=localhost.localdomain type=AVC msg=audit(1208478634.133:31): avc:
 denied  { read write } for  pid=3345 comm="sendmail"
path="socket:[22823]" dev=sockfs ino=22823
scontext=system_u:system_r:system_mail_t:s0
tcontext=system_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket

host=localhost.localdomain type=AVC msg=audit(1208478634.133:31): avc:
 denied  { read write } for  pid=3345 comm="sendmail"
path="socket:[23071]" dev=sockfs ino=23071
scontext=system_u:system_r:system_mail_t:s0
tcontext=system_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket

host=localhost.localdomain type=SYSCALL msg=audit(1208478634.133:31):
arch=c000003e syscall=59 success=yes exit=0 a0=8c9860 a1=8c98a0
a2=8c96f0 a3=37e81529f0 items=0 ppid=3343 pid=3345 auid=500 uid=0
gid=0 euid=0 suid=0 fsuid=0 egid=51 sgid=51 fsgid=51 tty=(none)
comm="sendmail" exe="/usr/sbin/sendmail.sendmail"
subj=system_u:system_r:system_mail_t:s0 key=(null)

Checked processes on x86_64: no sendmail was or is running. The service
isn't usually running and isn't now.
Looks like a policy bug or both boxes have been tampered with, you
tell me. Sulphur is here so they will get nuked soon enough. The
sendmail bug may explain the strange behavior I have seen out of
Thunderbird and Gmail, but the sendmail AVC is only generated on the x86_64
box, which incidentally is where I saw weird behavior out of
Thunderbird, but that may be a separate issue. I don't think there is
enough evidence yet to make that conclusion despite my feeling that it
is related; I'll just have to keep my eyes peeled. I would file a bug
report but I'd like to understand this first so I might suggest, even
if I can't code, a fix, but if you have to explain it ...the bug would
end up being read by someone that subscribes to this list so.....let
me know, I will file it if you ask me to. If logs, etc. are needed I
will supply them, but if it's a genuine bug it should be easily
reproducible in under 30 minutes. I checked for processes running as
fs_t and system_mail_t before, during, and after starting/stopping
fail2ban on the x86_64 box; I don't see anything. I feel like I am
forgetting something, anyway let me know about the bug report or if
you want more logs etc...

Thanks,

Max
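
Added example, not part of the original message or of any fail2ban or SELinux tooling: a small triage script for the audit records quoted in this thread. It decodes the hex-encoded `path=` field, groups denials by source type, target type, class and permission, and flags denials on an inherited `socket:[inode]` logged on the same event as a successful execve, which is the usual signature of a descriptor leaked across exec. The function names and verdict labels are the example's own, the exec heuristic is an assumption, and the sample records are copied from the message above, joined onto one line each and abridged.

```python
import re
from collections import Counter

# Records from the message above, one per line and abridged (SYSCALL fields
# trimmed, zero padding of the hex path shortened).
SAMPLE = """\
type=AVC msg=audit(1208349547.497:33): avc:  denied  { connectto } for  pid=3045 comm="fail2ban-server" path=002F746D702F66616D2D726F6F742D0000000000 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1208349547.497:33): arch=40000003 syscall=102 success=no exit=-13 pid=3045 comm="fail2ban-server" exe="/usr/bin/python"
host=localhost.localdomain type=AVC msg=audit(1208456387.335:77): avc:  denied  { read write } for  pid=4622 comm="iptables" path="socket:[35210]" dev=sockfs ino=35210 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket
host=localhost.localdomain type=AVC msg=audit(1208456387.335:77): avc:  denied  { read write } for  pid=4622 comm="iptables" path="socket:[35227]" dev=sockfs ino=35227 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket
host=localhost.localdomain type=SYSCALL msg=audit(1208456387.335:77): arch=40000003 syscall=11 success=yes exit=0 pid=4622 comm="iptables" exe="/sbin/iptables"
host=localhost.localdomain type=AVC msg=audit(1208456417.400:78): avc:  denied  { getattr } for  pid=4573 comm="gam_server" name="/" dev=dm-0 ino=2 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
host=localhost.localdomain type=AVC msg=audit(1208478634.133:31): avc:  denied  { read write } for  pid=3345 comm="sendmail" path="socket:[22805]" dev=sockfs ino=22805 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket
host=localhost.localdomain type=SYSCALL msg=audit(1208478634.133:31): arch=c000003e syscall=59 success=yes exit=0 pid=3345 comm="sendmail" exe="/usr/sbin/sendmail.sendmail"
"""

# audit arch value -> execve syscall number (i386 and x86_64)
EXECVE = {"40000003": "11", "c000003e": "59"}

EVENT_RE = re.compile(r"type=(\w+) msg=audit\((\d+\.\d+:\d+)\):")
PERMS_RE = re.compile(r"denied\s+\{ ([^}]+) \} for")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def decode_path(value):
    """Return a readable path; audit hex-encodes names that hold unsafe bytes."""
    if value.startswith('"'):
        return value.strip('"')
    try:
        raw = bytes.fromhex(value).rstrip(b"\0")
    except ValueError:
        return value  # unquoted but not hex, e.g. (null)
    # A leading NUL marks an abstract-namespace unix socket, shown here as '@'.
    if raw.startswith(b"\0"):
        return "@" + raw[1:].decode("utf-8", "replace")
    return raw.decode("utf-8", "replace")


def parse(log):
    """Group records by audit event id: {id: {'avcs': [...], 'syscall': {...}}}."""
    events = {}
    for line in log.splitlines():
        head = EVENT_RE.search(line)
        if not head:
            continue
        rtype, event_id = head.groups()
        fields = dict(FIELD_RE.findall(line))
        event = events.setdefault(event_id, {"avcs": [], "syscall": {}})
        perms = PERMS_RE.search(line)
        if rtype == "AVC" and perms:
            fields["perms"] = perms.group(1).split()
            event["avcs"].append(fields)
        elif rtype == "SYSCALL":
            event["syscall"] = fields
    return events


def classify(events):
    """Count denials per (source type, target type, class, perms, verdict)."""
    counts = Counter()
    for event in events.values():
        sc = event["syscall"]
        execve_nr = EXECVE.get(sc.get("arch"))
        at_exec = (execve_nr is not None and sc.get("syscall") == execve_nr
                   and sc.get("success") == "yes")
        for avc in event["avcs"]:
            src = avc["scontext"].split(":")[2]
            tgt = avc["tcontext"].split(":")[2]
            path = decode_path(avc.get("path", '""'))
            if at_exec and path.startswith("socket:["):
                verdict = "inherited descriptor at exec"  # heuristic (assumption)
            elif "connectto" in avc["perms"]:
                verdict = "connect to " + path
            else:
                verdict = "other"
            counts[(src, tgt, avc["tclass"], " ".join(avc["perms"]), verdict)] += 1
    return counts


if __name__ == "__main__":
    for key, n in sorted(classify(parse(SAMPLE)).items()):
        print(n, *key, sep="  ")
```

On a live system the same functions can be fed the one-record-per-line output of `ausearch -m AVC --raw` instead of `SAMPLE`.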



