Selinux & Fail2Ban
Arthur Dent
misc.lists at blueyonder.co.uk
Tue Dec 8 20:43:32 UTC 2009
On Mon, 2009-12-07 at 23:51 +0100, Dominick Grift wrote:
> > > > > > > > [Snip]
> > > >
> > > > # matchpathcon /usr/bin/fail2ban-server
> > > > /usr/bin/fail2ban-server system_u:object_r:fail2ban_exec_t:s0
> > > >
> > > > Is that what you would expect to see?
> > >
> > > yes, now the question is, is the path labeled the way it should be:
> > >
> > > ls -alZ /usr/bin/fail2ban-server
> >
> > # ls -alZ /usr/bin/fail2ban-server
> > -rwxr-xr-x. root root unconfined_u:object_r:bin_t:s0 /usr/bin/fail2ban-server
> >
> > Hmmmm...
> >
> > # restorecon -v /usr/bin/fail2ban-server
> > restorecon reset /usr/bin/fail2ban-server context unconfined_u:object_r:bin_t:s0->system_u:object_r:fail2ban_exec_t:s0
> >
> > # ls -alZ /usr/bin/fail2ban-server
> > -rwxr-xr-x. root root system_u:object_r:fail2ban_exec_t:s0 /usr/bin/fail2ban-server
> >
> > Ahhh...
> >
> > Is that more like it?
>
> Yes, that should get you at least a little closer. I am wondering what else may be mislabeled on your system.
>
> maybe a relabel/fixfiles restore is in order...
Yes. Good advice.
As it happens there was a new selinux policy available today (using yum
update):
# rpm -q selinux-policy selinux-policy-targeted
selinux-policy-3.6.12-91.fc11.noarch
selinux-policy-targeted-3.6.12-91.fc11.noarch
I removed two of my local policies (log rotation and fail2ban) and put
selinux into permissive mode.
Having updated I did a "touch /.autorelabel; reboot"
Following your 7-point plan, I believe I am now at stage 6?
{
1) I believe there is a type created for the process? (fail2ban_exec)
2) I believe there is a type for the executable file (fail2ban_exec)
3) declare the two types init_daemon_domain(). (Not sure about this)
4) The executable file is labelled with the type fail2ban_exec
5) I have started the service (in permissive mode).
}
I got 5 AVCs. 2 on startup and 3 when fail2ban actually hit on a rule.
(Copies of the AVCs below)
So - point 6: Using audit2allow I get this:
=================8<============================================
module myfail2ban 11.2.1;
require {
type iptables_t;
type system_mail_t;
type fail2ban_t;
class unix_stream_socket { read write };
}
#============= iptables_t ==============
allow iptables_t fail2ban_t:unix_stream_socket { read write };
#============= system_mail_t ==============
allow system_mail_t fail2ban_t:unix_stream_socket { read write };
=================8<============================================
So what do you think?
Am I on the right track?
Thanks again for all your help.
Mark
AVCs (I think a couple may be duplicates - I'm running in permissive
mode):
Raw Audit Messages :
node=troodos.org.uk type=AVC msg=audit(1260298720.4:21): avc: denied { read write } for pid=1907 comm="iptables" path="socket:[16217]" dev=sockfs ino=16217 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket
node=troodos.org.uk type=SYSCALL msg=audit(1260298720.4:21): arch=40000003 syscall=11 success=yes exit=0 a0=8a1a250 a1=8a1a460 a2=8a19738 a3=8a1a460 items=0 ppid=1906 pid=1907 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables" exe="/sbin/iptables" subj=system_u:system_r:iptables_t:s0 key=(null)
Raw Audit Messages :
node=troodos.org.uk type=AVC msg=audit(1260298720.169:22): avc: denied { read write } for pid=1921 comm="sendmail" path="socket:[16217]" dev=sockfs ino=16217 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket
node=troodos.org.uk type=SYSCALL msg=audit(1260298720.169:22): arch=40000003 syscall=11 success=yes exit=0 a0=85867d0 a1=8587798 a2=8587670 a3=8587798 items=0 ppid=1919 pid=1921 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=51 sgid=51 fsgid=51 tty=(none) ses=4294967295 comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=system_u:system_r:system_mail_t:s0 key=(null)
Raw Audit Messages :
node=troodos.org.uk type=AVC msg=audit(1260301404.622:121): avc: denied { read write } for pid=2799 comm="iptables" path="socket:[16217]" dev=sockfs ino=16217 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket
node=troodos.org.uk type=SYSCALL msg=audit(1260301404.622:121): arch=40000003 syscall=11 success=yes exit=0 a0=88b13e0 a1=88b1618 a2=88b06f8 a3=88b1618 items=0 ppid=2798 pid=2799 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables" exe="/sbin/iptables" subj=system_u:system_r:iptables_t:s0 key=(null)
Raw Audit Messages :
node=troodos.org.uk type=AVC msg=audit(1260301405.169:122): avc: denied { read write } for pid=2804 comm="iptables" path="socket:[16217]" dev=sockfs ino=16217 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket
node=troodos.org.uk type=SYSCALL msg=audit(1260301405.169:122): arch=40000003 syscall=11 success=yes exit=0 a0=96e3418 a1=96e3718 a2=96e2700 a3=96e3718 items=0 ppid=1901 pid=2804 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables" exe="/sbin/iptables" subj=system_u:system_r:iptables_t:s0 key=(null)
Raw Audit Messages :
node=troodos.org.uk type=AVC msg=audit(1260301405.212:123): avc: denied { read write } for pid=2811 comm="sendmail" path="socket:[16217]" dev=sockfs ino=16217 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket
node=troodos.org.uk type=SYSCALL msg=audit(1260301405.212:123): arch=40000003 syscall=11 success=yes exit=0 a0=a119518 a1=a119a48 a2=a119750 a3=a119a48 items=0 ppid=2807 pid=2811 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=51 sgid=51 fsgid=51 tty=(none) ses=4294967295 comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=system_u:system_r:system_mail_t:s0 key=(null)
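An added example, not part of the thread and not fail2ban's or the reference policy's own code: a Python script that parses the raw AVC records posted above, groups them by source type, target type and object class the way audit2allow does, and renders the same two allow rules. It also reports every (dev, ino) object that is reached from more than one source domain. In the records above that is one socket, dev=sockfs ino=16217 owned by fail2ban_t, reached from both iptables_t and system_mail_t; a single socket showing up in every child's denial usually means a descriptor inherited across exec from the parent rather than something each child opened itself, and in that case the narrower response is to have the parent close the descriptor (or to dontaudit the access) instead of allowing read/write on it. The sample input is the thread's own AVC lines plus one SYSCALL record, included only to show that non-AVC records are skipped.

```python
"""Summarise raw SELinux AVC denials the way audit2allow does, and flag
kernel objects that several source domains are denied access to."""
import re
from collections import defaultdict

# Sample input: the five AVC lines quoted in the thread above, plus one
# SYSCALL record (shortened) to show that non-AVC records are ignored.
SAMPLE_AUDIT = """\
node=troodos.org.uk type=AVC msg=audit(1260298720.4:21): avc: denied { read write } for pid=1907 comm="iptables" path="socket:[16217]" dev=sockfs ino=16217 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket
node=troodos.org.uk type=SYSCALL msg=audit(1260298720.4:21): arch=40000003 syscall=11 success=yes exit=0 ppid=1906 pid=1907 comm="iptables" exe="/sbin/iptables" subj=system_u:system_r:iptables_t:s0 key=(null)
node=troodos.org.uk type=AVC msg=audit(1260298720.169:22): avc: denied { read write } for pid=1921 comm="sendmail" path="socket:[16217]" dev=sockfs ino=16217 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket
node=troodos.org.uk type=AVC msg=audit(1260301404.622:121): avc: denied { read write } for pid=2799 comm="iptables" path="socket:[16217]" dev=sockfs ino=16217 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket
node=troodos.org.uk type=AVC msg=audit(1260301405.169:122): avc: denied { read write } for pid=2804 comm="iptables" path="socket:[16217]" dev=sockfs ino=16217 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket
node=troodos.org.uk type=AVC msg=audit(1260301405.212:123): avc: denied { read write } for pid=2811 comm="sendmail" path="socket:[16217]" dev=sockfs ino=16217 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket
"""

# "type=AVC ... avc: denied { perm perm } for key=value key="value" ..."
AVC_RE = re.compile(
    r"type=AVC\b.*?\bavc:\s+(?P<verdict>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC record, or None for any other audit record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"verdict": m.group("verdict"), "perms": set(m.group("perms").split())}
    for key, val in FIELD_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    return rec


def type_of(context):
    """user:role:type:level -> type, the component allow rules are written on."""
    return context.split(":")[2]


def summarise(text):
    """Group denials by (source type, target type, class), as audit2allow does."""
    groups = defaultdict(lambda: {"perms": set(), "count": 0, "objects": set()})
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
        g = groups[key]
        g["perms"] |= rec["perms"]
        g["count"] += 1
        g["objects"].add((rec.get("dev"), rec.get("ino")))
    return dict(groups)


def allow_rules(groups):
    """Render the grouped denials as the allow rules audit2allow would emit."""
    rules = []
    for (src, tgt, cls), g in sorted(groups.items()):
        rules.append("allow %s %s:%s { %s };" % (src, tgt, cls, " ".join(sorted(g["perms"]))))
    return rules


def shared_objects(groups):
    """Objects (dev, ino) denied to more than one source type.

    For a socket, one object reached from several exec'd domains points to a
    descriptor the parent left open across exec, not to connections each child
    made on its own."""
    seen = defaultdict(set)
    for (src, tgt, cls), g in groups.items():
        for obj in g["objects"]:
            seen[(obj, tgt, cls)].add(src)
    return {k: srcs for k, srcs in seen.items() if len(srcs) > 1}


if __name__ == "__main__":
    groups = summarise(SAMPLE_AUDIT)
    for rule in allow_rules(groups):
        print(rule)
    for (obj, tgt, cls), srcs in shared_objects(groups).items():
        print("object %s:%s (%s owned by %s) reached from %s"
              % (obj[0], obj[1], cls, tgt, ", ".join(sorted(srcs))))
```

Run it as-is to see the two rules from the thread and the shared-socket report; to run it on a live machine, feed it the output of `ausearch -m avc` instead of SAMPLE_AUDIT.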
More information about the fedora-selinux-list mailing list