Selinux & Fail2Ban

Arthur Dent misc.lists at blueyonder.co.uk
Tue Dec 8 20:43:32 UTC 2009


On Mon, 2009-12-07 at 23:51 +0100, Dominick Grift wrote:

> > > > > > > > [Snip]

> > > > 
> > > > # matchpathcon /usr/bin/fail2ban-server
> > > > /usr/bin/fail2ban-server	system_u:object_r:fail2ban_exec_t:s0
> > > > 
> > > > Is that what you would expect to see?
> > > 
> > > yes, now the question is, is the path labeled the way it should be:
> > > 
> > > ls -alZ /usr/bin/fail2ban-server
> > 
> > # ls -alZ /usr/bin/fail2ban-server
> > -rwxr-xr-x. root root unconfined_u:object_r:bin_t:s0   /usr/bin/fail2ban-server
> > 
> > Hmmmm...
> > 
> > # restorecon -v /usr/bin/fail2ban-server
> > restorecon reset /usr/bin/fail2ban-server context unconfined_u:object_r:bin_t:s0->system_u:object_r:fail2ban_exec_t:s0
> > 
> > # ls -alZ /usr/bin/fail2ban-server
> > -rwxr-xr-x. root root system_u:object_r:fail2ban_exec_t:s0 /usr/bin/fail2ban-server
> > 
> > Ahhh...
> > 
> > Is that more like it?
> 
> Yes, that should get you at least a little closer. I am wondering what else may be mislabeled on your system.
> 
> maybe a relabel/fixfiles restore is in order...

Yes. Good advice.

As it happens there was a new selinux policy available today (using yum
update):
# rpm -q selinux-policy selinux-policy-targeted
selinux-policy-3.6.12-91.fc11.noarch
selinux-policy-targeted-3.6.12-91.fc11.noarch


I removed two of my local policies (log rotation and fail2ban) and put
selinux into permissive mode.

Having updated I did a "touch /.autorelabel; reboot"

Following your 7-point plan, I believe I am now at stage 6?
{
1) I believe there is a type created for the process? (fail2ban_exec)
2) I believe there is a type for the executable file (fail2ban_exec)
3) declare the two types init_daemon_domain(). (Not sure about this)
4) The executable file is labelled with the type fail2ban_exec
5) I have started the service (in permissive mode).
}

I got 5 AVCs: 2 on startup and 3 when fail2ban actually hit on a rule.
(Copies of the AVCs below.)

So - point 6: Using audit2allow I get this:

=================8<============================================

module myfail2ban 11.2.1;

require {
	type iptables_t;
	type system_mail_t;
	type fail2ban_t;
	class unix_stream_socket { read write };
}

#============= iptables_t ==============
allow iptables_t fail2ban_t:unix_stream_socket { read write };

#============= system_mail_t ==============
allow system_mail_t fail2ban_t:unix_stream_socket { read write };

=================8<============================================

So what do you think?

Am I on the right track?

Thanks again for all your help.

Mark


AVCs (I think a couple may be duplicates - I'm running in permissive
mode):

Raw Audit Messages :

node=troodos.org.uk type=AVC msg=audit(1260298720.4:21): avc: denied { read write } for pid=1907 comm="iptables" path="socket:[16217]" dev=sockfs ino=16217 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket 
node=troodos.org.uk type=SYSCALL msg=audit(1260298720.4:21): arch=40000003 syscall=11 success=yes exit=0 a0=8a1a250 a1=8a1a460 a2=8a19738 a3=8a1a460 items=0 ppid=1906 pid=1907 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables" exe="/sbin/iptables" subj=system_u:system_r:iptables_t:s0 key=(null) 

Raw Audit Messages :

node=troodos.org.uk type=AVC msg=audit(1260298720.169:22): avc: denied { read write } for pid=1921 comm="sendmail" path="socket:[16217]" dev=sockfs ino=16217 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket 
node=troodos.org.uk type=SYSCALL msg=audit(1260298720.169:22): arch=40000003 syscall=11 success=yes exit=0 a0=85867d0 a1=8587798 a2=8587670 a3=8587798 items=0 ppid=1919 pid=1921 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=51 sgid=51 fsgid=51 tty=(none) ses=4294967295 comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=system_u:system_r:system_mail_t:s0 key=(null) 

Raw Audit Messages :

node=troodos.org.uk type=AVC msg=audit(1260301404.622:121): avc: denied { read write } for pid=2799 comm="iptables" path="socket:[16217]" dev=sockfs ino=16217 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket 
node=troodos.org.uk type=SYSCALL msg=audit(1260301404.622:121): arch=40000003 syscall=11 success=yes exit=0 a0=88b13e0 a1=88b1618 a2=88b06f8 a3=88b1618 items=0 ppid=2798 pid=2799 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables" exe="/sbin/iptables" subj=system_u:system_r:iptables_t:s0 key=(null) 

Raw Audit Messages :

node=troodos.org.uk type=AVC msg=audit(1260301405.169:122): avc: denied { read write } for pid=2804 comm="iptables" path="socket:[16217]" dev=sockfs ino=16217 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket 
node=troodos.org.uk type=SYSCALL msg=audit(1260301405.169:122): arch=40000003 syscall=11 success=yes exit=0 a0=96e3418 a1=96e3718 a2=96e2700 a3=96e3718 items=0 ppid=1901 pid=2804 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables" exe="/sbin/iptables" subj=system_u:system_r:iptables_t:s0 key=(null) 

Raw Audit Messages :

node=troodos.org.uk type=AVC msg=audit(1260301405.212:123): avc: denied { read write } for pid=2811 comm="sendmail" path="socket:[16217]" dev=sockfs ino=16217 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket 
node=troodos.org.uk type=SYSCALL msg=audit(1260301405.212:123): arch=40000003 syscall=11 success=yes exit=0 a0=a119518 a1=a119a48 a2=a119750 a3=a119a48 items=0 ppid=2807 pid=2811 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=51 sgid=51 fsgid=51 tty=(none) ses=4294967295 comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=system_u:system_r:system_mail_t:s0 key=(null) 
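The module quoted in the message above is what audit2allow builds mechanically from the raw AVC records: it keys every denial on (source type, target type, object class), unions the denied permissions, and emits one allow rule per key plus a require block. The script below is an added example, not part of the original post or of the audit2allow tool; it reproduces that step in Python over the five AVC lines from this message (copied verbatim as sample input, SYSCALL records omitted) so the two resulting allow rules can be checked against the posted module. The module name and version are taken from the post; the function names are this example's own.

```python
import re

# Sample input: the AVC records copied from the message above. The matching
# SYSCALL records are left out because audit2allow-style rule generation
# only needs the AVC line. Duplicates are expected in permissive mode.
SAMPLE_AVCS = """\
node=troodos.org.uk type=AVC msg=audit(1260298720.4:21): avc: denied { read write } for pid=1907 comm="iptables" path="socket:[16217]" dev=sockfs ino=16217 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket
node=troodos.org.uk type=AVC msg=audit(1260298720.169:22): avc: denied { read write } for pid=1921 comm="sendmail" path="socket:[16217]" dev=sockfs ino=16217 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket
node=troodos.org.uk type=AVC msg=audit(1260301404.622:121): avc: denied { read write } for pid=2799 comm="iptables" path="socket:[16217]" dev=sockfs ino=16217 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket
node=troodos.org.uk type=AVC msg=audit(1260301405.169:122): avc: denied { read write } for pid=2804 comm="iptables" path="socket:[16217]" dev=sockfs ino=16217 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket
node=troodos.org.uk type=AVC msg=audit(1260301405.212:123): avc: denied { read write } for pid=2811 comm="sendmail" path="socket:[16217]" dev=sockfs ino=16217 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket
""".splitlines()

# Matches the fields an allow rule needs: the denied permission set, the
# source and target security contexts, and the object class.
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?scontext=(?P<scontext>\S+)"
    r".*?tcontext=(?P<tcontext>\S+)"
    r".*?tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Return the type field of a user:role:type[:range] security context."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one raw audit line; return None for anything that is not an AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {
        "perms": set(m.group("perms").split()),
        "source": context_type(m.group("scontext")),
        "target": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
    }


def collect_rules(lines):
    """Group denials by (source type, target type, class), unioning the permissions."""
    rules = {}
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue
        key = (d["source"], d["target"], d["tclass"])
        rules.setdefault(key, set()).update(d["perms"])
    return rules


def render_module(name, version, rules):
    """Emit a policy module source (module header, require block, allow rules)."""
    types = sorted({t for (src, tgt, _cls) in rules for t in (src, tgt)})
    classes = {}
    for (_src, _tgt, cls), perms in rules.items():
        classes.setdefault(cls, set()).update(perms)

    out = [f"module {name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {cls} {{ {' '.join(sorted(perms))} }};"
            for cls, perms in sorted(classes.items())]
    out += ["}", ""]
    for (src, tgt, cls), perms in sorted(rules.items()):
        out.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(render_module("myfail2ban", "11.2.1", collect_rules(SAMPLE_AVCS)))
```

Running it prints the same two allow rules as the module in the message (the five denials collapse to two keys). One thing the generator cannot tell you is whether allowing is the right fix: every one of these records is a read/write denial on the same socket inode 16217, raised by iptables and sendmail child processes that inherited fail2ban's descriptor across execve (syscall 11 on the i386 arch shown). The rule set makes the leak permitted rather than closing it; a dontaudit rule, or the daemon marking the descriptor close-on-exec, are the alternatives a policy reviewer would weigh.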



More information about the fedora-selinux-list mailing list