Selinux & Fail2Ban

Arthur Dent misc.lists at blueyonder.co.uk
Tue Dec 8 21:15:48 UTC 2009


On Tue, 2009-12-08 at 21:57 +0100, Dominick Grift wrote:

> > So what do you think?
> > 
> > Am I on the right track?
> 
> Yes "allow system_mail_t fail2ban_t:unix_stream_socket { read write };", signals a leaked file descriptor on fail2ban. This issue is known. You can ignore those avc denials and/or silence them:

What exactly *is* a "leaked file descriptor"?


> echo "policy_module(myfail2ban, 1.0.0)" > myfail2ban.te;
> echo "optional_policy(\`" >> myfail2ban.te;
> echo "gen_require(\`" >> myfail2ban.te;
> echo "attribute domain;" >> myfail2ban.te;
> echo "type fail2ban_t;" >> myfail2ban.te;
> echo "\')" >> myfail2ban.te;
> echo "dontaudit domain fail2ban_t:unix_stream_socket { read write };" >> myfail2ban.te;
> echo "\')" >> myfail2ban.te;

OK - Thanks for this. It's not the way I'm used to generating local
policies, and I think there may be an error? Once all the lines are
echoed into myfail2ban.te, this is what I get:
# cat myfail2ban.te

policy_module(myfail2ban, 11.2.1)
optional_policy(`
gen_require(`
attribute domain;
type fail2ban_t;
\')
dontaudit domain fail2ban_t:unix_stream_socket { read write };
\')

Which won't compile:
> make -f /usr/share/selinux/devel/Makefile myfail2ban.pp
> sudo semodule -i myfail2ban.pp
Gives:

# make -f /usr/share/selinux/devel/Makefile myfail2ban.pp
Compiling targeted myfail2ban module
/usr/bin/checkmodule:  loading policy configuration from
tmp/myfail2ban.tmp
myfail2ban.te":2:WARNING 'unrecognized character' at token '\' on line
3204:
\
#line 2
myfail2ban.te":2:WARNING 'unrecognized character' at token '\' on line
3214:
\
#line 2
myfail2ban.te":2:WARNING 'unrecognized character' at token '\' on line
3204:
\
#line 2
myfail2ban.te":2:WARNING 'unrecognized character' at token '\' on line
3214:
\
#line 2
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 10) to
tmp/myfail2ban.mod
Creating targeted myfail2ban.pp policy package
rm tmp/myfail2ban.mod.fc tmp/myfail2ban.mod


I'm not exactly sure what you had in mind; otherwise I would edit it to
work...


But thanks again. I do appreciate your help!

Mark
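Added example, not part of the thread or of Dominick's reply: the same dontaudit module written without the quoting problem. In a double-quoted bash string `\'` is kept as two characters (the backslash is not an escape there), so every `echo "\')"` puts a literal `\')` into the file, which is the `unrecognized character ... '\'` warning checkmodule prints above. A heredoc with a quoted delimiter needs no escaping at all. The module name, version, rule and build commands are the ones from the thread; the function names, the output path and the backslash check are this example's own.

```shell
#!/bin/sh
# Example script (not from the original post). Writes the myfail2ban
# policy source with correct quoting, checks that no backslash leaked
# into it, and builds/loads it where the refpolicy devel Makefile exists.

# Write the .te source to the path given as $1.
# The quoted 'EOF' delimiter makes the body literal: backticks, quotes
# and backslashes are copied as-is, so no shell escaping is needed.
write_te() {
    cat > "$1" <<'EOF'
policy_module(myfail2ban, 1.0.0)

optional_policy(`
	gen_require(`
		attribute domain;
		type fail2ban_t;
	')

	# Silence the leaked-descriptor denials: any domain that inherited a
	# unix_stream_socket labelled fail2ban_t is not audited for read/write.
	dontaudit domain fail2ban_t:unix_stream_socket { read write };
')
EOF
}

# Sanity check: the echo version left a literal backslash before each
# closing quote; a correct file contains no backslash at all.
check_te() {
    ! grep -q '\\' "$1"
}

# Compile and install, only on a host with selinux-policy-devel present
# (the commands are the ones quoted in the thread).
build_and_load() {
    if [ -f /usr/share/selinux/devel/Makefile ]; then
        make -f /usr/share/selinux/devel/Makefile myfail2ban.pp &&
            sudo semodule -i myfail2ban.pp
    else
        echo "selinux-policy-devel not installed; skipping build" >&2
    fi
}

write_te myfail2ban.te
check_te myfail2ban.te || { echo "backslash leaked into myfail2ban.te" >&2; exit 1; }
```

After `semodule -i`, `semodule -l | grep myfail2ban` confirms the module is loaded; the original avc messages should then stop appearing in the audit log, since dontaudit suppresses logging of the denial rather than granting the access.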
