Selinux & Fail2Ban

Dominick Grift domg472 at gmail.com
Tue Dec 8 21:24:39 UTC 2009


On Tue, Dec 08, 2009 at 09:15:48PM +0000, Arthur Dent wrote:
> On Tue, 2009-12-08 at 21:57 +0100, Dominick Grift wrote:
> 
> > > So what do you think?
> > > 
> > > Am I on the right track?
> > 
> > Yes "allow system_mail_t fail2ban_t:unix_stream_socket { read write };", signals a leaked file descriptor on fail2ban. This issue is known. You can ignore those avc denials and/or silence them:
> 
> What exactly *is* a "leaked file descriptor"?
> 
> 
> > echo "policy_module(myfail2ban, 1.0.0)" > myfail2ban.te;
> > echo "optional_policy(\`" >> myfail2ban.te;
> > echo "gen_require(\`" >> myfail2ban.te;
> > echo "attribute domain;" >> myfail2ban.te;
> > echo "type fail2ban_t;" >> myfail2ban.te;
> > echo "\')" >> myfail2ban.te;
> > echo "dontaudit domain fail2ban_t:unix_stream_socket { read write };" >> myfail2ban.te;
> > echo "\')" >> myfail2ban.te;
> 
> OK - Thanks for this. It's not the way I'm used to generating local
> policies and I think there may be an error? Once all the lines are
> echo'd into myfail2ban.te this is what I get:
> # cat myfail2ban.te
> 
> policy_module(myfail2ban, 11.2.1)
> optional_policy(`
> gen_require(`
> attribute domain;
> type fail2ban_t;
> \')
> dontaudit domain fail2ban_t:unix_stream_socket { read write };
> \')

Your myfail2ban.te file should look like this:

policy_module(myfail2ban, 11.2.1)
optional_policy(`
gen_require(`
attribute domain;
type fail2ban_t;
')
dontaudit domain fail2ban_t:unix_stream_socket { read write };
')

A leaked file descriptor is a programming error: it is one where the programmer forgot to close a file descriptor (a bug in fail2ban).

> 
> Which won't compile: 
> > make -f /usr/share/selinux/devel/Makefile myfail2ban.pp
> > sudo semodule -i myfail2ban.pp
> Gives:
> 
> # make -f /usr/share/selinux/devel/Makefile myfail2ban.pp
> Compiling targeted myfail2ban module
> /usr/bin/checkmodule:  loading policy configuration from
> tmp/myfail2ban.tmp
> myfail2ban.te":2:WARNING 'unrecognized character' at token '\' on line
> 3204:
> \
> #line 2
> myfail2ban.te":2:WARNING 'unrecognized character' at token '\' on line
> 3214:
> \
> #line 2
> myfail2ban.te":2:WARNING 'unrecognized character' at token '\' on line
> 3204:
> \
> #line 2
> myfail2ban.te":2:WARNING 'unrecognized character' at token '\' on line
> 3214:
> \
> #line 2
> /usr/bin/checkmodule:  policy configuration loaded
> /usr/bin/checkmodule:  writing binary representation (version 10) to
> tmp/myfail2ban.mod
> Creating targeted myfail2ban.pp policy package
> rm tmp/myfail2ban.mod.fc tmp/myfail2ban.mod
> 
> 
> I'm not exactly sure what you had in mind otherwise I would edit it to
> work...
> 
> 
> But thanks again. I do appreciate your help!
> 
> Mark
> 



> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
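The leaked descriptor described in this exchange, as an added example that is not code from fail2ban or from this thread. It assumes what the AVC denial implies: fail2ban (fail2ban_t) holds a unix stream socket, forks and execs a mail command that runs as system_mail_t, and that child inherits the socket because the daemon never closed it or marked it close-on-exec. The helper child below is a constructed stand-in for /usr/sbin/sendmail; it only reports whether the descriptor number it is handed is still an open socket in its own process.

```python
"""What a "leaked file descriptor" looks like (added example, not fail2ban code).

A daemon holds a unix stream socket, forks and execs a helper in another
SELinux domain, and the helper inherits the socket because the daemon
left it inheritable. SELinux then sees the helper's domain read/write a
socket labelled with the daemon's type, which is the AVC in the thread.
"""
import os
import socket
import subprocess
import sys

# Constructed child program standing in for the mail command: exit 0 if the
# descriptor number it is given is still an open socket here, 1 otherwise.
HELPER_SRC = r"""
import os, stat, sys
fd = int(sys.argv[1])
try:
    st = os.fstat(fd)
except OSError:
    sys.exit(1)  # descriptor is closed in the child: nothing leaked
sys.exit(0 if stat.S_ISSOCK(st.st_mode) else 1)
"""


def make_daemon_socket() -> socket.socket:
    """One end of a unix stream socketpair, playing the daemon's socket."""
    ours, peer = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    peer.close()
    return ours


def helper_sees_socket(fd: int) -> bool:
    """fork+exec the helper with no descriptor housekeeping at the spawn
    site (close_fds=False), and report whether it can still reach `fd`."""
    proc = subprocess.run(
        [sys.executable, "-c", HELPER_SRC, str(fd)],
        close_fds=False,
    )
    return proc.returncode == 0


def leaks_descriptor(close_on_exec: bool) -> bool:
    """Return True if the helper inherits the daemon's socket.

    close_on_exec=False reproduces the bug: the descriptor stays
    inheritable (the default for a C daemon, and for the Python 2 that
    fail2ban ran on in 2009), so exec() carries it into the child.
    close_on_exec=True is the fix: FD_CLOEXEC makes the kernel close the
    descriptor during exec(), so the child never sees it.
    """
    sock = make_daemon_socket()
    try:
        # inheritable == not close-on-exec
        os.set_inheritable(sock.fileno(), not close_on_exec)
        return helper_sees_socket(sock.fileno())
    finally:
        sock.close()


if __name__ == "__main__":
    print("buggy daemon leaks socket to helper:", leaks_descriptor(False))
    print("fixed daemon leaks socket to helper:", leaks_descriptor(True))
```

The fix can live on either side of the fork: mark the socket close-on-exec when it is created (as above), or close unneeded descriptors in the child before exec (in Python, `subprocess` with `close_fds=True`). The `dontaudit` module from the thread only hides the symptom in the audit log; the descriptor is still handed to the mail command until the daemon is fixed.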
