Selinux & Fail2Ban
David P. Quigley
dpquigl at tycho.nsa.gov
Tue Dec 8 21:52:44 UTC 2009
On Tue, 2009-12-08 at 21:37 +0000, Arthur Dent wrote:
> On Tue, 2009-12-08 at 22:24 +0100, Dominick Grift wrote:
>
> >
> > Your myfail2ban.te file should look like this:
> >
> > policy_module(myfail2ban, 11.2.1)
> > optional_policy(`
> > gen_require(`
> > attribute domain;
> > type fail2ban_t;
> > ')
> > dontaudit domain fail2ban_t:unix_stream_socket { read write };
> > ')
>
> That did it - Thanks!
>
> > A leaked file descriptor is a programming error it is where the programmer forgot to close a file descriptor (bug in fail2ban)
>
> How can I explain this to the f2b developers so that it can be fixed?
>
So I have copied a small section from Dan Walsh's blog. Its a bit more
than forgetting to close a file descriptor. The problem is that by
default on exec the child process will inherit all file descriptors from
the parent except ones that are closed before exec or marked close on
exec with the fcntl listed below.
One of the interesting things about SELinux is its use to
discover bugs in other code. When I first started working with
SELinux a few years ago, we started discovering a whole bunch of
domains wanting to read and write system_u:object_r:initctl_t
file. This is the context of the /dev/initctl device. After
investigating for a while we found out something in the boot
process was leaking an open file descriptor to /dev/initctl.
This open file descriptor would allow a compromised application
to change the run level of the system. Of course all of these
AVC messages were being reported as bugs in SELinux, but really
they were a serious bug in the boot process. Investigating this
problem further I found that the default behavior of all file
descriptors is to have them inherited over the fork/exec. You
have to execute fcntl(fd, F_SETFD, FD_CLOEXEC); on all file
descriptors that you do not want to be leaked. Needless to say,
lots of programmers forget this and leaked file descriptors are
quite common.
Dan Walsh
> Thanks - yet again!
>
> Mark
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
More information about the fedora-selinux-list
mailing list