Selinux & Fail2Ban

David P. Quigley dpquigl at tycho.nsa.gov
Tue Dec 8 21:52:44 UTC 2009 

On Tue, 2009-12-08 at 21:37 +0000, Arthur Dent wrote:
> On Tue, 2009-12-08 at 22:24 +0100, Dominick Grift wrote:
> 
> > 
> > Your myfail2ban.te file should look like this:
> > 
> > policy_module(myfail2ban, 11.2.1)
> > optional_policy(`
> > gen_require(`
> > attribute domain;
> > type fail2ban_t;
> > ')
> > dontaudit domain fail2ban_t:unix_stream_socket { read write };
> > ')
> 
> That did it - Thanks!
> 
> > A leaked file descriptor is a programming error it is where the programmer forgot to close a file descriptor (bug in fail2ban)
> 
> How can I explain this to the f2b developers so that it can be fixed?
> 

So I have copied a small section from Dan Walsh's blog. Its a bit more
than forgetting to close a file descriptor. The problem is that by
default on exec the child process will inherit all file descriptors from
the parent except ones that are closed before exec or marked close on
exec with the fcntl listed below.

        One of the interesting things about SELinux is its use to
        discover bugs in other code. When I first started working with
        SELinux a few years ago, we started discovering a whole bunch of
        domains wanting to read and write system_u:object_r:initctl_t
        file. This is the context of the /dev/initctl device. After
        investigating for a while we found out something in the boot
        process was leaking an open file descriptor to /dev/initctl.
        This open file descriptor would allow a compromised application
        to change the run level of the system. Of course all of these
        AVC messages were being reported as bugs in SELinux, but really
        they were a serious bug in the boot process. Investigating this
        problem further I found that the default behavior of all file
        descriptors is to have them inherited over the fork/exec. You
        have to execute fcntl(fd, F_SETFD, FD_CLOEXEC); on all file
        descriptors that you do not want to be leaked. Needless to say,
        lots of programmers forget this and leaked file descriptors are
        quite common.
        
        Dan Walsh

> Thanks - yet again!
> 
> Mark
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

More information about the fedora-selinux-list mailing list