Fail2Ban

Arthur Dent misc.lists at blueyonder.co.uk
Fri Jun 26 08:41:10 UTC 2009


Hello all,

Following a spate of unsuccessful but irritating attempts to brute-force my
home Fedora 9 server I decided to install fail2ban (using yum).

Starting it up gave me several AVCs of two types. One example of each type is
pasted below.

Running audit2allow gave me the following policy. I have implemented the
policy, and it works, but should it be necessary? I have googled a bit and
found a couple of old bug reports but I'm not sure they're relevant and I
think they have been incorporated into more recent policies anyway...

policy_module(myfail2ban, 9.1.0)

require {
        type iptables_t;
        type system_mail_t;
        type fail2ban_t;
        class unix_stream_socket { read write };
}

#============= iptables_t ==============
allow iptables_t fail2ban_t:unix_stream_socket { read write };

#============= system_mail_t ==============
allow system_mail_t fail2ban_t:unix_stream_socket { read write };


Does that look OK? Is there a bool I could have set?

Thanks for your help...

Mark


2 x AVCs
========


From SELinux_Troubleshoot at mydomain.com Thu Jun 25 19:19:30 2009
Return-Path: <SELinux_Troubleshoot at mydomain.com>
Received: from mydomain.com (mydomain.com [127.0.0.1])
	by mydomain.com (8.14.2/8.14.2) with ESMTP id n5PIJUBI003995
	for <root at localhost>; Thu, 25 Jun 2009 19:19:30 +0100
Message-Id: <200906251819.n5PIJUBI003995 at mydomain.com>
Content-Type: multipart/alternative; boundary="===============1813742656=="
MIME-Version: 1.0
Subject: [SELinux AVC Alert] SELinux is preventing iptables (iptables_t) "read
	write" fail2ban_t.
From: SELinux_Troubleshoot at mydomain.com
To: root at mydomain.com
Date: Thu, 25 Jun 2009 18:19:30 -0000
Status: RO
Content-Length: 10088
Lines: 157

--===============1813742656==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit


Summary:

SELinux is preventing iptables (iptables_t) "read write" fail2ban_t.

Detailed Description:

SELinux denied access requested by iptables. It is not expected that this access
is required by iptables and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                unconfined_u:system_r:iptables_t:s0
Target Context                unconfined_u:system_r:fail2ban_t:s0
Target Objects                socket [ unix_stream_socket ]
Source                        iptables
Source Path                   /sbin/iptables
Port                          <Unknown>
Host                          mydomain.com
Source RPM Packages           iptables-1.4.1.1-2.fc9
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-133.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     mydomain.com
Platform                      Linux mydomain.com 2.6.26.6-79.fc9.i686 #1 SMP
                              Fri Oct 17 14:52:14 EDT 2008 i686 i686
Alert Count                   9
First Seen                    Tue Jun 23 14:12:58 2009
Last Seen                     Thu Jun 25 19:19:20 2009
Local ID                      8291512a-d501-4af1-9e24-25d2052bf649
Line Numbers                  

Raw Audit Messages            

node=mydomain.com type=AVC msg=audit(1245953960.354:478): avc:  denied  { read write } for  pid=3974 comm="iptables" path="socket:[21986]" dev=sockfs ino=21986 scontext=unconfined_u:system_r:iptables_t:s0 tcontext=unconfined_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket

node=mydomain.com type=AVC msg=audit(1245953960.354:478): avc:  denied  { read write } for  pid=3974 comm="iptables" path="socket:[22005]" dev=sockfs ino=22005 scontext=unconfined_u:system_r:iptables_t:s0 tcontext=unconfined_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket

node=mydomain.com type=AVC msg=audit(1245953960.354:478): avc:  denied  { read write } for  pid=3974 comm="iptables" path="socket:[22072]" dev=sockfs ino=22072 scontext=unconfined_u:system_r:iptables_t:s0 tcontext=unconfined_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket

node=mydomain.com type=SYSCALL msg=audit(1245953960.354:478): arch=40000003 syscall=11 success=yes exit=0 a0=8cd7978 a1=8cd7cb8 a2=8cd7e38 a3=0 items=0 ppid=3969 pid=3974 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables" exe="/sbin/iptables" subj=unconfined_u:system_r:iptables_t:s0 key=(null)


--===============1813742656==--

From SELinux_Troubleshoot at mydomain.com Thu Jun 25 19:19:31 2009
Return-Path: <SELinux_Troubleshoot at mydomain.com>
Received: from mydomain.com (mydomain.com [127.0.0.1])
	by mydomain.com (8.14.2/8.14.2) with ESMTP id n5PIJVHv003998
	for <root at localhost>; Thu, 25 Jun 2009 19:19:31 +0100
Message-Id: <200906251819.n5PIJVHv003998 at mydomain.com>
Content-Type: multipart/alternative; boundary="===============0749694059=="
MIME-Version: 1.0
Subject: [SELinux AVC Alert] SELinux is preventing sendmail (system_mail_t)
	"read write" fail2ban_t.
From: SELinux_Troubleshoot at mydomain.com
To: root at mydomain.com
Date: Thu, 25 Jun 2009 18:19:31 -0000
Status: RO
Content-Length: 9500
Lines: 151

--===============0749694059==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit


Summary:

SELinux is preventing sendmail (system_mail_t) "read write" fail2ban_t.

Detailed Description:

SELinux denied access requested by sendmail. It is not expected that this access
is required by sendmail and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                unconfined_u:system_r:system_mail_t:s0
Target Context                unconfined_u:system_r:fail2ban_t:s0
Target Objects                socket [ unix_stream_socket ]
Source                        sendmail
Source Path                   /usr/sbin/sendmail.sendmail
Port                          <Unknown>
Host                          mydomain.com
Source RPM Packages           sendmail-8.14.2-4.fc9
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-133.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     mydomain.com
Platform                      Linux mydomain.com 2.6.26.6-79.fc9.i686 #1 SMP
                              Fri Oct 17 14:52:14 EDT 2008 i686 i686
Alert Count                   3
First Seen                    Tue Jun 23 14:12:59 2009
Last Seen                     Thu Jun 25 19:19:20 2009
Local ID                      18e4bfc0-cbb2-41a6-af2c-8b271450ed73
Line Numbers                  

Raw Audit Messages            

node=mydomain.com type=AVC msg=audit(1245953960.510:479): avc:  denied  { read write } for  pid=3980 comm="sendmail" path="socket:[21986]" dev=sockfs ino=21986 scontext=unconfined_u:system_r:system_mail_t:s0 tcontext=unconfined_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket

node=mydomain.com type=AVC msg=audit(1245953960.510:479): avc:  denied  { read write } for  pid=3980 comm="sendmail" path="socket:[22005]" dev=sockfs ino=22005 scontext=unconfined_u:system_r:system_mail_t:s0 tcontext=unconfined_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket

node=mydomain.com type=SYSCALL msg=audit(1245953960.510:479): arch=40000003 syscall=11 success=yes exit=0 a0=8908a90 a1=8908aa8 a2=8908d88 a3=0 items=0 ppid=3978 pid=3980 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=51 sgid=51 fsgid=51 tty=(none) ses=4294967295 comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=unconfined_u:system_r:system_mail_t:s0 key=(null)


--===============0749694059==
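The raw AVC records in the two alerts above carry more information than the audit2allow output uses: both denials are on objects named socket:[ino] whose label is fail2ban_t, the same inode (21986) is denied to both iptables_t and system_mail_t, and the accompanying SYSCALL records are execve (syscall=11) with success=yes. That is the pattern of a daemon leaking its own descriptors to the helpers it forks; SELinux revalidates inherited descriptors at execve and the helper still runs. The script below is an added example written for this page, not code from the post, from fail2ban or from audit2allow. It parses the quoted audit lines (embedded verbatim as sample input), collapses them into the same allow rules audit2allow produced, renders a policy_module() skeleton (the module name and version "1.0" are placeholders), and flags sockets that look inherited rather than needed. For that case it also renders the equivalent dontaudit rules, which silence the alerts without widening what iptables or sendmail may touch. The inherited-descriptor check is a heuristic of this example, not an audit2allow feature.

```python
"""Parse SELinux AVC denials, summarise them as TE rules, and flag leaked descriptors.

Added example for this page; not code from the post, fail2ban or audit2allow.
"""
import re
from collections import defaultdict

# Constructed sample input: the raw audit lines quoted in the post (two AVCs and the
# SYSCALL record from the iptables alert, one AVC from the sendmail alert), so the
# script runs offline. Real use would read /var/log/audit/audit.log or ausearch output.
SAMPLE_AUDIT = """\
node=mydomain.com type=AVC msg=audit(1245953960.354:478): avc:  denied  { read write } for  pid=3974 comm="iptables" path="socket:[21986]" dev=sockfs ino=21986 scontext=unconfined_u:system_r:iptables_t:s0 tcontext=unconfined_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket
node=mydomain.com type=AVC msg=audit(1245953960.354:478): avc:  denied  { read write } for  pid=3974 comm="iptables" path="socket:[22005]" dev=sockfs ino=22005 scontext=unconfined_u:system_r:iptables_t:s0 tcontext=unconfined_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket
node=mydomain.com type=SYSCALL msg=audit(1245953960.354:478): arch=40000003 syscall=11 success=yes exit=0 a0=8cd7978 a1=8cd7cb8 a2=8cd7e38 a3=0 items=0 ppid=3969 pid=3974 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables" exe="/sbin/iptables" subj=unconfined_u:system_r:iptables_t:s0 key=(null)
node=mydomain.com type=AVC msg=audit(1245953960.510:479): avc:  denied  { read write } for  pid=3980 comm="sendmail" path="socket:[21986]" dev=sockfs ino=21986 scontext=unconfined_u:system_r:system_mail_t:s0 tcontext=unconfined_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket
"""

VERDICT_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC record, or None for any other audit record type."""
    if "type=AVC" not in line:
        return None
    m = VERDICT_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    # A context is user:role:type:level; the type is what TE rules name.
    return {
        "verdict": m.group(1),
        "perms": frozenset(m.group(2).split()),
        "comm": fields.get("comm", "?"),
        "path": fields.get("path", ""),
        "ino": fields.get("ino"),
        "sdom": fields["scontext"].split(":")[2],
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
    }


def parse_audit(text):
    """Parse every AVC *denial* in a block of audit output; SYSCALL etc. are skipped."""
    recs = (parse_avc(l) for l in text.splitlines())
    return [r for r in recs if r and r["verdict"] == "denied"]


def collapse(records):
    """Merge denials into (source type, target type, class) -> union of permissions."""
    merged = defaultdict(set)
    for r in records:
        merged[(r["sdom"], r["ttype"], r["tclass"])] |= r["perms"]
    return merged


def render_rules(records, keyword="allow"):
    """Render collapsed denials as TE rules; keyword='dontaudit' silences instead of permitting."""
    lines = []
    for (sdom, ttype, tclass), perms in sorted(collapse(records).items()):
        lines.append(f"{keyword} {sdom} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return lines


def inherited_socket_candidates(records):
    """Heuristic: map (owner type, inode) -> source types denied on that socket.

    A socket object labelled with another domain's type, turning up in a child's
    denial, and the same inode under several children, is the signature of a
    descriptor inherited across exec rather than of the child needing the socket.
    """
    seen = defaultdict(set)
    for r in records:
        if r["path"].startswith("socket:[") and r["sdom"] != r["ttype"]:
            seen[(r["ttype"], r["ino"])].add(r["sdom"])
    return {k: sorted(v) for k, v in seen.items()}


def render_module(name, version, records, keyword="allow"):
    """Emit a policy_module() source in the shape audit2allow -M produced in the post."""
    types = sorted({r["sdom"] for r in records} | {r["ttype"] for r in records})
    class_perms = defaultdict(set)
    for (_, _, tclass), perms in collapse(records).items():
        class_perms[tclass] |= perms
    out = [f"policy_module({name}, {version})", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(class_perms.items())]
    out += ["}", ""] + render_rules(records, keyword)
    return "\n".join(out)


if __name__ == "__main__":
    recs = parse_audit(SAMPLE_AUDIT)
    print(render_module("myfail2ban", "1.0", recs))  # same rules the post's audit2allow run gave
    print()
    for (owner, ino), doms in sorted(inherited_socket_candidates(recs).items()):
        print(f"socket inode {ino} labelled {owner} inherited by: {', '.join(doms)}")
    print("\n".join(render_rules(recs, "dontaudit")))  # quieter alternative for leaked fds
```

Run it as-is and compare the first block of output with the module in the post; then look at the inherited-socket report before deciding between the allow form and the dontaudit form. The check is intentionally conservative: it only reports socket objects whose label belongs to a different domain than the process that was denied, which is exactly what both alerts above show.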




