Selinux, Fail2ban, iptables BUG

2009-05-23 Thread Jim

FC10/KDE

Has anyone run across this problem while running
fail2ban-0.8.3-18.fc10.noarch?


There are two Red Hat bug reports on this same problem and they seem to
think it's fixed, but it isn't.

Bug #
499674
491444

Summary:

SELinux is preventing iptables (iptables_t) "read write" fail2ban_t.

Detailed Description:

SELinux denied access requested by iptables. It is not expected that this access
is required by iptables and this access may signal an intrusion attempt. It is
also possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context        system_u:system_r:iptables_t:s0
Target Context        system_u:system_r:fail2ban_t:s0
Target Objects        socket [ unix_stream_socket ]
Source                iptables
Source Path           /sbin/iptables
Port                  
Host                  biggie
Source RPM Packages   iptables-1.4.1.1-2.fc10
Target RPM Packages   
Policy RPM            selinux-policy-3.5.13-58.fc10
Selinux Enabled       True
Policy Type           targeted
MLS Enabled           True
Enforcing Mode        Enforcing
Plugin Name           catchall
Host Name             biggie
Platform              Linux biggie 2.6.29.1-42.fc10.x86_64 #1 SMP Wed Apr 22 11:47:13 EDT 2009 x86_64 x86_64
Alert Count           39
First Seen            Sat 02 May 2009 09:43:41 PM EDT
Last Seen             Thu 07 May 2009 01:09:31 AM EDT
Local ID              765a64aa-c7e2-441f-ac75-afdfb7b642b6
Line Numbers          

Raw Audit Messages

node=biggie type=AVC msg=audit(1241672971.407:666): avc:  denied  { read write } for  pid=20191 comm="iptables" path="socket:[10476]" dev=sockfs ino=10476 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket

node=biggie type=AVC msg=audit(1241672971.407:666): avc:  denied  { read write } for  pid=20191 comm="iptables" path="socket:[10496]" dev=sockfs ino=10496 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket

node=biggie type=SYSCALL msg=audit(1241672971.407:666): arch=c03e syscall=59 success=yes exit=0 a0=9decb0 a1=9df2f0 a2=9ddb80 a3=3d92f6da70 items=0 ppid=1864 pid=20191 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables" exe="/sbin/iptables" subj=system_u:system_r:iptables_t:s0 key=(null)


-- 
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines

Re: Selinux, Fail2ban, iptables BUG

2009-05-23 Thread Antti J. Huhtala
Sat, 2009-05-23 at 12:14 -0400, Jim wrote:
> FC10/KDE
> 
> Has anyone run across this problem while running
> fail2ban-0.8.3-18.fc10.noarch?
> 
> There are two Red Hat bug reports on this same problem and they seem to
> think it's fixed, but it isn't.
> Bug #
> 499674
> 491444

Please look at bug # 475237. Though it originally didn't mention your
particular problem, the latter was one of many fail2ban-related SELinux
denials I encountered. In my case, the problem was solved by building a
*local module* enabling the coexistence of fail2ban and SELinux.
The procedure is explained in SELinux FAQ, but you may have to repeat
the procedure several times.
My local.te file is available (off-list) if you need it.

Antti


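The local-module route Antti describes comes down to turning the AVC records from Jim's post into type-enforcement allow rules. The following Python is an added illustration, not code from any poster or from the SELinux tooling, of what `audit2allow -M local` produces from those two records; the module name `local` is assumed, and the two log lines are Jim's, re-joined onto single lines.

```python
import re
from collections import defaultdict

# Two AVC records and one SYSCALL record from the original post, joined back
# onto single lines (the list archive wrapped them).
SAMPLE_AVC = """
node=biggie type=AVC msg=audit(1241672971.407:666): avc:  denied  { read write } for  pid=20191 comm="iptables" path="socket:[10476]" dev=sockfs ino=10476 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket
node=biggie type=AVC msg=audit(1241672971.407:666): avc:  denied  { read write } for  pid=20191 comm="iptables" path="socket:[10496]" dev=sockfs ino=10496 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket
node=biggie type=SYSCALL msg=audit(1241672971.407:666): arch=c03e syscall=59 success=yes exit=0
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def _type_of(context):
    # user:role:type:level -> type (the only field a TE rule keys on)
    return context.split(":")[2]

def parse_avc(text):
    """Collapse AVC denials into {(source_type, target_type, class): set(perms)}."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL records and unrelated lines carry no denial
        key = (_type_of(m["scon"]), _type_of(m["tcon"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return dict(rules)

def generate_te(text, name="local"):
    """Render the parsed denials as a .te module in the layout audit2allow uses."""
    rules = parse_avc(text)
    types = sorted({s for s, _, _ in rules} | {t for _, t, _ in rules})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls] |= perms
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {cls} {{ {' '.join(sorted(classes[cls]))} }};" for cls in sorted(classes)]
    out += ["}", ""]
    for (src, tgt, cls), perms in sorted(rules.items()):
        out.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(generate_te(SAMPLE_AVC))
```

On a real box the same text comes from `audit2allow -M local < avc.log`, followed by `semodule -i local.pp`. Read the generated allow line before loading it: it lets every iptables_t process read and write every fail2ban_t unix stream socket, not only the one fail2ban handed to the iptables it spawned.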


Re: Selinux, Fail2ban, iptables BUG

2009-05-23 Thread Frank Murphy (Frankly3d)

Jim wrote:

FC10/KDE

Has anyone run across this problem while running
fail2ban-0.8.3-18.fc10.noarch?


There are two Red Hat bug reports on this same problem and they seem to
think it's fixed, but it isn't.

Bug #
499674
491444



Hi Jim,

Glad you did a bugzilla.
But joining the selinux-list
wouldn't do any harm:
http://www.redhat.com/mailman/listinfo/fedora-selinux-list

Frank

--
msn: frankly3d  skype: frankly3d
Mailing-List Reply to: Mailing-List
Still Learning, Unicode where possible



Re: Selinux, Fail2ban, iptables BUG

2009-05-23 Thread Jonathan Underwood
2009/5/23 Jim :
> FC10/KDE
>
> Has anyone run across this problem while running
> fail2ban-0.8.3-18.fc10.noarch?
>
> There are two Red Hat bug reports on this same problem and they seem to think
> it's fixed, but it isn't.
> Bug #
> 499674
> 491444
>

This is a design problem with fail2ban and the way it (ab)uses gamin. See:
http://sourceforge.net/tracker/?func=detail&aid=1971871&group_id=121032&atid=689044
