#31 Fail2ban broken with gamin and SELinux

Status: open
Owner: Cyril Jaquier
Labels: None
Priority: 5
Updated: 2008-07-16
Created: 2008-05-25
Private: No

Please see:

https://bugzilla.redhat.com/show_bug.cgi?id=437633

and the discussion here:

http://mail.gnome.org/archives/gamin-list/2008-May/msg00000.html

In brief, there's a bad interaction between gam_server and SELinux which is breaking fail2ban. The issue is, if some process starts a gam_server as UID root it will be assigned an SELinux domain according to the process that started gam_server. If another UID root process tries to connect to the socket of that first gam_server, according to the gamin logic it should be allowed, since the UID is correct. However, the second process fails to connect because it has a different SELinux domain. In actual fact, this is showing up a security problem in gam_server, in that when used in this way, different processes can get at information through gam_server that they shouldn't necessarily have access to.

The gamin maintainer has explained that this is difficult to fix within the current gamin design. Furthermore, he points out that gamin really is designed for servicing desktop needs, rather than the sort of use that fail2ban is using it for.

I would suggest it's probably advisable to deprecate gamin use in fail2ban in favour of python-inotify (which seems more actively maintained than pyinotify).

I'd be interested in your thoughts on this.
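The symptom the report describes shows up in the audit log as an AVC denial: a root process in one SELinux domain is refused `connectto` on a unix socket owned by a root process in another domain. The script below is an added example (it is not code from the bug report, from fail2ban or from gamin) that parses audit records and flags exactly that cross-domain socket denial, so that the gamin/SELinux case can be told apart from ordinary file-access denials. The sample audit lines, the domain names `fail2ban_t` and `initrc_t`, the pids and the socket path are constructed assumptions for illustration, not values taken from the report.

```python
"""Flag SELinux AVC denials where one domain is refused connectto on a
unix stream socket owned by a different domain (the gam_server symptom).

Added example; not part of the bug report, fail2ban or gamin.
"""
import re
from typing import Any, Dict, List, Optional

# Constructed sample of audit.log records. The record layout follows the
# usual AVC format; all values (pids, comm, paths, domains) are made up.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1211500000.101:10): avc:  denied  { connectto } for  pid=2201 comm="fail2ban-server" path="/tmp/fam-root/fam-" scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1211500000.101:10): arch=40000003 syscall=102 success=no exit=-13 comm="fail2ban-server"
type=AVC msg=audit(1211500001.202:11): avc:  denied  { read } for  pid=2201 comm="fail2ban-server" name="secure" dev=sda1 ino=12345 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1211500002.303:12): avc:  denied  { connectto } for  pid=2310 comm="some-daemon" path="/tmp/fam-root/fam-" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
"""

# "avc:  denied  { connectto } for  pid=... comm=... scontext=... tclass=..."
AVC_RE = re.compile(
    r'avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)'
)
# key=value pairs; values may be quoted ("fail2ban-server") or bare (2201)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line: str) -> Optional[Dict[str, Any]]:
    """Parse one audit record into a dict; return None for non-AVC records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {"decision": m.group("decision"), "perms": m.group("perms").split(), **fields}


def selinux_type(context: str) -> str:
    """Extract the type (domain) from user:role:type[:level]."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def find_cross_domain_socket_denials(audit_log: str) -> List[Dict[str, str]]:
    """Return denied connectto attempts on unix sockets across two domains.

    Same-domain denials and denials on other object classes (files, dirs)
    are ignored: they are not the gam_server socket problem.
    """
    hits: List[Dict[str, str]] = []
    for line in audit_log.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["decision"] != "denied":
            continue
        if "connectto" not in rec["perms"] or rec.get("tclass") != "unix_stream_socket":
            continue
        src = selinux_type(rec.get("scontext", ""))
        dst = selinux_type(rec.get("tcontext", ""))
        if src == dst:
            continue
        hits.append({
            "comm": rec.get("comm", "?"),
            "source_type": src,
            "target_type": dst,
            "path": rec.get("path", ""),
        })
    return hits


if __name__ == "__main__":
    for h in find_cross_domain_socket_denials(SAMPLE_AUDIT_LOG):
        print(f'{h["comm"]} ({h["source_type"]}) refused connectto on '
              f'{h["path"]} owned by {h["target_type"]}')
```

On a real host the input would come from `ausearch -m avc` (optionally `-c gam_server` or `-c fail2ban-server` to filter by command), and `ps -eZ` shows which domain each running gam_server actually landed in. Two gam_server instances for UID root in different domains, plus a `connectto` denial between them, is the situation the report describes.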

Discussion

  • Cyril Jaquier
    2008-07-16

    • assigned_to: nobody --> lostcontrol
     
  • Cyril Jaquier
    2008-07-16

    Pyinotify is in my todo list for quite a long time. I will look at this as soon as possible.

    Thank you.