Could anyone help me with setting up f2b on CentOS 6 host?
We manage all our hosts with puppet (and module) and thus cannot use any iptables-like way to ban IP addresses (every puppet run it cleans out f2b records). So we decided to use 'ip route' solution. It works OK on CentOS 5 but doesn't on 6, we're faced with the following problem:

2014-01-23 07:48:30,908 fail2ban.actions.action: INFO   HINT on 7f00: "Command not found".  Make sure that all commands in 'ip route add unreachable' are in the PATH of fail2ban-server process (grep -a PATH= /proc/`pidof -x fail2ban-server`/environ). You may want to start "fail2ban-server -f" separately, initiate it with "fail2ban-client reload" in another shell session and observe if additional informative error messages appear in the terminals.

After some debugging I found that SELinux is the reason: if I disable SELinux, all is fine. audit.log has this record:

type=AVC msg=audit(1390494041.610:524765): avc:  denied  { getattr } for  pid=8817 comm="sh" path="/sbin/ip" dev=dm-0 ino=392519 scontext=unconfined_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file

I found that f2b server has these SEL attributes:


And iptables/ip:

[root@web2]/home/solkhovik# ls -lZ /sbin/iptables-1.4.7
lrwxrwxrwx. root root system_u:object_r:bin_t:s0       /sbin/iptables-1.4.7 -> iptables-multi
[root@web2]/home/solkhovik# ls -lZ /sbin/ip
-rwxr-xr-x. root root system_u:object_r:ifconfig_exec_t:s0 /sbin/ip

As a solution I tried to build an SEL module:

[root@web2]~# cat fail2ban-ifconfig.te
module fail2ban-ifconfig 1.0;

require {
        type fail2ban_t;
        type ifconfig_exec_t;
        class file getattr;
        class file execute;
}

#============= fail2ban_t ==============
allow fail2ban_t ifconfig_exec_t:file { getattr execute };

[root@web2]~# checkmodule -M -m -o fail2ban-ifconfig.mod fail2ban-ifconfig.te
checkmodule:  loading policy configuration from fail2ban-ifconfig.te
checkmodule:  policy configuration loaded
checkmodule:  writing binary representation (version 10) to fail2ban-ifconfig.mod
[root@web2]~# semodule_package -o fail2ban-ifconfig.pp -m fail2ban-ifconfig.mod
[root@web2]~# semodule -i fail2ban-ifconfig.pp

But that didn't work unfortunately :( The message in the logs is the same as above.
Can anyone tell me what I am doing wrong? Or is there any better solution?
Thanks in advance!
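Added here as an illustration (not code from the original post, fail2ban or the SELinux tools): a small Python script that does the core of what audit2allow does for a denial like the one above, parsing AVC records into a .te module whose require block is properly closed. The first sample line is the post's AVC record re-joined; the second is a constructed execute denial so that permission merging is visible.

```python
import re

# Constructed sample input: the post's AVC record joined onto one line, plus a
# constructed follow-up denial for 'execute' on the same source/target/class.
AVC_LINES = [
    'type=AVC msg=audit(1390494041.610:524765): avc:  denied  { getattr } for  pid=8817 '
    'comm="sh" path="/sbin/ip" dev=dm-0 ino=392519 '
    'scontext=unconfined_u:system_r:fail2ban_t:s0 '
    'tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file',
    'type=AVC msg=audit(1390494041.611:524766): avc:  denied  { execute } for  pid=8817 '
    'comm="sh" path="/sbin/ip" dev=dm-0 ino=392519 '
    'scontext=unconfined_u:system_r:fail2ban_t:s0 '
    'tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file',
]

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)')


def parse_avc(line):
    """Return the denied permissions plus source type, target type and class, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A context is user:role:type:level; the type is always the third field.
    return {'perms': set(m.group('perms').split()),
            'source': m.group('scon').split(':')[2],
            'target': m.group('tcon').split(':')[2],
            'tclass': m.group('tclass')}


def merge_denials(lines):
    """Group denials by (source, target, class) and union their permissions."""
    merged = {}
    for line in lines:
        d = parse_avc(line)
        if d:
            merged.setdefault((d['source'], d['target'], d['tclass']), set()).update(d['perms'])
    return merged


def allow_rules(lines):
    return ['allow %s %s:%s { %s };' % (s, t, c, ' '.join(sorted(p)))
            for (s, t, c), p in sorted(merge_denials(lines).items())]


def te_module(name, version, lines):
    """Render a complete .te file: module header, closed require block, allow rules."""
    rules = merge_denials(lines)
    types = sorted({t for key in rules for t in key[:2]})
    classes = {}
    for (_, _, cls), perms in rules.items():
        classes.setdefault(cls, set()).update(perms)
    out = ['module %s %s;' % (name, version), '', 'require {']
    out += ['\ttype %s;' % t for t in types]
    out += ['\tclass %s { %s };' % (c, ' '.join(sorted(p))) for c, p in sorted(classes.items())]
    out += ['}', ''] + allow_rules(lines)
    return '\n'.join(out) + '\n'
```

The rendered text can be fed to checkmodule and semodule_package exactly as in the post; lines that are not AVC records (SYSCALL, CWD, PATH) are ignored.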