From: Serge O. <ser...@gm...> - 2014-01-24 10:01:53
Could anyone help me with setting up f2b on a CentOS 6 host? We manage all our hosts with puppet (and the https://forge.puppetlabs.com/puppetlabs/firewall module) and thus cannot use any iptables-like way to ban IP addresses (every puppet run cleans out the f2b records). So we decided to use the 'ip route' solution. It works OK on CentOS 5 but doesn't on 6; we're faced with the following problem:

    2014-01-23 07:48:30,908 fail2ban.actions.action: INFO HINT on 7f00: "Command not found". Make sure that all commands in 'ip route add unreachable 94.102.56.229' are in the PATH of fail2ban-server process (grep -a PATH= /proc/`pidof -x fail2ban-server`/environ). You may want to start "fail2ban-server -f" separately, initiate it with "fail2ban-client reload" in another shell session and observe if additional informative error messages appear in the terminals.

After some debugging I found that SELinux is the reason; if I disable SELinux, all is fine. audit.log has this record:

    type=AVC msg=audit(1390494041.610:524765): avc: denied { getattr } for pid=8817 comm="sh" path="/sbin/ip" dev=dm-0 ino=392519 scontext=unconfined_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file

I found that the f2b server has these SEL attributes: unconfined_u:system_r:fail2ban_t

And iptables/ip:

    [root@web2]/home/solkhovik# ls -lZ /sbin/iptables-1.4.7
    lrwxrwxrwx. root root system_u:object_r:*bin_t*:s0 /sbin/iptables-1.4.7 -> iptables-multi
    [root@web2]/home/solkhovik# ls -lZ /sbin/ip
    -rwxr-xr-x. root root system_u:object_r:*ifconfig_exec_t*:s0 /sbin/ip

As a solution I tried to build a SEL module:

    [root@web2]~# cat fail2ban-ifconfig.te
    module fail2ban-ifconfig 1.0;

    require {
        type fail2ban_t;
        type ifconfig_exec_t;
        class file getattr;
        class file execute;
    }

    #============= fail2ban_t ==============
    allow fail2ban_t ifconfig_exec_t:file { getattr execute };

    [root@web2]~# checkmodule -M -m -o fail2ban-ifconfig.mod fail2ban-ifconfig.te
    checkmodule: loading policy configuration from fail2ban-ifconfig.te
    checkmodule: policy configuration loaded
    checkmodule: writing binary representation (version 10) to fail2ban-ifconfig.mod
    [root@web2]~# semodule_package -o fail2ban-ifconfig.pp -m fail2ban-ifconfig.mod
    [root@web2]~# semodule -i fail2ban-ifconfig.pp

But that didn't work, unfortunately :( The message in the logs is the same as above.

Can anyone tell me what I'm doing wrong? Or is there any better solution? Thanks in advance!
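An added example, not part of the original post or of fail2ban, that does offline what audit2allow does for the denial quoted above: it parses AVC records out of audit.log text and renders a .te module in the same layout as the post's fail2ban-ifconfig.te. The sample log is constructed from the record in the post plus a hypothetical second denial (execute on the same file), because SELinux reports only the first missing permission per access, so after a module is installed the next retry of the ban action can surface a further denial that the module must also cover.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC record from the post, a hypothetical follow-up
# denial for 'execute' on the same file, and a SYSCALL record that must be ignored.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1390494041.610:524765): avc: denied { getattr } for pid=8817 comm="sh" path="/sbin/ip" dev=dm-0 ino=392519 scontext=unconfined_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
type=AVC msg=audit(1390494041.612:524766): avc: denied { execute } for pid=8817 comm="sh" path="/sbin/ip" dev=dm-0 ino=392519 scontext=unconfined_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1390494041.612:524766): arch=c000003e syscall=59 success=no exit=-13
"""

# Pull the denied permissions, the source/target *types* (third field of the
# context) and the object class out of one AVC line; MLS ranges stay in \S+.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=\w+:\w+:(?P<stype>\w+):\S+\s+'
    r'tcontext=\w+:\w+:(?P<ttype>\w+):\S+\s+'
    r'tclass=(?P<tclass>\w+)')

def parse_avc_denials(text):
    """Return {(source_type, target_type, tclass): {perm, ...}} over all AVC lines."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            rules[(m['stype'], m['ttype'], m['tclass'])].update(m['perms'].split())
    return dict(rules)

def render_te_module(name, version, rules):
    """Emit a .te module (module line, require block, allow rules) for the parsed denials."""
    types = sorted({t for s, tt, _ in rules for t in (s, tt)})
    classes = {}
    for (_, _, tclass), perms in rules.items():
        classes.setdefault(tclass, set()).update(perms)
    lines = [f"module {name} {version};", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    lines += ["}", ""]
    for (s, tt, tclass), perms in sorted(rules.items()):
        lines.append(f"allow {s} {tt}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(render_te_module("fail2ban-ifconfig", "1.0", parse_avc_denials(SAMPLE_AUDIT_LOG)))
```

Feed it the real audit.log (or the output of `ausearch -m avc`) after each failed ban attempt and reinstall the regenerated module until no new fail2ban_t denials appear; a module that grants only what the first denial names is expected to leave the "Command not found" hint unchanged.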