[Fail2ban-users] CentOS 6 + SELinux + ip route

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Could anyone help me with setting up f2b on CentOS 6 host?
We manage all our hosts with puppet (and
https://forge.puppetlabs.com/puppetlabs/firewall module) and thus cannot
use any iptables-like way to ban IP addresses (every puppet run it cleans
out f2b records). So we decided to use 'ip route' solution. It works OK on
CentOS 5 but doesn't on 6, we're faced with the following problem:

2014-01-23 07:48:30,908 fail2ban.actions.action: INFO   HINT on 7f00:
"Command not found".  Make sure that all commands in 'ip route add
unreachable 94.102.56.229' are in the PATH of fail2ban-server process (grep
-a PATH= /proc/`pidof -x fail2ban-server`/environ). You may want to start
"fail2ban-server -f" separately, initiate it with "fail2ban-client reload"
in another shell session and observe if additional informative error
messages appear in the terminals.

After some debugging I found that SELinux is the reason, if I disable
SELinux, all is fine, audit.log has this record:

type=AVC msg=audit(1390494041.610:524765): avc:  denied  { getattr } for
 pid=8817 comm="sh" path="/sbin/ip" dev=dm-0 in
o=392519 scontext=unconfined_u:system_r:fail2ban_t:s0
tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file

I found that f2b server has these SEL attributes:

unconfined_u:system_r:fail2ban_t

And iptables/ip:

[root@web2]/home/solkhovik# ls -lZ /sbin/iptables-1.4.7
lrwxrwxrwx. root root system_u:object_r:*bin_t*:s0
/sbin/iptables-1.4.7 -> iptables-multi
[root@web2]/home/solkhovik# ls -lZ /sbin/ip
-rwxr-xr-x. root root system_u:object_r:*ifconfig_exec_t*:s0 /sbin/ip

As a solution I tried to build SEL module:

[root@web2]~# cat fail2ban-ifconfig.te
module fail2ban-ifconfig 1.0;

require {
        type fail2ban_t;
        type ifconfig_exec_t;
        class file getattr;
        class file execute;
}

#============= fail2ban_t ==============
allow fail2ban_t ifconfig_exec_t:file { getattr execute };

[root@web2]~# checkmodule -M -m -o fail2ban-ifconfig.mod
fail2ban-ifconfig.te
checkmodule:  loading policy configuration from fail2ban-ifconfig.te
checkmodule:  policy configuration loaded
checkmodule:  writing binary representation (version 10) to
fail2ban-ifconfig.mod
[root@web2]~# semodule_package -o fail2ban-ifconfig.pp -m
fail2ban-ifconfig.mod
[root@web2]~# semodule -i fail2ban-ifconfig.pp

But that didn't work unfortunately :( The message in the logs is the same
as above.
Can anyone help me what do I do wrong? Or is there any better solution?
Thanks in advance!