2014-01-24 Daniel Black <daniel.subs@internode.on.net>
On 01/24/2014 09:01 PM, Serge Olkhovik wrote:

Not quite true. You could grab one of the iptables-ipset* actions and
move the creation of actionstart into puppet (yes, I didn't get around to
writing an ipset provider for puppetlabs/firewall, but faking one should
be a simple rule).

Well, I tried ipset but got the same result, so I decided to keep trying the 'ip route' solution.

> After some debugging I found that SELinux is the reason, if I disable
> SELinux, all is fine, audit.log has this record:
> type=AVC msg=audit(1390494041.610:524765): avc:  denied  { getattr } for
>  pid=8817 comm="sh" path="/sbin/ip" dev=dm-0 ino=392519
> scontext=unconfined_u:system_r:fail2ban_t:s0
> tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
> I found that f2b server has these SEL attributes:
> unconfined_u:system_r:fail2ban_t

(PS: I'm using Fedora 19)

$ systemctl start  fail2ban.service
$ ps -eZ | fgrep fail2ban
system_u:system_r:fail2ban_t:s0 18764 ?        00:00:00 fail2ban-server

Are you sure it's not system_u:... ? Did you start it with systemctl or
an initscript/fail2ban-client? It could make a difference.

Right, but CentOS 6 doesn't have anything like systemctl. Only /sbin/service, which is almost the same as calling /etc/init.d/fail2ban directly.

% ps -eZ|fgrep fail2ban
unconfined_u:system_r:fail2ban_t:s0 64370 ?    00:32:05 fail2ban-server

> As a solution I tried to build SEL module:
> [root@web2]~# cat fail2ban-ifconfig.te
> module fail2ban-ifconfig 1.0;
> require {
>         type fail2ban_t;
>         type ifconfig_exec_t;
>         class file getattr;
>         class file execute;
> }
> #============= fail2ban_t ==============
> allow fail2ban_t ifconfig_exec_t:file { getattr execute };

Looks right to me.

Finally I was able to build a custom policy module that does what I need; 'ip route' now works fine.
Here it is, and I think you may add it to the global policy, if there is one (or forward it to the CentOS package maintainer?):

module fail2ban-route 1.0;

require {
        type fail2ban_t;
        type ifconfig_exec_t;
        class file { getattr open read execute execute_no_trans };
        class netlink_route_socket { nlmsg_write };
        class capability net_admin;
}

# let fail2ban_t run /sbin/ip without a domain transition
allow fail2ban_t ifconfig_exec_t:file { getattr open read execute execute_no_trans };
# 'ip route' talks to the kernel over a netlink route socket and needs CAP_NET_ADMIN
allow fail2ban_t self:netlink_route_socket nlmsg_write;
allow fail2ban_t self:capability net_admin;
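The module above was derived by reading AVC denials out of audit.log and turning each one into a `require`/`allow` pair. The following script, added here as an illustration and not part of the thread or of fail2ban, shows that translation step in code: it parses `type=AVC ... denied { perms } ... scontext= tcontext= tclass=` records, groups the permissions per (source type, target type, class) and renders a .te module in the same shape as the one posted. The real tool for this job is `audit2allow`; this is a small re-implementation for understanding its output. The sample log is constructed: the first line is the denial quoted in the thread joined back onto one line, the others are made-up follow-up denials of the kind `ip route` produces. Running the result through `checkmodule`/`semodule_package`/`semodule` is assumed to be done by the reader, and the generated rules should be reviewed against what the daemon actually needs rather than loaded wholesale.

```python
import re
from collections import defaultdict

# Constructed sample audit.log excerpt (not real captured data).
# Line 1 reproduces the denial quoted in the thread; lines 2-3 are invented
# follow-up denials for the execute and net_admin permissions; line 4 is a
# non-AVC record that the parser must skip.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1390494041.610:524765): avc:  denied  { getattr } for  pid=8817 comm="sh" path="/sbin/ip" dev=dm-0 ino=392519 scontext=unconfined_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
type=AVC msg=audit(1390494042.100:524766): avc:  denied  { execute } for  pid=8817 comm="sh" path="/sbin/ip" dev=dm-0 ino=392519 scontext=unconfined_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
type=AVC msg=audit(1390494042.200:524767): avc:  denied  { net_admin } for  pid=8820 comm="ip" capability=12 scontext=unconfined_u:system_r:fail2ban_t:s0 tcontext=unconfined_u:system_r:fail2ban_t:s0 tclass=capability
type=SYSCALL msg=audit(1390494042.200:524767): arch=c000003e syscall=59 success=no exit=-13
"""

# One AVC record: the permission set in braces, then the security contexts
# and object class that identify the rule SELinux consulted.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def context_type(ctx):
    """Extract the type field from a user:role:type:level security context."""
    return ctx.split(':')[2]


def parse_denials(text):
    """Return {(source_type, target_type, tclass): set(perms)} for every AVC
    denial in the audit text; non-AVC records are ignored."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (context_type(m.group('scontext')),
               context_type(m.group('tcontext')),
               m.group('tclass'))
        rules[key].update(m.group('perms').split())
    return rules


def render_module(name, rules):
    """Render parsed denials as type-enforcement (.te) source: a require block
    listing every type and class used, then one allow rule per key."""
    types, classes = set(), defaultdict(set)
    for (stype, ttype, tclass), perms in rules.items():
        types.update((stype, ttype))
        classes[tclass].update(perms)
    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in sorted(types)]
    lines += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    lines += ["}", ""]
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        # A denial where source and target contexts match is a rule on self
        # (e.g. capability, netlink sockets), as in the posted module.
        target = "self" if stype == ttype else ttype
        lines.append(f"allow {stype} {target}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_module("fail2ban-route", parse_denials(SAMPLE_AUDIT_LOG)), end="")
```

The output groups all permissions denied on `/sbin/ip` into a single `allow fail2ban_t ifconfig_exec_t:file { ... };` line, which is why the posted module lists several file permissions at once: each of `getattr`, `open`, `read`, `execute` and `execute_no_trans` would have shown up as its own denial as the earlier permissions were granted.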