From: Arthur D. <mis...@bl...> - 2010-01-07 17:05:57

On Thu, 2010-01-07 at 15:42 +0000, Jonathan Underwood wrote:
> 2010/1/7 Arthur Dent <mis...@bl...>:
> > OK - I must still be doing something stupid...
> >
> > # cd /home/mark/Installs/fail2ban-0.8.4/
> > [root@mydomain fail2ban-0.8.4]# patch -p0 < /home/mark/Download/pyinotify.patch
>
> You need patch -p1 here.
>
> $ cd fail2ban-0.8.4
> $ patch -p1 <../pyinotify.patch
> patching file config/jail.conf
> patching file server/filterinotify.py
> patching file server/jail.py

Ahhh.. Sorry. Yes that worked. Thanks!

OK - Only very limited testing so far I'm afraid, but here is what I've found...

With both patches ("pyinotify support" and "Set socket file descriptor in AsyncServer.start to be CLOEXEC") applied I did a full SELinux "touch /.autorelabel; reboot" to ensure all files are correctly labeled with SELinux file context.

After the reboot (with SELinux in Enforcing mode) I found that F2B had failed to start and there were 3 SELinux denials as listed below:

Putting SELinux into permissive mode allows F2B to restart but produces a slew of SEL AVCs (too many to list here but I will pack them up and send them off-list to anyone who wants them...)

This is pretty much the limit of my expertise, but I am grateful to everyone involved in this project for the work they do and if there is anything more I can do please let me know...

Best regards

Mark

==================8<==================================================

SELinux AVC denials in Enforcing mode:

ALERT1
======

Summary:

SELinux is preventing the fail2ban-server from using potentially mislabeled files (/tmp).

Detailed Description:

SELinux has denied fail2ban-server access to potentially mislabeled file(s) (/tmp). This means that SELinux will not allow fail2ban-server to use these files. It is common for users to edit files in their home directory or tmp directories and then move (mv) them to system directories. The problem is that the files end up with the wrong file context which confined applications are not allowed to access.

Allowing Access:

If you want fail2ban-server to access this files, you need to relabel them using restorecon -v '/tmp'. You might want to relabel the entire directory using restorecon -R -v '/tmp'.

Additional Information:

Source Context                system_u:system_r:fail2ban_t:s0
Target Context                system_u:object_r:tmp_t:s0
Target Objects                /tmp [ dir ]
Source                        fail2ban-server
Source Path                   /usr/bin/python
Port                          <Unknown>
Host                          VM_Fedora11.VirtualMachines
Source RPM Packages           python-2.6-9.fc11
Target RPM Packages           filesystem-2.4.21-1.fc11
Policy RPM                    selinux-policy-3.6.12-92.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   home_tmp_bad_labels
Host Name                     VM_Fedora11.VirtualMachines
Platform                      Linux VM_Fedora11.VirtualMachines 2.6.30.10-105.fc11.i686.PAE #1 SMP Thu Dec 24 16:41:17 UTC 2009 i686 i686
Alert Count                   1
First Seen                    Thu 07 Jan 2010 04:32:08 PM GMT
Last Seen                     Thu 07 Jan 2010 04:32:08 PM GMT
Local ID                      740ef6af-f91f-471f-94f1-ba98ab71e67d
Line Numbers

Raw Audit Messages

node=VM_Fedora11.VirtualMachines type=AVC msg=audit(1262881928.459:7): avc: denied { search } for pid=1501 comm="fail2ban-server" name="tmp" dev=dm-0 ino=26 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir

node=VM_Fedora11.VirtualMachines type=SYSCALL msg=audit(1262881928.459:7): arch=40000003 syscall=5 success=no exit=-13 a0=bfe544d0 a1=c2 a2=180 a3=12b528 items=0 ppid=1 pid=1501 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="fail2ban-server" exe="/usr/bin/python" subj=system_u:system_r:fail2ban_t:s0 key=(null)

ALERT2
======

Summary:

SELinux is preventing fail2ban-server (fail2ban_t) "search" to / (tmpfs_t).

Detailed Description:

SELinux denied access requested by fail2ban-server. / may be a mislabeled. / default SELinux type is root_t, but its current type is tmpfs_t. Changing this file back to the default type, may fix your problem.

File contexts can be assigned to a file in the following ways.

* Files created in a directory receive the file context of the parent directory by default.
* The SELinux policy might override the default label inherited from the parent directory by specifying a process running in context A which creates a file in a directory labeled B will instead create the file with label C. An example of this would be the dhcp client running with the dhclient_t type and creates a file in the directory /etc. This file would normally receive the etc_t type due to parental inheritance but instead the file is labeled with the net_conf_t type because the SELinux policy specifies this.
* Users can change the file context on a file using tools such as chcon, or restorecon.

This file could have been mislabeled either by user error, or if an normally confined application was run under the wrong domain.

However, this might also indicate a bug in SELinux because the file should not have been labeled with this type.

If you believe this is a bug, please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Allowing Access:

You can restore the default system context to this file by executing the restorecon command. restorecon '/', if this file is a directory, you can recursively restore using restorecon -R '/'.

Fix Command:

restorecon '/'

Additional Information:

Source Context                system_u:system_r:fail2ban_t:s0
Target Context                system_u:object_r:tmpfs_t:s0
Target Objects                / [ dir ]
Source                        fail2ban-server
Source Path                   /usr/bin/python
Port                          <Unknown>
Host                          VM_Fedora11.VirtualMachines
Source RPM Packages           python-2.6-9.fc11
Target RPM Packages           filesystem-2.4.21-1.fc11
Policy RPM                    selinux-policy-3.6.12-92.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   restorecon
Host Name                     VM_Fedora11.VirtualMachines
Platform                      Linux VM_Fedora11.VirtualMachines 2.6.30.10-105.fc11.i686.PAE #1 SMP Thu Dec 24 16:41:17 UTC 2009 i686 i686
Alert Count                   1
First Seen                    Thu 07 Jan 2010 04:32:08 PM GMT
Last Seen                     Thu 07 Jan 2010 04:32:08 PM GMT
Local ID                      cf0042f2-1680-4866-b5bf-bf4ba681d088
Line Numbers

Raw Audit Messages

node=VM_Fedora11.VirtualMachines type=AVC msg=audit(1262881928.483:9): avc: denied { search } for pid=1501 comm="fail2ban-server" name="/" dev=tmpfs ino=6633 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir

node=VM_Fedora11.VirtualMachines type=SYSCALL msg=audit(1262881928.483:9): arch=40000003 syscall=5 success=no exit=-13 a0=bfe544c0 a1=c2 a2=180 a3=380eee items=0 ppid=1 pid=1501 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="fail2ban-server" exe="/usr/bin/python" subj=system_u:system_r:fail2ban_t:s0 key=(null)

ALERT3
======

Summary:

SELinux is preventing the fail2ban-server from using potentially mislabeled files (/var/tmp).

Detailed Description:

SELinux has denied fail2ban-server access to potentially mislabeled file(s) (/var/tmp). This means that SELinux will not allow fail2ban-server to use these files. It is common for users to edit files in their home directory or tmp directories and then move (mv) them to system directories. The problem is that the files end up with the wrong file context which confined applications are not allowed to access.

Allowing Access:

If you want fail2ban-server to access this files, you need to relabel them using restorecon -v '/var/tmp'. You might want to relabel the entire directory using restorecon -R -v '/var/tmp'.

Additional Information:

Source Context                system_u:system_r:fail2ban_t:s0
Target Context                system_u:object_r:tmp_t:s0
Target Objects                /var/tmp [ dir ]
Source                        fail2ban-server
Source Path                   /usr/bin/python
Port                          <Unknown>
Host                          VM_Fedora11.VirtualMachines
Source RPM Packages           python-2.6-9.fc11
Target RPM Packages           filesystem-2.4.21-1.fc11
Policy RPM                    selinux-policy-3.6.12-92.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   home_tmp_bad_labels
Host Name                     VM_Fedora11.VirtualMachines
Platform                      Linux VM_Fedora11.VirtualMachines 2.6.30.10-105.fc11.i686.PAE #1 SMP Thu Dec 24 16:41:17 UTC 2009 i686 i686
Alert Count                   1
First Seen                    Thu 07 Jan 2010 04:32:08 PM GMT
Last Seen                     Thu 07 Jan 2010 04:32:08 PM GMT
Local ID                      4e5cac6c-8999-47ba-ae68-9eccbdf6f79b
Line Numbers

Raw Audit Messages

node=VM_Fedora11.VirtualMachines type=AVC msg=audit(1262881928.482:8): avc: denied { search } for pid=1501 comm="fail2ban-server" name="tmp" dev=dm-0 ino=44 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir

node=VM_Fedora11.VirtualMachines type=SYSCALL msg=audit(1262881928.482:8): arch=40000003 syscall=5 success=no exit=-13 a0=bfe544c0 a1=c2 a2=180 a3=25620b items=0 ppid=1 pid=1501 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="fail2ban-server" exe="/usr/bin/python" subj=system_u:system_r:fail2ban_t:s0 key=(null)
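As an added example (not code from the message above or from fail2ban), a small parser for the raw audit records Mark quotes that groups the denials by source type, target type, object class and permission, the way audit2allow does before it emits rules, so each target label can be checked before deciding whether the right fix is a relabel or a policy change. The sample records are copied from the report; the SYSCALL record is trimmed to a few fields.

```python
import re

# Constructed sample: the three AVC records from the report above plus one of
# their SYSCALL records (trimmed), so the parser has a non-AVC line to skip.
SAMPLE_AUDIT = """\
node=VM_Fedora11.VirtualMachines type=AVC msg=audit(1262881928.459:7): avc: denied { search } for pid=1501 comm="fail2ban-server" name="tmp" dev=dm-0 ino=26 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
node=VM_Fedora11.VirtualMachines type=SYSCALL msg=audit(1262881928.459:7): arch=40000003 syscall=5 success=no exit=-13 comm="fail2ban-server" exe="/usr/bin/python"
node=VM_Fedora11.VirtualMachines type=AVC msg=audit(1262881928.483:9): avc: denied { search } for pid=1501 comm="fail2ban-server" name="/" dev=tmpfs ino=6633 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
node=VM_Fedora11.VirtualMachines type=AVC msg=audit(1262881928.482:8): avc: denied { search } for pid=1501 comm="fail2ban-server" name="tmp" dev=dm-0 ino=44 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
"""

# Fixed header of an AVC record (timestamp:serial, decision, permission set),
# followed by free-form key=value fields that vary by object class.
AVC_HEAD = re.compile(
    r'type=AVC\s+msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+avc:\s+'
    r'(?P<decision>\w+)\s+\{\s*(?P<perms>[^}]*?)\s*\}')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Parse one audit record; return its fields, or None if it is not type=AVC."""
    m = AVC_HEAD.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()            # e.g. ['search']
    rec.update((k, v.strip('"')) for k, v in KV_RE.findall(line[m.end():]))
    return rec

def type_of(context):
    """user:role:type:level -> type, the part TE rules are written against."""
    return context.split(":")[2]

def summarize(audit_text):
    """Group denials as (source type, target type, class, permission) -> count.

    Keeping this as data lets each target label be checked first: the '/'
    record carries dev=tmpfs, so the object is the root of a tmpfs mount
    and the alert's suggested restorecon '/' would act on the wrong object."""
    counts = {}
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["decision"] != "denied":
            continue
        for perm in rec["perms"]:
            key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"], perm)
            counts[key] = counts.get(key, 0) + 1
    return counts

def draft_rules(counts):
    """Render the grouped denials as TE allow rules, for review rather than blind use."""
    return sorted("allow %s %s:%s %s;" % key for key in counts)
```

Running `summarize(SAMPLE_AUDIT)` on the three records collapses them to two distinct denials, `fail2ban_t` searching `tmp_t` directories (twice) and `tmpfs_t` (once), which is the list to reconcile against the labels the relabel actually produced.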