Menu
▾
▴
Re: [Fail2ban-users] [PATCH] Add pyinotify support
|
From: Arthur D. <mis...@bl...> - 2010-01-07 17:05:57
|
On Thu, 2010-01-07 at 15:42 +0000, Jonathan Underwood wrote:
> 2010/1/7 Arthur Dent <mis...@bl...>:
> > OK - I must still be doing something stupid...
> >
> > # cd /home/mark/Installs/fail2ban-0.8.4/
> > [root@mydomain fail2ban-0.8.4]# patch -p0 < /home/mark/Download/pyinotify.patch
>
> You need patch -p1 here.
>
>
> $ cd fail2ban-0.8.4
> $ patch -p1 <../pyinotify.patch
> patching file config/jail.conf
> patching file server/filterinotify.py
> patching file server/jail.py
Ahhh.. Sorry. Yes that worked. Thanks!
OK - Only very limited testing so far I'm afraid, but here is what I've
found...
With both patches ("pyinotify support" and "Set socket file descriptor
in AsyncServer.start to be CLOEXEC") applied I did a full SELinux
"touch /.autorelabel; reboot" to ensure all files are correctly labeled
with SELinux file context.
After the reboot (with SELinux in Enforcing mode) I found that F2B had
failed to start and there were 3 SELinux denials as listed below:
Putting SELinux into permissive mode allows F2B to restart but produces
a slew of SEL AVCs (too many to list here but I will pack them up and
send them off-list to anyone who wants them...)
This is pretty much the limit of my expertise, but I am grateful to
everyone involved in this project for the work they do and if there is
anything more I can do please let me know...
Best regards
Mark
==================8<==================================================
SELinux AVC denials in Enforcing mode:
ALERT1
======
Summary:
SELinux is preventing the fail2ban-server from using potentially mislabeled
files (/tmp).
Detailed Description:
SELinux has denied fail2ban-server access to potentially mislabeled file(s)
(/tmp). This means that SELinux will not allow fail2ban-server to use these
files. It is common for users to edit files in their home directory or tmp
directories and then move (mv) them to system directories. The problem is that
the files end up with the wrong file context which confined applications are not
allowed to access.
Allowing Access:
If you want fail2ban-server to access this files, you need to relabel them using
restorecon -v '/tmp'. You might want to relabel the entire directory using
restorecon -R -v '/tmp'.
Additional Information:
Source Context system_u:system_r:fail2ban_t:s0
Target Context system_u:object_r:tmp_t:s0
Target Objects /tmp [ dir ]
Source fail2ban-server
Source Path /usr/bin/python
Port <Unknown>
Host VM_Fedora11.VirtualMachines
Source RPM Packages python-2.6-9.fc11
Target RPM Packages filesystem-2.4.21-1.fc11
Policy RPM selinux-policy-3.6.12-92.fc11
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name home_tmp_bad_labels
Host Name VM_Fedora11.VirtualMachines
Platform Linux VM_Fedora11.VirtualMachines
2.6.30.10-105.fc11.i686.PAE #1 SMP Thu Dec 24
16:41:17 UTC 2009 i686 i686
Alert Count 1
First Seen Thu 07 Jan 2010 04:32:08 PM GMT
Last Seen Thu 07 Jan 2010 04:32:08 PM GMT
Local ID 740ef6af-f91f-471f-94f1-ba98ab71e67d
Line Numbers
Raw Audit Messages
node=VM_Fedora11.VirtualMachines type=AVC msg=audit(1262881928.459:7): avc: denied { search } for pid=1501 comm="fail2ban-server" name="tmp" dev=dm-0 ino=26 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
node=VM_Fedora11.VirtualMachines type=SYSCALL msg=audit(1262881928.459:7): arch=40000003 syscall=5 success=no exit=-13 a0=bfe544d0 a1=c2 a2=180 a3=12b528 items=0 ppid=1 pid=1501 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="fail2ban-server" exe="/usr/bin/python" subj=system_u:system_r:fail2ban_t:s0 key=(null)
ALERT2
======
Summary:
SELinux is preventing fail2ban-server (fail2ban_t) "search" to / (tmpfs_t).
Detailed Description:
SELinux denied access requested by fail2ban-server. / may be a mislabeled. /
default SELinux type is root_t, but its current type is tmpfs_t. Changing this
file back to the default type, may fix your problem.
File contexts can be assigned to a file in the following ways.
* Files created in a directory receive the file context of the parent
directory by default.
* The SELinux policy might override the default label inherited from the
parent directory by specifying a process running in context A which creates
a file in a directory labeled B will instead create the file with label C.
An example of this would be the dhcp client running with the dhclient_t type
and creates a file in the directory /etc. This file would normally receive
the etc_t type due to parental inheritance but instead the file is labeled
with the net_conf_t type because the SELinux policy specifies this.
* Users can change the file context on a file using tools such as chcon, or
restorecon.
This file could have been mislabeled either by user error, or if an normally
confined application was run under the wrong domain.
However, this might also indicate a bug in SELinux because the file should not
have been labeled with this type.
If you believe this is a bug, please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Allowing Access:
You can restore the default system context to this file by executing the
restorecon command. restorecon '/', if this file is a directory, you can
recursively restore using restorecon -R '/'.
Fix Command:
restorecon '/'
Additional Information:
Source Context system_u:system_r:fail2ban_t:s0
Target Context system_u:object_r:tmpfs_t:s0
Target Objects / [ dir ]
Source fail2ban-server
Source Path /usr/bin/python
Port <Unknown>
Host VM_Fedora11.VirtualMachines
Source RPM Packages python-2.6-9.fc11
Target RPM Packages filesystem-2.4.21-1.fc11
Policy RPM selinux-policy-3.6.12-92.fc11
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name restorecon
Host Name VM_Fedora11.VirtualMachines
Platform Linux VM_Fedora11.VirtualMachines
2.6.30.10-105.fc11.i686.PAE #1 SMP Thu Dec 24
16:41:17 UTC 2009 i686 i686
Alert Count 1
First Seen Thu 07 Jan 2010 04:32:08 PM GMT
Last Seen Thu 07 Jan 2010 04:32:08 PM GMT
Local ID cf0042f2-1680-4866-b5bf-bf4ba681d088
Line Numbers
Raw Audit Messages
node=VM_Fedora11.VirtualMachines type=AVC msg=audit(1262881928.483:9): avc: denied { search } for pid=1501 comm="fail2ban-server" name="/" dev=tmpfs ino=6633 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
node=VM_Fedora11.VirtualMachines type=SYSCALL msg=audit(1262881928.483:9): arch=40000003 syscall=5 success=no exit=-13 a0=bfe544c0 a1=c2 a2=180 a3=380eee items=0 ppid=1 pid=1501 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="fail2ban-server" exe="/usr/bin/python" subj=system_u:system_r:fail2ban_t:s0 key=(null)
ALERT3
======
Summary:
SELinux is preventing the fail2ban-server from using potentially mislabeled
files (/var/tmp).
Detailed Description:
SELinux has denied fail2ban-server access to potentially mislabeled file(s)
(/var/tmp). This means that SELinux will not allow fail2ban-server to use these
files. It is common for users to edit files in their home directory or tmp
directories and then move (mv) them to system directories. The problem is that
the files end up with the wrong file context which confined applications are not
allowed to access.
Allowing Access:
If you want fail2ban-server to access this files, you need to relabel them using
restorecon -v '/var/tmp'. You might want to relabel the entire directory using
restorecon -R -v '/var/tmp'.
Additional Information:
Source Context system_u:system_r:fail2ban_t:s0
Target Context system_u:object_r:tmp_t:s0
Target Objects /var/tmp [ dir ]
Source fail2ban-server
Source Path /usr/bin/python
Port <Unknown>
Host VM_Fedora11.VirtualMachines
Source RPM Packages python-2.6-9.fc11
Target RPM Packages filesystem-2.4.21-1.fc11
Policy RPM selinux-policy-3.6.12-92.fc11
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name home_tmp_bad_labels
Host Name VM_Fedora11.VirtualMachines
Platform Linux VM_Fedora11.VirtualMachines
2.6.30.10-105.fc11.i686.PAE #1 SMP Thu Dec 24
16:41:17 UTC 2009 i686 i686
Alert Count 1
First Seen Thu 07 Jan 2010 04:32:08 PM GMT
Last Seen Thu 07 Jan 2010 04:32:08 PM GMT
Local ID 4e5cac6c-8999-47ba-ae68-9eccbdf6f79b
Line Numbers
Raw Audit Messages
node=VM_Fedora11.VirtualMachines type=AVC msg=audit(1262881928.482:8): avc: denied { search } for pid=1501 comm="fail2ban-server" name="tmp" dev=dm-0 ino=44 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir
node=VM_Fedora11.VirtualMachines type=SYSCALL msg=audit(1262881928.482:8): arch=40000003 syscall=5 success=no exit=-13 a0=bfe544c0 a1=c2 a2=180 a3=25620b items=0 ppid=1 pid=1501 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="fail2ban-server" exe="/usr/bin/python" subj=system_u:system_r:fail2ban_t:s0 key=(null)
|