From: Serge O. <ser...@gm...> - 2014-01-29 16:58:54
2014-01-24 Daniel Black <dan...@in...>:
> On 01/24/2014 09:01 PM, Serge Olkhovik wrote:
>
> Not quite true. You could grab one of the iptables-ipset* actions and
> move the creation of actionstart into puppet (yes I didn't get around to
> writing an ipset provider for puppetlabs/firewall but faking one should
> be a simple rule).

Well, I tried ipset but with the same result, so I decided to keep trying
the 'ip route' solution.

> > After some debugging I found that SELinux is the reason; if I disable
> > SELinux, all is fine. audit.log has this record:
> >
> > type=AVC msg=audit(1390494041.610:524765): avc: denied { getattr } for
> > pid=8817 comm="sh" path="/sbin/ip" dev=dm-0 ino=392519
> > scontext=unconfined_u:system_r:fail2ban_t:s0
> > tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
> >
> > I found that f2b server has these SEL attributes:
> >
> > unconfined_u:system_r:fail2ban_t
>
> (PS I'm using fedora19)
>
> $ systemctl start fail2ban.service
> $ ps -eZ | fgrep fail2ban
> system_u:system_r:fail2ban_t:s0 18764 ? 00:00:00 fail2ban-server
>
> Are you sure it's not system_u:... ? Did you start it with systemctl or
> an initscript/fail2ban-client? It could make a difference.

Right, but CentOS 6 doesn't have anything like systemctl, only
/sbin/service, which is almost the same as calling /etc/init.d/fail2ban
directly:

% ps -eZ|fgrep fail2ban
unconfined_u:system_r:fail2ban_t:s0 64370 ? 00:32:05 fail2ban-server

> > As a solution I tried to build an SEL module:
> >
> > [root@web2]~# cat fail2ban-ifconfig.te
> > module fail2ban-ifconfig 1.0;
> >
> > require {
> >     type fail2ban_t;
> >     type ifconfig_exec_t;
> >     class file getattr;
> >     class file execute;
> > }
> >
> > #============= fail2ban_t ==============
> > allow fail2ban_t ifconfig_exec_t:file { getattr execute };
>
> Looks right to me.

Finally I was able to build a custom policy module that does what I need;
'ip route' works fine now.

Here it is, and I think you may add it into the global policy if there is
one (or forward it to the CentOS package maintainer?):

module fail2ban-route 1.0;

require {
    type fail2ban_t;
    type ifconfig_exec_t;
    class file { getattr open read execute execute_no_trans };
    class netlink_route_socket { nlmsg_write };
    class capability net_admin;
}

allow fail2ban_t ifconfig_exec_t:file { getattr open read execute execute_no_trans };
allow fail2ban_t self:netlink_route_socket nlmsg_write;
allow fail2ban_t self:capability net_admin;
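The module above was arrived at by reading AVC denials out of audit.log one at a time. The following is an added example, not code from the thread or from the fail2ban project: a small Python script that does the same aggregation mechanically, turning a set of `type=AVC ... denied` records into a minimal `.te` module in the shape posted above (one `allow` rule per source type / target type / object class, with `self` used where the source and target types coincide). The first sample line is the denial quoted in the thread; the remaining lines are constructed to stand in for the file, netlink and capability denials that the final module grants, and the module name `fail2ban-route` is reused only as an illustration.

```python
import re
from collections import defaultdict

# Constructed sample audit.log excerpt. Line 1 is the AVC denial quoted in the
# thread; lines 2-4 are constructed stand-ins for the later denials that the
# posted module also allows; line 5 is a non-AVC record that must be ignored.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1390494041.610:524765): avc:  denied  { getattr } for  pid=8817 comm="sh" path="/sbin/ip" dev=dm-0 ino=392519 scontext=unconfined_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
type=AVC msg=audit(1390494041.611:524766): avc:  denied  { open read execute } for  pid=8817 comm="sh" path="/sbin/ip" dev=dm-0 ino=392519 scontext=unconfined_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file
type=AVC msg=audit(1390494041.612:524767): avc:  denied  { nlmsg_write } for  pid=8820 comm="ip" scontext=unconfined_u:system_r:fail2ban_t:s0 tcontext=unconfined_u:system_r:fail2ban_t:s0 tclass=netlink_route_socket
type=AVC msg=audit(1390494041.612:524768): avc:  denied  { net_admin } for  pid=8820 comm="ip" capability=12 scontext=unconfined_u:system_r:fail2ban_t:s0 tcontext=unconfined_u:system_r:fail2ban_t:s0 tclass=capability
type=SYSCALL msg=audit(1390494041.612:524768): arch=c000003e syscall=59 success=no exit=-13
"""

# Matches only denied AVC records; granted AVCs and other record types fall through.
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?"
    r"scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Return the type field of a user:role:type[:level] SELinux context."""
    return ctx.split(":")[2]


def parse_avc_denials(log_text):
    """Yield (source_type, target_type, tclass, frozenset(perms)) for each denied AVC."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        src = context_type(m.group("scontext"))
        tgt = context_type(m.group("tcontext"))
        yield src, tgt, m.group("tclass"), frozenset(m.group("perms").split())


def build_te_module(log_text, name, version="1.0"):
    """Aggregate denials into one allow rule per (source, target, class) and emit a .te module."""
    rules = defaultdict(set)
    for src, tgt, tclass, perms in parse_avc_denials(log_text):
        rules[(src, tgt, tclass)] |= perms

    # The require block must declare every type and every class/permission used below.
    types = sorted({s for (s, _, _) in rules} | {t for (_, t, _) in rules})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass] |= perms

    lines = [f"module {name} {version};", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    lines += ["}", ""]
    for (src, tgt, tclass), perms in sorted(rules.items()):
        # A process acting on its own sockets or capabilities is written as "self".
        target = "self" if src == tgt else tgt
        lines.append(f"allow {src} {target}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_te_module(SAMPLE_AUDIT_LOG, "fail2ban-route"))
```

Write the output to `fail2ban-route.te` and build and load it the same way as the module in the thread: `checkmodule -M -m -o fail2ban-route.mod fail2ban-route.te`, then `semodule_package -o fail2ban-route.pp -m fail2ban-route.mod`, then `semodule -i fail2ban-route.pp`. Because the script grants exactly the permissions that were denied, run it only over the denials that belong to the action you are debugging and read the result before loading it; a rule such as `allow fail2ban_t self:capability net_admin` widens what a compromised fail2ban process may do, so it should be no broader than the `ip route` action actually requires.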