On Thu, Apr 17, 2008 at 1:37 PM, max bianco <maximilianbianco@xxxxxxxxx> wrote:
>
> On Thu, Apr 17, 2008 at 1:22 PM, max bianco <maximilianbianco@xxxxxxxxx> wrote:
> >
> > On Thu, Apr 17, 2008 at 11:25 AM, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
> > >
> > > -----BEGIN PGP SIGNED MESSAGE-----
> > > Hash: SHA1
> > >
> > > max bianco wrote:
> > > > On Wed, Apr 16, 2008 at 8:37 AM, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
> > > >> -----BEGIN PGP SIGNED MESSAGE-----
> > > >> Hash: SHA1
> > > >>
> > > >> max wrote:
> > > >> > Daniel J Walsh wrote:
> > > >> >> -----BEGIN PGP SIGNED MESSAGE-----
> > > >> >> Hash: SHA1
> > > >> >>
> > > >> >> max bianco wrote:
> > > >> >>> I recently installed fail2ban on my F8 box. I don't allow remote access to my box but it had been mentioned recently so I decided to test it out. I installed it a few days ago but didn't do anything with it till last night. I had forgotten about it but I was perusing log files and saw 21 AVCs related to it. I pulled up my services gui and sure enough it wasn't running. I tried to start it and got denied (it wouldn't start from a terminal at all, complaining that the service is unrecognized). No problem, I expected as much when I saw the AVCs in my log files, but I always try things more than once, so I tried to start it a second time, and this time and every time after it started without generating a denial. Is this because I manually started the service? That doesn't make sense because then it would have worked the first time as well, but it didn't. I see that there is a policy module for fail2ban, but if the module is in place then shouldn't it have run without issues? Why 21 AVCs and then it's working?
> > > >> >>>
> > > >> >>> I am learning my way around SELinux but I don't feel comfortable enough to troubleshoot this problem correctly, so where do I start?
> > > >> >>>
> > > >> >>> Max
> > > >> >>>
> > > >> >>> --
> > > >> >>> fedora-selinux-list mailing list
> > > >> >>> fedora-selinux-list@xxxxxxxxxx
> > > >> >>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> > > >> >>
> > > >> >> Was there a policy upgrade during this time? Problem might have been fixed.
> > > >> >>
> > > >> > The time between my first manual attempt to start fail2ban, which generated an SELinux denial, and the second, which started the service, was about 30 seconds. I checked the logs again today; this is a portion of the output from yesterday and today:
> > > >> >
> > > >> >> Apr 14 23:24:32 localhost setroubleshoot: [program.ERROR] setroubleshoot generated AVC, exiting to avoid recursion, context=system_u:system_r:setroubleshootd_t:s0, AVC scontext=system_u:system_r:setroubleshootd_t:s0
> > > >> >> Apr 14 23:24:32 localhost setroubleshoot: [program.ERROR] audit event#012host=localhost.localdomain type=AVC msg=audit(1208229871.594:256): avc: denied { write } for pid=2530 comm="setroubleshootd" name="rpm" dev=dm-0 ino=229382 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir#012#012host=localhost.localdomain type=SYSCALL msg=audit(1208229871.594:256): arch=c000003e syscall=21 success=no exit=-13 a0=eaf2f0 a1=2 a2=0 a3=0 items=0 ppid=1 pid=2530 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="setroubleshootd" exe="/usr/bin/python" subj=system_u:system_r:setroubleshootd_t:s0 key=(null)
> > > >> >> Apr 14 23:24:32 localhost setroubleshoot: [program.ERROR] setroubleshoot generated AVC, exiting to avoid recursion, context=system_u:system_r:setroubleshootd_t:s0, AVC scontext=system_u:system_r:setroubleshootd_t:s0
> > > >> >> Apr 14 23:24:32 localhost setroubleshoot: [program.ERROR] audit event#012host=localhost.localdomain type=AVC msg=audit(1208229871.595:257): avc: denied { write } for pid=2530 comm="setroubleshootd" name="rpm" dev=dm-0 ino=229382 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir#012#012host=localhost.localdomain type=SYSCALL msg=audit(1208229871.595:257): arch=c000003e syscall=21 success=no exit=-13 a0=d684a0 a1=2 a2=0 a3=0 items=0 ppid=1 pid=2530 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="setroubleshootd" exe="/usr/bin/python" subj=system_u:system_r:setroubleshootd_t:s0 key=(null)
> > > >> >> Apr 15 17:26:32 localhost setroubleshoot: SELinux is preventing fail2ban-server (fail2ban_t) "getattr" to / (security_t). For complete SELinux messages. run sealert -l fe77e9af-a0e1-442b-a176-08f2db381144
> > > >> >> Apr 15 17:26:36 localhost setroubleshoot: SELinux is preventing fail2ban-server (fail2ban_t) "read" to ./config (selinux_config_t). For complete SELinux messages. run sealert -l 99f22448-5c31-4a6f-8f55-02f7404fba5d
> > > >> >> Apr 15 17:26:36 localhost setroubleshoot: SELinux is preventing fail2ban-server (fail2ban_t) "search" to / (security_t). For complete SELinux messages. run sealert -l 85b915f3-5a0b-4a2b-9bf1-c3a88bdd5951
> > > >> >> Apr 15 17:26:36 localhost setroubleshoot: SELinux is preventing fail2ban-server (fail2ban_t) "search" to / (security_t). For complete SELinux messages. run sealert -l 85b915f3-5a0b-4a2b-9bf1-c3a88bdd5951
> > > >> >> Apr 15 17:26:37 localhost setroubleshoot: [program.ERROR] setroubleshoot generated AVC, exiting to avoid recursion, context=system_u:system_r:setroubleshootd_t:s0, AVC scontext=system_u:system_r:setroubleshootd_t:s0
> > > >> >> Apr 15 17:26:37 localhost setroubleshoot: SELinux is preventing iptables (iptables_t) "read write" to socket (fail2ban_t). For complete SELinux messages. run sealert -l 6cb9955a-b9cf-470c-87d1-e72bfa4b1fe2
> > > >> >> Apr 15 17:26:37 localhost setroubleshoot: [program.ERROR] audit event#012host=localhost.localdomain type=AVC msg=audit(1208294790.920:161): avc: denied { write } for pid=2506 comm="setroubleshootd" name="rpm" dev=dm-0 ino=229382 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=dir#012#012host=localhost.localdomain type=SYSCALL msg=audit(1208294790.920:161): arch=c000003e syscall=21 success=no exit=-13 a0=dbf500 a1=2 a2=0 a3=0 items=0 ppid=1 pid=2506 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="setroubleshootd" exe="/usr/bin/python" subj=system_u:system_r:setroubleshootd_t:s0 key=(null)
> > > >> >
> > > >> > At this point fail2ban reports it is running. That is only a small portion of what is generated but maybe it can give you an idea. Subsequently SETroubleshoot crashes; specifically it says: connection lost /var/run/setroubleshoot/setroubleshoot_server. The other thing is that I stopped the fail2ban service and rebooted but SETroubleshoot is still crashing; it will generate an AVC when I try to run it, then all the output is lost before I can read the AVC. As I have been flipping back and forth typing this, checking logs, restarting SETroubleshoot (about six or seven times now), SETroubleshoot is now up and running like nothing happened. Now that SETroubleshoot is running I expected to find additional AVCs from today but the last one is from yesterday concerning fail2ban. The Alert Count should show 22 not 21 like it does (if we count the one I got the first time I tried to start fail2ban manually).
> > > >> >
> > > >> > This is the AVC I was getting from fail2ban before all this ....stuff went haywire on me.
> > > >> >
> > > >> > Summary:
> > > >> >
> > > >> > SELinux is preventing fail2ban-server (fail2ban_t) "connectto" to 002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (rpm_t).
> > > >> >
> > > >> > Detailed Description:
> > > >> >
> > > >> > SELinux denied access requested by fail2ban-server. It is not expected that this access is required by fail2ban-server and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
> > > >> >
> > > >> > Allowing Access:
> > > >> >
> > > >> > You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
> > > >> >
> > > >> > Additional Information:
> > > >> >
> > > >> > Source Context                system_u:system_r:fail2ban_t:s0
> > > >> > Target Context                system_u:system_r:rpm_t:s0
> > > >> > Target Objects                002F746D702F66616D2D726F6F742D00000000000000000000
> > > >> >                               00000000000000000000000000000000000000000000000000
> > > >> >                               00000000000000000000000000000000000000000000000000
> > > >> >                               00000000000000000000000000000000000000000000000000
> > > >> >                               0000000000000000 [ unix_stream_socket ]
> > > >> > Source                        fail2ban-server
> > > >> > Source Path                   /usr/bin/python
> > > >> > Port                          <Unknown>
> > > >> > Host                          localhost.localdomain
> > > >> > Source RPM Packages           python-2.5.1-15.fc8
> > > >> > Target RPM Packages
> > > >> > Policy RPM                    selinux-policy-3.0.8-95.fc8
> > > >> > Selinux Enabled               True
> > > >> > Policy Type                   targeted
> > > >> > MLS Enabled                   True
> > > >> > Enforcing Mode                Enforcing
> > > >> > Plugin Name                   catchall
> > > >> > Host Name                     localhost.localdomain
> > > >> > Platform                      Linux localhost.localdomain 2.6.24.4-64.fc8 #1 SMP Sat Mar 29 09:15:49 EDT 2008 x86_64 x86_64
> > > >> > Alert Count                   21
> > > >> > First Seen                    Mon 14 Apr 2008 10:38:42 PM EDT
> > > >> > Last Seen                     Mon 14 Apr 2008 10:38:43 PM EDT
> > > >> > Local ID                      13bee4e4-ca74-488b-a4df-15f5bf78987f
> > > >> > Line Numbers
> > > >> >
> > > >> > Raw Audit Messages
> > > >> >
> > > >> > host=localhost.localdomain type=AVC msg=audit(1208227123.34:107): avc: denied { connectto } for pid=6314 comm="fail2ban-server" path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket
> > > >> >
> > > >> > host=localhost.localdomain type=SYSCALL msg=audit(1208227123.34:107): arch=c000003e syscall=42 success=no exit=-13 a0=6 a1=7fffe5116700 a2=6e a3=0 items=0 ppid=1 pid=6314 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python" subj=system_u:system_r:fail2ban_t:s0 key=(null)
> > > >> >
> > > >> > Now that I have SETroubleshoot running I tried the sealert command suggested in the log files:
> > > >> >
> > > >> > [root@localhost log]# sealert -l 6cb9955a-b9cf-470c-87d1-e72bfa4b1fe2
> > > >> > failed to connect to server: Connection refused
> > > >> > [root@localhost log]# sealert -l 6cb9955a-b9cf-470c-87d1-e72bfa4b1fe2
> > > >> > query_alerts error (1003): id (6cb9955a-b9cf-470c-87d1-e72bfa4b1fe2) not found
> > > >> >
> > > >> > Ran it twice, second time it worked. I hope I'm not confusing anyone; I'll repost the order of events if need be. I hesitate to file a bug when it could just be me making rookie mistakes. I will try to reproduce again tomorrow on this box and my other F8 to see what I can see, but if you have any advice it would be gratefully received.
> > > >> >
> > > >> > Max
> > > >> >
> > > >> Please send me your /var/log/audit/audit.log
> > > >>
> > > >> -----BEGIN PGP SIGNATURE-----
> > > >> Version: GnuPG v1.4.9 (GNU/Linux)
> > > >> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
> > > >>
> > > >> iEYEARECAAYFAkgF8xsACgkQrlYvE4MpobN1owCdEbzCCIj7piE2fFt+PgK/nnEW
> > > >> GtgAnRk1OXQzWbBAelxUsa5xR/P5QX6c
> > > >> =ayhr
> > > >> -----END PGP SIGNATURE-----
> > > >>
> > > > Looks like several drafts of my mail hit the list, sorry about that, but I had to revise once setroubleshoot started working. Strange, I'll have to look into it later, or maybe it's just gmail or thunderbird (time to fire up wireshark!!). Anyway I'll send the audit.log from that box once I get back to it.
> > > >
> > > > Different F8 box (i686), installed fail2ban, started service and generated AVC (almost identical) but SETroubleshoot doesn't crash like it does on the x86_64 box, at least not so far. All of the following is from the i686 box; a portion of audit.log follows this AVC:
> > > >
> > > > Summary:
> > > >
> > > > SELinux is preventing fail2ban-server (fail2ban_t) "connectto" to 002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (rpm_t).
> > > >
> > > > Detailed Description:
> > > >
> > > > SELinux denied access requested by fail2ban-server. It is not expected that this access is required by fail2ban-server and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
> > > >
> > > > Allowing Access:
> > > >
> > > > You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
> > > >
> > > > Additional Information:
> > > >
> > > > Source Context                system_u:system_r:fail2ban_t
> > > > Target Context                system_u:system_r:rpm_t
> > > > Target Objects                002F746D702F66616D2D726F6F742D00000000000000000000
> > > >                               00000000000000000000000000000000000000000000000000
> > > >                               00000000000000000000000000000000000000000000000000
> > > >                               00000000000000000000000000000000000000000000000000
> > > >                               0000000000000000 [ unix_stream_socket ]
> > > > Source                        fail2ban-server
> > > > Source Path                   /usr/bin/python
> > > > Port                          <Unknown>
> > > > Host                          localhost.localdomain
> > > > Source RPM Packages           python-2.5.1-15.fc8
> > > > Target RPM Packages
> > > > Policy RPM                    selinux-policy-3.0.8-95.fc8
> > > > Selinux Enabled               True
> > > > Policy Type                   targeted
> > > > MLS Enabled                   True
> > > > Enforcing Mode                Enforcing
> > > > Plugin Name                   catchall
> > > > Host Name                     localhost.localdomain
> > > > Platform                      Linux localhost.localdomain 2.6.24.4-64.fc8 #1 SMP Sat Mar 29 09:54:46 EDT 2008 i686 athlon
> > > > Alert Count                   26
> > > > First Seen                    Wed 16 Apr 2008 08:39:06 AM EDT
> > > > Last Seen                     Wed 16 Apr 2008 08:39:08 AM EDT
> > > > Local ID                      ede0cda2-138a-4222-936b-289297d95cee
> > > > Line Numbers
> > > >
> > > > Raw Audit Messages
> > > >
> > > > host=localhost.localdomain type=AVC msg=audit(1208349548.205:47): avc: denied { connectto } for pid=3045 comm="fail2ban-server" path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket
> > > >
> > > > host=localhost.localdomain type=SYSCALL msg=audit(1208349548.205:47): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0 ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python" subj=system_u:system_r:fail2ban_t:s0 key=(null)
> > > >
> > > > I am posting a portion of the audit.log relating to fail2ban as the entire log is quite large. If you want the whole thing unedited then I will attach it. I think this should be more than enough; I didn't parse it, just a simple copy and paste. I don't know what you may or may not find relevant here so it goes from a couple of entries before fail2ban is mentioned and a few after the last mention of fail2ban. Most of the entries look identical and end in key=(null); maybe I could just dismiss it, but I take all the AVCs seriously until I know better:
> > > >
> > > > type=USER_START msg=audit(1208349505.423:21): user pid=2891 uid=500 auid=500 subj=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_open acct=root exe="/usr/sbin/userhelper" (hostname=?, addr=?, terminal=? res=success)'
> > > > type=AVC msg=audit(1208349546.967:22): avc: denied { connectto } for pid=3045 comm="fail2ban-server" path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket
> > > > type=SYSCALL msg=audit(1208349546.967:22): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0 ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python" subj=system_u:system_r:fail2ban_t:s0 key=(null)
> > > > type=AVC msg=audit(1208349546.976:23): avc: denied { connectto } for pid=3045 comm="fail2ban-server" path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket
> > > > type=SYSCALL msg=audit(1208349546.976:23): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0 ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python" subj=system_u:system_r:fail2ban_t:s0 key=(null)
> > > > type=AVC msg=audit(1208349547.028:24): avc: denied { connectto } for pid=3045 comm="fail2ban-server" path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket
> > > > type=SYSCALL msg=audit(1208349547.028:24): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0 ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python" subj=system_u:system_r:fail2ban_t:s0 key=(null)
> > > > type=AVC msg=audit(1208349547.080:25): avc: denied { connectto } for pid=3045 comm="fail2ban-server" path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket
> > > > type=SYSCALL msg=audit(1208349547.080:25): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0 ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python" subj=system_u:system_r:fail2ban_t:s0 key=(null)
> > > > type=AVC msg=audit(1208349547.132:26): avc: denied { connectto } for pid=3045 comm="fail2ban-server" path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket
> > > > type=SYSCALL msg=audit(1208349547.132:26): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0 ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python" subj=system_u:system_r:fail2ban_t:s0 key=(null)
> > > > type=AVC msg=audit(1208349547.184:27): avc: denied { connectto } for pid=3045 comm="fail2ban-server" path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket
> > > > type=SYSCALL msg=audit(1208349547.184:27): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0 ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python" subj=system_u:system_r:fail2ban_t:s0 key=(null)
> > > > type=AVC msg=audit(1208349547.236:28): avc: denied { connectto } for pid=3045 comm="fail2ban-server" path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket
> > > > type=SYSCALL msg=audit(1208349547.236:28): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0 ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python" subj=system_u:system_r:fail2ban_t:s0 key=(null)
> > > > type=AVC msg=audit(1208349547.288:29): avc: denied { connectto } for pid=3045 comm="fail2ban-server" path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket
> > > > type=SYSCALL msg=audit(1208349547.288:29): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0 ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python" subj=system_u:system_r:fail2ban_t:s0 key=(null)
> > > > type=AVC msg=audit(1208349547.341:30): avc: denied { connectto } for pid=3045 comm="fail2ban-server" path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket
> > > > type=SYSCALL msg=audit(1208349547.341:30): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0 ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python" subj=system_u:system_r:fail2ban_t:s0 key=(null)
> > > > type=AVC msg=audit(1208349547.393:31): avc: denied { connectto } for pid=3045 comm="fail2ban-server" path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket
> > > > type=SYSCALL msg=audit(1208349547.393:31): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0 ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python" subj=system_u:system_r:fail2ban_t:s0 key=(null)
> > > > type=AVC msg=audit(1208349547.445:32): avc: denied { connectto } for pid=3045 comm="fail2ban-server" path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket
> > > > type=SYSCALL msg=audit(1208349547.445:32): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0 ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python" subj=system_u:system_r:fail2ban_t:s0 key=(null)
> > > > type=AVC msg=audit(1208349547.497:33): avc: denied { connectto } for pid=3045 comm="fail2ban-server" path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket
> > > > type=SYSCALL msg=audit(1208349547.497:33): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0 ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python" subj=system_u:system_r:fail2ban_t:s0 key=(null)
> > > > type=AVC msg=audit(1208349547.549:34): avc: denied { connectto } for pid=3045 comm="fail2ban-server" path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket
> > > > type=SYSCALL msg=audit(1208349547.549:34): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0 ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python" subj=system_u:system_r:fail2ban_t:s0 key=(null)
> > > > type=AVC msg=audit(1208349547.601:35): avc: denied { connectto } for pid=3045 comm="fail2ban-server" path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket
> > > > type=SYSCALL msg=audit(1208349547.601:35): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0 ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python" subj=system_u:system_r:fail2ban_t:s0 key=(null)
> > > > type=AVC msg=audit(1208349547.651:36): avc: denied { connectto } for pid=3045 comm="fail2ban-server" path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket
> > > > type=SYSCALL msg=audit(1208349547.651:36): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0 ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python" subj=system_u:system_r:fail2ban_t:s0 key=(null)
> > > > type=AVC msg=audit(1208349547.702:37): avc: denied { connectto } for pid=3045 comm="fail2ban-server" path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket
> > > > type=SYSCALL msg=audit(1208349547.702:37): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0 ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python" subj=system_u:system_r:fail2ban_t:s0 key=(null)
> > > > type=AVC msg=audit(1208349547.752:38): avc: denied { connectto } for pid=3045 comm="fail2ban-server" path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket
> > > > type=SYSCALL msg=audit(1208349547.752:38): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0 ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python" subj=system_u:system_r:fail2ban_t:s0 key=(null)
> > > > type=AVC msg=audit(1208349547.803:39): avc: denied { connectto } for pid=3045 comm="fail2ban-server" path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket
> > > > type=SYSCALL msg=audit(1208349547.803:39): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0 ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python" subj=system_u:system_r:fail2ban_t:s0 key=(null)
> > > > type=AVC msg=audit(1208349547.853:40): avc: denied { connectto } for pid=3045 comm="fail2ban-server" path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket
> > > > type=SYSCALL msg=audit(1208349547.853:40): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0 ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python" subj=system_u:system_r:fail2ban_t:s0 key=(null)
> > > > type=AVC msg=audit(1208349547.904:41): avc: denied { connectto } for pid=3045 comm="fail2ban-server" path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket
> > > > type=SYSCALL msg=audit(1208349547.904:41): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0 ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python" subj=system_u:system_r:fail2ban_t:s0 key=(null)
> > > > type=AVC msg=audit(1208349547.954:42): avc: denied { connectto } for pid=3045 comm="fail2ban-server" path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket
> > > > type=SYSCALL msg=audit(1208349547.954:42): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0 ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python" subj=system_u:system_r:fail2ban_t:s0
key=(null) > > > > type=AVC msg=audit(1208349548.004:43): avc: denied { connectto } for > > > > pid=3045 comm="fail2ban-server" > > > > path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 > > > > scontext=system_u:system_r:fail2ban_t:s0 > > > > tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket > > > > type=SYSCALL msg=audit(1208349548.004:43): arch=40000003 syscall=102 > > > > success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0 > > > > ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 > > > > sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python" > > > > subj=system_u:system_r:fail2ban_t:s0 key=(null) > > > > type=AVC msg=audit(1208349548.054:44): avc: denied { connectto } for > > > > pid=3045 comm="fail2ban-server" > > > > path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 > > > > scontext=system_u:system_r:fail2ban_t:s0 > > > > tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket > > > > type=SYSCALL msg=audit(1208349548.054:44): arch=40000003 syscall=102 > > > > success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0 > > > > ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 > > > > sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python" > > > > subj=system_u:system_r:fail2ban_t:s0 key=(null) > > > > type=AVC msg=audit(1208349548.105:45): avc: denied { connectto } for > > > > pid=3045 comm="fail2ban-server" > > > > 
path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 > > > > scontext=system_u:system_r:fail2ban_t:s0 > > > > tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket > > > > type=SYSCALL msg=audit(1208349548.105:45): arch=40000003 syscall=102 > > > > success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0 > > > > ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 > > > > sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python" > > > > subj=system_u:system_r:fail2ban_t:s0 key=(null) > > > > type=AVC msg=audit(1208349548.155:46): avc: denied { connectto } for > > > > pid=3045 comm="fail2ban-server" > > > > path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 > > > > scontext=system_u:system_r:fail2ban_t:s0 > > > > tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket > > > > type=SYSCALL msg=audit(1208349548.155:46): arch=40000003 syscall=102 > > > > success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0 > > > > ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 > > > > sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python" > > > > subj=system_u:system_r:fail2ban_t:s0 key=(null) > > > > type=AVC msg=audit(1208349548.205:47): avc: denied { connectto } for > > > > pid=3045 comm="fail2ban-server" > > > > path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 > > > > scontext=system_u:system_r:fail2ban_t:s0 > > > > tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket > > 
> > type=SYSCALL msg=audit(1208349548.205:47): arch=40000003 syscall=102 > > > > success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0 > > > > ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 > > > > sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python" > > > > subj=system_u:system_r:fail2ban_t:s0 key=(null) > > > > type=USER_AUTH msg=audit(1208350171.618:48): user pid=3098 uid=500 > > > > auid=500 subj=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023 > > > > msg='op=PAM:authentication acct=root exe="/usr/sbin/userhelper" > > > > (hostname=?, addr=?, terminal=? res=success)' > > > > type=USER_ACCT msg=audit(1208350171.620:49): user pid=3098 uid=500 > > > > auid=500 subj=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023 > > > > msg='op=PAM:accounting acct=root exe="/usr/sbin/userhelper" > > > > (hostname=?, addr=?, terminal=? res=success)' > > > > type=USER_START msg=audit(1208350171.650:50): user pid=3098 uid=500 > > > > auid=500 subj=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023 > > > > msg='op=PAM:session_open acct=root exe="/usr/sbin/userhelper" > > > > (hostname=?, addr=?, terminal=? 
res=success)' > > > > type=USER_AUTH msg=audit(1208350461.693:51): user pid=3142 uid=500 > > > > auid=500 subj=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023 > > > > msg='op=PAM:authentication acct=root exe="/bin/su" (hostname=?, > > > > addr=?, terminal=pts/1 res=success)' > > > > type=USER_ACCT msg=audit(1208350461.697:52): user pid=3142 uid=500 > > > > auid=500 subj=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023 > > > > msg='op=PAM:accounting acct=root exe="/bin/su" (hostname=?, addr=?, > > > > terminal=pts/1 res=success)' > > > > type=USER_START msg=audit(1208350461.711:53): user pid=3142 uid=500 > > > > auid=500 subj=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023 > > > > msg='op=PAM:session_open acct=root exe="/bin/su" (hostname=?, addr=?, > > > > terminal=pts/1 res=success)' > > > > > > > > Thanks for the help, > > > > > > > This is either a leaked file descriptor or gam_server running as rpm_t. > > > > > > ps -eZ | grep rpm_t > > > > > > failtoban should not be trying to communicate with a service running > > > rpm_t. If you find gam_server running as rpm_t kill it and fail2ban > > > should work. > > > > > > > > [root@localhost ~]# ps -eZ | grep rpm_t > > system_u:system_r:rpm_t 2585 ? 00:00:00 yum-updatesd > > system_u:system_r:rpm_t 2587 ? 00:00:00 gam_server > > > > I'll kill the gam_server as you suggest. I will try same on x86_64 box > > to see if its the same problem. If its not then i will post the > > audit.log from it that I promised yesterday. Either way I'll post back > > once i get in front of other f8 box. > > > > Thanks again, > > > > Max > > > I'm not in front of the other box yet but I killed the other instance > of gam_server and reran the command. > > [root@localhost ~]# ps -eZ | grep rpm_t > system_u:system_r:rpm_t 2585 ? 00:00:00 yum-updatesd > system_u:system_r:rpm_t 4074 ? 00:00:00 gam_server > > it came back right away so I killed it again and rechecked several > times and now it appears to have finally died. 
> [root@localhost ~]# kill 4074
>
> [root@localhost ~]# ps -eZ | grep rpm_t
> system_u:system_r:rpm_t 2585 ? 00:00:00 yum-updatesd
>
> Max
>

Gmail is buggy for some reason. I'll try and keep this coherent.

On the i686 box, after I found and killed gam_server (I had to do it twice for it to stay dead) I then got a couple more AVC's (posting AVC's; observations follow):

SELinux is preventing iptables (iptables_t) "read write" to socket (fail2ban_t).

Detailed Description:

SELinux denied access requested by iptables. It is not expected that this access is required by iptables and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                system_u:system_r:iptables_t
Target Context                system_u:system_r:fail2ban_t
Target Objects                socket [ unix_stream_socket ]
Source                        iptables
Source Path                   /sbin/iptables
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           iptables-1.3.8-6.fc8
Target RPM Packages
Policy RPM                    selinux-policy-3.0.8-95.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.24.4-64.fc8 #1 SMP Sat Mar 29 09:54:46 EDT 2008 i686 athlon
Alert Count                   12
First Seen                    Thu 17 Apr 2008 01:47:41 PM EDT
Last Seen                     Thu 17 Apr 2008 02:19:47 PM EDT
Local ID                      b0d85376-fbd1-48a7-8dff-65a0ff3c4148
Line Numbers

Raw Audit Messages

host=localhost.localdomain type=AVC msg=audit(1208456387.335:77): avc: denied { read write } for pid=4622 comm="iptables" path="socket:[35210]" dev=sockfs ino=35210 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket
host=localhost.localdomain type=AVC msg=audit(1208456387.335:77): avc: denied { read write } for pid=4622 comm="iptables" path="socket:[35227]" dev=sockfs ino=35227 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket
host=localhost.localdomain type=AVC msg=audit(1208456387.335:77): avc: denied { read write } for pid=4622 comm="iptables" path="socket:[35683]" dev=sockfs ino=35683 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket
host=localhost.localdomain type=SYSCALL msg=audit(1208456387.335:77): arch=40000003 syscall=11 success=yes exit=0 a0=9a5af50 a1=9a5a998 a2=9a5afa8 a3=40 items=0 ppid=4571 pid=4622 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="iptables" exe="/sbin/iptables" subj=system_u:system_r:iptables_t:s0 key=(null)

Ok. That one is about iptables.

As soon as I started fail2ban, the log showed 3 AVC's as above. Stop fail2ban and three more were generated. Did it twice to see if it was consistent. Started fail2ban twice; each time I started it generated 3 AVC's as above, same when I stopped it, 3 AVC's generated per instance. So 12 total. When I stopped fail2ban, within a couple of minutes (can't be more exact, didn't have a stop watch) I saw a new AVC (only after it stops; observations follow the AVC):

Summary:

SELinux is preventing gam_server (fail2ban_t) "getattr" to / (fs_t).

Detailed Description:

SELinux denied access requested by gam_server. It is not expected that this access is required by gam_server and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                system_u:system_r:fail2ban_t
Target Context                system_u:object_r:fs_t
Target Objects                / [ filesystem ]
Source                        gam_server
Source Path                   <Unknown>
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages
Target RPM Packages           filesystem-2.4.11-1.fc8
Policy RPM                    selinux-policy-3.0.8-95.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.24.4-64.fc8 #1 SMP Sat Mar 29 09:54:46 EDT 2008 i686 athlon
Alert Count                   2
First Seen                    Thu 17 Apr 2008 01:52:02 PM EDT
Last Seen                     Thu 17 Apr 2008 02:20:17 PM EDT
Local ID                      9ce8514d-7677-4bb5-a59d-f70c8e8c755f
Line Numbers

Raw Audit Messages

host=localhost.localdomain type=AVC msg=audit(1208456417.400:78): avc: denied { getattr } for pid=4573 comm="gam_server" name="/" dev=dm-0 ino=2 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem

Ok. After I stop fail2ban I get one instance of this AVC related to gam_server. I started and stopped fail2ban twice, so two AVC's related to gam_server, one after each time I stop fail2ban. No, I don't think anyone is stupid, just being clear for my sake and yours. Also ran:

ps -eZ | grep rpm_t

gam_server still dead. That was on the i686 box.

BTW, had to kill gam_server twice on the x86_64 box for it to stay dead, same as on i686. The x86_64 box is the same for the iptables AVC. Same ratio, 3 AVC's generated when starting fail2ban and 3 AVC's when stopping fail2ban. The difference is that the AVC generated after you stop fail2ban is related to sendmail (observations follow the AVC):

Summary:

SELinux is preventing sendmail (system_mail_t) "read write" to socket (fail2ban_t).

Detailed Description:

SELinux denied access requested by sendmail. It is not expected that this access is required by sendmail and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                system_u:system_r:system_mail_t:s0
Target Context                system_u:system_r:fail2ban_t:s0
Target Objects                socket [ unix_stream_socket ]
Source                        sendmail
Source Path                   /usr/sbin/sendmail.sendmail
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           sendmail-8.14.2-1.fc8
Target RPM Packages
Policy RPM                    selinux-policy-3.0.8-95.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.24.4-64.fc8 #1 SMP Sat Mar 29 09:15:49 EDT 2008 x86_64 x86_64
Alert Count                   2
First Seen                    Thu 17 Apr 2008 08:28:37 PM EDT
Last Seen                     Thu 17 Apr 2008 08:30:34 PM EDT
Local ID                      10c3cca0-4bc2-4fcf-845a-0b0cc2793482
Line Numbers

Raw Audit Messages

host=localhost.localdomain type=AVC msg=audit(1208478634.133:31): avc: denied { read write } for pid=3345 comm="sendmail" path="socket:[22805]" dev=sockfs ino=22805 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket
host=localhost.localdomain type=AVC msg=audit(1208478634.133:31): avc: denied { read write } for pid=3345 comm="sendmail" path="socket:[22823]" dev=sockfs ino=22823 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket
host=localhost.localdomain type=AVC msg=audit(1208478634.133:31): avc: denied { read write } for pid=3345 comm="sendmail" path="socket:[23071]" dev=sockfs ino=23071 scontext=system_u:system_r:system_mail_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket
host=localhost.localdomain type=SYSCALL msg=audit(1208478634.133:31): arch=c000003e syscall=59 success=yes exit=0 a0=8c9860 a1=8c98a0 a2=8c96f0 a3=37e81529f0 items=0 ppid=3343 pid=3345 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=51 sgid=51 fsgid=51 tty=(none) comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=system_u:system_r:system_mail_t:s0 key=(null)

Checked processes on x86_64; no sendmail was or is running. The service isn't usually running and isn't now. Looks like a policy bug or both boxes have been tampered with, you tell me; Sulphur is here so they will get nuked soon enough. The sendmail bug may explain the strange behavior I have seen out of Thunderbird and Gmail, but the sendmail AVC is only generated on the x86_64 box, which incidentally is where I saw weird behavior out of Thunderbird, but that may be a separate issue. I don't think there is enough evidence yet to make that conclusion despite my feeling that it is related; I'll just have to keep my eyes peeled. I would file a bug report but I'd like to understand this first so I might suggest, even if I can't code, a fix, but if you have to explain it ...the bug would end up being read by someone that subscribes to this list so.....let me know, I will file it if you ask me to. If logs, etc. are needed I will supply them, but if it's a genuine bug it should be easily reproducible in under 30 minutes. I checked for processes running as fs_t and system_mail_t before, during, and after starting/stopping fail2ban on the x86_64 box; I don't see anything. I feel like I am forgetting something; anyway, let me know about the bug report or if you want more logs etc...

Thanks,

Max

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
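An added example, not part of the thread: a small Python audit-record parser that pairs each AVC with the SYSCALL record sharing its serial number and separates the two situations the thread shows, a syscall that really failed (success=no, the fail2ban_t connectto to rpm_t) from the "leaked file descriptor" case, where an execve succeeded (success=yes, syscall 11 on i386 or 59 on x86_64) while the new domain was refused read/write on sockets it inherited, as in the iptables and sendmail alerts above. The sample records are constructed from the shapes quoted in the thread, with fields abridged.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the shape of the records quoted in the thread; field
# values are abridged and the long abstract-socket path is cut short on purpose.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1208349547.752:38): avc: denied { connectto } for pid=3045 comm="fail2ban-server" path=002F746D702F66616D2D726F6F742D scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1208349547.752:38): arch=40000003 syscall=102 success=no exit=-13 pid=3045 comm="fail2ban-server" exe="/usr/bin/python" subj=system_u:system_r:fail2ban_t:s0 key=(null)
type=AVC msg=audit(1208349547.803:39): avc: denied { connectto } for pid=3045 comm="fail2ban-server" path=002F746D702F66616D2D726F6F742D scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1208349547.803:39): arch=40000003 syscall=102 success=no exit=-13 pid=3045 comm="fail2ban-server" exe="/usr/bin/python" subj=system_u:system_r:fail2ban_t:s0 key=(null)
type=AVC msg=audit(1208456387.335:77): avc: denied { read write } for pid=4622 comm="iptables" path="socket:[35210]" dev=sockfs ino=35210 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1208456387.335:77): avc: denied { read write } for pid=4622 comm="iptables" path="socket:[35227]" dev=sockfs ino=35227 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1208456387.335:77): arch=40000003 syscall=11 success=yes exit=0 ppid=4571 pid=4622 comm="iptables" exe="/sbin/iptables" subj=system_u:system_r:iptables_t:s0 key=(null)
type=AVC msg=audit(1208456417.400:78): avc: denied { getattr } for pid=4573 comm="gam_server" name="/" dev=dm-0 ino=2 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
"""

AVC_RE = re.compile(r'type=AVC msg=audit\([\d.]+:(?P<serial>\d+)\): avc: +denied +\{ (?P<perms>[^}]+)\} for (?P<rest>.*)')
SYSCALL_RE = re.compile(r'type=SYSCALL msg=audit\([\d.]+:(?P<serial>\d+)\): (?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# execve numbers for the two arch values seen in the thread (i386 and x86_64)
EXECVE = {('40000003', '11'), ('c000003e', '59')}

def fields_of(text):
    return {k: v.strip('"') for k, v in FIELD_RE.findall(text)}

def type_of(ctx):
    """user:role:type[:range] -> type, the part that names the domain."""
    parts = ctx.split(':')
    return parts[2] if len(parts) > 2 else ctx

def parse_audit(text):
    """Group AVC records with the SYSCALL record that shares their serial."""
    events = defaultdict(lambda: {'avcs': [], 'syscall': None})
    for line in text.splitlines():
        m = AVC_RE.match(line)
        if m:
            f = fields_of(m.group('rest'))
            events[int(m.group('serial'))]['avcs'].append({
                'perms': ' '.join(sorted(m.group('perms').split())),
                'source': type_of(f.get('scontext', '')),
                'target': type_of(f.get('tcontext', '')),
                'tclass': f.get('tclass')})
            continue
        m = SYSCALL_RE.match(line)
        if m:
            events[int(m.group('serial'))]['syscall'] = fields_of(m.group('rest'))
    return dict(events)

def classify(event):
    """Tell a real denial from a descriptor revoked when a new domain is entered."""
    sc = event['syscall'] or {}
    if sc.get('success') == 'yes' and (sc.get('arch'), sc.get('syscall')) in EXECVE:
        # execve succeeded: the kernel closed inherited fds the new domain may
        # not use, the "leaked file descriptor" case (fail2ban_t -> iptables_t)
        return 'inherited-fd-at-exec'
    if sc.get('success') == 'no':
        return 'denied'        # the syscall itself failed (connectto to rpm_t)
    return 'unknown'           # no SYSCALL record paired with this serial

def summarize(text):
    """Count denials by (source domain, target, class, perms, kind)."""
    counts = Counter()
    for ev in parse_audit(text).values():
        kind = classify(ev)
        for a in ev['avcs']:
            counts[(a['source'], a['target'], a['tclass'], a['perms'], kind)] += 1
    return counts
```

Running `summarize` over a real `/var/log/audit/audit.log` gives the same kind of per-domain tally that Max counted by hand (3 per start, 3 per stop), with the exec-time revocations separated from denials that actually broke a call.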