-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

max bianco wrote:
> On Thu, Apr 17, 2008 at 1:37 PM, max bianco <maximilianbianco@xxxxxxxxx> wrote:
>> On Thu, Apr 17, 2008 at 1:22 PM, max bianco <maximilianbianco@xxxxxxxxx> wrote:
>> >
>> > On Thu, Apr 17, 2008 at 11:25 AM, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
>> > >
>> > > -----BEGIN PGP SIGNED MESSAGE-----
>> > > Hash: SHA1
>> > >
>> > > max bianco wrote:
>> > > > On Wed, Apr 16, 2008 at 8:37 AM, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
>> > > >> -----BEGIN PGP SIGNED MESSAGE-----
>> > > >> Hash: SHA1
>> > > >>
>> > > >> max wrote:
>> > > >> > Daniel J Walsh wrote:
>> > > >> >> -----BEGIN PGP SIGNED MESSAGE-----
>> > > >> >> Hash: SHA1
>> > > >> >>
>> > > >> >> max bianco wrote:
>> > > >> >>> I recently installed fail2ban on my F8 box. I don't allow remote
>> > > >> >>> access to my box but it had been mentioned recently so I decided to
>> > > >> >>> test it out. I installed it a few days ago but didn't do anything with
>> > > >> >>> it till last night. I had forgotten about it but I was perusing log
>> > > >> >>> files and saw 21 AVC's related to it. I pulled up my services gui
>> > > >> >>> and sure enough it wasn't running. I tried to start it and got
>> > > >> >>> denied (it wouldn't start from a terminal at all, complaining that the
>> > > >> >>> service is unrecognized). No problem, I expected as much when I saw
>> > > >> >>> the AVC's in my log files but I always try things more than once so I
>> > > >> >>> tried to start it a second time and this time and every time after it
>> > > >> >>> started without generating a denial. Is this because I manually
>> > > >> >>> started the service? That doesn't make sense because then it would
>> > > >> >>> have worked the first time as well but it didn't. I see that there is
>> > > >> >>> a policy module for fail2ban but if the module is in place then
>> > > >> >>> shouldn't it have run without issues?
>> > > >> >>> Why 21 AVC's and then it's
>> > > >> >>> working? I am learning my way around SELinux but I don't feel
>> > > >> >>> comfortable enough to troubleshoot this problem correctly, so where do
>> > > >> >>> I start?
>> > > >> >>>
>> > > >> >>> Max
>> > > >> >>>
>> > > >> >>> --
>> > > >> >>> fedora-selinux-list mailing list
>> > > >> >>> fedora-selinux-list@xxxxxxxxxx
>> > > >> >>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>> > > >> >> Was there a policy upgrade during this time? Problem might have been
>> > > >> >> fixed.
>> > > >> >>
>> > > >> > The time between my first manual attempt to start fail2ban, which
>> > > >> > generated an SELinux Denial, and the second, which started the service,
>> > > >> > was about 30 seconds. I checked the logs again today; this is a portion
>> > > >> > of the output from yesterday and today:
>> > > >> >
>> > > >> >> Apr 14 23:24:32 localhost setroubleshoot: [program.ERROR]
>> > > >> >> setroubleshoot generated AVC, exiting to avoid recursion,
>> > > >> >> context=system_u:system_r:setroubleshootd_t:s0, AVC
>> > > >> >> scontext=system_u:system_r:setroubleshootd_t:s0
>> > > >> >> Apr 14 23:24:32 localhost setroubleshoot: [program.ERROR] audit
>> > > >> >> event#012host=localhost.localdomain type=AVC
>> > > >> >> msg=audit(1208229871.594:256): avc: denied { write } for pid=2530
>> > > >> >> comm="setroubleshootd" name="rpm" dev=dm-0 ino=229382
>> > > >> >> scontext=system_u:system_r:setroubleshootd_t:s0
>> > > >> >> tcontext=system_u:object_r:rpm_var_lib_t:s0
>> > > >> >> tclass=dir#012#012host=localhost.localdomain type=SYSCALL
>> > > >> >> msg=audit(1208229871.594:256): arch=c000003e syscall=21 success=no
>> > > >> >> exit=-13 a0=eaf2f0 a1=2 a2=0 a3=0 items=0 ppid=1 pid=2530
>> > > >> >> auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
>> > > >> >> fsgid=0 tty=(none) comm="setroubleshootd" exe="/usr/bin/python"
>> > > >> >> subj=system_u:system_r:setroubleshootd_t:s0 key=(null)
>> > > >> >> Apr 14 23:24:32 localhost setroubleshoot: [program.ERROR]
>> > > >> >> setroubleshoot generated AVC, exiting to avoid recursion,
>> > > >> >> context=system_u:system_r:setroubleshootd_t:s0, AVC
>> > > >> >> scontext=system_u:system_r:setroubleshootd_t:s0
>> > > >> >> Apr 14 23:24:32 localhost setroubleshoot: [program.ERROR] audit
>> > > >> >> event#012host=localhost.localdomain type=AVC
>> > > >> >> msg=audit(1208229871.595:257): avc: denied { write } for pid=2530
>> > > >> >> comm="setroubleshootd" name="rpm" dev=dm-0 ino=229382
>> > > >> >> scontext=system_u:system_r:setroubleshootd_t:s0
>> > > >> >> tcontext=system_u:object_r:rpm_var_lib_t:s0
>> > > >> >> tclass=dir#012#012host=localhost.localdomain type=SYSCALL
>> > > >> >> msg=audit(1208229871.595:257): arch=c000003e syscall=21 success=no
>> > > >> >> exit=-13 a0=d684a0 a1=2 a2=0 a3=0 items=0 ppid=1 pid=2530
>> > > >> >> auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
>> > > >> >> fsgid=0 tty=(none) comm="setroubleshootd" exe="/usr/bin/python"
>> > > >> >> subj=system_u:system_r:setroubleshootd_t:s0 key=(null)
>> > > >> >> Apr 15 17:26:32 localhost setroubleshoot: SELinux is preventing
>> > > >> >> fail2ban-server (fail2ban_t) "getattr" to / (security_t). For complete
>> > > >> >> SELinux messages. run sealert -l fe77e9af-a0e1-442b-a176-08f2db381144
>> > > >> >> Apr 15 17:26:36 localhost setroubleshoot: SELinux is preventing
>> > > >> >> fail2ban-server (fail2ban_t) "read" to ./config (selinux_config_t).
>> > > >> >> For complete SELinux messages. run sealert -l
>> > > >> >> 99f22448-5c31-4a6f-8f55-02f7404fba5d
>> > > >> >> Apr 15 17:26:36 localhost setroubleshoot: SELinux is preventing
>> > > >> >> fail2ban-server (fail2ban_t) "search" to / (security_t). For complete
>> > > >> >> SELinux messages. run sealert -l 85b915f3-5a0b-4a2b-9bf1-c3a88bdd5951
>> > > >> >> Apr 15 17:26:36 localhost setroubleshoot: SELinux is preventing
>> > > >> >> fail2ban-server (fail2ban_t) "search" to / (security_t). For complete
>> > > >> >> SELinux messages. run sealert -l 85b915f3-5a0b-4a2b-9bf1-c3a88bdd5951
>> > > >> >> Apr 15 17:26:37 localhost setroubleshoot: [program.ERROR]
>> > > >> >> setroubleshoot generated AVC, exiting to avoid recursion,
>> > > >> >> context=system_u:system_r:setroubleshootd_t:s0, AVC
>> > > >> >> scontext=system_u:system_r:setroubleshootd_t:s0
>> > > >> >> Apr 15 17:26:37 localhost setroubleshoot: SELinux is preventing
>> > > >> >> iptables (iptables_t) "read write" to socket (fail2ban_t). For
>> > > >> >> complete SELinux messages. run sealert -l
>> > > >> >> 6cb9955a-b9cf-470c-87d1-e72bfa4b1fe2
>> > > >> >> Apr 15 17:26:37 localhost setroubleshoot: [program.ERROR] audit
>> > > >> >> event#012host=localhost.localdomain type=AVC
>> > > >> >> msg=audit(1208294790.920:161): avc: denied { write } for pid=2506
>> > > >> >> comm="setroubleshootd" name="rpm" dev=dm-0 ino=229382
>> > > >> >> scontext=system_u:system_r:setroubleshootd_t:s0
>> > > >> >> tcontext=system_u:object_r:rpm_var_lib_t:s0
>> > > >> >> tclass=dir#012#012host=localhost.localdomain type=SYSCALL
>> > > >> >> msg=audit(1208294790.920:161): arch=c000003e syscall=21 success=no
>> > > >> >> exit=-13 a0=dbf500 a1=2 a2=0 a3=0 items=0 ppid=1 pid=2506
>> > > >> >> auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
>> > > >> >> fsgid=0 tty=(none) comm="setroubleshootd" exe="/usr/bin/python"
>> > > >> >> subj=system_u:system_r:setroubleshootd_t:s0 key=(null)
>> > > >> >
>> > > >> > At this point Fail2ban reports it is running. That is only a small
>> > > >> > portion of what is generated but maybe it can give you an idea.
>> > > >> > Subsequently SETroubleshoot crashes, specifically it says: connection
>> > > >> > lost /var/run/setroubleshoot/setroubleshoot_server.
>> > > >> > The other thing is
>> > > >> > that I stopped the fail2ban service and rebooted but SETroubleshoot is
>> > > >> > still crashing, it will generate an AVC when I try to run it then all
>> > > >> > the output is lost before I can read the AVC. As I have been flipping
>> > > >> > back and forth typing this, checking logs, restarting
>> > > >> > SETroubleshoot (about six or seven times now), SETroubleshoot is now up
>> > > >> > and running like nothing happened. Now that SETroubleshoot is running I
>> > > >> > expected to find additional AVC's from today but the last one is from
>> > > >> > yesterday concerning fail2ban. The Alert Count should show 22 not 21
>> > > >> > like it does (if we count the one I got the first time I tried to start
>> > > >> > fail2ban manually)
>> > > >> >
>> > > >> > This is the AVC I was getting from Fail2ban before all this ....stuff
>> > > >> > went haywire on me.
>> > > >> >
>> > > >> >
>> > > >> > Summary:
>> > > >> >
>> > > >> > SELinux is preventing fail2ban-server (fail2ban_t) "connectto" to
>> > > >> >
>> > > >> > 002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
>> > > >> >
>> > > >> > (rpm_t).
>> > > >> >
>> > > >> > Detailed Description:
>> > > >> >
>> > > >> > SELinux denied access requested by fail2ban-server. It is not expected
>> > > >> > that this
>> > > >> > access is required by fail2ban-server and this access may signal an
>> > > >> > intrusion
>> > > >> > attempt. It is also possible that the specific version or configuration
>> > > >> > of the
>> > > >> > application is causing it to require additional access.
>> > > >> >
>> > > >> > Allowing Access:
>> > > >> >
>> > > >> > You can generate a local policy module to allow this access - see FAQ
>> > > >> > (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
>> > > >> > disable
>> > > >> > SELinux protection altogether. Disabling SELinux protection is not
>> > > >> > recommended.
>> > > >> > Please file a bug report
>> > > >> > (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
>> > > >> > against this package.
>> > > >> >
>> > > >> > Additional Information:
>> > > >> >
>> > > >> > Source Context                system_u:system_r:fail2ban_t:s0
>> > > >> > Target Context                system_u:system_r:rpm_t:s0
>> > > >> > Target Objects                002F746D702F66616D2D726F6F742D00000000000000000000
>> > > >> >
>> > > >> > 00000000000000000000000000000000000000000000000000
>> > > >> >
>> > > >> > 00000000000000000000000000000000000000000000000000
>> > > >> >
>> > > >> > 00000000000000000000000000000000000000000000000000
>> > > >> > 0000000000000000 [ unix_stream_socket ]
>> > > >> > Source                        fail2ban-server
>> > > >> > Source Path                   /usr/bin/python
>> > > >> > Port                          <Unknown>
>> > > >> > Host                          localhost.localdomain
>> > > >> > Source RPM Packages           python-2.5.1-15.fc8
>> > > >> > Target RPM Packages
>> > > >> > Policy RPM                    selinux-policy-3.0.8-95.fc8
>> > > >> > Selinux Enabled               True
>> > > >> > Policy Type                   targeted
>> > > >> > MLS Enabled                   True
>> > > >> > Enforcing Mode                Enforcing
>> > > >> > Plugin Name                   catchall
>> > > >> > Host Name                     localhost.localdomain
>> > > >> > Platform                      Linux localhost.localdomain
>> > > >> > 2.6.24.4-64.fc8 #1 SMP
>> > > >> > Sat Mar 29 09:15:49 EDT 2008 x86_64 x86_64
>> > > >> > Alert Count                   21
>> > > >> > First Seen                    Mon 14 Apr 2008 10:38:42 PM EDT
>> > > >> > Last Seen                     Mon 14 Apr 2008 10:38:43 PM EDT
>> > > >> > Local ID                      13bee4e4-ca74-488b-a4df-15f5bf78987f
>> > > >> > Line Numbers
>> > > >> >
>> > > >> > Raw Audit Messages
>> > > >> >
>> > > >> > host=localhost.localdomain type=AVC msg=audit(1208227123.34:107): avc:
>> > > >> > denied { connectto } for pid=6314 comm="fail2ban-server"
>> > > >> > path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
>> > > >> > scontext=system_u:system_r:fail2ban_t:s0
>> > > >> > tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket
>> > > >> >
>> > > >> > host=localhost.localdomain type=SYSCALL msg=audit(1208227123.34:107):
>> > > >> > arch=c000003e syscall=42 success=no exit=-13 a0=6 a1=7fffe5116700 a2=6e
>> > > >> > a3=0 items=0 ppid=1 pid=6314 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0
>> > > >> > egid=0 sgid=0 fsgid=0 tty=(none) comm="fail2ban-server"
>> > > >> > exe="/usr/bin/python" subj=system_u:system_r:fail2ban_t:s0 key=(null)
>> > > >> >
>> > > >> >
>> > > >> > Now that I have SETroubleshoot running I tried the sealert command
>> > > >> > suggested in the log files:
>> > > >> >
>> > > >> > [root@localhost log]# sealert -l 6cb9955a-b9cf-470c-87d1-e72bfa4b1fe2
>> > > >> > failed to connect to server: Connection refused
>> > > >> > [root@localhost log]# sealert -l 6cb9955a-b9cf-470c-87d1-e72bfa4b1fe2
>> > > >> > query_alerts error (1003): id (6cb9955a-b9cf-470c-87d1-e72bfa4b1fe2) not
>> > > >> > found
>> > > >> >
>> > > >> > Ran it twice, second time it worked.
>> > > >> > I hope I'm not confusing anyone, I'll repost the order of events if
>> > > >> > need be. I hesitate to file a bug when it could just be me making rookie
>> > > >> > mistakes. I will try to reproduce again tomorrow on this box and my
>> > > >> > other F8 to see what I can see but if you have any advice it would be
>> > > >> > gratefully received.
>> > > >> >
>> > > >> >
>> > > >> > Max
>> > > >> >
>> > > >> Please send me your /var/log/audit/audit.log
>> > > >>
>> > > >> -----BEGIN PGP SIGNATURE-----
>> > > >> Version: GnuPG v1.4.9 (GNU/Linux)
>> > > >> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
>> > > >>
>> > > >> iEYEARECAAYFAkgF8xsACgkQrlYvE4MpobN1owCdEbzCCIj7piE2fFt+PgK/nnEW
>> > > >> GtgAnRk1OXQzWbBAelxUsa5xR/P5QX6c
>> > > >> =ayhr
>> > > >> -----END PGP SIGNATURE-----
>> > > >>
>> > > > Looks like several drafts of my mail hit the list, sorry about that
>> > > > but I had to revise once setroubleshoot started working. Strange, I'll
>> > > > have to look into it later or maybe it's just gmail or thunderbird (time
>> > > > to fire up wireshark!!). Anyway I'll send the audit.log from that box
>> > > > once I get back to it. Different F8 box (i686), installed fail2ban,
>> > > > started service and generated AVC (almost identical) but SETroubleshoot
>> > > > doesn't crash like it does on the x86_64 box at least not so far. All
>> > > > of the following is from the i686 box, a portion of audit.log follows
>> > > > this AVC:
>> > > >
>> > > >
>> > > > Summary:
>> > > >
>> > > > SELinux is preventing fail2ban-server (fail2ban_t) "connectto" to
>> > > > 002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
>> > > > (rpm_t).
>> > > >
>> > > > Detailed Description:
>> > > >
>> > > > SELinux denied access requested by fail2ban-server. It is not expected that this
>> > > > access is required by fail2ban-server and this access may signal an intrusion
>> > > > attempt. It is also possible that the specific version or configuration of the
>> > > > application is causing it to require additional access.
>> > > >
>> > > > Allowing Access:
>> > > >
>> > > > You can generate a local policy module to allow this access - see FAQ
>> > > > (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
>> > > > SELinux protection altogether. Disabling SELinux protection is not recommended.
>> > > > Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
>> > > > against this package.
>> > > >
>> > > > Additional Information:
>> > > >
>> > > > Source Context                system_u:system_r:fail2ban_t
>> > > > Target Context                system_u:system_r:rpm_t
>> > > > Target Objects                002F746D702F66616D2D726F6F742D00000000000000000000
>> > > > 00000000000000000000000000000000000000000000000000
>> > > > 00000000000000000000000000000000000000000000000000
>> > > > 00000000000000000000000000000000000000000000000000
>> > > > 0000000000000000 [ unix_stream_socket ]
>> > > > Source                        fail2ban-server
>> > > > Source Path                   /usr/bin/python
>> > > > Port                          <Unknown>
>> > > > Host                          localhost.localdomain
>> > > > Source RPM Packages           python-2.5.1-15.fc8
>> > > > Target RPM Packages
>> > > > Policy RPM                    selinux-policy-3.0.8-95.fc8
>> > > > Selinux Enabled               True
>> > > > Policy Type                   targeted
>> > > > MLS Enabled                   True
>> > > > Enforcing Mode                Enforcing
>> > > > Plugin Name                   catchall
>> > > > Host Name                     localhost.localdomain
>> > > > Platform                      Linux localhost.localdomain 2.6.24.4-64.fc8 #1 SMP
>> > > > Sat Mar 29 09:54:46 EDT 2008 i686 athlon
>> > > > Alert Count                   26
>> > > > First Seen                    Wed 16 Apr 2008 08:39:06 AM EDT
>> > > > Last Seen                     Wed 16 Apr 2008 08:39:08 AM EDT
>> > > > Local ID                      ede0cda2-138a-4222-936b-289297d95cee
>> > > > Line Numbers
>> > > >
>> > > > Raw Audit Messages
>> > > >
>> > > > host=localhost.localdomain type=AVC msg=audit(1208349548.205:47): avc:
>> > > > denied { connectto } for pid=3045 comm="fail2ban-server"
>> > > > path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
>> > > > scontext=system_u:system_r:fail2ban_t:s0
>> > > > tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket
>> > > >
>> > > > host=localhost.localdomain type=SYSCALL msg=audit(1208349548.205:47):
>> > > > arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bfefa2b0
>> > > > a2=165110 a3=b7f9602c items=0 ppid=1 pid=3045 auid=500 uid=0 gid=0
>> > > > euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
>> > > > comm="fail2ban-server" exe="/usr/bin/python"
>> > > > subj=system_u:system_r:fail2ban_t:s0 key=(null)
>> > > >
>> > > >
>> > > > I am posting a portion of the audit.log relating to fail2ban as the
>> > > > entire log is quite large. If you want the whole thing unedited then I
>> > > > will attach it. I think this should be more than enough, I didn't
>> > > > parse it, just a simple copy and paste. I don't know what you may or
>> > > > may not find relevant here so it goes from a couple of entries before
>> > > > fail2ban is mentioned and a few after the last mention of fail2ban.
>> > > > Most of the entries look identical and end in key=(null) maybe I could
>> > > > just dismiss it but I take all the AVC's seriously until I know
>> > > > better:
exe="/usr/bin/python" >> > > > subj=system_u:system_r:fail2ban_t:s0 key=(null) >> > > > type=AVC msg=audit(1208349548.004:43): avc: denied { connectto } for >> > > > pid=3045 comm="fail2ban-server" >> > > > path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 >> > > > scontext=system_u:system_r:fail2ban_t:s0 >> > > > tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket >> > > > type=SYSCALL msg=audit(1208349548.004:43): arch=40000003 syscall=102 >> > > > success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0 >> > > > ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 >> > > > sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python" >> > > > subj=system_u:system_r:fail2ban_t:s0 key=(null) >> > > > type=AVC msg=audit(1208349548.054:44): avc: denied { connectto } for >> > > > pid=3045 comm="fail2ban-server" >> > > > path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 >> > > > scontext=system_u:system_r:fail2ban_t:s0 >> > > > tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket >> > > > type=SYSCALL msg=audit(1208349548.054:44): arch=40000003 syscall=102 >> > > > success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0 >> > > > ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 >> > > > sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python" >> > > > subj=system_u:system_r:fail2ban_t:s0 key=(null) >> > > > type=AVC msg=audit(1208349548.105:45): avc: denied { connectto } for >> > > > pid=3045 comm="fail2ban-server" >> > > > 
path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 >> > > > scontext=system_u:system_r:fail2ban_t:s0 >> > > > tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket >> > > > type=SYSCALL msg=audit(1208349548.105:45): arch=40000003 syscall=102 >> > > > success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0 >> > > > ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 >> > > > sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python" >> > > > subj=system_u:system_r:fail2ban_t:s0 key=(null) >> > > > type=AVC msg=audit(1208349548.155:46): avc: denied { connectto } for >> > > > pid=3045 comm="fail2ban-server" >> > > > path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 >> > > > scontext=system_u:system_r:fail2ban_t:s0 >> > > > tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket >> > > > type=SYSCALL msg=audit(1208349548.155:46): arch=40000003 syscall=102 >> > > > success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0 >> > > > ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 >> > > > sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python" >> > > > subj=system_u:system_r:fail2ban_t:s0 key=(null) >> > > > type=AVC msg=audit(1208349548.205:47): avc: denied { connectto } for >> > > > pid=3045 comm="fail2ban-server" >> > > > path=002F746D702F66616D2D726F6F742D000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 >> > > > scontext=system_u:system_r:fail2ban_t:s0 >> > > > tcontext=system_u:system_r:rpm_t:s0 
tclass=unix_stream_socket >> > > > type=SYSCALL msg=audit(1208349548.205:47): arch=40000003 syscall=102 >> > > > success=no exit=-13 a0=3 a1=bfefa2b0 a2=165110 a3=b7f9602c items=0 >> > > > ppid=1 pid=3045 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 >> > > > sgid=0 fsgid=0 tty=(none) comm="fail2ban-server" exe="/usr/bin/python" >> > > > subj=system_u:system_r:fail2ban_t:s0 key=(null) >> > > > type=USER_AUTH msg=audit(1208350171.618:48): user pid=3098 uid=500 >> > > > auid=500 subj=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023 >> > > > msg='op=PAM:authentication acct=root exe="/usr/sbin/userhelper" >> > > > (hostname=?, addr=?, terminal=? res=success)' >> > > > type=USER_ACCT msg=audit(1208350171.620:49): user pid=3098 uid=500 >> > > > auid=500 subj=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023 >> > > > msg='op=PAM:accounting acct=root exe="/usr/sbin/userhelper" >> > > > (hostname=?, addr=?, terminal=? res=success)' >> > > > type=USER_START msg=audit(1208350171.650:50): user pid=3098 uid=500 >> > > > auid=500 subj=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023 >> > > > msg='op=PAM:session_open acct=root exe="/usr/sbin/userhelper" >> > > > (hostname=?, addr=?, terminal=? 
>> > > > res=success)'
>> > > > type=USER_AUTH msg=audit(1208350461.693:51): user pid=3142 uid=500
>> > > > auid=500 subj=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023
>> > > > msg='op=PAM:authentication acct=root exe="/bin/su" (hostname=?,
>> > > > addr=?, terminal=pts/1 res=success)'
>> > > > type=USER_ACCT msg=audit(1208350461.697:52): user pid=3142 uid=500
>> > > > auid=500 subj=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023
>> > > > msg='op=PAM:accounting acct=root exe="/bin/su" (hostname=?, addr=?,
>> > > > terminal=pts/1 res=success)'
>> > > > type=USER_START msg=audit(1208350461.711:53): user pid=3142 uid=500
>> > > > auid=500 subj=unconfined_u:system_r:unconfined_t:s0-s0:c0.c1023
>> > > > msg='op=PAM:session_open acct=root exe="/bin/su" (hostname=?, addr=?,
>> > > > terminal=pts/1 res=success)'
>> > > >
>> > > > Thanks for the help,
>> > > >
>> > > This is either a leaked file descriptor or gam_server running as rpm_t.
>> > >
>> > > ps -eZ | grep rpm_t
>> > >
>> > > fail2ban should not be trying to communicate with a service running
>> > > rpm_t. If you find gam_server running as rpm_t kill it and fail2ban
>> > > should work.
>> > >
>> > >
>> > [root@localhost ~]# ps -eZ | grep rpm_t
>> > system_u:system_r:rpm_t 2585 ? 00:00:00 yum-updatesd
>> > system_u:system_r:rpm_t 2587 ? 00:00:00 gam_server
>> >
>> > I'll kill the gam_server as you suggest. I will try same on x86_64 box
>> > to see if it's the same problem. If it's not then I will post the
>> > audit.log from it that I promised yesterday. Either way I'll post back
>> > once I get in front of other f8 box.
>> >
>> > Thanks again,
>> >
>> > Max
>> >
>> I'm not in front of the other box yet but I killed the other instance
>> of gam_server and reran the command.
>>
>> [root@localhost ~]# ps -eZ | grep rpm_t
>> system_u:system_r:rpm_t 2585 ? 00:00:00 yum-updatesd
>> system_u:system_r:rpm_t 4074 ? 00:00:00 gam_server
>>
>> It came back right away so I killed it again and rechecked several
>> times and now it appears to have finally died.
>> [root@localhost ~]# kill 4074
>>
>>
>> [root@localhost ~]# ps -eZ | grep rpm_t
>> system_u:system_r:rpm_t 2585 ? 00:00:00 yum-updatesd
>>
>>
>> Max
>>
> Gmail is buggy for some reason. I'll try and keep this coherent. On
> the i686 box, after I found and killed gam_server (I had to do it
> twice for it to stay dead) I then got a couple more AVC's (posting
> AVC's and observations follow):
>
> SELinux is preventing iptables (iptables_t) "read write" to socket (fail2ban_t).
>
> Detailed Description:
>
> SELinux denied access requested by iptables. It is not expected that this access
> is required by iptables and this access may signal an intrusion attempt. It is
> also possible that the specific version or configuration of the application is
> causing it to require additional access.
>
> Allowing Access:
>
> You can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
> SELinux protection altogether. Disabling SELinux protection is not recommended.
> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Additional Information:
>
> Source Context                system_u:system_r:iptables_t
> Target Context                system_u:system_r:fail2ban_t
> Target Objects                socket [ unix_stream_socket ]
> Source                        iptables
> Source Path                   /sbin/iptables
> Port                          <Unknown>
> Host                          localhost.localdomain
> Source RPM Packages           iptables-1.3.8-6.fc8
> Target RPM Packages
> Policy RPM                    selinux-policy-3.0.8-95.fc8
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   catchall
> Host Name                     localhost.localdomain
> Platform                      Linux localhost.localdomain 2.6.24.4-64.fc8 #1 SMP
>                               Sat Mar 29 09:54:46 EDT 2008 i686 athlon
> Alert Count                   12
> First Seen                    Thu 17 Apr 2008 01:47:41 PM EDT
> Last Seen                     Thu 17 Apr 2008 02:19:47 PM EDT
> Local ID                      b0d85376-fbd1-48a7-8dff-65a0ff3c4148
> Line Numbers
>
> Raw Audit Messages
>
> host=localhost.localdomain type=AVC msg=audit(1208456387.335:77): avc:
> denied { read write } for pid=4622 comm="iptables"
> path="socket:[35210]" dev=sockfs ino=35210
> scontext=system_u:system_r:iptables_t:s0
> tcontext=system_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket
>
> host=localhost.localdomain type=AVC msg=audit(1208456387.335:77): avc:
> denied { read write } for pid=4622 comm="iptables"
> path="socket:[35227]" dev=sockfs ino=35227
> scontext=system_u:system_r:iptables_t:s0
> tcontext=system_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket
>
> host=localhost.localdomain type=AVC msg=audit(1208456387.335:77): avc:
> denied { read write } for pid=4622 comm="iptables"
> path="socket:[35683]" dev=sockfs ino=35683
> scontext=system_u:system_r:iptables_t:s0
> tcontext=system_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket
>
> host=localhost.localdomain type=SYSCALL msg=audit(1208456387.335:77):
> arch=40000003 syscall=11 success=yes exit=0 a0=9a5af50 a1=9a5a998
> a2=9a5afa8 a3=40 items=0 ppid=4571 pid=4622 auid=500 uid=0 gid=0
> euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="iptables"
> exe="/sbin/iptables" subj=system_u:system_r:iptables_t:s0 key=(null)
>

These are leaked file descriptors from fail2ban and should be reported
to them.

fcntl(fd, F_SETFD, FD_CLOEXEC)

Should be called on all open file descriptors.

>
>
> Ok. That one is about iptables. Soon as I started fail2ban, the log
> showed 3 AVC's as above. Stop Fail2ban and three more generated. Did
> it twice to see if it was consistent. Started fail2ban twice, each
> time I started it generated 3 AVC's as above, same when I stopped it,
> generated 3 AVC's per instance. So 12 total. When I stopped Fail2ban,
> within a couple of minutes (can't be more exact didn't have a stop
> watch) saw a new AVC (only after it stops, observations follow AVC):
>
> Summary:
>
> SELinux is preventing gam_server (fail2ban_t) "getattr" to / (fs_t).
>
> Detailed Description:
>
> SELinux denied access requested by gam_server. It is not expected that this
> access is required by gam_server and this access may signal an intrusion
> attempt. It is also possible that the specific version or configuration of the
> application is causing it to require additional access.
>
> Allowing Access:
>
> You can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
> SELinux protection altogether. Disabling SELinux protection is not recommended.
> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Additional Information:
>
> Source Context                system_u:system_r:fail2ban_t
> Target Context                system_u:object_r:fs_t
> Target Objects                / [ filesystem ]
> Source                        gam_server
> Source Path                   <Unknown>
> Port                          <Unknown>
> Host                          localhost.localdomain
> Source RPM Packages
> Target RPM Packages           filesystem-2.4.11-1.fc8
> Policy RPM                    selinux-policy-3.0.8-95.fc8
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   catchall
> Host Name                     localhost.localdomain
> Platform                      Linux localhost.localdomain 2.6.24.4-64.fc8 #1 SMP
>                               Sat Mar 29 09:54:46 EDT 2008 i686 athlon
> Alert Count                   2
> First Seen                    Thu 17 Apr 2008 01:52:02 PM EDT
> Last Seen                     Thu 17 Apr 2008 02:20:17 PM EDT
> Local ID                      9ce8514d-7677-4bb5-a59d-f70c8e8c755f
> Line Numbers
>
> Raw Audit Messages
>
> host=localhost.localdomain type=AVC msg=audit(1208456417.400:78): avc:
> denied { getattr } for pid=4573 comm="gam_server" name="/" dev=dm-0
> ino=2 scontext=system_u:system_r:fail2ban_t:s0
> tcontext=system_u:object_r:fs_t:s0 tclass=filesystem
>
>
> Ok. After I stop Fail2ban I get one instance of this AVC related to
> gam_server. I started and stopped Fail2ban twice so two AVC's related
> to gam_server, once after each time I stop fail2ban. No I don't think
> anyone is stupid, just being clear for my sake and yours. Also ran:
> ps -eZ | grep rpm_t gam_server still dead. That was on i686 box. BTW
> had to kill gam_server twice on x86_64 box for it to stay dead, same
> as on i686. The x86_64 box is the same for the iptables AVC. Same
> ratio, 3 AVC's generated when starting fail2ban and 3 AVC's when
> stopping fail2ban. The difference is that the AVC generated after you
> stop fail2ban is related to sendmail (observations follow AVC):
>
> Summary:
>
> SELinux is preventing sendmail (system_mail_t) "read write" to socket
> (fail2ban_t).
>
> Detailed Description:
>
> SELinux denied access requested by sendmail. It is not expected that this access
> is required by sendmail and this access may signal an intrusion attempt. It is
> also possible that the specific version or configuration of the application is
> causing it to require additional access.
>
> Allowing Access:
>
> You can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
> SELinux protection altogether. Disabling SELinux protection is not recommended.
> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Additional Information:
>
> Source Context                system_u:system_r:system_mail_t:s0
> Target Context                system_u:system_r:fail2ban_t:s0
> Target Objects                socket [ unix_stream_socket ]
> Source                        sendmail
> Source Path                   /usr/sbin/sendmail.sendmail
> Port                          <Unknown>
> Host                          localhost.localdomain
> Source RPM Packages           sendmail-8.14.2-1.fc8
> Target RPM Packages
> Policy RPM                    selinux-policy-3.0.8-95.fc8
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   catchall
> Host Name                     localhost.localdomain
> Platform                      Linux localhost.localdomain 2.6.24.4-64.fc8 #1 SMP
>                               Sat Mar 29 09:15:49 EDT 2008 x86_64 x86_64
> Alert Count                   2
> First Seen                    Thu 17 Apr 2008 08:28:37 PM EDT
> Last Seen                     Thu 17 Apr 2008 08:30:34 PM EDT
> Local ID                      10c3cca0-4bc2-4fcf-845a-0b0cc2793482
> Line Numbers
>
> Raw Audit Messages
>
> host=localhost.localdomain type=AVC msg=audit(1208478634.133:31): avc:
> denied { read write } for pid=3345 comm="sendmail"
> path="socket:[22805]" dev=sockfs ino=22805
> scontext=system_u:system_r:system_mail_t:s0
> tcontext=system_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket
>
> host=localhost.localdomain type=AVC msg=audit(1208478634.133:31): avc:
> denied { read write } for pid=3345 comm="sendmail"
> path="socket:[22823]" dev=sockfs ino=22823
> scontext=system_u:system_r:system_mail_t:s0
> tcontext=system_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket
>
> host=localhost.localdomain type=AVC msg=audit(1208478634.133:31): avc:
> denied { read write } for pid=3345 comm="sendmail"
> path="socket:[23071]" dev=sockfs ino=23071
> scontext=system_u:system_r:system_mail_t:s0
> tcontext=system_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket
>
> host=localhost.localdomain type=SYSCALL msg=audit(1208478634.133:31):
> arch=c000003e syscall=59 success=yes exit=0 a0=8c9860 a1=8c98a0
> a2=8c96f0 a3=37e81529f0 items=0 ppid=3343 pid=3345 auid=500 uid=0
> gid=0 euid=0 suid=0 fsuid=0 egid=51 sgid=51 fsgid=51 tty=(none)
> comm="sendmail" exe="/usr/sbin/sendmail.sendmail"
> subj=system_u:system_r:system_mail_t:s0 key=(null)

Leaked file descriptor

>
> Checked processes on x86_64 no sendmail was or is running. Service
> isn't usually running and isn't now.
> Looks like a policy bug or both boxes have been tampered with, you
> tell me, Sulphur is here so they will get nuked soon enough. The
> sendmail bug may explain the strange behavior I have seen out of
> Thunderbird and Gmail but sendmail AVC is only generated on x86_64
> box, which incidentally is where I saw weird behavior out of
> Thunderbird but that may be separate issue, I don't think there is
> enough evidence yet to make that conclusion despite my feeling that it
> is related, I'll just have to keep my eyes peeled. I would file a bug
> report but I'd like to understand this first so I might suggest, even
> if I can't code, a fix but if you have to explain it ...the bug would
> end up being read by someone that subscribes to this list so.....let
> me know, I will file it if you ask me to. If logs, etc are needed I
> will supply them but if it's a genuine bug it should be easily
> reproducible in under 30 minutes. I checked for processes running as
> fs_t and system_mail_t before, during, and after starting/stopping
> fail2ban on x86_64 box, I don't see anything. I feel like I am
> forgetting something, anyway let me know about the bug report or if
> you want more logs etc...
>
> Thanks,
>
> Max

The problems reported are in fail2ban except for the gam_server problem.
I will add fixes in the next update for Fedora 8 selinux-policy-3.0.8-101
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkgM76MACgkQrlYvE4MpobNrGwCfXl9F8ypMLfql6is9LjjDzfkm
vY8AmgI2f9X78n0y2sWr81R//JIfKUgh
=9y0s
-----END PGP SIGNATURE-----

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
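
Added example (not code from this thread or from fail2ban): the close-on-exec flag recommended in the reply above, applied to a unix socket, with a child process that reports whether it inherited the descriptor. The helper names and the child script are assumptions for illustration; Python 3.4+ already marks new descriptors close-on-exec, so the flag is cleared first to reproduce the leak.

```python
import fcntl
import os
import socket
import subprocess
import sys

# Child process body: report whether descriptor argv[1] still refers to the
# socket whose inode is argv[2] (the number audit prints as socket:[inode]).
CHILD = """
import os, sys
fd, inode = int(sys.argv[1]), int(sys.argv[2])
try:
    print("inherited" if os.fstat(fd).st_ino == inode else "closed")
except OSError:
    print("closed")
"""


def set_cloexec(fd, enabled):
    """Set or clear FD_CLOEXEC without disturbing other descriptor flags."""
    flags = fcntl.fcntl(fd, fcntl.F_GETFD)
    if enabled:
        flags |= fcntl.FD_CLOEXEC
    else:
        flags &= ~fcntl.FD_CLOEXEC
    fcntl.fcntl(fd, fcntl.F_SETFD, flags)


def child_inherits(fd):
    """fork+exec a helper, the way a daemon runs an external action command."""
    inode = os.fstat(fd).st_ino
    result = subprocess.run(
        [sys.executable, "-c", CHILD, str(fd), str(inode)],
        close_fds=False,  # assumption: the parent does not sweep descriptors itself
        stdout=subprocess.PIPE,
        check=True,
    )
    return result.stdout.decode().strip() == "inherited"


def demo():
    """Return (leaked, fixed): child visibility before and after FD_CLOEXEC."""
    server, client = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        fd = server.fileno()
        set_cloexec(fd, False)   # old default: every exec'd child gets the socket
        leaked = child_inherits(fd)
        set_cloexec(fd, True)    # the fix: kernel closes the fd at execve
        fixed = child_inherits(fd)
        return leaked, fixed
    finally:
        server.close()
        client.close()


if __name__ == "__main__":
    leaked, fixed = demo()
    print("without FD_CLOEXEC: child inherits socket =", leaked)
    print("with    FD_CLOEXEC: child inherits socket =", fixed)
```

Under SELinux the inherited case is what produces a `read write` denial against the parent's domain when the child transitions to its own domain.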
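
Added example (not part of the original message): a small triage pass over audit records like the ones quoted above. It decodes the hex-encoded `path=` of the `connectto` denials and flags `read write` socket denials that share an event with an execve SYSCALL record as inherited descriptors; the labels and the sample list are assumptions, and the execve rule is a heuristic rather than something the thread states.

```python
import re
from collections import defaultdict

# Constructed sample, abridged from the records quoted in the thread. The hex
# path keeps the thread's leading 15 bytes, NUL-padded to 108 bytes (sun_path).
HEX_PATH = "002F746D702F66616D2D726F6F742D" + "00" * 93
SAMPLE = [
    'type=AVC msg=audit(1208349547.549:34): avc: denied { connectto } for '
    'pid=3045 comm="fail2ban-server" path=' + HEX_PATH + ' '
    'scontext=system_u:system_r:fail2ban_t:s0 '
    'tcontext=system_u:system_r:rpm_t:s0 tclass=unix_stream_socket',
    'type=SYSCALL msg=audit(1208349547.549:34): arch=40000003 syscall=102 '
    'success=no exit=-13 pid=3045 comm="fail2ban-server"',
    'type=AVC msg=audit(1208456387.335:77): avc: denied { read write } for '
    'pid=4622 comm="iptables" path="socket:[35210]" dev=sockfs ino=35210 '
    'scontext=system_u:system_r:iptables_t:s0 '
    'tcontext=system_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket',
    'type=SYSCALL msg=audit(1208456387.335:77): arch=40000003 syscall=11 '
    'success=yes exit=0 pid=4622 comm="iptables" exe="/sbin/iptables"',
]

# (arch, syscall number) pairs that mean execve on i386 and x86_64.
EXECVE = {("40000003", "11"), ("c000003e", "59")}
HEADER = re.compile(r"type=(\w+) msg=audit\(([\d.]+:\d+)\)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r"denied\s+\{([^}]*)\}")


def decode_path(value):
    """audit quotes plain paths and hex-encodes ones containing unsafe bytes."""
    if value.startswith('"'):
        return value.strip('"')
    try:
        raw = bytes.fromhex(value)
    except ValueError:
        return value
    # A leading NUL marks an abstract-namespace unix socket; show it as "@".
    prefix = "@" if raw.startswith(b"\0") else ""
    return prefix + raw.strip(b"\0").decode("utf-8", "replace")


def triage(lines):
    """Group records by audit event id and classify each AVC denial."""
    events = defaultdict(lambda: {"avc": [], "syscall": {}})
    for line in lines:
        head = HEADER.search(line)
        if not head:
            continue
        rtype, event_id = head.groups()
        fields = dict(FIELD.findall(line))
        if rtype == "AVC":
            perms = PERMS.search(line)
            fields["perms"] = perms.group(1).split() if perms else []
            events[event_id]["avc"].append(fields)
        elif rtype == "SYSCALL":
            events[event_id]["syscall"] = fields
    findings = []
    for event_id, ev in events.items():
        call = ev["syscall"]
        at_exec = (call.get("arch"), call.get("syscall")) in EXECVE
        for avc in ev["avc"]:
            source = avc["scontext"].split(":")[2]
            target = avc["tcontext"].split(":")[2]
            path = decode_path(avc.get("path", ""))
            if at_exec and path.startswith("socket:[") and source != target:
                kind = "inherited-descriptor"  # opened by target, leaked to source
            elif "connectto" in avc["perms"]:
                kind = "cross-domain-connect"
            else:
                kind = "other"
            findings.append((event_id, kind, source, target, path))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(*finding)
```

The decoded `connectto` target is an abstract socket named `/tmp/fam-root-`, which points at the file-alteration monitor (gam_server) rather than at rpm itself.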