Hello all,

Following a spate of unsuccessful but irritating attempts to brute-force my home Fedora 9 server I decided to install fail2ban (using yum). Starting it up gave me several AVCs of two types. One example of each type is pasted below. Running audit2allow gave me the following policy. I have implemented the policy, and it works, but should it be necessary? I have googled a bit and found a couple of old bug reports but I'm not sure they're relevant and I think they have been incorporated into more recent policies anyway...

    policy_module(myfail2ban, 9.1.0)

    require {
            type iptables_t;
            type system_mail_t;
            type fail2ban_t;
            class unix_stream_socket { read write };
    }

    #============= iptables_t ==============
    allow iptables_t fail2ban_t:unix_stream_socket { read write };

    #============= system_mail_t ==============
    allow system_mail_t fail2ban_t:unix_stream_socket { read write };

Does that look OK? Is there a bool I could have set?

Thanks for your help...

Mark

2 x AVCs
========

From SELinux_Troubleshoot@xxxxxxxxxxxx Thu Jun 25 19:19:30 2009
Subject: [SELinux AVC Alert] SELinux is preventing iptables (iptables_t) "read write" fail2ban_t.
From: SELinux_Troubleshoot@xxxxxxxxxxxx
To: root@xxxxxxxxxxxx
Date: Thu, 25 Jun 2009 18:19:30 -0000

Summary:

SELinux is preventing iptables (iptables_t) "read write" fail2ban_t.

Detailed Description:

SELinux denied access requested by iptables. It is not expected that this access is required by iptables and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                unconfined_u:system_r:iptables_t:s0
Target Context                unconfined_u:system_r:fail2ban_t:s0
Target Objects                socket [ unix_stream_socket ]
Source                        iptables
Source Path                   /sbin/iptables
Port                          <Unknown>
Host                          mydomain.com
Source RPM Packages           iptables-1.4.1.1-2.fc9
Target RPM Packages
Policy RPM                    selinux-policy-3.3.1-133.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     mydomain.com
Platform                      Linux mydomain.com 2.6.26.6-79.fc9.i686 #1 SMP Fri Oct 17 14:52:14 EDT 2008 i686 i686
Alert Count                   9
First Seen                    Tue Jun 23 14:12:58 2009
Last Seen                     Thu Jun 25 19:19:20 2009
Local ID                      8291512a-d501-4af1-9e24-25d2052bf649
Line Numbers

Raw Audit Messages

node=mydomain.com type=AVC msg=audit(1245953960.354:478): avc: denied { read write } for pid=3974 comm="iptables" path="socket:[21986]" dev=sockfs ino=21986 scontext=unconfined_u:system_r:iptables_t:s0 tcontext=unconfined_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket

node=mydomain.com type=AVC msg=audit(1245953960.354:478): avc: denied { read write } for pid=3974 comm="iptables" path="socket:[22005]" dev=sockfs ino=22005 scontext=unconfined_u:system_r:iptables_t:s0 tcontext=unconfined_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket

node=mydomain.com type=AVC msg=audit(1245953960.354:478): avc: denied { read write } for pid=3974 comm="iptables" path="socket:[22072]" dev=sockfs ino=22072 scontext=unconfined_u:system_r:iptables_t:s0 tcontext=unconfined_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket

node=mydomain.com type=SYSCALL msg=audit(1245953960.354:478): arch=40000003 syscall=11 success=yes exit=0 a0=8cd7978 a1=8cd7cb8 a2=8cd7e38 a3=0 items=0 ppid=3969 pid=3974 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables" exe="/sbin/iptables" subj=unconfined_u:system_r:iptables_t:s0 key=(null)


From SELinux_Troubleshoot@xxxxxxxxxxxx Thu Jun 25 19:19:31 2009
Subject: [SELinux AVC Alert] SELinux is preventing sendmail (system_mail_t) "read write" fail2ban_t.
From: SELinux_Troubleshoot@xxxxxxxxxxxx
To: root@xxxxxxxxxxxx
Date: Thu, 25 Jun 2009 18:19:31 -0000

Summary:

SELinux is preventing sendmail (system_mail_t) "read write" fail2ban_t.

Detailed Description:

SELinux denied access requested by sendmail. It is not expected that this access is required by sendmail and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                unconfined_u:system_r:system_mail_t:s0
Target Context                unconfined_u:system_r:fail2ban_t:s0
Target Objects                socket [ unix_stream_socket ]
Source                        sendmail
Source Path                   /usr/sbin/sendmail.sendmail
Port                          <Unknown>
Host                          mydomain.com
Source RPM Packages           sendmail-8.14.2-4.fc9
Target RPM Packages
Policy RPM                    selinux-policy-3.3.1-133.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     mydomain.com
Platform                      Linux mydomain.com 2.6.26.6-79.fc9.i686 #1 SMP Fri Oct 17 14:52:14 EDT 2008 i686 i686
Alert Count                   3
First Seen                    Tue Jun 23 14:12:59 2009
Last Seen                     Thu Jun 25 19:19:20 2009
Local ID                      18e4bfc0-cbb2-41a6-af2c-8b271450ed73
Line Numbers

Raw Audit Messages

node=mydomain.com type=AVC msg=audit(1245953960.510:479): avc: denied { read write } for pid=3980 comm="sendmail" path="socket:[21986]" dev=sockfs ino=21986 scontext=unconfined_u:system_r:system_mail_t:s0 tcontext=unconfined_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket

node=mydomain.com type=AVC msg=audit(1245953960.510:479): avc: denied { read write } for pid=3980 comm="sendmail" path="socket:[22005]" dev=sockfs ino=22005 scontext=unconfined_u:system_r:system_mail_t:s0 tcontext=unconfined_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket

node=mydomain.com type=SYSCALL msg=audit(1245953960.510:479): arch=40000003 syscall=11 success=yes exit=0 a0=8908a90 a1=8908aa8 a2=8908d88 a3=0 items=0 ppid=3978 pid=3980 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=51 sgid=51 fsgid=51 tty=(none) ses=4294967295 comm="sendmail" exe="/usr/sbin/sendmail.sendmail" subj=unconfined_u:system_r:system_mail_t:s0 key=(null)

-- 
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
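An added example (editor's code, not part of Mark's post and not audit2allow's own source) showing how the allow rules in the posted module are derived from the raw AVC records above. It parses the "avc: denied" lines (SYSCALL records carry no denial and are skipped), pulls the type out of each source and target context, groups the requested permissions by (source type, target type, object class) and renders a policy_module() in the layout audit2allow -M produces. It can also render the same rules as dontaudit, which in general SELinux policy writing silences a denial without granting the access; whether that is the right choice for these fail2ban child processes is the question the post asks and is not settled by this code. The sample audit text is copied from the post as constructed input; the function names are this example's own.

```python
"""Derive SELinux allow/dontaudit rules from raw AVC denial records.

Editor's example: a minimal re-implementation of the audit2allow step,
run over the audit records quoted in the post (constructed sample input).
"""
import re
from collections import defaultdict

# Matches one AVC denial; \s+ tolerates the double spaces real audit logs use.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Constructed sample input: AVC and SYSCALL records copied from the post above.
SAMPLE_AUDIT = """\
node=mydomain.com type=AVC msg=audit(1245953960.354:478): avc: denied { read write } for pid=3974 comm="iptables" path="socket:[21986]" dev=sockfs ino=21986 scontext=unconfined_u:system_r:iptables_t:s0 tcontext=unconfined_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket
node=mydomain.com type=AVC msg=audit(1245953960.354:478): avc: denied { read write } for pid=3974 comm="iptables" path="socket:[22005]" dev=sockfs ino=22005 scontext=unconfined_u:system_r:iptables_t:s0 tcontext=unconfined_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket
node=mydomain.com type=SYSCALL msg=audit(1245953960.354:478): arch=40000003 syscall=11 success=yes exit=0 comm="iptables" exe="/sbin/iptables"
node=mydomain.com type=AVC msg=audit(1245953960.510:479): avc: denied { read write } for pid=3980 comm="sendmail" path="socket:[21986]" dev=sockfs ino=21986 scontext=unconfined_u:system_r:system_mail_t:s0 tcontext=unconfined_u:system_r:fail2ban_t:s0 tclass=unix_stream_socket
"""


def context_type(ctx):
    """user:role:type:level -> type (the third colon-separated field)."""
    return ctx.split(":")[2]


def parse_avcs(text):
    """Return {(source_type, target_type, tclass): set(perms)} for every AVC line."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other record types carry no denial
        key = (context_type(m["scontext"]), context_type(m["tcontext"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return dict(rules)


def render_module(rules, name, version="1.0", dontaudit=False):
    """Render a policy_module() in the same layout audit2allow -M produces.

    dontaudit=True emits dontaudit rules instead of allow rules: the denial
    is no longer logged, but the access is still refused.
    """
    verb = "dontaudit" if dontaudit else "allow"
    types = sorted({s for s, _, _ in rules} | {t for _, t, _ in rules})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls].update(perms)
    out = [f"policy_module({name}, {version})", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out.append("}")
    for stype in sorted({s for s, _, _ in rules}):
        out += ["", f"#============= {stype} =============="]
        for (s, t, cls), perms in sorted(rules.items()):
            if s == stype:
                out.append(f"{verb} {s} {t}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    parsed = parse_avcs(SAMPLE_AUDIT)
    print(render_module(parsed, "myfail2ban"))
    print(render_module(parsed, "myfail2ban_quiet", dontaudit=True))
```

Feeding the two AVC types from the post through parse_avcs yields exactly two keys, (iptables_t, fail2ban_t, unix_stream_socket) and (system_mail_t, fail2ban_t, unix_stream_socket), each with { read write }, which is why the generated module has one allow line per source domain regardless of how many socket inodes were reported. The output is a .te file; on Fedora it would still go through checkmodule, semodule_package and semodule -i as the FAQ linked in the alert describes.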