Re: Selinux & Fail2Ban


On Tue, 2009-12-08 at 21:57 +0100, Dominick Grift wrote:

> > So what do you think?
> > 
> > Am I on the right track?
> 
> Yes "allow system_mail_t fail2ban_t:unix_stream_socket { read write };", signals a leaked file descriptor on fail2ban. This issue is known. You can ignore those avc denials and/or silence them:

What exactly *is* a "leaked file descriptor"?


> echo "policy_module(myfail2ban, 1.0.0)" > myfail2ban.te;
> echo "optional_policy(\`" >> myfail2ban.te;
> echo "gen_require(\`" >> myfail2ban.te;
> echo "attribute domain;" >> myfail2ban.te;
> echo "type fail2ban_t;" >> myfail2ban.te;
> echo "\')" >> myfail2ban.te;
> echo "dontaudit domain fail2ban_t:unix_stream_socket { read write };" >> myfail2ban.te;
> echo "\')" >> myfail2ban.te;

OK - Thanks for this. It's not the way I'm used to generating local
policies and I think there may be an error? Once all the lines are
echo'd into myfail2ban.te this is what I get:
# cat myfail2ban.te

policy_module(myfail2ban, 11.2.1)
optional_policy(`
gen_require(`
attribute domain;
type fail2ban_t;
\')
dontaudit domain fail2ban_t:unix_stream_socket { read write };
\')

Which won't compile: 
> make -f /usr/share/selinux/devel/Makefile myfail2ban.pp
> sudo semodule -i myfail2ban.pp
Gives:

# make -f /usr/share/selinux/devel/Makefile myfail2ban.pp
Compiling targeted myfail2ban module
/usr/bin/checkmodule:  loading policy configuration from
tmp/myfail2ban.tmp
myfail2ban.te":2:WARNING 'unrecognized character' at token '\' on line
3204:
\
#line 2
myfail2ban.te":2:WARNING 'unrecognized character' at token '\' on line
3214:
\
#line 2
myfail2ban.te":2:WARNING 'unrecognized character' at token '\' on line
3204:
\
#line 2
myfail2ban.te":2:WARNING 'unrecognized character' at token '\' on line
3214:
\
#line 2
/usr/bin/checkmodule:  policy configuration loaded
/usr/bin/checkmodule:  writing binary representation (version 10) to
tmp/myfail2ban.mod
Creating targeted myfail2ban.pp policy package
rm tmp/myfail2ban.mod.fc tmp/myfail2ban.mod


I'm not exactly sure what you had in mind otherwise I would edit it to
work...


But thanks again. I do appreciate your help!

Mark


--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
