On 09/07/13 13:29, Ed Greshko wrote:
> Hi,
>
> On F19 the service fail2ban won't start via systemd with selinux in enforcing mode.
>
> The error in the message log indicates....
>
> fail2ban-client[2804]: ERROR Directory /var/run/fail2ban exists but not accessible for writing
>
> But, if you execute the command in the service file from the command line....
>
> [root@f18x log]# /usr/bin/fail2ban-client -x start
> 2013-07-09 18:46:10,558 fail2ban.server : INFO Starting Fail2ban v0.8.10
> 2013-07-09 18:46:10,559 fail2ban.server : INFO Starting in daemon mode
>
> It starts and you can see the files created in /var/run/fail2ban
>
> [root@f18x fail2ban]# pwd
> /var/run/fail2ban
> [root@f18x fail2ban]# ls
> fail2ban.pid fail2ban.sock
>
>
> And if you put selinux in permissive mode....
>
> [root@f18x fail2ban]# pwd
> /var/run/fail2ban
> [root@f18x fail2ban]# ls
> [root@f18x fail2ban]# setenforce 0
> [root@f18x fail2ban]# systemctl start fail2ban
> [root@f18x fail2ban]# ls
> fail2ban.pid fail2ban.sock
>
> So it is running with selinux placed in permissive mode.....
>
> But, no AVC are ever thrown to the audit log.
>
> How to figure out what is the culprit?
>
>
>

Firstly, as I do not have a F19 handy at the moment, did you try restorecon?
Secondly you might have to disable don't audit using semodule -DB to get audit messages. Then you should see some denials, if fail2ban has a don't audit option in the policy.

Regards,

Tristan

--
Tristan Santore BSc MBCS
TS4523-RIPE
Network and Infrastructure Operations
InterNexusConnect
Mobile +44-78-55069812
Tristan.Santore@xxxxxxxxxxxxxxxxxxxxx

Former Thawte Notary
(Please note: Thawte has closed its WoT programme down,
and I am therefore no longer able to accredit trust)

For Fedora related issues, please email me at:
TSantore@xxxxxxxxxxxxxxxxx
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
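
The two suggestions in the reply (restorecon, then semodule -DB), written out as a shell procedure with a summary of whatever denials then reach the audit log. This is an added example, not part of the original messages. The function names, the restorecon target path, the ausearch options and the sample records (constructed, with placeholder type names) are assumptions.

```shell
#!/bin/bash
# Added example, not from the thread. Type names in the sample are placeholders.

# Summarise AVC denials read on stdin as: count comm perms source_type target_type class
summarize_avc() {
    awk '
    /avc: +denied/ {
        comm = src = tgt = cls = perms = ""
        if (match($0, /[{][^}]*[}]/)) {            # permissions sit between { and }
            perms = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perms); gsub(/ +/, ",", perms)
        }
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/)     { comm = $i; sub(/^comm=/, "", comm); gsub(/"/, "", comm) }
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }   # user:role:type:level
            if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            if ($i ~ /^tclass=/)   { cls = $i; sub(/^tclass=/, "", cls) }
        }
        seen[comm " " perms " " src " " tgt " " cls]++
    }
    END { for (k in seen) print seen[k], k }' | sort
}

# Run as root on the affected host, in enforcing mode. Never called automatically.
collect_fail2ban_denials() {
    restorecon -Rv /var/run/fail2ban   # first suggestion: reset file labels (path assumed)
    semodule -DB                       # rebuild policy with dontaudit rules disabled
    systemctl start fail2ban           # reproduce the failure while denials are audited
    ausearch -m avc -ts recent --raw | summarize_avc
    semodule -B                        # rebuild again so dontaudit rules apply once more
}

# Constructed sample records for trying summarize_avc offline; not the real denial.
sample_records() {
cat <<'EOF'
type=AVC msg=audit(1373366770.558:101): avc:  denied  { write } for  pid=4001 comm="fail2ban-client" name="fail2ban" dev="tmpfs" ino=1111 scontext=system_u:system_r:example_client_t:s0 tcontext=system_u:object_r:example_var_run_t:s0 tclass=dir
type=SYSCALL msg=audit(1373366770.558:101): arch=c000003e syscall=2 success=no exit=-13 comm="fail2ban-client"
type=AVC msg=audit(1373366771.002:102): avc:  denied  { write } for  pid=4002 comm="fail2ban-client" name="fail2ban" dev="tmpfs" ino=1111 scontext=system_u:system_r:example_client_t:s0 tcontext=system_u:object_r:example_var_run_t:s0 tclass=dir
type=AVC msg=audit(1373366771.040:103): avc:  denied  { create } for  pid=4002 comm="fail2ban-client" name="fail2ban.sock" scontext=system_u:system_r:example_client_t:s0 tcontext=system_u:object_r:example_var_run_t:s0 tclass=sock_file
EOF
}
```

Running `sample_records | summarize_avc` shows the output format without touching the policy; `collect_fail2ban_denials` leaves the dontaudit rules re-enabled when it finishes.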