On 09/07/13 14:06, Ed Greshko wrote:
> type=AVC msg=audit(1373375036.941:752): avc: denied { search } for pid=3806 comm="fail2ban-client" name="root" dev="dm-1" ino=1310721 scontext=system_u:system_r:fail2ban_client_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
> type=AVC msg=audit(1373375036.946:753): avc: denied { rlimitinh } for pid=3808 comm="setroubleshootd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=process
> type=AVC msg=audit(1373375036.946:753): avc: denied { siginh } for pid=3808 comm="setroubleshootd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=process
> type=AVC msg=audit(1373375036.946:753): avc: denied { noatsecure } for pid=3808 comm="setroubleshootd" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tclass=process
> type=AVC msg=audit(1373375037.385:754): avc: denied { write } for pid=3808 comm="setroubleshootd" name=".dbenv.lock" dev="dm-1" ino=1048913 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=file
> type=AVC msg=audit(1373375037.454:755): avc: denied { write } for pid=3806 comm="fail2ban-client" name="fail2ban" dev="tmpfs" ino=28732 scontext=system_u:system_r:fail2ban_client_t:s0 tcontext=system_u:object_r:fail2ban_var_run_t:s0 tclass=dir
> type=AVC msg=audit(1373375037.599:759): avc: denied { search } for pid=3814 comm="fail2ban-client" name="root" dev="dm-1" ino=1310721 scontext=system_u:system_r:fail2ban_client_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
> type=AVC msg=audit(1373375038.114:760): avc: denied { write } for pid=3814 comm="fail2ban-client" name="fail2ban" dev="tmpfs" ino=28732 scontext=system_u:system_r:fail2ban_client_t:s0 tcontext=system_u:object_r:fail2ban_var_run_t:s0 tclass=dir
> type=AVC msg=audit(1373375038.257:764): avc: denied { search } for pid=3816 comm="fail2ban-client" name="root" dev="dm-1" ino=1310721 scontext=system_u:system_r:fail2ban_client_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
> type=AVC msg=audit(1373375038.872:765): avc: denied { write } for pid=3816 comm="fail2ban-client" name="fail2ban" dev="tmpfs" ino=28732 scontext=system_u:system_r:fail2ban_client_t:s0 tcontext=system_u:object_r:fail2ban_var_run_t:s0 tclass=dir
> type=AVC msg=audit(1373375039.013:769): avc: denied { search } for pid=3818 comm="fail2ban-client" name="root" dev="dm-1" ino=1310721 scontext=system_u:system_r:fail2ban_client_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
> type=AVC msg=audit(1373375039.578:770): avc: denied { write } for pid=3818 comm="fail2ban-client" name="fail2ban" dev="tmpfs" ino=28732 scontext=system_u:system_r:fail2ban_client_t:s0 tcontext=system_u:object_r:fail2ban_var_run_t:s0 tclass=dir
> type=AVC msg=audit(1373375039.716:774): avc: denied { search } for pid=3820 comm="fail2ban-client" name="root" dev="dm-1" ino=1310721 scontext=system_u:system_r:fail2ban_client_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
> type=AVC msg=audit(1373375040.246:775): avc: denied { write } for pid=3820 comm="fail2ban-client" name="fail2ban" dev="tmpfs" ino=28732 scontext=system_u:system_r:fail2ban_client_t:s0 tcontext=system_u:object_r:fail2ban_var_run_t:s0 tclass=dir

That appears to be a bug. It should allow:

    allow fail2ban_client_t fail2ban_var_run_t:dir write;

Not so sure why it would want to access admin_home_t though.

Create a policy with that line in.

And yes, it is a bug. Because

    /var/run/fail2ban.*    all files    system_u:object_r:fail2ban_var_run_t:s0

is labelled.

I haven't got fail2ban installed here, but it should allow it to create the pid file and socket. You might find after that the access to the socket also gets blocked. So fix the one issue, then check the audit log again.
Make sure you please file a bug on bugzilla.redhat.com against the selinux-policy package.

Regards,

Tristan

--
Tristan Santore BSc MBCS
TS4523-RIPE
Network and Infrastructure Operations
InterNexusConnect
Mobile +44-78-55069812
Tristan.Santore@xxxxxxxxxxxxxxxxxxxxx

Former Thawte Notary
(Please note: Thawte has closed its WoT programme down, and I am therefore no longer able to accredit trust)

For Fedora related issues, please email me at:
TSantore@xxxxxxxxxxxxxxxxx

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
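As an added example (not code from Ed's or Tristan's mail): a small POSIX shell/awk script that turns AVC denial lines into the kind of allow rule the reply quotes and wraps them in a Type Enforcement module, roughly what audit2allow does for you. The sample denials are copied from the thread above; the module name fail2ban_local is made up.

```shell
# Added example (not code from the thread): derive candidate allow rules from
# AVC denials, as audit2allow does, and wrap them in a minimal TE module.
# Sample input: three of the denials quoted above, copied into a variable.
AVC_SAMPLE='type=AVC msg=audit(1373375036.941:752): avc: denied { search } for pid=3806 comm="fail2ban-client" name="root" dev="dm-1" ino=1310721 scontext=system_u:system_r:fail2ban_client_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
type=AVC msg=audit(1373375037.454:755): avc: denied { write } for pid=3806 comm="fail2ban-client" name="fail2ban" dev="tmpfs" ino=28732 scontext=system_u:system_r:fail2ban_client_t:s0 tcontext=system_u:object_r:fail2ban_var_run_t:s0 tclass=dir
type=AVC msg=audit(1373375038.114:760): avc: denied { write } for pid=3814 comm="fail2ban-client" name="fail2ban" dev="tmpfs" ino=28732 scontext=system_u:system_r:fail2ban_client_t:s0 tcontext=system_u:object_r:fail2ban_var_run_t:s0 tclass=dir'

# avc_to_allow: AVC lines on stdin -> one "allow <src> <tgt>:<class> <perms>;"
# per distinct denial (repeats of the same denial are printed once).
avc_to_allow() {
    awk '
    /avc: +denied/ {
        perm = src = tgt = cls = ""
        if (match($0, /[{][^}]*[}]/)) {            # permission set between braces
            perm = substr($0, RSTART + 1, RLENGTH - 2); gsub(/^ +| +$/, "", perm)
            if (index(perm, " ")) perm = "{ " perm " }"   # several perms at once
        }
        for (i = 1; i <= NF; i++) {                # third field of a context is the type
            split($i, kv, "=")
            if (kv[1] == "scontext")      { split(kv[2], p, ":"); src = p[3] }
            else if (kv[1] == "tcontext") { split(kv[2], p, ":"); tgt = p[3] }
            else if (kv[1] == "tclass")   cls = kv[2]
        }
        if (perm == "" || src == "" || tgt == "" || cls == "") next
        rule = "allow " src " " tgt ":" cls " " perm ";"
        if (!(rule in seen)) { seen[rule] = 1; print rule }
    }'
}

# te_module <name>: allow rules on stdin -> a Type Enforcement module whose
# require block lists every type, class and permission the rules use.
te_module() {
    awk -v name="$1" '
    $1 == "allow" {
        split($3, tc, ":"); types[$2] = 1; types[tc[1]] = 1
        for (i = 4; i <= NF; i++) {                # record each class/perm pair once
            p = $i; gsub(/[{};]/, "", p)
            if (p != "" && !((tc[2], p) in seen)) { seen[tc[2], p] = 1; perms[tc[2]] = perms[tc[2]] " " p }
        }
        rules[++n] = $0
    }
    END {
        printf "module %s 1.0;\n\nrequire {\n", name
        for (t in types) printf "\ttype %s;\n", t
        for (c in perms) printf "\tclass %s {%s };\n", c, perms[c]
        print "}\n"
        for (i = 1; i <= n; i++) print rules[i]
    }'
}

printf '%s\n' "$AVC_SAMPLE" | avc_to_allow | te_module fail2ban_local
```

Read the generated rules before building them: the admin_home_t search rule is exactly the one the reply is unsure about, and a local module should only carry what the report justifies. To build and load, save the output as fail2ban_local.te and run checkmodule -M -m -o fail2ban_local.mod fail2ban_local.te, semodule_package -o fail2ban_local.pp -m fail2ban_local.mod and semodule -i fail2ban_local.pp.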