On 07/09/13 21:33, Tristan Santore wrote:
> That appears to be a bug. It should allow:
> allow fail2ban_client_t fail2ban_var_run_t:dir write;
>
> Not so sure why it would want to access admin_home_t though.
>
>
> Create a policy with that line in. And yes, it is a bug. Because
> /var/run/fail2ban.* all files
> system_u:object_r:fail2ban_var_run_t:s0 is labelled.
> I haven't got fail2ban installed here, but it should allow it to create
> the pid file and socket. You might find after that the access to the
> socket also gets blocked. So fix the one issue, then check the audit log
> again.
>
> Make sure you please file a bug on bugzilla.redhat.com against the
> selinux-policy package.

OK, I went ahead and did the usual

grep fail2ban /var/log/audit/audit.log | audit2allow -M myfail2ban

and it now starts in enforcing mode.

I don't use fail2ban myself. I was just helping someone else.

Now, to write the bugzilla.

Thanks,
Ed

--
The only thing worse than a poorly asked question is a cryptic answer.

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
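Added example, not part of the original thread: a simplified Python sketch of the denial-to-rule step that `grep ... | audit2allow -M` performs, which keeps the `fail2ban_var_run_t` rule named above separate from the `admin_home_t` access that was questioned, so the latter can be reviewed before it goes into a module. The AVC records are constructed (including the `search` permission on `admin_home_t`), and `denials_to_rules` and `render` are hypothetical helper names.

```python
import re
from collections import defaultdict

# Constructed sample AVC records (not taken from the thread's audit log).
SAMPLE_LOG = """\
type=AVC msg=audit(1378586000.101:501): avc:  denied  { write } for  pid=2101 comm="fail2ban-client" name="fail2ban" dev="tmpfs" ino=1401 scontext=system_u:system_r:fail2ban_client_t:s0 tcontext=system_u:object_r:fail2ban_var_run_t:s0 tclass=dir
type=AVC msg=audit(1378586000.102:502): avc:  denied  { search } for  pid=2101 comm="fail2ban-client" name="root" dev="dm-0" ino=130 scontext=system_u:system_r:fail2ban_client_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
type=AVC msg=audit(1378586000.103:503): avc:  denied  { write } for  pid=2101 comm="fail2ban-client" name="fail2ban" dev="tmpfs" ino=1401 scontext=system_u:system_r:fail2ban_client_t:s0 tcontext=system_u:object_r:fail2ban_var_run_t:s0 tclass=dir
"""

# Pull the permission set, source type, target type and object class
# out of one "avc: denied" record.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?"
    r"scontext=[^:]+:[^:]+:(?P<src>[^:\s]+)\S*\s+"
    r"tcontext=[^:]+:[^:]+:(?P<tgt>[^:\s]+)\S*\s+"
    r"tclass=(?P<cls>\w+)"
)

def denials_to_rules(log_text):
    """Merge denials into {(source, target, class): set(perms)}."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            rules[(m["src"], m["tgt"], m["cls"])].update(m["perms"].split())
    return rules

def render(rules, expected_targets):
    """Return (.te allow lines for expected targets, lines needing review)."""
    ok, review = [], []
    for (src, tgt, cls), perms in sorted(rules.items()):
        p = sorted(perms)
        body = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        line = f"allow {src} {tgt}:{cls} {body};"
        (ok if tgt in expected_targets else review).append(line)
    return ok, review

if __name__ == "__main__":
    ok, review = render(denials_to_rules(SAMPLE_LOG), {"fail2ban_var_run_t"})
    print("expected:", *ok, sep="\n  ")
    print("review before allowing:", *review, sep="\n  ")
```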