On 09/07/13 14:55, Ed Greshko wrote:
> On 07/09/13 21:33, Tristan Santore wrote:
>> That appears to be a bug. It should allow:
>> allow fail2ban_client_t fail2ban_var_run_t:dir write;
>>
>> Not so sure why it would want to access admin_home_t though.
>>
>> Create a policy with that line in. And yes, it is a bug. Because
>> /var/run/fail2ban.* all files
>> system_u:object_r:fail2ban_var_run_t:s0 is labelled.
>> I haven't got fail2ban installed here, but it should allow it to create
>> the pid file and socket. You might find after that the access to the
>> socket also gets blocked. So fix the one issue, then check the audit log
>> again.
>>
>> Make sure you please file a bug on bugzilla.redhat.com against the
>> selinux-policy package.
>
> OK, I went ahead and did the usual
>
> grep fail2ban /var/log/audit/audit.log | audit2allow -M myfail2ban
>
> and it now starts in enforcing mode.
>
> I don't use fail2ban myself. I was just helping someone else.
>
> Now, to write the bugzilla.
>
> Thanks,
> Ed
>

I am not sure the root home dir search should be allowed. Might be worth
throwing that one out and just trying the one line I gave you.

Anyway, glad it works.

Regards,

Tristan

--
Tristan Santore BSc MBCS
TS4523-RIPE
Network and Infrastructure Operations
InterNexusConnect
Mobile +44-78-55069812
Tristan.Santore@xxxxxxxxxxxxxxxxxxxxx

Former Thawte Notary
(Please note: Thawte has closed its WoT programme down,
and I am therefore no longer able to accredit trust)

For Fedora related issues, please email me at:
TSantore@xxxxxxxxxxxxxxxxx
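
Added example, not part of either poster's message: one way to review which rules a batch of AVC denials would turn into before running them through `audit2allow -M`, leaving out the `admin_home_t` access questioned above. The helper names `sample_avc` and `avc_rules` are hypothetical, and the audit records are constructed for illustration (the thread does not show the real ones).

```shell
#!/bin/sh
# Constructed sample AVC records (not taken from the thread's audit log).
sample_avc() {
cat <<'EOF'
type=AVC msg=audit(1373378101.101:501): avc:  denied  { write } for  pid=2101 comm="fail2ban-client" name="fail2ban" dev="tmpfs" ino=20011 scontext=system_u:system_r:fail2ban_client_t:s0 tcontext=system_u:object_r:fail2ban_var_run_t:s0 tclass=dir
type=AVC msg=audit(1373378101.105:502): avc:  denied  { search } for  pid=2101 comm="fail2ban-client" name="root" dev="dm-0" ino=130 scontext=system_u:system_r:fail2ban_client_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
type=AVC msg=audit(1373378160.200:510): avc:  denied  { write } for  pid=2140 comm="fail2ban-client" name="fail2ban" dev="tmpfs" ino=20011 scontext=system_u:system_r:fail2ban_client_t:s0 tcontext=system_u:object_r:fail2ban_var_run_t:s0 tclass=dir
EOF
}

# avc_rules "<target types to leave out>"
# Reads audit records on stdin and prints one "allow" rule per denied
# permission, de-duplicated. Rules whose target type is on the leave-out
# list go to stderr instead, so they are seen but not granted.
avc_rules() {
    awk -v skip="$1" '
    BEGIN { n = split(skip, s, " "); for (i = 1; i <= n; i++) drop[s[i]] = 1 }
    /avc: +denied/ {
        src = tgt = cls = ""
        a = index($0, "{ "); b = index($0, " }")
        if (a == 0 || b <= a) next            # no permission set: skip record
        np = split(substr($0, a + 2, b - a - 2), perm, " ")
        for (i = 1; i <= NF; i++) {
            # contexts are user:role:type:level, so the type is field 3
            if ($i ~ /^scontext=/) { split($i, c, ":"); src = c[3] }
            if ($i ~ /^tcontext=/) { split($i, c, ":"); tgt = c[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (src == "" || tgt == "" || cls == "") next
        for (p = 1; p <= np; p++) {
            rule = "allow " src " " tgt ":" cls " " perm[p] ";"
            if (tgt in drop) print "left out: " rule > "/dev/stderr"
            else print rule
        }
    }' | sort -u
}

# On a real host, replace sample_avc with:
#   grep fail2ban /var/log/audit/audit.log
sample_avc | avc_rules "admin_home_t"
```
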