On 07/09/13 22:02, Tristan Santore wrote:
> On 09/07/13 14:55, Ed Greshko wrote:
>> On 07/09/13 21:33, Tristan Santore wrote:
>>> That appears to be a bug. It should allow:
>>> allow fail2ban_client_t fail2ban_var_run_t:dir write;
>>>
>>> Not so sure why it would want to access admin_home_t though.
>>>
>>> Create a policy with that line in. And yes, it is a bug. Because
>>> /var/run/fail2ban.* all files system_u:object_r:fail2ban_var_run_t:s0
>>> is labelled.
>>> I haven't got fail2ban installed here, but it should allow it to create
>>> the pid file and socket. You might find after that the access to the
>>> socket also gets blocked. So fix the one issue, then check the audit log
>>> again.
>>>
>>> Make sure you please file a bug on bugzilla.redhat.com against the
>>> selinux-policy package.
>>
>> OK, I went ahead and did the usual
>>
>> grep fail2ban /var/log/audit/audit.log | audit2allow -M myfail2ban
>>
>> and it now starts in enforcing mode.
>>
>> I don't use fail2ban myself. I was just helping someone else.
>>
>> Now, to write the bugzilla.
>>
>> Thanks,
>> Ed
>>
> I am not sure the root home dir search should be allowed. Might be worth
> throwing that one out and just trying the one line I gave you.
>
> Anyway, glad it works.

FYI.... There appears to be a bugzilla already open on this issue....

https://bugzilla.redhat.com/show_bug.cgi?id=975695

Thanks,
Ed

-- 
The only thing worse than a poorly asked question is a cryptic answer.

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
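The thread's practical point is that `grep fail2ban audit.log | audit2allow -M` turns every denial into an allow rule, including the `admin_home_t` search that Tristan says probably should not be allowed, whereas the fix only needs the `fail2ban_var_run_t` rule. The script below is an added example, not code from either poster, showing the triage step in between: it parses AVC lines, keeps only rules whose target is fail2ban's own runtime label, flags everything else for review, and emits a minimal `.te` module in the same `module`/`require` layout that `audit2allow` produces. The audit lines, the module name `myfail2ban_min` and the `sock_file` denial are constructed for the example, not real captures from the thread.

```shell
#!/bin/sh
# Added example: triage fail2ban AVC denials instead of blanket-allowing them.
# Only rules that target fail2ban_var_run_t are accepted; anything else
# (such as the admin_home_t search from the thread) is listed for review.

# Constructed sample audit.log lines, modelled on the denials the thread
# discusses (dir write on /var/run/fail2ban, dir search on /root, and a
# follow-on sock_file write). They are not real captures.
SAMPLE_AVC='type=AVC msg=audit(1372946521.123:456): avc:  denied  { write } for  pid=1234 comm="fail2ban-client" name="fail2ban" dev="tmpfs" ino=1 scontext=system_u:system_r:fail2ban_client_t:s0 tcontext=system_u:object_r:fail2ban_var_run_t:s0 tclass=dir
type=AVC msg=audit(1372946521.124:457): avc:  denied  { search } for  pid=1234 comm="fail2ban-client" name="root" dev="dm-0" ino=2 scontext=system_u:system_r:fail2ban_client_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir
type=AVC msg=audit(1372946521.125:458): avc:  denied  { write } for  pid=1234 comm="fail2ban-client" name="fail2ban.sock" dev="tmpfs" ino=3 scontext=system_u:system_r:fail2ban_client_t:s0 tcontext=system_u:object_r:fail2ban_var_run_t:s0 tclass=sock_file'

# avc_to_rule LINE: turn one AVC record into
#   "allow <source type> <target type>:<class> { <perms> };"
# by pulling the type field (third colon-separated part) out of scontext and
# tcontext, plus the permission set and tclass.
avc_to_rule() {
    printf '%s\n' "$1" | sed -n \
        's/.*avc: *denied *{ *\([^}]*\)} *for .*scontext=[^:]*:[^:]*:\([^:]*\):.*tcontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([a-z_]*\).*/allow \2 \3:\4 { \1};/p'
}

# triage LOG: for every denial from fail2ban_client_t print ACCEPT or REVIEW
# followed by the generated rule. Only fail2ban's own runtime label is
# accepted automatically; other targets need a human decision.
triage() {
    printf '%s\n' "$1" | grep 'scontext=[^ ]*:fail2ban_client_t:' |
    while IFS= read -r line; do
        rule=$(avc_to_rule "$line")
        case "$rule" in
            "allow fail2ban_client_t fail2ban_var_run_t:"*) printf 'ACCEPT %s\n' "$rule" ;;
            *)                                            printf 'REVIEW %s\n' "$rule" ;;
        esac
    done
}

accepted_rules() { triage "$1" | sed -n 's/^ACCEPT //p'; }
review_rules()   { triage "$1" | sed -n 's/^REVIEW //p'; }

# build_te LOG: emit a minimal policy module (audit2allow-style .te text)
# containing only the accepted rules. Module name is hypothetical.
build_te() {
    rules=$(accepted_rules "$1")
    printf 'module myfail2ban_min 1.0;\n\nrequire {\n'
    # require block: every source and target type, de-duplicated
    printf '%s\n' "$rules" |
        awk '{ print "    type " $2 ";"; split($3, t, ":"); print "    type " t[1] ";" }' | sort -u
    # require block: every class with the permissions the rules use
    printf '%s\n' "$rules" |
        awk '{ split($3, t, ":"); sub(/^allow [^ ]+ [^ ]+ /, ""); sub(/;$/, ""); print "    class " t[2] " " $0 ";" }' | sort -u
    printf '}\n\n%s\n' "$rules"
}

# Demo on the constructed sample: the .te body, then what still needs a look.
build_te "$SAMPLE_AVC"
printf '\n# Denials left for review (not added to the module):\n'
review_rules "$SAMPLE_AVC"
```

The accepted rule for the dir write is exactly the line Tristan suggested (`allow fail2ban_client_t fail2ban_var_run_t:dir write;`, here with the permission set in braces, which the policy compiler treats the same way). The `admin_home_t` search stays out of the module and is printed separately so the person applying the fix has to decide about it explicitly, which is the "throw that one out" step the thread recommends.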