Re: service not starting via systemd but no AVCs are generated

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 07/09/13 22:02, Tristan Santore wrote:
> On 09/07/13 14:55, Ed Greshko wrote:
>> On 07/09/13 21:33, Tristan Santore wrote:
>>> That appears to be a bug. It should allow:
>>> allow fail2ban_client_t fail2ban_var_run_t:dir write;
>>>
>>> Not so sure why it would want to access admin_home_t though.
>>>
>>>
>>> Create a policy with that line in. And yes, it is a bug. Because
>>> /var/run/fail2ban.*                                all files
>>> system_u:object_r:fail2ban_var_run_t:s0 is labelled.
>>> I haven't got fail2ban installed here, but it should allow it to create
>>> the pid file and socket. You might find after that the access to the
>>> socket also gets blocked. So fix the one issue, then check the audit log
>>> again.
>>>
>>> Make sure you please file a bug on bugzilla.redhat.com against the
>>> selinux-policy package.
>> OK, I went ahead and did the usual
>>
>> grep fail2ban /var/log/audit/audit.log | audit2allow -M myfail2ban
>>
>> and it now starts in enforcing mode.
>>
>> I don't use fail2ban myself.  I was just helping someone else.
>>
>> Now, to write the bugzilla.  
>>
>> Thanks,
>> Ed
>>
> I am not sure the root home dir search should be allowed. Might be worth
> throwing that one out and just trying the one line I gave you.
>
> Anyway, glad it works.

FYI....

There appears to be a bugzilla already open on this issue....

https://bugzilla.redhat.com/show_bug.cgi?id=975695

Thanks,
Ed

-- 
The only thing worse than a poorly asked question is a cryptic answer.
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux





[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux