fail2ban with ipset fails when selinux enforceing?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

I'm running Fedora 17, kernel 3.9.10-100.fc17.i686.PAE

I am configuring ipset as an addition to fail2ban which I have had working for some time.

I have this fail2ban-fixes.te compiled and installed:
module fail2ban-fixes 1.02;

# created using:
# cat /var/log/audit/audit.log | audit2allow -m local > local.te
# and moving local.te here.
#
# Modification:
# 1.00 May 28 2013 fail2ban_client_t
# 1.01 Jun 15 2013 logrotate_t
# 1.02 Sep 16 2013 fail2ban_t

# 1.00 - allow fail2ban client access to http logs
#
require {
	type httpd_log_t;
	type fail2ban_var_run_t;
	type fail2ban_client_t;
	class di31.7.144.66r { read write search };
}

#============= fail2ban_client_t ==============
allow fail2ban_client_t fail2ban_var_run_t:dir write;
allow fail2ban_client_t httpd_log_t:dir read;
allow fail2ban_client_t httpd_log_t:dir search;

# 1.01 - allow fail2ban logrotate
#
require {
	type logrotate_t;
	type fail2ban_client_exec_t;
	class file { read execute open };
}

#============= logrotate_t ==============
allow logrotate_t fail2ban_client_exec_t:file { read execute };

# 1.02 allow fail2ban access to ipset NOT WORKING when enforcing !
# 
require {
	type fail2ban_t;
	class netlink_socket { bind create getattr };
        class capability net_admin;
}

#============= fail2ban_t ==============
allow fail2ban_t self:netlink_socket { bind create getattr };
allow fail2ban_t self:capability net_admin;

All of the above have been created using audit2allow.

The last block of the above, 'fail2ban_t', is necessary to get ipset to work the previous were 
necessary to allow the fail2ban client. 

As long as I am in permissive mode there are NO failed records in /var/log/audit/audit.log and 
'nothing to do' reported by audit2allow.

The ipset command is:
ipset --test fail2ban-forum 198.143.143.5 || ipset --add fail2ban-forum 198.143.143.5
and the correct entry is made to the hash:ip set fail2ban-forum. (that is as long as we are permissive) 

However, when enforcing is enabled the fail2ban.log contains errors like this:
2013-09-16 21:32:24,750 fail2ban.actions.action: ERROR  ipset --test fail2ban-forum 198.143.143.5 ||  ipset --add fail2ban-forum 198.143.143.5 returned 100

I can, of course, execute the ipset commands as root when enforcing.

Here's the problem:
There is nothing in /var/log/audit/audit.log or /var/log/messages to diagnose the nature of the error!

Where is the bug? selinux or ipset or somewhere else?
How do I debug the problem?

Any clues much appreciated. I am cross posting this to the fail2ban list.

TIA Charles Bradshaw



--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux