On 11/04/2016 10:05 AM, Lukas Vrabec wrote:
> On 11/03/2016 04:03 PM, lejeczek wrote:
>>
>> On 03/11/16 01:28, Simon Sekidde wrote:
>>>
>>> ----- Original Message -----
>>>> From: "lejeczek" <peljasz@xxxxxxxxxxx>
>>>> To: selinux@xxxxxxxxxxxxxxxxxxxxxxx
>>>> Sent: Wednesday, November 2, 2016 6:30:30 PM
>>>> Subject: fail2ban to rpm??
>>>>
>>>> hi everybody
>>>> on my one system I see something weir...
>>>>
>>>> setroubleshoot[58420]: SELinux is preventing /usr/bin/python2.7 from getattr access on the file /usr/bin/rpm. For complete SELinux messages. run sealert -l 892542a6-b3ea-48eb-b76f-cadffdbdbb84
>>>> Nov 02 22:21:27 rider.private.ccnr.ceb.private.cam.ac.uk python[58420]: SELinux is preventing /usr/bin/python2.7 from getattr access on the file /usr/bin/rpm.
>>>>
>>>> Source Context    system_u:system_r:fail2ban_client_t:s0
>>>> Target Context    system_u:object_r:rpm_exec_t:s0
>>>> Target Objects    /usr/bin/rpm [ file ]
>>>> Source            fail2ban-client
>>>> Source Path       /usr/bin/python2.7
>>>>
>>>> fail2ban wants to run rpm ???
>>>> unless some binaries I have mislabelled this would be suspicious, no?? What do you think?
>>> Do you know how this warning was triggered?
>>> We only allow this permission for rpm files in the /tmp dir
>> it was an attempt to systemctl start fail2ban, but I .autorelabeled and it does not appear to be a problem any more, so maybe just wrong selabels somewhere.

If you see this issue again, we can ask fail2ban folks what is going on here.

I don't think it was a labeling issue.

    system_u:system_r:fail2ban_client_t:s0
    Target Context system_u:object_r:rpm_exec_t:s0
    Target Objects /usr/bin/rpm [ file ]

It tells me that the /usr/bin/rpm binary was really executed and with correct labeling, and it was executed by fail2ban_client_t.

Thank you.

>>>> THXALOT
>>>> L.
>>>> _______________________________________________
>>>> selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
>>>> To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
>>>>
>
> I see an allow rule in Fedora 24:
>
> $ sesearch -A -s fail2ban_t -t rpm_exec_t
> Found 2 semantic av rules:
> allow fail2ban_t file_type : filesystem getattr ;
> allow fail2ban_t rpm_exec_t : file { ioctl read getattr lock execute execute_no_trans open } ;
>
> I believe it was caused by wrong labels on your system.
>
> Thank you,
> Lukas.

--
Miroslav Grepl
Senior Software Engineer, SELinux Solutions
Red Hat, Inc.
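The two checks the thread does by hand (does the target's label match what policy expects for that path, and does policy grant the source domain the denied access) as a small added triage script; this is not code from the thread. The AVC record is constructed from the contexts quoted above, the function names are my own, and `matchpathcon`/`sesearch` are only invoked when present on the host.

```shell
#!/bin/sh
# Constructed audit-style AVC record using the contexts from the thread; not a real log line.
SAMPLE_AVC='type=AVC msg=audit(1478125287.412:9012): avc:  denied  { getattr } for  pid=58420 comm="fail2ban-client" path="/usr/bin/rpm" dev="dm-0" ino=4242 scontext=system_u:system_r:fail2ban_client_t:s0 tcontext=system_u:object_r:rpm_exec_t:s0 tclass=file permissive=0'

# avc_field RECORD KEY -> value of KEY=..., surrounding quotes removed
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perm RECORD -> the permission(s) listed inside "{ ... }"
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\([^}]*[^} ]\) *}.*/\1/p'
}

# ctx_type CONTEXT -> the type component of user:role:TYPE:level
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# sesearch_cmd RECORD -> the policy query that answers "is this access allowed at all?"
sesearch_cmd() {
    printf 'sesearch -A -s %s -t %s -c %s -p %s\n' \
        "$(ctx_type "$(avc_field "$1" scontext)")" \
        "$(ctx_type "$(avc_field "$1" tcontext)")" \
        "$(avc_field "$1" tclass)" "$(avc_perm "$1")"
}

# triage RECORD: distinguish "file is mislabelled" from "policy really lacks the rule"
triage() {
    path=$(avc_field "$1" path); tctx=$(avc_field "$1" tcontext)
    if command -v matchpathcon >/dev/null 2>&1; then
        expected=$(matchpathcon -n "$path")      # label policy says this path should carry
        if [ "$expected" = "$tctx" ]; then
            echo "label OK: $path is $tctx as policy expects; a real access attempt by $(ctx_type "$(avc_field "$1" scontext)")"
        else
            echo "MISLABEL: $path is $tctx, policy expects $expected (fix: restorecon -v $path)"
        fi
    fi
    echo "policy check: $(sesearch_cmd "$1")"
    if command -v sesearch >/dev/null 2>&1; then eval "$(sesearch_cmd "$1")"; fi
}

# Run with AVC_TRIAGE_RUN=1 [AVC_RECORD='type=AVC ...'] sh triage.sh on an SELinux host.
if [ -n "${AVC_TRIAGE_RUN:-}" ]; then triage "${AVC_RECORD:-$SAMPLE_AVC}"; fi
```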