No subject


Sat Jul 3 11:09:00 UTC 2010


Hi,

I was looking at the AVC audit log and I noticed fail2ban comes up.

I'm using Debian 5 with kernel 2.6.26-2-xen-686 on a Linode VPS.

From reading around on Google I know that fail2ban has issues with leaving
its files open during startup. So the AVC messages below are expected. How
do I get rid of them? I don't want to do a simple audit2allow since the
refpolicy at
http://oss.tresys.com/files/refpolicy/refpolicy-2.20100524.tar.bz2 has a
fail2ban module.

I was hoping to compile and install that module. Except the Makefile
inside refpolicy-2.20100524.tar.bz2 doesn't have a 'modules' target.

How can I compile just the modules and install fail2ban.pp? Or should I
just install the entire policy? How do I switch between the
selinux-policy-default and refpolicy-2.20100524? How do I upgrade policies
as new ones become available?

Here are the fail2ban related messages:

type=AVC msg=audit(1278867733.145:21): avc:  denied  { append } for  pid=4825 comm="iptables" path="/var/log/fail2ban.log" dev=xvda ino=10969 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file

type=AVC msg=audit(1278915901.876:23): avc:  denied  { search } for  pid=5110 comm="logrotate" name="root" dev=xvda ino=8194 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:unconfined_home_dir_t:s0 tclass=dir


However I'm pretty unsure of what the AVC denials below are about. Why is
"modprobe" being used here? Does this mean fail2ban is trying to use
modprobe? Why would this be the case? How can I find out more about these
messages?

type=AVC msg=audit(1278902853.550:22): avc:  denied  { read write } for  pid=5076 comm="modprobe" path="socket:[15830]" dev=sockfs ino=15830 scontext=system_u:system_r:insmod_t:s0 tcontext=system_u:system_r:iptables_t:s0 tclass=rawip_socket

type=AVC msg=audit(1278927564.162:24): avc:  denied  { read write } for  pid=5202 comm="modprobe" path="socket:[6651]" dev=sockfs ino=6651 scontext=system_u:system_r:insmod_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
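An added example, not the poster's code and not part of refpolicy: a small parser that takes AVC records like the four above and reads out what each one actually says. The key to the modprobe denials is in the fields themselves. For socket classes the target label (tcontext) is the context of the process that created the socket, so `scontext=...insmod_t` with `tcontext=...iptables_t` on a `rawip_socket` means modprobe (running in insmod_t after iptables exec'd it to load a netfilter module) inherited a raw socket that iptables had open, and the kernel is checking whether insmod_t may touch iptables_t's socket. The `initrc_t` / `unix_stream_socket` one is the same pattern with a descriptor inherited from the init script. Such inherited-descriptor denials are normally silenced with `dontaudit` rather than `allow`; the file and directory denials are real accesses that need a policy decision (an allow rule, or, for the log file, the label a proper fail2ban module expects). The `FD_CLASSES` list and the allow-versus-dontaudit split are this example's own heuristic, not something audit2allow does, and the parser accepts any AVC record, not just these four. The sample records are pasted in as constructed input so the script runs offline.

```python
import re

# The four AVC denials quoted in the post above, pasted here as constructed
# sample input so the example runs offline (one audit record per line).
SAMPLE_AVCS = """\
type=AVC msg=audit(1278867733.145:21): avc:  denied  { append } for  pid=4825 comm="iptables" path="/var/log/fail2ban.log" dev=xvda ino=10969 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1278915901.876:23): avc:  denied  { search } for  pid=5110 comm="logrotate" name="root" dev=xvda ino=8194 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:unconfined_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1278902853.550:22): avc:  denied  { read write } for  pid=5076 comm="modprobe" path="socket:[15830]" dev=sockfs ino=15830 scontext=system_u:system_r:insmod_t:s0 tcontext=system_u:system_r:iptables_t:s0 tclass=rawip_socket
type=AVC msg=audit(1278927564.162:24): avc:  denied  { read write } for  pid=5202 comm="modprobe" path="socket:[6651]" dev=sockfs ino=6651 scontext=system_u:system_r:insmod_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Object classes whose label is the creating *process's* context, so tcontext
# names a domain rather than a file type (this example's own list/heuristic).
FD_CLASSES = ("fd", "fifo_file", "socket", "tcp_socket", "udp_socket",
              "rawip_socket", "netlink_socket", "unix_stream_socket",
              "unix_dgram_socket")


def split_context(ctx):
    """'user:role:type[:mls]' -> dict; the MLS range itself may contain ':'."""
    user, role, type_, *mls = ctx.split(":")
    return {"user": user, "role": role, "type": type_, "mls": ":".join(mls)}


def parse_avc(line):
    """Parse one 'type=AVC ... avc: denied ...' record into its relevant fields."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "perms": m.group("perms").split(),
        "pid": int(fields["pid"]),
        "comm": fields.get("comm"),
        "object": fields.get("path") or fields.get("name"),
        "scontext": split_context(fields["scontext"]),
        "tcontext": split_context(fields["tcontext"]),
        "tclass": fields["tclass"],
    }


def is_inherited_fd(avc):
    """True when the object is descriptor-backed (socket, fd, pipe) and was
    created in a different domain than the one being denied: the descriptor
    was inherited across exec/domain transition (or passed), not opened by
    the denied process itself."""
    return (avc["tclass"] in FD_CLASSES
            and avc["tcontext"]["type"] != avc["scontext"]["type"])


def to_rule(avc, kind="allow"):
    """Render the denial as a TE rule (allow or dontaudit), audit2allow-style."""
    perms = avc["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return "%s %s %s:%s %s;" % (kind, avc["scontext"]["type"],
                                  avc["tcontext"]["type"], avc["tclass"], perm_str)


def triage(text):
    """Split AVCs into inherited-descriptor noise (suggest dontaudit) and real
    accesses (suggest allow, or fix the object's label so a module's existing
    rules apply). The final decision is still the policy writer's."""
    rows = []
    for line in text.splitlines():
        avc = parse_avc(line)
        if avc is None:
            continue
        leaked = is_inherited_fd(avc)
        rows.append({
            "comm": avc["comm"],
            "object": avc["object"],
            "inherited_fd": leaked,
            "rule": to_rule(avc, "dontaudit" if leaked else "allow"),
        })
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_AVCS):
        tag = "inherited fd" if row["inherited_fd"] else "real access"
        print("%-10s %-13s %-25s %s" % (row["comm"], tag, row["object"], row["rule"]))
```

Running it on the four records prints two "real access" rows (the log append from iptables_t and the home-directory search from logrotate_t) and two "inherited fd" rows rendered as `dontaudit insmod_t ...` rules; the same `triage()` can be pointed at the raw records from `ausearch -m avc` or at lines grepped from /var/log/audit/audit.log.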




More information about the Selinux-user mailing list