I'm running Fedora 17, kernel 3.9.10-100.fc17.i686.PAE
I am installing and configuring ipset as an addition to fail2ban, which I have been running successfully for some time.
I expected some complaints from selinux so I have set permissive mode and the first run of fail2ban produces this audit.log when ipset tries to run to insert a ban:
type=AVC msg=audit(1379280989.345:21513): avc: denied { create } for pid=4270 comm="ipset" scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 tclass=netlink_socket
I create fail2ban.te:

# cat /var/log/audit/audit.log | audit2allow -m fail2ban > fail2ban.te

Which looks like this:

module fail2ban 1.0;

require {
	type fail2ban_t;
	class netlink_socket { bind create getattr };
}

#============= fail2ban_t ==============
allow fail2ban_t self:netlink_socket { bind create getattr };

For the record I have done these:

# checkmodule -M -m -o fail2ban.mod fail2ban.te
checkmodule: loading policy configuration from fail2ban.te
checkmodule: policy configuration loaded
checkmodule: writing binary representation (version 15) to fail2ban.mod
# semodule_package -o fail2ban.pp -m fail2ban.mod
But the install FAILS:

# semodule --verbose -i fail2ban.pp
Attempting to install module 'fail2ban.pp':
Ok: return value of 0.
Committing changes:
libsepol.print_missing_requirements: fail2ban-client's global requirements were not met: type/attribute fail2ban_var_run_t
libsemanage.semanage_link_sandbox: Link packages failed
semodule: Failed!
However seinfo says:

# seinfo --type=fail2ban_var_run_t
fail2ban_var_run_t

I don't see any requirement for fail2ban_var_run_t in the above!

I have previously installed fail2ban-client which allows fail2ban to monitor /var/log/httpd/access_log and write to its own log:

module fail2ban-client 1.0;

require {
	type httpd_log_t;
	type fail2ban_var_run_t;
	type fail2ban_client_t;
	class dir { read write search };
}

#============= fail2ban_client_t ==============
allow fail2ban_client_t fail2ban_var_run_t:dir write;
allow fail2ban_client_t httpd_log_t:dir read;
allow fail2ban_client_t httpd_log_t:dir search;

Which compiles and installs without a problem!
NB fail2ban-client.te contains type fail2ban_var_run_t
What am I missing?
TIA Charles Bradshaw
On Sun, 2013-09-15 at 23:44 +0100, Charles Bradshaw wrote:
> <snip>
> type=AVC msg=audit(1379280989.345:21513): avc: denied { create } for pid=4270 comm="ipset" scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 tclass=netlink_socket
> <snip>
> libsepol.print_missing_requirements: fail2ban-client's global requirements were not met: type/attribute fail2ban_var_run_t
> libsemanage.semanage_link_sandbox: Link packages failed
> semodule: Failed!
> <snip>
> I see no requirement for fail2ban_var_run_t in fail2ban.te!
> I have previously compiled and installed this:
>
> module fail2ban-client 1.0;
>
> require {
> 	type httpd_log_t;
> 	type fail2ban_var_run_t;
> 	type fail2ban_client_t;
> 	class dir { read write search };
> }
>
> #============= fail2ban_client_t ==============
> allow fail2ban_client_t fail2ban_var_run_t:dir write;
> allow fail2ban_client_t httpd_log_t:dir read;
> allow fail2ban_client_t httpd_log_t:dir search;
hehe yes let's bisect this for a second, shall we?

1. So the base fail2ban module has some bugs
2. One of the bugs is that it doesn't support the fail2ban client, and so you aptly create a module called fail2ban-client to add support for the client which requires type fail2ban_var_run_t ( a type that is declared in the base fail2ban module ), so far so good
3. then later things start to go wrong. You identify another bug in the base fail2ban module and decide to create a module called fail2ban with the fix

Now the latest fail2ban module fails. But the message says it fails on the fail2ban-client

So what's going on here? well it's pretty simple.

Your latest module has the same name as the base fail2ban module, so by trying to install it you are trying to overwrite the existing fail2ban module. Which has the fail2ban_var_run_t type declared. Thus it cannot install it because the fail2ban-client module depends on it!

so it fails and tells you: hey I can't do this because the fail2ban-client module depends on type fail2ban_var_run_t type which doesn't exist

So the fix is to give your latest fail2ban mod a unique name so that it doesn't overwrite the base fail2ban module (example myfail2ban).

Think modular, think dependency. There's also this concept of "optional_policy" that helps address dependency issues in modular policy

basically policy in optional_policy blocks is only used if possible, and if not possible will just be ignored (e.g. there won't be a hard dependency on policy inside the optional policy blocks)
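The name collision Dominick describes can be caught before checkmodule is ever run. The script below is an added example, not code from the thread or from the SELinux tools: it reads the module name from the .te header, checks it against a `semodule -l` listing (a constructed listing is embedded here; in real use pass the real command output), and rewrites the header to a unique name when it would replace an installed module. The function names and the sample listing are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight check for local SELinux
# policy modules. Installing a module under a name that is already installed
# replaces that module and drops every type it declares, which is the failure
# in the thread above ("fail2ban-client's global requirements were not met").
# All function names here are assumptions, not SELinux tooling.

# Print the NAME from the "module NAME VERSION;" header of a .te file.
te_module_name() {
    awk '$1 == "module" { print $2; exit }' "$1"
}

# Read a "semodule -l" listing on stdin (one module per line, name first) and
# return 0 if NAME is present, 1 otherwise.
module_installed() {
    awk -v name="$1" '$1 == name { found = 1 } END { exit !found }'
}

# Refuse to proceed when the .te would overwrite an installed module.
# $1 = .te file, $2 = the text of "semodule -l". Returns 1 on a collision.
preflight() {
    name=$(te_module_name "$1")
    [ -n "$name" ] || { echo "no 'module NAME VERSION;' header in $1" >&2; return 2; }
    if printf '%s\n' "$2" | module_installed "$name"; then
        echo "module '$name' is already installed; installing $1 would replace it" >&2
        echo "and drop the types it declares. Rename it, e.g. 'my$name'." >&2
        return 1
    fi
}

# Rewrite the header so the module gets a unique name; output goes to stdout.
rename_module() {
    awk -v new="$2" '$1 == "module" && !done { $2 = new; done = 1 } { print }' "$1"
}

# Demo with constructed data; in real use pass "$(semodule -l)" as the listing.
demo_te=$(mktemp)
printf 'module fail2ban 1.0;\n\nrequire {\n\ttype fail2ban_t;\n\tclass netlink_socket { bind create getattr };\n}\n\nallow fail2ban_t self:netlink_socket { bind create getattr };\n' > "$demo_te"
demo_listing=$(printf 'fail2ban\t1.0.0\nfail2ban-client\t1.0\nhttpd\t1.0\n')
preflight "$demo_te" "$demo_listing" || rename_module "$demo_te" myfail2ban > "$demo_te.renamed"
rm -f "$demo_te" "$demo_te.renamed"
```

The renamed module still requires only fail2ban_t, which the base module keeps declaring, so it links cleanly alongside fail2ban and fail2ban-client instead of replacing them.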
selinux@lists.fedoraproject.org