On Tue, Dec 08, 2009 at 09:15:48PM +0000, Arthur Dent wrote:
On Tue, 2009-12-08 at 21:57 +0100, Dominick Grift wrote:
> > So what do you think?
> >
> > Am I on the right track?
>
> Yes "allow system_mail_t fail2ban_t:unix_stream_socket { read write };",
> signals a leaked file descriptor on fail2ban. This issue is known. You can ignore those
> avc denials and/or silence them:
What exactly *is* a "leaked file descriptor"?
> echo "policy_module(myfail2ban, 1.0.0)" > myfail2ban.te;
> echo "optional_policy(\`" >> myfail2ban.te;
> echo "gen_require(\`" >> myfail2ban.te;
> echo "attribute domain;" >> myfail2ban.te;
> echo "type fail2ban_t;" >> myfail2ban.te;
> echo "\')" >> myfail2ban.te;
> echo "dontaudit domain fail2ban_t:unix_stream_socket { read write };" >> myfail2ban.te;
> echo "\')" >> myfail2ban.te;
OK - Thanks for this. It's not the way I'm used to generating local
policies and I think there may be an error? Once all the lines are
echo'd into myfail2ban.te this is what I get:
# cat myfail2ban.te
policy_module(myfail2ban, 11.2.1)
optional_policy(`
gen_require(`
attribute domain;
type fail2ban_t;
\')
dontaudit domain fail2ban_t:unix_stream_socket { read write };
\')
Your myfail2ban.te file should look like this:
policy_module(myfail2ban, 11.2.1)
optional_policy(`
gen_require(`
attribute domain;
type fail2ban_t;
')
dontaudit domain fail2ban_t:unix_stream_socket { read write };
')
A leaked file descriptor is a programming error: it is where the programmer forgot to close
a file descriptor (bug in fail2ban).
Which won't compile:
> make -f /usr/share/selinux/devel/Makefile myfail2ban.pp
> sudo semodule -i myfail2ban.pp
Gives:
# make -f /usr/share/selinux/devel/Makefile myfail2ban.pp
Compiling targeted myfail2ban module
/usr/bin/checkmodule: loading policy configuration from tmp/myfail2ban.tmp
myfail2ban.te":2:WARNING 'unrecognized character' at token '\' on line 3204:
\
#line 2
myfail2ban.te":2:WARNING 'unrecognized character' at token '\' on line 3214:
\
#line 2
myfail2ban.te":2:WARNING 'unrecognized character' at token '\' on line 3204:
\
#line 2
myfail2ban.te":2:WARNING 'unrecognized character' at token '\' on line 3214:
\
#line 2
/usr/bin/checkmodule: policy configuration loaded
/usr/bin/checkmodule: writing binary representation (version 10) to tmp/myfail2ban.mod
Creating targeted myfail2ban.pp policy package
rm tmp/myfail2ban.mod.fc tmp/myfail2ban.mod
I'm not exactly sure what you had in mind, otherwise I would edit it to
work...
But thanks again. I do appreciate your help!
Mark
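A way to generate the module without the quoting problem discussed in this thread, as an added example that is not part of anyone's mail here: the heredoc writer, the lint_te check and the build_and_load wrapper are this example's own names, not part of fail2ban or the SELinux toolchain.

```shell
#!/bin/sh
# Added example, not from the thread: write the dontaudit module with a quoted
# heredoc. The thread's echo chain put "\')" through double quotes, which left a
# literal backslash in the .te file (what checkmodule flagged); <<'EOF' does not.
set -eu

# write_te FILE: emit the policy source exactly as it must appear on disk.
write_te() {
    cat > "$1" <<'EOF'
policy_module(myfail2ban, 1.0.0)
optional_policy(`
gen_require(`
attribute domain;
type fail2ban_t;
')
dontaudit domain fail2ban_t:unix_stream_socket { read write };
')
EOF
}

# write_te_broken FILE: the same text produced the way the echo chain did,
# so lint_te can show the difference (the backslashes are the defect).
write_te_broken() {
    printf '%s\n' 'policy_module(myfail2ban, 1.0.0)' 'optional_policy(`' \
        'gen_require(`' 'attribute domain;' 'type fail2ban_t;' "\\')" \
        'dontaudit domain fail2ban_t:unix_stream_socket { read write };' \
        "\\')" > "$1"
}

# lint_te FILE: cheap checks before checkmodule runs. Returns 0 only if the
# file has no backslashes and every m4 opening quote (`) has a closing one (').
lint_te() {
    if grep -q '\\' "$1"; then
        echo "lint: stray backslash in $1" >&2
        return 1
    fi
    opens=$(( $(tr -cd '`' < "$1" | wc -c) ))
    closes=$(( $(tr -cd "'" < "$1" | wc -c) ))
    if [ "$opens" -ne "$closes" ]; then
        echo "lint: $opens opening vs $closes closing m4 quotes in $1" >&2
        return 1
    fi
}

# build_and_load NAME: the build and load steps from the thread; needs
# selinux-policy-devel and root, so the checks below never call it.
build_and_load() {
    make -f /usr/share/selinux/devel/Makefile "$1.pp"
    sudo semodule -i "$1.pp"
}
```

Run write_te myfail2ban.te, then lint_te myfail2ban.te, and only then build_and_load myfail2ban; lint_te fails on the output of write_te_broken, which reproduces the file the cat above showed.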
--
fedora-selinux-list mailing list
fedora-selinux-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list