Selinux and Fail2ban - Problem with IP routing action

Support for security such as Firewalls and securing linux
richard_chapman
Posts: 252
Joined: 2006/09/08 02:54:11


Post by richard_chapman » 2014/06/09 07:42:29

I have 2 CentOS 5 servers that were at one time identical, i.e. one was cloned from the other.
Both are running SELinux in permissive mode.
A couple of months back I installed fail2ban on both to control attempts to hack the authenticated Postfix SMTP server.
This kind of works - but I observed a couple of anomalies:
1) If I attempt to use the hosts.deny file to ban an IP address - sometimes it doesn't seem to work - and the hacking continues after fail2ban reports the IP is banned.
2) If I use the "route" action that implements:
[Definition]
actionban = ip route add <blocktype> <ip>

I get the following SELinux error every time it attempts a ban - BUT ONLY ON ONE SERVER.
-----------------------
Summary
SELinux is preventing ip (ifconfig_t) "read write" to socket (initrc_t).
Detailed Description
[SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.]

SELinux denied access requested by ip. It is not expected that this access is required by ip and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access
You can generate a local policy module to allow this access - see FAQ Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report against this package.
Additional Information
Source Context: system_u:system_r:ifconfig_t
Target Context: system_u:system_r:initrc_t
Target Objects: socket [ unix_dgram_socket ]
Source: ip
Source Path: /sbin/ip
Port: <Unknown>
Host: C5.aardvark.com.au
Source RPM Packages: iproute-2.6.18-15.el5
Target RPM Packages:
Policy RPM: selinux-policy-2.4.6-346.el5
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Permissive
Plugin Name: catchall
Host Name: C5.aardvark.com.au
Platform: Linux C5.aardvark.com.au 2.6.18-371.8.1.el5 #1 SMP Thu Apr 24 18:19:36 EDT 2014 x86_64 x86_64
Alert Count: 51
First Seen: Sat May 3 10:02:21 2014
Last Seen: Wed May 28 16:14:27 2014
Local ID: 84f1ad15-58f6-49d1-b253-41df20ab6b02
Line Numbers:
-------------------------------
This message isn't very helpful about how to "allow access" and this seems way out of my depth. Any thoughts on why only one server gives the SELinux error - and how I can fix it?

Thanks.
Richard.

unspawn
Posts: 172
Joined: 2006/12/11 12:28:52

Re: Selinux and Fail2ban - Problem with IP routing action

Post by unspawn » 2014/08/25 17:53:18

//Bit old but since it is a 0-reply thread...
richard_chapman wrote:If I attempt to use the hosts.deny file to ban an IP address - sometimes it doesn't seem to work - and the hacking continues after fail2ban reports the IP is banned.
Please use iptables rules (or better: ipset which fail2ban supports) and not tcp_wrappers or null routes. (If you need an explanation let me know.)
richard_chapman wrote:If I use the "route" action (..) I get the following SELinux error every time it attempts a ban - BUT ONLY ON ONE SERVER.
(..) SELinux is preventing ip (ifconfig_t) "read write" to socket (initrc_t). (..) Any thoughts on why only one server gives the SELinux error - and how I can fix it?
See above. As for diagnosing why: anything with an initrc_t context may be caused by a service started by init. You could compare contexts with the other machine, restart the service manually (asserting it then gets the right context) or see what 'restorecon -vn' says.
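As an added illustration of the ipset-based alternative suggested above (this is example configuration, not code from the thread or from the fail2ban project), a fail2ban action file that bans by adding the address to an ipset matched from a single iptables rule, so each ban is a set insert rather than a new route or a tcp_wrappers lookup. It assumes the iptables "set" match and the ipset userspace tool are available on the host, and that the jail passes port and protocol as usual; the set name prefix f2b- is an arbitrary choice.

```ini
# Hypothetical /etc/fail2ban/action.d/iptables-ipset-smtp.conf (example, not shipped by fail2ban)
[Definition]
# One set and one iptables rule per jail, created when the jail starts.
# The set's default timeout expires entries on its own, so a missed unban is harmless.
actionstart = ipset create f2b-<name> hash:ip timeout <bantime>
              iptables -I <chain> -p <protocol> -m multiport --dports <port> -m set --match-set f2b-<name> src -j <blocktype>

# Tear down in reverse order: rule first, then the (now unreferenced) set.
actionstop = iptables -D <chain> -p <protocol> -m multiport --dports <port> -m set --match-set f2b-<name> src -j <blocktype>
             ipset flush f2b-<name>
             ipset destroy f2b-<name>

# Lets fail2ban verify the rule is still present and recreate it if the firewall was reloaded.
actioncheck = iptables -n -L <chain> | grep -q 'match-set f2b-<name> src'

# Ban/unban touch only the set; -exist makes repeated bans of the same address a no-op.
actionban = ipset add f2b-<name> <ip> timeout <bantime> -exist
actionunban = ipset del f2b-<name> <ip> -exist

[Init]
# Defaults; override from jail.local if needed.
chain = INPUT
protocol = tcp
port = smtp,submission
bantime = 600
blocktype = REJECT --reject-with icmp-port-unreachable
```

After a ban, `ipset list f2b-<name>` shows the address with its remaining timeout, which is the easiest check that the ban actually took effect.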
