
I have an Expect script that works fine if I run it manually, but fails when run as an action from Fail2ban. The error message is as follows:

spawn /usr/bin/telnet 192.168.242.1
The system has no more ptys.  Ask your system administrator to create more.
    while executing
"spawn /usr/bin/telnet $hostname"

With the corresponding message in audit.log:

type=AVC msg=audit(1407894085.867:54862): avc:  denied  { read write } for  pid=14748 comm="ciscoacl.exp" name="ptmx" dev=devtmpfs ino=5288 scontext=unconfined_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:ptmx_t:s0 tclass=chr_file

The script is running as root (confirmed by running whoami from the script) so I expected not to have any issues. What, if anything, can I do to fix this? (No, I don't want to disable SELinux!)

I don't think the script itself makes a difference here, but I can post it if needed.

miken32

1 Answer


You will have to make a custom policy with audit2allow to allow fail2ban to read/write to chr_file. Probably it will look like this:

# module header added so the file compiles with checkmodule;
# audit2allow -M generates it for you
module fail2ban_ptmx 1.0;

require {
        type ptmx_t;
        type fail2ban_t;
        class chr_file { read write };
}

#============= fail2ban_t ==============
allow fail2ban_t ptmx_t:chr_file { read write };

Are you sure there are no more denies?

Ezeyme
  • You're right; I checked and found a couple of other deny entries. Changed your rule to `{ read write ioctl open }` and am waiting for the next script kiddie to test against! Will accept if it works, or update info otherwise. – miken32 Aug 13 '14 at 17:21
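The workflow the answer describes, as an added example that is not part of the original answer or of the audit2allow tool: a small POSIX-sh imitation of what audit2allow does with AVC records, so the rule that would be loaded can be read and checked against the AVC lines before anything is installed. The first sample line is the one from the question; the `ioctl` and `open` lines are constructed to stand in for the further denials mentioned in the comment, and the module name `fail2ban_ptmx` is an assumption. The function merges every denial for the same source type, target type and class into one `allow` line, which is also why it is worth collecting all denials first rather than loading a module per AVC line.

```shell
#!/bin/sh
# Added example, not from the original answer. Imitates the part of audit2allow
# that turns AVC records into a type-enforcement (.te) module so the result can
# be reviewed. Sample input is constructed: line 1 is the AVC from the question,
# lines 2-3 are assumed follow-up denials (ioctl, open) on the same device.
AVC_SAMPLE='type=AVC msg=audit(1407894085.867:54862): avc:  denied  { read write } for  pid=14748 comm="ciscoacl.exp" name="ptmx" dev=devtmpfs ino=5288 scontext=unconfined_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:ptmx_t:s0 tclass=chr_file
type=AVC msg=audit(1407894090.100:54870): avc:  denied  { ioctl } for  pid=14748 comm="ciscoacl.exp" path="/dev/ptmx" scontext=unconfined_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:ptmx_t:s0 tclass=chr_file
type=AVC msg=audit(1407894090.101:54871): avc:  denied  { open } for  pid=14748 comm="ciscoacl.exp" path="/dev/ptmx" scontext=unconfined_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:ptmx_t:s0 tclass=chr_file'

# avc_to_te MODULE_NAME
#   Reads AVC lines on stdin and prints a .te module: the module header, a
#   require block listing every type and class used, and one allow rule per
#   (source type, target type, class) with the denied permissions merged.
avc_to_te() {
    modname=${1:-fail2ban_local}
    grep 'avc: *denied' \
    | sed -n 's/.*denied *{\([^}]*\)}.*scontext=[^:]*:[^:]*:\([^:]*\):.*tcontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([^ ]*\).*/\2 \3 \4 \1/p' \
    | awk -v mod="$modname" '
        {
            # fields: source_type target_type class perm1 perm2 ...
            key = $1 " " $2 ":" $3
            if (!(key in perms)) { keys[++n] = key; perms[key] = "" }
            for (i = 4; i <= NF; i++) if (!seen[key, $i]++) perms[key] = perms[key] " " $i
            if (!tseen[$1]++) types[++nt] = $1
            if (!tseen[$2]++) types[++nt] = $2
            if (!cseen[$3]++) classes[++nc] = $3
            for (i = 4; i <= NF; i++) if (!cpseen[$3, $i]++) cperms[$3] = cperms[$3] " " $i
        }
        END {
            printf "module %s 1.0;\n\nrequire {\n", mod
            for (i = 1; i <= nt; i++) printf "\ttype %s;\n", types[i]
            for (i = 1; i <= nc; i++) printf "\tclass %s {%s };\n", classes[i], cperms[classes[i]]
            printf "}\n\n"
            for (i = 1; i <= n; i++) printf "allow %s {%s };\n", keys[i], perms[keys[i]]
        }'
}

# Stand-alone run: print the module that the sample denials would produce.
printf '%s\n' "$AVC_SAMPLE" | avc_to_te fail2ban_ptmx

# On the real host the same result comes from the SELinux tools directly:
#   ausearch -m avc -c ciscoacl.exp | audit2allow -M fail2ban_ptmx
#   semodule -i fail2ban_ptmx.pp
# or, to compile a hand-reviewed .te file such as the one printed above:
#   checkmodule -M -m -o fail2ban_ptmx.mod fail2ban_ptmx.te
#   semodule_package -o fail2ban_ptmx.pp -m fail2ban_ptmx.mod
#   semodule -i fail2ban_ptmx.pp
```

Re-run the action after loading the module and check audit.log again: each new AVC line is another permission to fold into the same rule, and keeping the rule restricted to `fail2ban_t` on `ptmx_t` is what makes this narrower than turning the domain permissive.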