Home / server / Questions / 620016
Accepted
miken32
Asked: 2014-08-13 18:48:15 +0800 CST

SELinux problems running Expect script from fail2ban

  • 772

I have an Expect script that works fine if I run it manually, but fails when run as an action from Fail2ban. The error message is as follows:

spawn /usr/bin/telnet 192.168.242.1
The system has no more ptys.  Ask your system administrator to create more.
    while executing
"spawn /usr/bin/telnet $hostname"

With the corresponding message in audit.log:

type=AVC msg=audit(1407894085.867:54862): avc:  denied  { read write } for  pid=14748 comm="ciscoacl.exp" name="ptmx" dev=devtmpfs ino=5288 scontext=unconfined_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:ptmx_t:s0 tclass=chr_file

The script is running as root (confirmed by running whoami from the script) so I expected not to have any issues. What, if anything, can I do to fix this? (No, I don't want to disable SELinux!)

I don't think the script itself makes a difference here, but I can post it if needed.

selinux

1 Answers

  1. Best Answer

    You will have to make a custom policy with audit2allow to allow fail2ban to read write to chr_file. Probably it will look like this:

    require {
        type ptmx_t;
        type fail2ban_t;
        class chr_file { read write };
}

#============= fail2ban_t ==============
allow fail2ban_t ptmx_t:chr_file { read write };

    Are you sure there are no more denies?

    • 1