Discussion:
networking - fail2ban will not start on some installs (x64)
Cristian Sava
2013-07-09 06:48:15 UTC
On installs where the iface reported by the "route" command is not the same as the
ifcfg-iface (pxpy instead of enpxsy or ethx) fail2ban will not start.
Does not matter if biosdevname=0 or net.ifnames=0 on the kernel line.
Tested this on real hardware and on VirtualBox too.
fail2ban-client[2804]: ERROR Directory /var/run/fail2ban exists but not accessible for writing

Fail2ban is ok on any other install.

C. Sava
Cristian Sava
2013-07-09 06:51:27 UTC
Post by Cristian Sava
On installs where the iface reported by the "route" command is not the same as the
ifcfg-iface (pxpy instead of enpxsy or ethx) fail2ban will not start.
Does not matter if biosdevname=0 or net.ifnames=0 on the kernel line.
Tested this on real hardware and on VirtualBox too.
fail2ban-client[2804]: ERROR Directory /var/run/fail2ban exists but not accessible for writing
Fail2ban is ok on any other install.
I forgot to add that this is about F19 installs.

C.Sava
sguazt
2013-07-09 07:48:56 UTC
Post by Cristian Sava
Post by Cristian Sava
On installs where the iface reported by the "route" command is not the same as the
ifcfg-iface (pxpy instead of enpxsy or ethx) fail2ban will not start.
Does not matter if biosdevname=0 or net.ifnames=0 on the kernel line.
Tested this on real hardware and on VirtualBox too.
fail2ban-client[2804]: ERROR Directory /var/run/fail2ban exists but not accessible for writing
Fail2ban is ok on any other install.
I forgot to add that this is about F19 installs.
C.Sava
Hello,

Similar problem here on a F19 x86_64.

$ systemctl status fail2ban

fail2ban.service - Fail2ban Service
Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled)
Active: failed (Result: start-limit) since Tue 2013-07-09 08:59:40 CEST; 45min ago
Process: 1024 ExecStart=/usr/bin/fail2ban-client -x start (code=exited, status=255)

Jul 09 08:59:40 wildcat systemd[1]: fail2ban.service: control process exited, code=exited status=255
Jul 09 08:59:40 wildcat systemd[1]: Failed to start Fail2ban Service.
Jul 09 08:59:40 wildcat systemd[1]: Unit fail2ban.service entered failed state.
Jul 09 08:59:40 wildcat systemd[1]: fail2ban.service holdoff time over, scheduling restart.
Jul 09 08:59:40 wildcat systemd[1]: Stopping Fail2ban Service...
Jul 09 08:59:40 wildcat systemd[1]: Starting Fail2ban Service...
Jul 09 08:59:40 wildcat systemd[1]: fail2ban.service start request repeated too quickly, refusing to start.
Jul 09 08:59:40 wildcat systemd[1]: Failed to start Fail2ban Service.
Jul 09 08:59:40 wildcat systemd[1]: Unit fail2ban.service entered failed state.

$ less /var/log/messages
Jul 9 08:59:39 localhost fail2ban-client[1024]: ERROR Directory /var/run/fail2ban exists but not accessible for writing
Jul 9 08:59:40 localhost systemd[1]: fail2ban.service: control process exited, code=exited status=255
Jul 9 08:59:40 localhost systemd[1]: Failed to start Fail2ban Service.
Jul 9 08:59:40 localhost systemd[1]: Unit fail2ban.service entered failed state.
...
Jul 9 08:59:40 localhost systemd[1]: fail2ban.service holdoff time over, scheduling restart.
Jul 9 08:59:40 localhost systemd[1]: Stopping Fail2ban Service...
Jul 9 08:59:40 localhost systemd[1]: Starting Fail2ban Service...
Jul 9 08:59:40 localhost systemd[1]: fail2ban.service start request repeated too quickly, refusing to start.
Jul 9 08:59:40 localhost systemd[1]: Failed to start Fail2ban Service.
Jul 9 08:59:40 localhost systemd[1]: Unit fail2ban.service entered failed state.


-- Marco
Ed Greshko
2013-07-09 08:56:23 UTC
Post by sguazt
Hello,
Similar problem here on a F19 x86_64.
$ systemctl status fail2ban
fail2ban.service - Fail2ban Service
Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; enabled)
Active: failed (Result: start-limit) since Tue 2013-07-09 08:59:40 CEST; 45min ago
Process: 1024 ExecStart=/usr/bin/fail2ban-client -x start (code=exited, status=255)
Jul 09 08:59:40 wildcat systemd[1]: fail2ban.service: control process exited, code=exited status=255
Jul 09 08:59:40 wildcat systemd[1]: Failed to start Fail2ban Service.
Jul 09 08:59:40 wildcat systemd[1]: Unit fail2ban.service entered failed state.
Jul 09 08:59:40 wildcat systemd[1]: fail2ban.service holdoff time over, scheduling restart.
Jul 09 08:59:40 wildcat systemd[1]: Stopping Fail2ban Service...
Jul 09 08:59:40 wildcat systemd[1]: Starting Fail2ban Service...
Jul 09 08:59:40 wildcat systemd[1]: fail2ban.service start request repeated too quickly, refusing to start.
Jul 09 08:59:40 wildcat systemd[1]: Failed to start Fail2ban Service.
Jul 09 08:59:40 wildcat systemd[1]: Unit fail2ban.service entered failed state.
$ less /var/log/messages
Jul 9 08:59:39 localhost fail2ban-client[1024]: ERROR Directory /var/run/fail2ban exists but not accessible for writing
Jul 9 08:59:40 localhost systemd[1]: fail2ban.service: control process exited, code=exited status=255
Jul 9 08:59:40 localhost systemd[1]: Failed to start Fail2ban Service.
Jul 9 08:59:40 localhost systemd[1]: Unit fail2ban.service entered failed state.
...
Jul 9 08:59:40 localhost systemd[1]: fail2ban.service holdoff time over, scheduling restart.
Jul 9 08:59:40 localhost systemd[1]: Stopping Fail2ban Service...
Jul 9 08:59:40 localhost systemd[1]: Starting Fail2ban Service...
Jul 9 08:59:40 localhost systemd[1]: fail2ban.service start request repeated too quickly, refusing to start.
Jul 9 08:59:40 localhost systemd[1]: Failed to start Fail2ban Service.
Jul 9 08:59:40 localhost systemd[1]: Unit fail2ban.service entered failed state.
Have you checked /var/log/audit/audit.log for AVC (selinux) entries?
--
The only thing worse than a poorly asked question is a cryptic answer.
sguazt
2013-07-09 09:21:39 UTC
Post by Ed Greshko
Have you checked /var/log/audit/audit.log for AVC (selinux) entries?
Yes.

No AVC entry.
The only entries I found are:
type=SERVICE_START msg=audit(1373353179.495:389): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="fail2ban" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
type=SERVICE_START msg=audit(1373353179.595:390): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="fail2ban" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_STOP msg=audit(1373353179.595:391): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="fail2ban" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1373353180.002:393): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="fail2ban" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
type=SERVICE_START msg=audit(1373353180.102:406): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="fail2ban" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_STOP msg=audit(1373353180.102:407): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="fail2ban" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'

-- Marco
Cristian Sava
2013-07-09 10:19:06 UTC
Post by Ed Greshko
Have you checked /var/log/audit/audit.log for AVC (selinux) entries?
No AVC messages; not a selinux-related bug. It is a networking subsystem problem.

C. Sava
Ed Greshko
2013-07-09 10:52:04 UTC
Post by Cristian Sava
Post by Ed Greshko
Have you checked /var/log/audit/audit.log for AVC (selinux) entries?
No AVC messages; not a selinux-related bug. It is a networking subsystem problem.
Well, I find one thing interesting.....

Notice the error message....

fail2ban-client[2804]: ERROR Directory /var/run/fail2ban exists but not accessible for writing

But, if you execute the command in the service file from the command line....

[root@f18x log]# /usr/bin/fail2ban-client -x start
2013-07-09 18:46:10,558 fail2ban.server : INFO Starting Fail2ban v0.8.10
2013-07-09 18:46:10,559 fail2ban.server : INFO Starting in daemon mode

and....

[root@f18x fail2ban]# pwd
/var/run/fail2ban
[root@f18x fail2ban]# ls
fail2ban.pid fail2ban.sock

And if you put selinux in permissive mode....

[root@f18x fail2ban]# pwd
/var/run/fail2ban
[root@f18x fail2ban]# ls
[root@f18x fail2ban]# setenforce 0
[root@f18x fail2ban]# systemctl start fail2ban
[root@f18x fail2ban]# ls
fail2ban.pid fail2ban.sock

So it is running with selinux placed in permissive mode.....
--
The only thing worse than a poorly asked question is a cryptic answer.
Cristian Sava
2013-07-09 12:16:02 UTC
Post by Ed Greshko
Well, I find one thing interesting.....
Notice the error message....
fail2ban-client[2804]: ERROR Directory /var/run/fail2ban exists but not accessible for writing
But, if you execute the command in the service file from the command line....
[root@f18x log]# /usr/bin/fail2ban-client -x start
2013-07-09 18:46:10,558 fail2ban.server : INFO Starting Fail2ban v0.8.10
2013-07-09 18:46:10,559 fail2ban.server : INFO Starting in daemon mode
and....
[root@f18x fail2ban]# pwd
/var/run/fail2ban
[root@f18x fail2ban]# ls
fail2ban.pid fail2ban.sock
And if you put selinux in permissive mode....
[root@f18x fail2ban]# pwd
/var/run/fail2ban
[root@f18x fail2ban]# ls
[root@f18x fail2ban]# setenforce 0
[root@f18x fail2ban]# systemctl start fail2ban
[root@f18x fail2ban]# ls
fail2ban.pid fail2ban.sock
So it is running with selinux placed in permissive mode.....
Yes, you're right. Thank you for the fix.
Why is selinux not complaining with an AVC?

C. Sava
Ed Greshko
2013-07-09 12:24:46 UTC
Post by Cristian Sava
Yes, you're right. Thank you for the fix.
Why is selinux not complaining with an AVC?
I do not know the answer to that. I'll see if I can figure it out, and if not file a bugzilla.

Welcome.

Ed
--
The only thing worse than a poorly asked question is a cryptic answer.
Daniel J Walsh
2013-07-09 13:51:27 UTC
Post by Ed Greshko
Yes, you're right. Thank you for the fix. Why is selinux not complaining
with an AVC?
I do not know the answer to that. I'll see if I can figure it out, and if
not file a bugzilla.
Welcome.
Ed
Probably a dontaudit message.

Does

restorecon -R -v /var/run/fail2ban

Change the label?
Ed Greshko
2013-07-09 14:00:31 UTC
Post by Daniel J Walsh
Post by Ed Greshko
Yes, you're right. Thank you for the fix. Why is selinux not complaining
with an AVC?
I do not know the answer to that. I'll see if I can figure it out, and if
not file a bugzilla.
Welcome.
Ed
Probably a dontaudit message.
Does
restorecon -R -v /var/run/fail2ban
Change the label?
No.

I just did a semodule -DB to get the AVC's (reminded by folks on the selinux list) and created/installed the resulting module, and it seems to have fixed it.

Heading over to bugzilla now.
--
The only thing worse than a poorly asked question is a cryptic answer.

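The signature Marco's audit.log showed, failed SERVICE_START records for fail2ban with no AVC anywhere near them, is exactly what a dontaudit rule leaves behind. As an added example that is not from this thread, the fail2ban project or the Fedora policy, here is a small Python parser that flags that "failed start, nothing denied on record" pattern; the sample records are constructed from the ones quoted above, and the AVC line in the second sample (and its security contexts) is constructed to stand in for what appears only after semodule -DB.

```python
import re

# Constructed sample modelled on the records quoted earlier in this thread:
# two failed fail2ban SERVICE_STARTs and not a single AVC record among them.
SAMPLE_BEFORE = """\
type=SERVICE_START msg=audit(1373353179.495:389): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="fail2ban" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
type=SERVICE_START msg=audit(1373353179.595:390): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="fail2ban" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_STOP msg=audit(1373353179.595:391): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="fail2ban" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_START msg=audit(1373353180.002:393): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="fail2ban" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
"""

# Constructed AVC of the kind that only shows up once dontaudit rules are turned off
# (semodule -DB); the contexts are illustrative, not taken from the thread or the bug.
SAMPLE_AVC = (
    'type=AVC msg=audit(1373353200.000:410): avc:  denied  { write } for  pid=2804 '
    'comm="fail2ban-client" name="fail2ban" dev="tmpfs" ino=1 '
    'scontext=system_u:system_r:fail2ban_client_t:s0 tcontext=system_u:object_r:fail2ban_var_run_t:s0 tclass=dir\n'
)

RECORD_RE = re.compile(r'^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):')
COMM_RE = re.compile(r'comm="(?P<comm>[^"]*)"')
RES_RE = re.compile(r'\bres=(?P<res>\w+)')


def parse_audit_records(text):
    """Parse audit.log lines into dicts with type, serial, comm and res."""
    records = []
    for line in text.splitlines():
        head = RECORD_RE.match(line)
        if not head:  # blank line, wrapped continuation or junk: not a record
            continue
        comm = COMM_RE.search(line)
        res = RES_RE.search(line)
        records.append({"type": head.group("type"), "serial": int(head.group("serial")),
                        "comm": comm.group("comm") if comm else "",
                        "res": res.group("res") if res else ""})
    return records


def diagnose_service(records, unit):
    """'silent' = failed starts with zero AVCs (the fingerprint of a dontaudit'd denial);
    'avc' = the denial is on record, so restorecon/audit2allow have something to work with."""
    failed = [r for r in records if r["type"] == "SERVICE_START" and r["comm"] == unit and r["res"] == "failed"]
    avcs = [r for r in records if r["type"] == "AVC" and r["comm"].startswith(unit)]
    if failed and not avcs:
        verdict = "silent"
    elif failed:
        verdict = "avc"
    else:
        verdict = "ok"
    return {"failed_starts": len(failed), "avcs": len(avcs), "verdict": verdict}
```

On a real host, feed it /var/log/audit/audit.log; a "silent" verdict is the cue to run semodule -DB, reproduce the start failure, and parse again (semodule -B afterwards puts the dontaudit rules back).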
Ed Greshko
2013-07-09 14:07:19 UTC
Post by Ed Greshko
Heading over to bugzilla now.
This appears to be https://bugzilla.redhat.com/show_bug.cgi?id=975695 ....

The same error message noted in this thread is in the bugzilla.

I think there is no need to create a new one.
--
The only thing worse than a poorly asked question is a cryptic answer.

Ed Greshko
2013-07-09 23:47:22 UTC
Post by Cristian Sava
Yes, you're right. Thank you for the fix.
Why is selinux not complaining with an AVC?
Problem is now fixed in selinux-policy-3.12.1-62.fc19.

http://koji.fedoraproject.org/koji/buildinfo?buildID=432416

To get the early download.
--
The only thing worse than a poorly asked question is a cryptic answer.