
I have msmtp as a null client connecting to my AWS SES account for SMTP, delivering alerts such as cron, monit and soon hopefully Fail2Ban to my email addresses. However, Fail2Ban isn't playing ball, or to be more precise, SELinux is preventing things from happening.

action_mwl works just fine in Permissive mode. I get ban e-mails. In Enforcing mode, Fail2Ban logs an error and no mail gets sent. An attempt is made for it to be sent, according to msmtp log, but it's not going.

Here is such a (part of a) Fail2Ban log entry:

2015-09-29 12:25:12,543 fail2ban.actions        [31113]: ERROR   Failed to execute ban jail 'wordpress' action 'sendmail-whois-lines' info 'CallingMap({'ipjailmatches': <function <lambda> at 0x2c5ac08>, 'matches': u'

msmtp reports:

Sep 29 12:25:12 host=email-smtp.eu-west-1.amazonaws.com tls=on auth=on user=12345 from=me@myserver.com recipients=my.name@gmail.com errormsg='cannot connect to email-smtp.eu-west-1.amazonaws.com, port 587: Permission denied' exitcode=EX_TEMPFAIL

It's not an msmtp config issue nor an email body content issue as I can send that exact Fail2Ban message from the command line piping to msmtp (directly, or via sendmail symlink) just fine and it sends beautifully. Credentials etc. hence are fine. Also works via cron. Which means it's not a firewall issue either.

$ sudo ls -lZ /usr/bin/msmtp
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       /usr/bin/msmtp

$ sudo ls -lZ /usr/bin/sendmail
lrwxrwxrwx. root root unconfined_u:object_r:bin_t:s0   /usr/bin/sendmail -> /usr/bin/msmtp

In jail.conf:

mta = sendmail

sealert doesn't give me any hints I can recognise or action.

I have confirmed fail2ban runs as root:

$ ps aux | grep fail2ban

I added some additional logging and now get this in /var/log/messages

Sep 29 16:11:15 ip-172-31-6-51 setroubleshoot: SELinux is preventing /usr/bin/msmtp from name_connect access on the tcp_socket port 587. For complete SELinux messages. run sealert -l 78f05dbd-a953-4196-9f14-afaabb5a4d88
Sep 29 16:11:15 ip-172-31-6-51 python: SELinux is preventing /usr/bin/msmtp from name_connect access on the tcp_socket port 587.

Where to look next? How can I tell SELinux Fail2Ban is allowed to play nicely with msmtp?

JayMcTee
  • Those contexts look wrong. I'd relabel the filesystem and reboot. – Michael Hampton Sep 29 '15 at 13:47
  • Or, next you could do what the log message advised you to do. – Michael Hampton Sep 29 '15 at 14:20
  • Thanks for commenting. Updating the sendmail label didn't make a change, I had to find the -h flag in order to update that symlink. I'm guessing that's the file you feel looks wrong. Regarding what the log message advised to do, this doesn't seem permanent, or is it? – JayMcTee Sep 29 '15 at 14:31

1 Answer


After adding more verbose logging, I got sufficient hints from the system (and @Michael Hampton) to figure this out.

yum install setroubleshoot setools

This yields a lot more info in /var/log/messages and offers tools like:

sealert -a /var/log/audit/audit.log

Also:

ausearch -m avc

These will give you instructions like:

Sep 29 16:11:15 ip-172-31-6-51 setroubleshoot: SELinux is preventing /usr/bin/msmtp from name_connect access on the tcp_socket port 587. For complete SELinux messages. run sealert -l 78f05dbd-a953-4196-9f14-afaabb5a4d88

Running the suggested command:

sealert -l 78f05dbd-a953-4196-9f14-afaabb5a4d88

Gives me:

If you believe that msmtp should be allowed name_connect access on the port 587 tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep msmtp /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

So I did:

$ grep msmtp /var/log/audit/audit.log | audit2allow -M fail2ban_msmtp

I had a look to see what it created:

$ vim fail2ban_msmtp.te

And then installed the policy, making it persistent upon reboot:

$ semodule -i fail2ban_msmtp.pp

I then banned a random IP to trigger a banaction with email to confirm it now finally shoots me the desired email via msmtp:

$ fail2ban-client set sshd banip 162.229.158.134

Presto! So easy, this SELinux stuff.

PS Another way seems to be (not tested):

$ setsebool -P nis_enabled 1

JayMcTee
  • Are you sure that the _only_ thing sealert advised you to do is to create a local policy module? You should have seen more appropriate advice above that. – Michael Hampton Sep 30 '15 at 00:05
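The answer pipes every msmtp line from audit.log into audit2allow and installs whatever comes out. The helper below is an added example, not part of the original answer: it reduces an AVC record to the rule shape audit2allow will generate (source type, target type, class, permissions) so you can confirm the module only grants what the denial actually needs before running semodule -i. The AVC line is constructed, and the fail2ban_t and smtp_port_t type names are assumptions about what the real denial would show.

```shell
#!/bin/sh
# Added example: summarise an SELinux AVC denial before feeding it to audit2allow.
# SAMPLE_AVC is a constructed record; fail2ban_t / smtp_port_t are assumed type names.
SAMPLE_AVC='type=AVC msg=audit(1443539475.123:456): avc:  denied  { name_connect } for  pid=31120 comm="msmtp" dest=587 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket permissive=0'

# Extract one key=value field (e.g. scontext, tcontext, tclass, dest) from an AVC record.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# Extract the permission set listed inside "{ ... }".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ \([^}]*\) }.*/\1/p'
}

# Reduce a full context (user:role:type:level) to its type component.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Print "source_type target_type class perms": the allow rule audit2allow would emit.
avc_summary() {
    line=$1
    printf '%s %s %s %s\n' \
        "$(ctx_type "$(avc_field "$line" scontext)")" \
        "$(ctx_type "$(avc_field "$line" tcontext)")" \
        "$(avc_field "$line" tclass)" \
        "$(avc_perms "$line")"
}

# Succeed only for the one denial this fix is meant to cover: the fail2ban domain
# connecting to a port labelled as SMTP. Any other source domain, port type or
# permission (e.g. an unreserved port, or more than name_connect) needs a manual look
# rather than a blanket module.
avc_is_expected() {
    [ "$(avc_summary "$1")" = "fail2ban_t smtp_port_t tcp_socket name_connect" ]
}

# On a live system you would feed real records instead of SAMPLE_AVC, for example:
#   ausearch -m avc -c msmtp --raw | while read -r l; do avc_summary "$l"; done
avc_summary "$SAMPLE_AVC"
```

If the summary shows anything other than the expected line, review the generated .te file by hand instead of installing it as-is.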