CentOS 7, Fail2ban and SELinux




Hi,

I'm running CentOS 7 on an Internet-facing server. SELinux is in permissive mode for debugging. I've removed FirewallD and replaced it with a custom-made Iptables script. I've also installed and configured Fail2ban (fail2ban-server package) to protect the server from brute-force attacks.

Out of the box, Fail2ban doesn't seem to play well with SELinux. Here's what I get.

$ sudo sealert -a /var/log/audit/audit.log
100% done
found 5 alerts in /var/log/audit/audit.log
------------------------------------------------------------
SELinux is preventing /usr/bin/python2.7 from read access on the file disable.

*****  Plugin catchall (100. confidence) suggests   *****

If you believe that python2.7 should be allowed read access on the disable file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'f2b/f.sshd' --raw | audit2allow -M my-f2bfsshd
# semodule -i my-f2bfsshd.pp
...

As far as I can tell - and please correct me if I'm wrong - if a package doesn't play well with SELinux in the default configuration, this should be considered as a bug. In that case, the appropriate reaction would be to file a bug on the EPEL mailing list, since EPEL provides the fail2ban-server package.

Other than that, the solution suggested by sealert seems to work.

$ sudo ausearch -c 'f2b/f.sshd' --raw | sudo audit2allow -M my-f2bfsshd
******************** IMPORTANT ***********************
To make this policy package active, execute:
semodule -i my-f2bfsshd.pp

$ sudo semodule -i my-f2bfsshd.pp
$ echo | sudo tee /var/log/audit/audit.log
$ sudo systemctl restart fail2ban
$ sudo sealert -a /var/log/audit/audit.log
100% done
found 0 alerts in /var/log/audit/audit.log

Any suggestions?

Niki

--
Microlinux - Sustainable IT solutions
7, place de l'église - 30730 Montpezat
Site : https://www.microlinux.fr
Mail : info@xxxxxxxxxxxxx
Tel. : 04 66 63 10 32
Mob. : 06 51 80 12 12
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
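The `ausearch -c 'f2b/f.sshd' --raw | audit2allow -M ...` pipeline in the post turns every AVC denial it is fed into an allow rule, so what ends up in the module depends entirely on which records are piped in. The following script is an added illustration (not code from the list, from Fail2ban or from the audit2allow tool): it parses raw AVC records in the same format `ausearch --raw` and `/var/log/audit/audit.log` use, filters by the `comm` field the way `ausearch -c` does, groups the denials by source type, target type and object class, and renders the allow rules that result, so they can be reviewed before anything is installed. The audit records, and the `fail2ban_t` / `var_run_t` labels in them, are constructed sample data, not output taken from the poster's server.

```python
"""Summarise SELinux AVC denials from raw audit records into candidate TE allow rules.

Added example: parses the 'type=AVC ...' record format that ausearch --raw
and audit.log use. Sample records below are constructed for illustration.
"""
import re
from collections import defaultdict

# Fields of a raw AVC record, in the order the kernel writes them:
#   avc: denied { perms } for pid=.. comm=".." ... scontext=.. tcontext=.. tclass=.. permissive=..
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}'
    r'.*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<scontext>\S+)'
    r'.*?tcontext=(?P<tcontext>\S+)'
    r'.*?tclass=(?P<tclass>\S+)'
    r'(?:.*?permissive=(?P<permissive>[01]))?'
)

# Constructed sample audit records (fake pids, inodes and labels).
SAMPLE_AUDIT_LOG = [
    'type=AVC msg=audit(1500000000.101:201): avc:  denied  { read } for  pid=1234 comm="f2b/f.sshd" '
    'name="disable" dev="tmpfs" ino=17 scontext=system_u:system_r:fail2ban_t:s0 '
    'tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1500000000.102:202): avc:  denied  { open } for  pid=1234 comm="f2b/f.sshd" '
    'path="/run/disable" dev="tmpfs" ino=17 scontext=system_u:system_r:fail2ban_t:s0 '
    'tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1',
    # An unrelated denial from another daemon: it must not leak into a fail2ban module.
    'type=AVC msg=audit(1500000000.103:203): avc:  denied  { write } for  pid=2222 comm="httpd" '
    'name="index.html" dev="sda1" ino=99 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=1',
    # Non-AVC records (SYSCALL, PATH, ...) are skipped by the parser.
    'type=SYSCALL msg=audit(1500000000.101:201): arch=c000003e syscall=2 success=yes exit=5',
]


def parse_avc(line):
    """Return the relevant fields of one AVC record, or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    d = m.groupdict()
    return {
        'verdict': d['verdict'],
        'perms': frozenset(d['perms'].split()),
        'comm': d['comm'],
        # user:role:type:level -> the type is what TE rules are written against
        'source_type': d['scontext'].split(':')[2],
        'target_type': d['tcontext'].split(':')[2],
        'tclass': d['tclass'],
        # permissive=1 means the access was logged but not blocked
        'permissive': d['permissive'] == '1',
    }


def summarize(lines, comm=None):
    """Group denials by (source type, target type, class); `comm` mirrors ausearch -c."""
    rules = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec['verdict'] != 'denied':
            continue
        if comm is not None and rec['comm'] != comm:
            continue
        rules[(rec['source_type'], rec['target_type'], rec['tclass'])] |= rec['perms']
    return dict(rules)


def te_rules(rules):
    """Render the grouped denials in .te allow-rule syntax (an approximation of audit2allow output)."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        plist = sorted(perms)
        perm_str = plist[0] if len(plist) == 1 else '{ ' + ' '.join(plist) + ' }'
        out.append(f'allow {src} {tgt}:{cls} {perm_str};')
    return out


if __name__ == '__main__':
    print('# all denials in the sample log:')
    for rule in te_rules(summarize(SAMPLE_AUDIT_LOG)):
        print(rule)
    print('# only comm="f2b/f.sshd" (what ausearch -c would pass on):')
    for rule in te_rules(summarize(SAMPLE_AUDIT_LOG, comm='f2b/f.sshd')):
        print(rule)
```

Running it on the sample shows the effect of the `-c` filter: without it the `httpd_t` denial would be folded into the same module. On a real host the same check is done by reading the `.te` file that `audit2allow -M` writes next to the `.pp` before running `semodule -i`, and by confirming afterwards with `semodule -l` that only the intended module was added.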



