> On Feb 13, 2020, at 9:01 AM, Jonathan Billings <billings@xxxxxxxxxx> wrote:
>
> On Thu, Feb 13, 2020 at 08:42:29AM +0100, Nicolas Kovacs wrote:
>> I'm running CentOS 7 on an Internet-facing server. SELinux is in permissive
>> mode for debugging. I've removed FirewallD and replaced it with a
>> custom-made Iptables script. I've also installed and configured Fail2ban
>> (fail2ban-server package) to protect the server from brute force attacks.
>> [...]
>> As far as I can tell - and please correct me if I'm wrong - if a package
>> doesn't play well with SELinux in the default configuration, this should be
>> considered as a bug. In that case, the appropriate reaction would be to file
>> a bug on the EPEL mailing list, since EPEL provides the fail2ban-server
>> package.
>
> In your case, you are not using fail2ban in any sort of default
> configuration. Firewalld is the default firewall management in CentOS
> 7. fail2ban was set up to use firewalld, and in fact, is much more
> efficient than using iptables since the fail2ban-firewalld package
> uses ipsets instead of individual iptables rules.
>
>> SELinux is preventing /usr/bin/python2.7 from read access on the file disable.
>
> You mention the file 'disable' but I'm not aware of a file called
> 'disable' in the fail2ban-server package. What file is it trying to
> read from? Perhaps you've put a file someplace that has a label that
> makes sense for fail2ban to not be able to read from?
This bug (CLOSED WONTFIX) appears to be relevant:
https://bugzilla.redhat.com/show_bug.cgi?id=1777562
The 'disable' file is /sys/module/ipv6/parameters/disable.
Bez Thomas
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
