Hi! Am 09.04.20 um 10:07 schrieb Rob Kampen: [...] > I too had fail2ban fail after an otherwise successful yum update. Mine occurred in Feb when my versions of firewalld etc were updated to the versions you show. Thus far I have not had the opportunity to sort the problem. Lockdown has been quite busy so far, hopefully some slower times coming next week. Yeah, those pesky real-life biological virus keeps all of us busy just like the virtual ones... ;-) (Just yesterday I found the following article mentioned on Slashdot: https://www.bloomberg.com/news/articles/2020-04-08/are-you-finally-thankful-for-your-it-person-now Made me smile... :-) Anyway, I digged into the fail2ban problem today and it looks like something changed regarding selinux and fail2ban. After several iterations with fail2ban restart, ausearch and audit2allow like this: ausearch -c 'f2b/server' --raw | audit2allow -M f2b-addon I came up with a SELinux module like that: module f2b-addon 1.0; require { type sysctl_net_t; type sysfs_t; type fail2ban_t; class file { getattr open read }; class dir search; } #============= fail2ban_t ============== #!!!! This avc is allowed in the current policy allow fail2ban_t sysctl_net_t:dir search; #!!!! This avc is allowed in the current policy allow fail2ban_t sysctl_net_t:file { getattr open read }; #!!!! This avc is allowed in the current policy allow fail2ban_t sysfs_t:file { getattr open read }; When I load this new module I can restart fail2ban and it finally is able to create a working ipset: [root@camus ~]# ipset list Name: f2b-apache Type: hash:ip Revision: 4 Header: family inet hashsize 1024 maxelem 65536 timeout 10800 Size in memory: 408 References: 1 Number of entries: 3 Members: 223.167.32.161 timeout 10149 93.174.93.143 timeout 10149 5.164.24.192 timeout 10149 I'm neither a fail2ban nor a SELinux expert, but it seems the standard fail2ban SELinux policy as provided by CentOS 7 is not sufficient anymore and the recent updates did not correctly update the required SELinux policies. I could report this as bug, but where does such a bugreport belong to in the first place? - andreas -- Andreas Haumer | mailto:andreas@xxxxxxxxx *x Software + Systeme | http://www.xss.co.at/ Karmarschgasse 51/2/20 | Tel: +43-1-6060114-0 A-1100 Vienna, Austria | Fax: +43-1-6060114-71
Attachment:
signature.asc
Description: OpenPGP digital signature
_______________________________________________ CentOS mailing list CentOS@xxxxxxxxxx https://lists.centos.org/mailman/listinfo/centos
