Re: fail2ban firewalld problems with current CentOS 7

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]



Hi!

Am 09.04.20 um 10:07 schrieb Rob Kampen:
[...]
> I too had fail2ban fail after an otherwise successful yum update. Mine occurred in Feb when my versions of firewalld etc were updated to the versions you show. Thus far I have not had the opportunity to sort the problem. Lockdown has been quite busy so far, hopefully some slower times coming next week.

Yeah, those pesky real-life biological virus keeps all of us busy just like the virtual ones... ;-)

(Just yesterday I found the following article mentioned on Slashdot:
https://www.bloomberg.com/news/articles/2020-04-08/are-you-finally-thankful-for-your-it-person-now

Made me smile... :-)

Anyway, I digged into the fail2ban problem today and it looks like something
changed regarding selinux and fail2ban.

After several iterations with fail2ban restart, ausearch and audit2allow like this:

ausearch -c 'f2b/server' --raw | audit2allow -M f2b-addon

I came up with a SELinux module like that:

module f2b-addon 1.0;

require {
        type sysctl_net_t;
        type sysfs_t;
        type fail2ban_t;
        class file { getattr open read };
        class dir search;
}

#============= fail2ban_t ==============

#!!!! This avc is allowed in the current policy
allow fail2ban_t sysctl_net_t:dir search;

#!!!! This avc is allowed in the current policy
allow fail2ban_t sysctl_net_t:file { getattr open read };

#!!!! This avc is allowed in the current policy
allow fail2ban_t sysfs_t:file { getattr open read };


When I load this new module I can restart fail2ban and
it finally is able to create a working ipset:

[root@camus ~]# ipset list
Name: f2b-apache
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 timeout 10800
Size in memory: 408
References: 1
Number of entries: 3
Members:
223.167.32.161 timeout 10149
93.174.93.143 timeout 10149
5.164.24.192 timeout 10149


I'm neither a fail2ban nor a SELinux expert, but it seems the
standard fail2ban SELinux policy as provided by CentOS 7 is not
sufficient anymore and the recent updates did not correctly
update the required SELinux policies.

I could report this as bug, but where does such a bugreport belong to
in the first place?

- andreas

-- 
Andreas Haumer                     | mailto:andreas@xxxxxxxxx
*x Software + Systeme              | http://www.xss.co.at/
Karmarschgasse 51/2/20             | Tel: +43-1-6060114-0
A-1100 Vienna, Austria             | Fax: +43-1-6060114-71

Attachment: signature.asc
Description: OpenPGP digital signature

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos

[Index of Archives]     [CentOS]     [CentOS Announce]     [CentOS Development]     [CentOS ARM Devel]     [CentOS Docs]     [CentOS Virtualization]     [Carrier Grade Linux]     [Linux Media]     [Asterisk]     [DCCP]     [Netdev]     [Xorg]     [Linux USB]


  Powered by Linux