On 17/04/20 10:55 pm, Leon Fauster via CentOS wrote:
Am 17.04.20 um 02:59 schrieb Rob Kampen:
On 13/04/20 1:30 pm, Orion Poplawski wrote:
On 4/9/20 6:31 AM, Andreas Haumer wrote:
...
I'm neither a fail2ban nor a SELinux expert, but it seems the
standard fail2ban SELinux policy as provided by CentOS 7 is not
sufficient anymore and the recent updates did not correctly
update the required SELinux policies.
I could report this as a bug, but where does such a bug report belong
in the first place?
- andreas
See https://bugzilla.redhat.com/show_bug.cgi?id=1777562
We're a bit stalled at the moment I'm afraid
Finally had some time to look into this. Happy to say fail2ban now
appears to be working.
1. I found that reading the CentOS web site about SElinux was helpful
and this led me to issue the following:
semanage permissive -a fail2ban_t
this places just fail2ban requests (got the context from the scontext
part of the SElinux error message) into permissive mode rather than
the entire OS.
2. Then a look into the SElinux troubleshooter gave me the errors
that were occurring and following the suggested instructions I
created a my-f2bfsshd.pp & my-f2bfsshd.te
3. restarted fail2ban via systemctl restart fail2ban.service
4. monitored via fail2ban-client status <filter_name> and now get
Status for the jail: sshd
|- Filter
|  |- Currently failed: 0
|  |- Total failed: 109
|  `- Journal matches: _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned: 3
   |- Total banned: 6
   `- Banned IP list: 27.78.14.83 116.105.216.179 139.99.71.227
5. set fail2ban back into enforcing with
semanage permissive -d fail2ban_t
All solved for me.
I have now done this on a second machine and it too seems to be
functioning again.
Great that there is a solution.
I am just curious; what does your my-f2bfsshd.te look like?
module my-f2bfsshd 1.0;

require {
	type proc_net_t;
	type sysctl_net_t;
	type sysfs_t;
	type fail2ban_t;
	class dir search;
	class file { getattr open read };
}

#============= fail2ban_t ==============
# Let fail2ban_t read network state under /proc/net, /proc/sys/net and /sys
allow fail2ban_t proc_net_t:file read;
allow fail2ban_t sysctl_net_t:dir search;
allow fail2ban_t sysctl_net_t:file { getattr open read };
allow fail2ban_t sysfs_t:file { getattr open read };
--
Leon
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
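An added example, not from the thread, showing how a module like my-f2bfsshd.te is derived from the AVC denials collected while only fail2ban_t is permissive (step 1 above): a minimal stand-in for audit2allow that merges the denials for one domain into a .te file. The audit.log records below are constructed to reproduce the thread's rules; the field parsing assumes the standard auditd AVC layout.

```python
import re
from collections import defaultdict

# Constructed sample audit.log records (not from the thread). permissive=1 marks
# denials logged while fail2ban_t was permissive, so every access is seen in one pass.
SAMPLE_AVC = """\
type=AVC msg=audit(1586430000.101:301): avc:  denied  { read } for  pid=1201 comm="fail2ban-server" name="dev" dev="proc" ino=4026531962 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=1
type=AVC msg=audit(1586430000.102:302): avc:  denied  { search } for  pid=1201 comm="fail2ban-server" name="net" dev="proc" ino=7541 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1586430000.103:303): avc:  denied  { getattr open read } for  pid=1201 comm="fail2ban-server" path="/proc/sys/net/ipv4/ip_forward" dev="proc" ino=7542 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1
type=AVC msg=audit(1586430000.104:304): avc:  denied  { open } for  pid=1201 comm="fail2ban-server" path="/sys/class/net/eth0/operstate" dev="sysfs" ino=9001 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1586430000.105:305): avc:  denied  { getattr read } for  pid=1201 comm="fail2ban-server" path="/sys/class/net/eth0/operstate" dev="sysfs" ino=9001 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1586430000.106:306): avc:  denied  { read } for  pid=999 comm="httpd" path="/var/log/messages" dev="dm-0" ino=42 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
"""

def parse_avc(line):
    """Return (source domain, target type, class, permissions) for one AVC record."""
    m = re.search(r"denied\s+\{ ([^}]+)\}", line)
    if not m:
        return None
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
    sdom = fields["scontext"].split(":")[2]   # system_u:system_r:fail2ban_t:s0
    ttype = fields["tcontext"].split(":")[2]  # system_u:object_r:proc_net_t:s0
    return sdom, ttype, fields["tclass"], set(m.group(1).split())

def fmt_perms(perms):
    p = sorted(perms)
    return p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"

def build_module(lines, domain, name, version="1.0"):
    """Merge denials for one domain into a .te policy module (audit2allow-style)."""
    rules, classes = defaultdict(set), defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed is None or parsed[0] != domain:
            continue  # skip non-AVC lines and other domains' denials
        _, ttype, tclass, perms = parsed
        rules[(ttype, tclass)] |= perms
        classes[tclass] |= perms
    out = [f"module {name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in sorted({t for t, _ in rules} | {domain})]
    out += [f"\tclass {c} {fmt_perms(p)};" for c, p in sorted(classes.items())]
    out += ["}", "", f"#============= {domain} =============="]
    out += [f"allow {domain} {t}:{c} {fmt_perms(p)};" for (t, c), p in sorted(rules.items())]
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    # Compile and load with: checkmodule -M -m -o my-f2bfsshd.mod my-f2bfsshd.te
    #   semodule_package -o my-f2bfsshd.pp -m my-f2bfsshd.mod; semodule -i my-f2bfsshd.pp
    print(build_module(SAMPLE_AVC.splitlines(), "fail2ban_t", "my-f2bfsshd"), end="")
```

Review the generated allow rules before loading them: every rule should make sense for what the daemon legitimately does, which is why the httpd_t record is filtered out rather than silently folded in.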