Re: SELinux help


 



On 6/26/22 07:54, Richard Shaw wrote:
> On Sat, Jun 25, 2022 at 6:13 PM Samuel Sieb <samuel@xxxxxxxx> wrote:
>
>> On 6/25/22 06:59, Richard Shaw wrote:
>>> Fail2ban works fine in F35 but now has an SELinux problem in F36[1]...
>>>
>>> While not a SELinux expert I can often reason things out but the
>>> "unconfined" stuff confuses me.
>>>
>>> type=AVC msg=audit(1655618425.791:3076): avc:  denied  { connectto } for
>>>   pid=1286608 comm="fail2ban-client" path="/run/fail2ban/fail2ban.sock"
>>> scontext=system_u:system_r:fail2ban_client_t:s0
>>> tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
>>> tclass=unix_stream_socket permissive=0
>>
>> What does "ls -lZ /run/fail2ban/fail2ban.sock" show?
>>
>> Does "restorecon -v /run/fail2ban/fail2ban.sock" do anything?
>
> This isn't my computer but the one from the BZ so can't say...
>
> It looks like what I need to do is take the audit2allow output from here:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=2100549#c4

That is a different issue that should have already been fixed.

From the changelog:
* Wed May 18 2022 Orion Poplawski <orion@xxxxxxxx> - 0.11.2-12
- Fix SELinux policy to allow watch on var_log_t (bz#2083923)

However, I don't understand why they're trying to access /var/run/log/journal. I do see that directory on my system, but it's empty and unowned.

From what I see in the selinux rules, your original issue here shouldn't be a problem either. Who is having that problem with the socket, it's not you?
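
The denial quoted in this message, decoded field by field, as an added example that is not part of the original thread or of any SELinux tool. The function names and the triage wording are this example's own, and it assumes contexts carry an MLS/MCS level, as they do in the record above.

```python
import re

# The AVC record quoted in the thread, joined onto one line.
AVC = ('type=AVC msg=audit(1655618425.791:3076): avc:  denied  { connectto } for '
       'pid=1286608 comm="fail2ban-client" path="/run/fail2ban/fail2ban.sock" '
       'scontext=system_u:system_r:fail2ban_client_t:s0 '
       'tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
       'tclass=unix_stream_socket permissive=0')

def split_context(ctx):
    """Split user:role:type:level; the level may itself contain ':'."""
    user, role, setype, level = ctx.split(":", 3)
    return {"user": user, "role": role, "type": setype, "level": level}

def parse_avc(line):
    """Return the fields of one AVC record as a dict, or None if it is not one."""
    m = re.search(r"avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)", line)
    if not line.startswith("type=AVC") or not m:
        return None
    rec = {"result": m.group(1), "perms": m.group(2).split()}
    # key=value pairs; values are either "quoted" or a bare token
    for key, quoted, bare in re.findall(r'(\w+)=(?:"([^"]*)"|(\S+))', m.group(3)):
        rec[key] = quoted or bare
    for key in ("scontext", "tcontext"):
        if key not in rec:
            return None
        rec[key] = split_context(rec[key])
    return rec

def triage(rec):
    """Reading notes for a denial (this example's interpretation)."""
    notes = []
    if rec.get("tclass") == "unix_stream_socket" and "connectto" in rec["perms"]:
        # For connectto the target is the peer socket's label, which by default
        # is the domain of the process that created it, not the file in path=.
        notes.append("tcontext is the listening process's domain, not the socket file label")
        if rec["tcontext"]["type"] == "unconfined_t":
            notes.append("listener runs as unconfined_t: check how the server was started")
    if rec.get("permissive") == "0":
        notes.append("enforcing: the connect was blocked")
    return notes
```

Because the target of `connectto` is a process domain, `ls -lZ` and `restorecon` on the socket path inspect a different label (the file's) from the one in `tcontext`.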