On Thu, 13 Feb 2020 at 02:42, Nicolas Kovacs <info@microlinux.fr> wrote:
Hi,
I'm running CentOS 7 on an Internet-facing server. SELinux is in permissive mode for debugging. I've removed FirewallD and replaced it with a custom-made Iptables script. I've also installed and configured Fail2ban (fail2ban-server package) to protect the server from brute force attacks.
Out of the box, Fail2ban doesn't seem to play well with SELinux. Here's what I get.
$ sudo sealert -a /var/log/audit/audit.log
100% done
found 5 alerts in /var/log/audit/audit.log

SELinux is preventing /usr/bin/python2.7 from read access on the file disable.

***** Plugin catchall (100. confidence) suggests *****

If you believe that python2.7 should be allowed read access on the disable file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'f2b/f.sshd' --raw | audit2allow -M my-f2bfsshd
# semodule -i my-f2bfsshd.pp
...
As far as I can tell - and please correct me if I'm wrong - if a package doesn't play well with SELinux in the default configuration, this should be considered as a bug. In that case, the appropriate reaction would be to file a bug on the EPEL mailing list, since EPEL provides the fail2ban-server package.
The appropriate action would be to file it as a bug in bugzilla.redhat.com. Posting it to the epel-devel mailing list would probably not get any fix as most packagers are not on it. (They are not on the fedora-devel list either.) Whether it gets fixed or not is going to be up to the packager. EPEL is a volunteer collection where we do not have much manpower to fix things unless the main Fedora packager is involved.
Other than that, the solution suggested by sealert seems to work.
$ sudo ausearch -c 'f2b/f.sshd' --raw | sudo audit2allow -M my-f2bfsshd
******************** IMPORTANT ***********************
To make this policy package active, execute:
semodule -i my-f2bfsshd.pp
$ sudo semodule -i my-f2bfsshd.pp
$ echo | sudo tee /var/log/audit/audit.log
$ sudo systemctl restart fail2ban
$ sudo sealert -a /var/log/audit/audit.log
100% done
found 0 alerts in /var/log/audit/audit.log
Any suggestions ?
Niki
--
Microlinux - Sustainable IT solutions
7, place de l'église - 30730 Montpezat
Web: https://www.microlinux.fr
Mail: info@microlinux.fr
Tel.: 04 66 63 10 32
Mob.: 06 51 80 12 12
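An added example, not part of the original thread: before installing a module built by audit2allow, it helps to see exactly which allow rules the logged denials for `f2b/f.sshd` translate into. The audit records below are constructed (the contexts, paths, pids and inode numbers are placeholders, and `denials_for` / `allow_rules` are hypothetical helper names); read the real source and target types from the server's own audit.log.

```python
import re
from collections import defaultdict

# Constructed sample records (not from the original post); contexts, paths,
# pids and inode numbers are illustrative placeholders.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1581558120.101:901): avc:  denied  { read } for  pid=2101 comm="f2b/f.sshd" name="disable" dev="sysfs" ino=1111 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1581558120.102:902): avc:  denied  { open } for  pid=2101 comm="f2b/f.sshd" path="/placeholder/disable" dev="sysfs" ino=1111 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1581558130.500:910): avc:  denied  { getattr } for  pid=3000 comm="httpd" path="/placeholder/file" dev="dm-0" ino=2222 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1581558120.101:901): arch=c000003e syscall=2 success=yes exit=5 comm="f2b/f.sshd"
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?\bcomm="(?P<comm>[^"]*)"'
    r'.*?\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)'
    r'\s+tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?'
)

def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    return context.split(":")[2]

def denials_for(log_text, comm):
    """Group denied permissions by (source type, target type, class) for one comm."""
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line) if line.startswith("type=AVC") else None
        if m and m.group("comm") == comm:
            key = (selinux_type(m.group("scontext")),
                   selinux_type(m.group("tcontext")), m.group("tclass"))
            grouped[key].update(m.group("perms").split())
    return dict(grouped)

def allow_rules(grouped):
    """Render the grouped denials as the allow rules a local module would carry."""
    rules = []
    for (src, tgt, cls), perms in sorted(grouped.items()):
        p = sorted(perms)
        perm_text = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_text};")
    return rules

if __name__ == "__main__":
    for rule in allow_rules(denials_for(SAMPLE_AUDIT_LOG, "f2b/f.sshd")):
        print(rule)
```

Comparing these rules with the `.te` file that `audit2allow -M` writes next to the `.pp` shows whether the module grants only the narrow access the denials describe before `semodule -i` makes it active.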