Hi!
On 09.04.20 at 10:07, Rob Kampen wrote: [...]
> I too had fail2ban fail after an otherwise successful yum update. Mine occurred in Feb when my versions of firewalld etc were updated to the versions you show. Thus far I have not had the opportunity to sort the problem. Lockdown has been quite busy so far, hopefully some slower times coming next week.
Yeah, those pesky real-life biological viruses keep all of us busy just like the virtual ones... ;-)
(Just yesterday I found the following article mentioned on Slashdot: https://www.bloomberg.com/news/articles/2020-04-08/are-you-finally-thankful-...
Made me smile... :-)
Anyway, I dug into the fail2ban problem today and it looks like something changed regarding SELinux and fail2ban.
After several iterations with fail2ban restart, ausearch and audit2allow like this:
ausearch -c 'f2b/server' --raw | audit2allow -M f2b-addon
I came up with a SELinux module like that:
module f2b-addon 1.0;

require {
    type sysctl_net_t;
    type sysfs_t;
    type fail2ban_t;
    class file { getattr open read };
    class dir search;
}

#============= fail2ban_t ==============

#!!!! This avc is allowed in the current policy
allow fail2ban_t sysctl_net_t:dir search;

#!!!! This avc is allowed in the current policy
allow fail2ban_t sysctl_net_t:file { getattr open read };

#!!!! This avc is allowed in the current policy
allow fail2ban_t sysfs_t:file { getattr open read };
When I load this new module I can restart fail2ban and it finally is able to create a working ipset:
[root@camus ~]# ipset list
Name: f2b-apache
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 timeout 10800
Size in memory: 408
References: 1
Number of entries: 3
Members:
223.167.32.161 timeout 10149
93.174.93.143 timeout 10149
5.164.24.192 timeout 10149
I'm neither a fail2ban nor a SELinux expert, but it seems the standard fail2ban SELinux policy as provided by CentOS 7 is not sufficient anymore and the recent updates did not correctly update the required SELinux policies.
I could report this as a bug, but where does such a bug report belong in the first place?
- andreas
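As an added example (not from Andreas's message, and not the code of fail2ban or audit2allow), here is a small Python script that does in miniature what the ausearch | audit2allow step above does: it reads raw AVC records, keeps only the denials logged for comm "f2b/server", and renders the resulting .te module so the rules can be reviewed before they are compiled and loaded. The audit lines are constructed to mirror the types in the f2b-addon module; the httpd record is noise that the comm filter is meant to drop.

```python
import re
from collections import defaultdict

# Constructed raw AVC records (not taken from the post); the f2b/server ones mirror the
# denials behind the f2b-addon module, the httpd one is noise that must be filtered out.
SAMPLE_AVC = """\
type=AVC msg=audit(1586427600.101:4201): avc:  denied  { search } for  pid=1234 comm="f2b/server" name="net" dev="proc" scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1586427600.102:4202): avc:  denied  { read } for  pid=1234 comm="f2b/server" name="ip_forward" dev="proc" scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=0
type=AVC msg=audit(1586427600.103:4203): avc:  denied  { open } for  pid=1234 comm="f2b/server" path="/proc/sys/net/ipv4/ip_forward" dev="proc" scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=0
type=AVC msg=audit(1586427600.104:4204): avc:  denied  { getattr } for  pid=1234 comm="f2b/server" path="/sys/module/ip_set/version" dev="sysfs" scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0
type=AVC msg=audit(1586427600.105:4205): avc:  denied  { write } for  pid=4321 comm="httpd" path="/var/www/html/x" dev="dm-0" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?comm="(?P<comm>[^"]+)"'
    r'.*?scontext=\w+:\w+:(?P<stype>\w+):\S+'
    r'.*?tcontext=\w+:\w+:(?P<ttype>\w+):\S+'
    r'.*?tclass=(?P<tclass>\w+)'
)


def collect_denials(raw, comm):
    """Group denied permissions by (source type, target type, class) for one comm only."""
    rules = defaultdict(set)
    for line in raw.splitlines():
        m = AVC_RE.search(line)
        if m and m.group("comm") == comm:
            key = (m.group("stype"), m.group("ttype"), m.group("tclass"))
            rules[key].update(m.group("perms").split())
    return dict(rules)


def render_te(rules, name="f2b-addon", version="1.0"):
    """Render a .te module body in the shape audit2allow -M produces, for review."""
    fmt = lambda perms: f"{{ {' '.join(perms)} }}" if len(perms) > 1 else perms[0]
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls].update(perms)
    out = [f"module {name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in sorted({s for s, _, _ in rules} | {t for _, t, _ in rules})]
    out += [f"\tclass {cls} {fmt(sorted(classes[cls]))};" for cls in sorted(classes)]
    out += ["}", ""]
    out += [f"allow {s} {t}:{cls} {fmt(sorted(p))};" for (s, t, cls), p in sorted(rules.items())]
    return "\n".join(out)


if __name__ == "__main__":
    print(render_te(collect_denials(SAMPLE_AVC, "f2b/server")))
```

On a real box the input would come from `ausearch -c 'f2b/server' --raw`, and the reviewed .te would still go through checkmodule/semodule_package (or simply audit2allow -M) before semodule -i.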