Hi,
I'm running CentOS 7 on an Internet-facing server. SELinux is in permissive mode for debugging. I've removed FirewallD and replaced it with a custom-made Iptables script. I've also installed and configured Fail2ban (fail2ban-server package) to protect the server from brute force attacks.
Out of the box, Fail2ban doesn't seem to play well with SELinux. Here's what I get.
$ sudo sealert -a /var/log/audit/audit.log 100% done found 5 alerts in /var/log/audit/audit.log ------------------------------------------------------------ SELinux is preventing /usr/bin/python2.7 from read access on the file disable.
***** Plugin catchall (100. confidence) suggests *****
If you believe that python2.7 should be allowed read access on the disable file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'f2b/f.sshd' --raw | audit2allow -M my-f2bfsshd # semodule -i my-f2bfsshd.pp ...
As far as I can tell - and please correct me if I'm wrong - if a package doesn't play well with SELinux in the default configuration, this should be considered as a bug. In that case, the appropriate reaction would be to file a bug on the EPEL mailing list, since EPEL provides the fail2ban-server package.
Other than that, the solution suggested by sealert seems to work.
$ sudo ausearch -c 'f2b/f.sshd' --raw | sudo audit2allow -M my-f2bfsshd ******************** IMPORTANT *********************** To make this policy package active, execute: semodule -i my-f2bfsshd.pp
$ sudo ausearch -c 'f2b/f.sshd' --raw | sudo audit2allow -M my-f2bfsshd ******************** IMPORTANT *********************** To make this policy package active, execute: semodule -i my-f2bfsshd.pp $ sudo semodule -i my-f2bfsshd.pp $ echo | sudo tee /var/log/audit/audit.log $ sudo systemctl restart fail2ban $ sudo sealert -a /var/log/audit/audit.log 100% done found 0 alerts in /var/log/audit/audit.log
Any suggestions ?
Niki