On Feb 13, 2020, at 9:01 AM, Jonathan Billings billings@negate.org wrote:
On Thu, Feb 13, 2020 at 08:42:29AM +0100, Nicolas Kovacs wrote:
I'm running CentOS 7 on an Internet-facing server. SELinux is in permissive mode for debugging. I've removed FirewallD and replaced it with a custom-made Iptables script. I've also installed and configured Fail2ban (fail2ban-server package) to protect the server from brute force attacks. [...] As far as I can tell - and please correct me if I'm wrong - if a package doesn't play well with SELinux in the default configuration, this should be considered a bug. In that case, the appropriate reaction would be to file a bug on the EPEL mailing list, since EPEL provides the fail2ban-server package.
In your case, you are not using fail2ban in any sort of default configuration. Firewalld is the default firewall management in CentOS 7. fail2ban was set up to use firewalld, and in fact, is much more efficient than using iptables since the fail2ban-firewalld package uses ipsets instead of individual iptables rules.
SELinux is preventing /usr/bin/python2.7 from read access on the file disable.
You mention the file 'disable' but I'm not aware of a file called 'disable' in the fail2ban-server package. What file is it trying to read from? Perhaps you've put a file someplace that has a label that makes sense for fail2ban to not be able to read from?
This bug (CLOSED WONTFIX) appears to be relevant:
https://bugzilla.redhat.com/show_bug.cgi?id=1777562
The 'disable' file is /sys/module/ipv6/parameters/disable.
Bez Thomas
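Two checks a practitioner might write when triaging a denial like the one quoted in this thread, as an added example that is not from the thread or from the fail2ban project: a parser for the AVC line in /var/log/audit/audit.log (the sample line is constructed; field names are the standard audit ones), and a probe of /sys/module/ipv6/parameters/disable that fails safe when the read is denied instead of crashing the daemon.

```python
import re

# Constructed sample AVC line in audit.log format; pid, inode and timestamp are illustrative.
SAMPLE_AVC = (
    'type=AVC msg=audit(1581580000.123:456): avc:  denied  { read } for '
    'pid=1234 comm="fail2ban-server" name="disable" dev="sysfs" ino=12345 '
    'scontext=system_u:system_r:fail2ban_t:s0 '
    'tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1'
)

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?comm="(?P<comm>[^"]+)"'
    r'.*?name="(?P<name>[^"]+)".*?scontext=(?P<scontext>\S+)'
    r'.*?tcontext=(?P<tcontext>\S+).*?tclass=(?P<tclass>\S+)'
    r'(?:.*?permissive=(?P<permissive>[01]))?'
)


def parse_avc(line):
    """Extract process, denied permissions, target name, labels and whether the
    kernel was in permissive mode from one AVC line. Returns None if no match."""
    m = AVC_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d['perms'] = d['perms'].split()
    d['permissive'] = d['permissive'] == '1'   # permissive=1 means logged, not blocked
    return d


IPV6_DISABLE_PATH = '/sys/module/ipv6/parameters/disable'   # the 'disable' file from the thread


def parse_ipv6_disable(text):
    """The sysfs file holds 'Y'/'1' when the module was loaded with disable=1."""
    return text.strip() in ('1', 'Y')


def ipv6_disabled(path=IPV6_DISABLE_PATH):
    """True if IPv6 is disabled, False if enabled, None if unknown. A read denied by
    SELinux in enforcing mode surfaces as PermissionError; treating it as 'unknown'
    lets the caller assume IPv6 may be in use rather than failing outright."""
    try:
        with open(path) as f:
            return parse_ipv6_disable(f.read())
    except (PermissionError, FileNotFoundError):
        return None
```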