[CentOS] fail2ban firewalld problems with current CentOS 7

Thu Apr 9 12:31:35 UTC 2020
Andreas Haumer <andreas at xss.co.at>


Am 09.04.20 um 10:07 schrieb Rob Kampen:
> I too had fail2ban fail after an otherwise successful yum update. Mine occurred in Feb when my versions of firewalld etc were updated to the versions you show. Thus far I have not had the opportunity to sort the problem. Lockdown has been quite busy so far, hopefully some slower times coming next week.

Yeah, those pesky real-life biological virus keeps all of us busy just like the virtual ones... ;-)

(Just yesterday I found the following article mentioned on Slashdot:

Made me smile... :-)

Anyway, I digged into the fail2ban problem today and it looks like something
changed regarding selinux and fail2ban.

After several iterations with fail2ban restart, ausearch and audit2allow like this:

ausearch -c 'f2b/server' --raw | audit2allow -M f2b-addon

I came up with a SELinux module like that:

module f2b-addon 1.0;

require {
        type sysctl_net_t;
        type sysfs_t;
        type fail2ban_t;
        class file { getattr open read };
        class dir search;

#============= fail2ban_t ==============

#!!!! This avc is allowed in the current policy
allow fail2ban_t sysctl_net_t:dir search;

#!!!! This avc is allowed in the current policy
allow fail2ban_t sysctl_net_t:file { getattr open read };

#!!!! This avc is allowed in the current policy
allow fail2ban_t sysfs_t:file { getattr open read };

When I load this new module I can restart fail2ban and
it finally is able to create a working ipset:

[root at camus ~]# ipset list
Name: f2b-apache
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 timeout 10800
Size in memory: 408
References: 1
Number of entries: 3
Members: timeout 10149 timeout 10149 timeout 10149

I'm neither a fail2ban nor a SELinux expert, but it seems the
standard fail2ban SELinux policy as provided by CentOS 7 is not
sufficient anymore and the recent updates did not correctly
update the required SELinux policies.

I could report this as bug, but where does such a bugreport belong to
in the first place?

- andreas

Andreas Haumer                     | mailto:andreas at xss.co.at
*x Software + Systeme              | http://www.xss.co.at/
Karmarschgasse 51/2/20             | Tel: +43-1-6060114-0
A-1100 Vienna, Austria             | Fax: +43-1-6060114-71

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: OpenPGP digital signature
URL: <http://lists.centos.org/pipermail/centos/attachments/20200409/33d7abf9/attachment-0005.sig>