[CentOS] [SOLVED] fail2ban firewalld problems with current CentOS 7

Fri Apr 17 00:59:56 UTC 2020
Rob Kampen <rkampen at kampensonline.com>

On 13/04/20 1:30 pm, Orion Poplawski wrote:
> On 4/9/20 6:31 AM, Andreas Haumer wrote:
> ...
>> I'm neither a fail2ban nor a SELinux expert, but it seems the
>> standard fail2ban SELinux policy as provided by CentOS 7 is not
>> sufficient anymore and the recent updates did not correctly
>> update the required SELinux policies.
>> I could report this as bug, but where does such a bugreport belong to
>> in the first place?
>> - andreas
> See https://bugzilla.redhat.com/show_bug.cgi?id=1777562
> We're a bit stalled at the moment I'm afradi
Finally had some time to look into this. Happy to say fail2ban now 
appears to be working.

1. I found that reading the CentOS web site about SElinux was helpful 
and this led me to issue the following:

semanage permissive -a fail2ban_t

this places just fail2ban requests (got the context from the scontext 
part of the SElinux error message) into permissive mode rather than the 
entire OS.

2. Then a look into the SElinux troubleshooter gave me the errors that 
were occurring and following the suggested instructions I created a 
my-f2bfsshd.pp & my-f2bfsshd.te

3. restarted fail2ban via systemctl restart fail2ban.service

4. monitored via fail2ban-client status <filter_name> and now get

Status for the jail: sshd
|- Filter
|  |- Currently failed:    0
|  |- Total failed:    109
|  `- Journal matches:    _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
    |- Currently banned:    3
    |- Total banned:    6
    `- Banned IP list:

5. set fail2ban back into enforcing with

semanage permissive -d fail2ban_t

All solved for me.

I have now done this on a second machine and it too seems to be 
functioning again.