On 17.04.20 at 02:59, Rob Kampen wrote:
> On 13/04/20 1:30 pm, Orion Poplawski wrote:
>> On 4/9/20 6:31 AM, Andreas Haumer wrote:
>> ...
>>> I'm neither a fail2ban nor a SELinux expert, but it seems the
>>> standard fail2ban SELinux policy as provided by CentOS 7 is not
>>> sufficient anymore and the recent updates did not correctly
>>> update the required SELinux policies.
>>>
>>> I could report this as a bug, but where does such a bug report belong
>>> in the first place?
>>>
>>> - andreas
>>>
>>
>>
>> See https://bugzilla.redhat.com/show_bug.cgi?id=1777562
>> We're a bit stalled at the moment I'm afraid
>>
> Finally had some time to look into this. Happy to say fail2ban now
> appears to be working.
>
> 1. I found that reading the CentOS web site about SELinux was helpful
> and this led me to issue the following:
>
> semanage permissive -a fail2ban_t
>
> this places just fail2ban requests (got the context from the scontext
> part of the SELinux error message) into permissive mode rather than the
> entire OS.
>
> 2. Then a look into the SELinux troubleshooter gave me the errors that
> were occurring and following the suggested instructions I created a
> my-f2bfsshd.pp & my-f2bfsshd.te
>
> 3. restarted fail2ban via systemctl restart fail2ban.service
>
> 4. monitored via fail2ban-client status <filter_name> and now get
>
> Status for the jail: sshd
> |- Filter
> |  |- Currently failed: 0
> |  |- Total failed: 109
> |  `- Journal matches: _SYSTEMD_UNIT=sshd.service + _COMM=sshd
> `- Actions
>    |- Currently banned: 3
>    |- Total banned: 6
>    `- Banned IP list: 27.78.14.83 116.105.216.179 139.99.71.227
>
> 5. set fail2ban back into enforcing with
>
> semanage permissive -d fail2ban_t
>
> All solved for me.
>
> I have now done this on a second machine and it too seems to be
> functioning again.
>

Great that there is a solution. I am just curious; what does your
my-f2bfsshd.te look like?

-- 
Leon
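
Added example, not part of the thread and not Rob's actual module: a simplified sketch of how AVC denial records map to the domain to make permissive (the scontext type from step 1) and to the allow rules that a generated .te file would contain. The audit records, the target types and the function names avc_domains and avc_rules are constructed for illustration.

```shell
#!/usr/bin/env bash
# Constructed audit records (not from the thread or the bug report).
# On a real host the input would come from: ausearch -m avc -ts recent --raw
SAMPLE_AUDIT='type=AVC msg=audit(1587000000.101:501): avc:  denied  { read } for  pid=2301 comm="f2b/f.sshd" name="system.journal" dev="dm-0" ino=7001 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(1587000000.102:502): avc:  denied  { open } for  pid=2301 comm="f2b/f.sshd" name="system.journal" dev="dm-0" ino=7001 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(1587000000.103:503): avc:  denied  { search } for  pid=2301 comm="f2b/f.sshd" name="journal" dev="dm-0" ino=7000 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1587000000.104:504): avc:  denied  { getattr } for  pid=900 comm="httpd" name="site" dev="dm-0" ino=8000 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1587000000.104:504): arch=c000003e syscall=4 success=no exit=-13'

# avc_domains: unique source types (third field of scontext) that were denied.
# Each one is a candidate for "semanage permissive -a <type>".
avc_domains() {
  awk '/ avc: +denied / {
         for (i = 1; i <= NF; i++)
           if ($i ~ /^scontext=/) { split($i, a, ":"); print a[3] }
       }' | sort -u
}

# avc_rules DOMAIN: merge the denials of one domain into allow rules, one per
# (target type, object class), similar in spirit to what audit2allow emits.
avc_rules() {
  awk -v dom="$1" '
    / avc: +denied / {
      perms = $0; sub(/.*denied +[{] */, "", perms); sub(/ *[}].*/, "", perms)
      s = t = c = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^scontext=/) { split($i, a, ":"); s = a[3] }
        if ($i ~ /^tcontext=/) { split($i, a, ":"); t = a[3] }
        if ($i ~ /^tclass=/)   { c = substr($i, 8) }
      }
      if (s != dom) next            # ignore denials from other domains
      key = t ":" c
      n = split(perms, p, " ")
      for (j = 1; j <= n; j++)
        if (!seen[key, p[j]]++) set[key] = set[key] " " p[j]
    }
    END { for (k in set) printf "allow %s %s {%s };\n", dom, k, set[k] }
  ' | sort
}

printf '%s\n' "$SAMPLE_AUDIT" | avc_domains
printf '%s\n' "$SAMPLE_AUDIT" | avc_rules fail2ban_t
```

Reading the merged rules before loading a generated module with semodule -i shows exactly which access is being granted to the domain, and a rule that looks broader than the service needs is a reason to stop and check the denial rather than allow it.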