On 17/04/20 10:55 pm, Leon Fauster via CentOS wrote:
> On 17.04.20 at 02:59, Rob Kampen wrote:
>> On 13/04/20 1:30 pm, Orion Poplawski wrote:
>>> On 4/9/20 6:31 AM, Andreas Haumer wrote:
>>> ...
>>>> I'm neither a fail2ban nor a SELinux expert, but it seems the
>>>> standard fail2ban SELinux policy as provided by CentOS 7 is not
>>>> sufficient anymore and the recent updates did not correctly
>>>> update the required SELinux policies.
>>>>
>>>> I could report this as a bug, but where does such a bug report belong
>>>> in the first place?
>>>>
>>>> - andreas
>>>>
>>>
>>>
>>> See https://bugzilla.redhat.com/show_bug.cgi?id=1777562
>>> We're a bit stalled at the moment I'm afraid
>>>
>> Finally had some time to look into this. Happy to say fail2ban now
>> appears to be working.
>>
>> 1. I found that reading the CentOS web site about SElinux was helpful
>> and this led me to issue the following:
>>
>> semanage permissive -a fail2ban_t
>>
>> this places just fail2ban requests (got the context from the scontext
>> part of the SElinux error message) into permissive mode rather than
>> the entire OS.
>>
>> 2. Then a look into the SElinux troubleshooter gave me the errors
>> that were occurring and following the suggested instructions I
>> created a my-f2bfsshd.pp & my-f2bfsshd.te
>>
>> 3. restarted fail2ban via systemctl restart fail2ban.service
>>
>> 4. monitored via fail2ban-client status <filter_name> and now get
>>
>> Status for the jail: sshd
>> |- Filter
>> |  |- Currently failed: 0
>> |  |- Total failed:     109
>> |  `- Journal matches:  _SYSTEMD_UNIT=sshd.service + _COMM=sshd
>> `- Actions
>>    |- Currently banned: 3
>>    |- Total banned:     6
>>    `- Banned IP list:   27.78.14.83 116.105.216.179 139.99.71.227
>>
>> 5. set fail2ban back into enforcing with
>>
>> semanage permissive -d fail2ban_t
>>
>> All solved for me.
>>
>> I have now done this on a second machine and it too seems to be
>> functioning again.
>>
>
> Great that there is a solution.
> I am just curious; what does your my-f2bfsshd.te look like?

module my-f2bfsshd 1.0;

require {
	type proc_net_t;
	type sysctl_net_t;
	type sysfs_t;
	type fail2ban_t;
	class dir search;
	class file { getattr open read };
}

#============= fail2ban_t ==============
allow fail2ban_t proc_net_t:file read;
allow fail2ban_t sysctl_net_t:dir search;
allow fail2ban_t sysctl_net_t:file { getattr open read };
allow fail2ban_t sysfs_t:file { getattr open read };

>
> --
> Leon
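As an added illustration (not code from the thread or from fail2ban), here is a small Python stand-in for what audit2allow does behind the SELinux troubleshooter's suggestion: it parses AVC denial lines, keeps only those whose source type is fail2ban_t, and emits a .te module in the same shape as the one quoted above, so the rules can be reviewed line by line before being compiled. The AVC lines are constructed samples whose target types mirror the quoted module; the httpd_t line is there only to show that other domains' denials are ignored.

```python
import re
from collections import defaultdict

# Constructed sample AVC denials (not from the thread); permissive=1 shows
# they were logged while fail2ban_t was in permissive mode, as in step 1.
SAMPLE_AVC = """\
type=AVC msg=audit(1587100000.101:201): avc:  denied  { read } for  pid=1234 comm="fail2ban-server" name="dev" dev="proc" ino=4026531962 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file permissive=1
type=AVC msg=audit(1587100000.102:202): avc:  denied  { search } for  pid=1234 comm="fail2ban-server" name="net" dev="proc" ino=12345 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1587100000.103:203): avc:  denied  { read open } for  pid=1234 comm="fail2ban-server" name="somaxconn" dev="proc" ino=12346 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1
type=AVC msg=audit(1587100000.104:204): avc:  denied  { getattr } for  pid=1234 comm="fail2ban-server" path="/proc/sys/net/core/somaxconn" dev="proc" ino=12346 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1
type=AVC msg=audit(1587100000.105:205): avc:  denied  { read open getattr } for  pid=1234 comm="fail2ban-server" name="online" dev="sysfs" ino=77 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(1587100000.106:206): avc:  denied  { write } for  pid=999 comm="httpd" name="index.html" dev="dm-0" ino=88 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=0
"""

def parse_avc(line):
    """Return (source_type, target_type, tclass, perms), or None if not an AVC denial."""
    m = re.search(r"avc:\s+denied\s+\{([^}]*)\}", line)
    if m is None:
        return None
    fields = dict(re.findall(r"(\w+)=(\S+)", line))
    try:
        stype = fields["scontext"].split(":")[2]   # user:role:TYPE:level
        ttype = fields["tcontext"].split(":")[2]
        tclass = fields["tclass"]
    except (KeyError, IndexError):
        return None
    return stype, ttype, tclass, frozenset(m.group(1).split())

def _fmt(perms):
    return next(iter(perms)) if len(perms) == 1 else "{ " + " ".join(sorted(perms)) + " }"

def generate_te(audit_text, module_name, source_type="fail2ban_t", version="1.0"):
    """Build a .te policy module allowing exactly the denials seen for source_type."""
    rules = defaultdict(set)      # (target_type, tclass) -> permissions
    for line in audit_text.splitlines():
        parsed = parse_avc(line)
        if parsed is None or parsed[0] != source_type:
            continue              # skip other domains' denials (e.g. httpd_t)
        _, ttype, tclass, perms = parsed
        rules[(ttype, tclass)] |= perms
    classes = defaultdict(set)    # tclass -> union of perms, for the require block
    for (_, tclass), perms in rules.items():
        classes[tclass] |= perms
    out = [f"module {module_name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in sorted({source_type} | {t for t, _ in rules})]
    out += [f"\tclass {c} {_fmt(classes[c])};" for c in sorted(classes)]
    out += ["}", "", f"#============= {source_type} =============="]
    out += [f"allow {source_type} {t}:{c} {_fmt(rules[(t, c)])};" for t, c in sorted(rules)]
    return "\n".join(out) + "\n"
```

Write the reviewed output of generate_te(SAMPLE_AVC, "my-f2bfsshd") to my-f2bfsshd.te, then build and load it the standard way: checkmodule -M -m -o my-f2bfsshd.mod my-f2bfsshd.te, semodule_package -o my-f2bfsshd.pp -m my-f2bfsshd.mod, semodule -i my-f2bfsshd.pp.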