[CentOS] CentOS 7, Fail2ban and SELinux

Thu Feb 13 14:01:22 UTC 2020
Jonathan Billings <billings at negate.org>

On Thu, Feb 13, 2020 at 08:42:29AM +0100, Nicolas Kovacs wrote:
> I'm running CentOS 7 on an Internet-facing server. SELinux is in permissive
> mode for debugging. I've removed FirewallD and replaced it with a
> custom-made Iptables script. I've also installed and configured Fail2ban
> (fail2ban-server package) to protect the server from brute force attacks.
> [...]
> As far as I can tell - and please correct me if I'm wrong - if a package
> doesn't play well with SELinux in the default configuration, this should be
> considered as a bug. In that case, the appropriate reaction would be to file
> a bug on the EPEL mailing list, since EPEL provides the fail2ban-server
> package.

In your case, you are not using fail2ban in any sort of default
configuration.  Firewalld is the default firewall management in CentOS
7.  fail2ban was set up to use firewalld, and in fact, is much more
efficient than using iptables since the fail2ban-firewalld package
uses ipsets instead of individual iptables rules.

> SELinux is preventing /usr/bin/python2.7 from read access on the file disable.

You mention the file 'disable' but I'm not aware of a file called
'disable' in the fail2ban-server package.  What file is it trying to
read from?  Perhaps you've put a file someplace that has a label that
makes sense for fail2ban to not be able to read from?

Jonathan Billings <billings at negate.org>