[CentOS] CentOS 7, Fail2ban and SELinux

Thu Feb 13 16:38:09 UTC 2020
Bez Thomas <jet242 at cornell.edu>

> On Feb 13, 2020, at 9:01 AM, Jonathan Billings <billings at negate.org> wrote:
> 
> On Thu, Feb 13, 2020 at 08:42:29AM +0100, Nicolas Kovacs wrote:
>> I'm running CentOS 7 on an Internet-facing server. SELinux is in permissive
>> mode for debugging. I've removed FirewallD and replaced it with a
>> custom-made Iptables script. I've also installed and configured Fail2ban
>> (fail2ban-server package) to protect the server from brute force attacks.
>> [...]
>> As far as I can tell - and please correct me if I'm wrong - if a package
>> doesn't play well with SELinux in the default configuration, this should be
>> considered as a bug. In that case, the appropriate reaction would be to file
>> a bug on the EPEL mailing list, since EPEL provides the fail2ban-server
>> package.
> 
> In your case, you are not using fail2ban in any sort of default
> configuration.  Firewalld is the default firewall management in CentOS
> 7.  fail2ban was set up to use firewalld, and in fact, is much more
> efficient than using iptables since the fail2ban-firewalld package
> uses ipsets instead of individual iptables rules.
> 
>> SELinux is preventing /usr/bin/python2.7 from read access on the file disable.
> 
> You mention the file 'disable' but I'm not aware of a file called
> 'disable' in the fail2ban-server package.  What file is it trying to
> read from?  Perhaps you've put a file someplace that has a label that
> makes sense for fail2ban to not be able to read from?

This bug (CLOSED WONTFIX) appears to be relevant: 

https://bugzilla.redhat.com/show_bug.cgi?id=1777562

The 'disable' file is /sys/module/ipv6/parameters/disable.

Bez Thomas
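The message quoted at the top of this thread ("read access on the file disable") only gives the basename, which is why the file had to be identified by hand. The following shell helper, added here as an example and not part of any post in this thread or of the fail2ban project, shows how to triage such a denial from a raw audit.log line: pull out the comm=, name=, dev=, scontext and tcontext fields, locate the basename on the filesystem that dev= names, and read the ipv6 module's 'disable' parameter directly. The AVC line embedded below is constructed for the example; the type names fail2ban_t and sysfs_t are what the CentOS 7 targeted policy is assumed to use for fail2ban-server and /sys.

```shell
#!/bin/sh
# Triage helper for an SELinux AVC denial such as the one discussed above.
# SAMPLE_AVC is a constructed audit.log line, not taken from the poster's
# logs; the contexts (fail2ban_t, sysfs_t) are assumed for the example.
SAMPLE_AVC='type=AVC msg=audit(1581610689.123:4567): avc:  denied  { read } for  pid=1234 comm="fail2ban-server" name="disable" dev="sysfs" ino=12345 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1'

# avc_field LINE KEY: value of KEY=... in an audit line, surrounding quotes stripped.
avc_field() {
  printf '%s\n' "$1" | sed -n "s/.* $2=\([^ ]*\).*/\1/p" | tr -d '"'
}

# avc_perms LINE: the permission set inside "denied { ... }".
avc_perms() {
  printf '%s\n' "$1" | sed -n 's/.*denied *{ \([^}]*\) }.*/\1/p' | sed 's/ *$//'
}

# avc_type CONTEXT: the type component (user:role:type:level) of an SELinux context.
avc_type() {
  printf '%s\n' "$1" | cut -d: -f3
}

# summarize_denial LINE: one line stating who was denied what on which object.
summarize_denial() {
  line=$1
  printf '%s (%s) denied %s on %s "%s" (dev=%s, %s); permissive=%s\n' \
    "$(avc_field "$line" comm)" "$(avc_type "$(avc_field "$line" scontext)")" \
    "$(avc_perms "$line")" "$(avc_field "$line" tclass)" "$(avc_field "$line" name)" \
    "$(avc_field "$line" dev)" "$(avc_type "$(avc_field "$line" tcontext)")" \
    "$(avc_field "$line" permissive)"
}

# candidate_paths NAME DEV: the audit line carries only a basename, so search the
# filesystem that dev= names for it. Only sysfs and proc are searched; a
# whole-disk find is too slow for a triage helper. Prints nothing if not found.
candidate_paths() {
  case "$2" in
    sysfs) root=/sys ;;
    proc)  root=/proc ;;
    *)     return 0 ;;
  esac
  find "$root" -maxdepth 6 -name "$1" 2>/dev/null || true
}

# ipv6_module_disabled: prints 1 when /sys/module/ipv6/parameters/disable reads 1
# (the kernel was booted or the module loaded with ipv6.disable=1), else 0.
# Prints 0 when the file is absent or unreadable, e.g. inside a container.
ipv6_module_disabled() {
  f=/sys/module/ipv6/parameters/disable
  if [ -r "$f" ] && [ "$(cat "$f")" = 1 ]; then echo 1; else echo 0; fi
}

summarize_denial "$SAMPLE_AVC"
candidate_paths "$(avc_field "$SAMPLE_AVC" name)" "$(avc_field "$SAMPLE_AVC" dev)"
echo "ipv6 module disable flag: $(ipv6_module_disabled)"

# On the affected host, the real denials and a local policy module come from:
#   ausearch -m AVC -c fail2ban-server --raw | audit2allow -M fail2ban-local
#   semodule -i fail2ban-local.pp
# Review fail2ban-local.te before installing it: allow only the read on sysfs_t
# that the denial shows, not whatever else audit2allow happens to collect.
```

Running this on a CentOS 7 box that logged the denial prints `/sys/module/ipv6/parameters/disable` from candidate_paths, which is the path named in the reply above; in permissive mode the denial is logged but the read still succeeds, so the flag line reflects the real module parameter.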