[CentOS] CentOS 7 : SELinux trouble with Fail2ban

Fri Feb 28 20:07:52 UTC 2020
Orion Poplawski <orion at nwra.com>

On 2/26/20 9:52 AM, Nicolas Kovacs wrote:
> Le 26/02/2020 à 11:51, Nicolas Kovacs a écrit :
>> SELinux is preventing /usr/bin/python2.7 from read access on the file 
>> disable.
>>
>> *****  Plugin catchall (100. confidence) suggests   *****
>>
>> If you believe that python2.7 should be allowed read access on the 
>> disable file by default.
>> Then you should report this as a bug.
>> You can generate a local policy module to allow this access.
>> Do allow this access for now by executing:
>> # ausearch -c 'f2b/server' --raw | audit2allow -M my-f2bserver
>> # semodule -i my-f2bserver.pp
>>
>> Weirdly enough, when I follow this suggestion and then empty audit.log 
>> and restart my server, I still get the exact same error again.
> 
> I reinstalled this server from scratch and took some notes. This time I 
> was successful, though I don't know exactly what I did differently this 
> time.
> 
> Usually I work as non-root user and call sudo whenever I need root 
> permissions.
> 
> But is this OK when enabling SELinux modules? Let's consider the example 
> given above:
> 
> # ausearch -c 'f2b/server' --raw | audit2allow -M my-f2bserver
> # semodule -i my-f2bserver.pp
> 
> Can I also perform it like this?
> 
> $ sudo ausearch -c 'f2b/server' --raw | sudo audit2allow -M my-f2bserver
> $ sudo semodule -i my-f2bserver.pp

This should work.  Likely the reason that it didn't resolve in one go is 
that there were multiple denials - but the first time it just failed on 
the first one.  Someone else mentioned running in non-enforcing mode to 
allow the audit log to collect all of the denials and then generating 
the module - this is a good practice.


-- 
Orion Poplawski
Manager of NWRA Technical Systems          720-772-5637
NWRA, Boulder/CoRA Office             FAX: 303-415-9702
3380 Mitchell Lane                       orion at nwra.com
Boulder, CO 80301                 https://www.nwra.com/
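Orion's point, that an enforcing system stops the process at the first denial so one `audit2allow` pass only ever sees one of them, is easiest to check by looking at the records themselves before loading anything. The following is an added example, not code from either message or from the fail2ban or SELinux projects: it parses constructed raw AVC records in the shape `ausearch --raw` prints, merges them into the allow rules `audit2allow` would generate, and reports whether every denial was logged with `permissive=1`, which is what you expect after collecting in permissive mode and what makes the set likely complete. The inode numbers, timestamps and the `/etc/example.conf` path are made up; `fail2ban_t`, `var_lib_t` and `etc_t` are standard reference-policy types but do not come from the thread.

```python
import re
from collections import defaultdict

# Constructed sample of raw audit records, in the shape that
# `ausearch -c 'f2b/server' --raw` prints. Inode numbers, timestamps and
# the /etc path are made up for this example; fail2ban_t is the
# reference-policy domain for fail2ban, var_lib_t and etc_t are standard
# file types. None of these lines are taken from the original thread.
SAMPLE_RAW_AUDIT = """\
type=AVC msg=audit(1582718000.101:201): avc:  denied  { read } for  pid=1201 comm="f2b/server" name="disable" dev="dm-0" ino=4001 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1582718000.101:201): arch=c000003e syscall=2 success=yes exit=5 comm="f2b/server" exe="/usr/bin/python2.7"
type=AVC msg=audit(1582718000.102:202): avc:  denied  { open } for  pid=1201 comm="f2b/server" name="disable" dev="dm-0" ino=4001 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1582718000.150:203): avc:  denied  { getattr } for  pid=1201 comm="f2b/server" path="/etc/example.conf" dev="dm-0" ino=4002 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
"""

# The permission set sits between braces after "denied".
PERMS_RE = re.compile(r"denied\s+\{\s*([^}]+?)\s*\}")
# Simple key=value fields we need from every AVC record.
FIELD_RE = {
    name: re.compile(rf"\b{name}=(\S+)")
    for name in ("scontext", "tcontext", "tclass", "permissive")
}


def parse_avc(line):
    """Return the denial carried by one raw AVC record, or None for other record types."""
    if not line.startswith("type=AVC"):
        return None
    perms = PERMS_RE.search(line)
    fields = {name: rx.search(line) for name, rx in FIELD_RE.items()}
    if perms is None or any(m is None for m in fields.values()):
        return None  # malformed or truncated record: skip rather than guess
    return {
        "perms": set(perms.group(1).split()),
        # The type is the third colon-separated field of a security context.
        "stype": fields["scontext"].group(1).split(":")[2],
        "ttype": fields["tcontext"].group(1).split(":")[2],
        "tclass": fields["tclass"].group(1),
        "permissive": fields["permissive"].group(1) == "1",
    }


def parse_raw_audit(raw_text):
    """Parse all AVC denials out of raw ausearch output, ignoring other record types."""
    return [r for r in (parse_avc(l) for l in raw_text.splitlines()) if r]


def summarize_denials(records):
    """Merge denials into (source type, target type, object class) -> permissions."""
    summary = defaultdict(set)
    for r in records:
        summary[(r["stype"], r["ttype"], r["tclass"])] |= r["perms"]
    return summary


def render_allow_rules(summary):
    """Render the merged denials as the allow rules audit2allow would emit."""
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(perms))} }};"
        for (s, t, c), perms in sorted(summary.items())
    ]


def collected_in_permissive_mode(records):
    """True if every denial was logged with permissive=1.

    A permissive=0 record means the process was stopped at that denial, so
    anything it would have done afterwards never reached the audit log and
    the generated module is probably incomplete.
    """
    return bool(records) and all(r["permissive"] for r in records)


if __name__ == "__main__":
    recs = parse_raw_audit(SAMPLE_RAW_AUDIT)
    print(f"{len(recs)} AVC denials; collected in permissive mode: "
          f"{collected_in_permissive_mode(recs)}")
    for rule in render_allow_rules(summarize_denials(recs)):
        print(rule)
```

Run against real `ausearch --raw` output, the rendered rules are the same ones `audit2allow -M` writes into the generated `.te` file next to the `.pp`; reading them before `semodule -i` is the moment to notice a rule that grants more than the service legitimately needs, and a `permissive=0` record is the signal to switch to permissive mode, restart the service and collect again.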