[CentOS] CentOS 7, Fail2ban and SELinux

Thu Feb 13 07:42:29 UTC 2020
Nicolas Kovacs <info at microlinux.fr>

Hi,

I'm running CentOS 7 on an Internet-facing server. SELinux is in permissive 
mode for debugging. I've removed FirewallD and replaced it with a custom-made 
Iptables script. I've also installed and configured Fail2ban (fail2ban-server 
package) to protect the server from brute force attacks.

Out of the box, Fail2ban doesn't seem to play well with SELinux. Here's what I get.

$ sudo sealert -a /var/log/audit/audit.log
100% done
found 5 alerts in /var/log/audit/audit.log
------------------------------------------------------------
SELinux is preventing /usr/bin/python2.7 from read access on the file disable.

*****  Plugin catchall (100. confidence) suggests   *****

If you believe that python2.7 should be allowed read access on the disable file 
by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'f2b/f.sshd' --raw | audit2allow -M my-f2bfsshd
# semodule -i my-f2bfsshd.pp
...

As far as I can tell - and please correct me if I'm wrong - if a package 
doesn't play well with SELinux in the default configuration, this should be 
considered as a bug. In that case, the appropriate reaction would be to file a 
bug on the EPEL mailing list, since EPEL provides the fail2ban-server package.

Other than that, the solution suggested by sealert seems to work.

$ sudo ausearch -c 'f2b/f.sshd' --raw | sudo audit2allow -M my-f2bfsshd
******************** IMPORTANT ***********************
To make this policy package active, execute:
semodule -i my-f2bfsshd.pp

$ sudo ausearch -c 'f2b/f.sshd' --raw | sudo audit2allow -M my-f2bfsshd
******************** IMPORTANT ***********************
To make this policy package active, execute:
semodule -i my-f2bfsshd.pp
$ sudo semodule -i my-f2bfsshd.pp
$ echo | sudo tee /var/log/audit/audit.log
$ sudo systemctl restart fail2ban
$ sudo sealert -a /var/log/audit/audit.log
100% done
found 0 alerts in /var/log/audit/audit.log

Any suggestions ?

Niki

-- 
Microlinux - Solutions informatiques durables
7, place de l'église - 30730 Montpezat
Site : https://www.microlinux.fr
Mail : info at microlinux.fr
Tél. : 04 66 63 10 32
Mob. : 06 51 80 12 12