[CentOS] CentOS 7, Fail2ban and SELinux

Thu Feb 13 13:47:54 UTC 2020
Stephen John Smoogen <smooge at gmail.com>

On Thu, 13 Feb 2020 at 02:42, Nicolas Kovacs <info at microlinux.fr> wrote:

> Hi,
>
> I'm running CentOS 7 on an Internet-facing server. SELinux is in permissive
> mode for debugging. I've removed FirewallD and replaced it with a custom-made
> Iptables script. I've also installed and configured Fail2ban (fail2ban-server
> package) to protect the server from brute force attacks.
>
> Out of the box, Fail2ban doesn't seem to play well with SELinux. Here's
> what I get.
>
> $ sudo sealert -a /var/log/audit/audit.log
> 100% done
> found 5 alerts in /var/log/audit/audit.log
> ------------------------------------------------------------
> SELinux is preventing /usr/bin/python2.7 from read access on the file
> disable.
>
> *****  Plugin catchall (100. confidence) suggests   *****
>
> If you believe that python2.7 should be allowed read access on the disable
> file by default.
> Then you should report this as a bug.
> You can generate a local policy module to allow this access.
> Do allow this access for now by executing:
> # ausearch -c 'f2b/f.sshd' --raw | audit2allow -M my-f2bfsshd
> # semodule -i my-f2bfsshd.pp
> ...
>
> As far as I can tell - and please correct me if I'm wrong - if a package
> doesn't play well with SELinux in the default configuration, this should be
> considered as a bug. In that case, the appropriate reaction would be to file a
> bug on the EPEL mailing list, since EPEL provides the fail2ban-server package.
>
>
The appropriate action would be to file it as a bug in bugzilla.redhat.com.
Posting it to the epel-devel mailing list would probably not get any fix as
most packagers are not on it. (They are also not on the fedora-devel list
either.) Whether it gets fixed or not is going to be up to the packager.
EPEL is a volunteer collection where we do not have much man-power to fix
things unless the main Fedora packager is involved.


> Other than that, the solution suggested by sealert seems to work.
>
> $ sudo ausearch -c 'f2b/f.sshd' --raw | sudo audit2allow -M my-f2bfsshd
> ******************** IMPORTANT ***********************
> To make this policy package active, execute:
> semodule -i my-f2bfsshd.pp
> $ sudo semodule -i my-f2bfsshd.pp
> $ echo | sudo tee /var/log/audit/audit.log
> $ sudo systemctl restart fail2ban
> $ sudo sealert -a /var/log/audit/audit.log
> 100% done
> found 0 alerts in /var/log/audit/audit.log
>
> Any suggestions ?
>
> Niki
>
> --
> Microlinux - Solutions informatiques durables
> 7, place de l'église - 30730 Montpezat
> Site : https://www.microlinux.fr
> Mail : info at microlinux.fr
> Tél. : 04 66 63 10 32
> Mob. : 06 51 80 12 12
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos
>


-- 
Stephen J Smoogen.
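The audit2allow step quoted above turns every AVC denial attributed to a command into allow rules, which is why it is worth seeing what those rules will contain before running semodule -i. The script below is an added example, not code from the thread or from fail2ban: it parses AVC records in the shape written to /var/log/audit/audit.log, filters them to one comm value (f2b/f.sshd from the post), groups the denied permissions by source type, target type and object class, and prints the equivalent allow rules for review. The audit lines are constructed for the example; the comm and file name follow the thread, while the contexts, pids and inodes are placeholders (the post never shows the raw AVC records, so placeholder_t stands in for the real target type).

```python
import re
from collections import defaultdict

# Constructed audit records in the layout of /var/log/audit/audit.log.
# comm="f2b/f.sshd" and name="disable" come from the thread; every other
# field (contexts, pid, dev, ino, timestamps) is a placeholder.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1581594000.101:101): avc:  denied  { read } for  pid=1200 comm="f2b/f.sshd" name="disable" dev="sysfs" ino=1 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:placeholder_t:s0 tclass=file permissive=1
type=AVC msg=audit(1581594000.102:102): avc:  denied  { open } for  pid=1200 comm="f2b/f.sshd" path="/placeholder/disable" dev="sysfs" ino=1 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:placeholder_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1581594000.102:102): arch=c000003e syscall=2 success=yes exit=3 comm="f2b/f.sshd"
type=AVC msg=audit(1581594000.200:103): avc:  denied  { read } for  pid=1200 comm="f2b/f.sshd" name="disable" dev="sysfs" ino=1 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:placeholder_t:s0 tclass=file permissive=1
type=AVC msg=audit(1581594000.300:104): avc:  denied  { getattr } for  pid=1300 comm="other_daemon" path="/placeholder/other" dev="sysfs" ino=2 scontext=system_u:system_r:other_t:s0 tcontext=system_u:object_r:placeholder_t:s0 tclass=file permissive=1
"""

# One AVC denial: the permission set, the command, both contexts, the object
# class and (on permissive systems) the permissive=1 marker.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+.*?'
    r'comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
    r'(?:\s+permissive=(?P<permissive>[01]))?'
)


def type_of(context):
    """Return the type field of a user:role:type:level security context."""
    return context.split(":")[2]


def parse_denials(text, comm=None):
    """Extract AVC denials from audit text, optionally restricted to one comm
    (the same filter ausearch -c applies)."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        if comm is not None and m.group("comm") != comm:
            continue
        denials.append({
            "comm": m.group("comm"),
            "perms": set(m.group("perms").split()),
            "stype": type_of(m.group("scontext")),
            "ttype": type_of(m.group("tcontext")),
            "tclass": m.group("tclass"),
            # permissive=1 means the access actually went through; in
            # enforcing mode the same record would mean it was blocked.
            "permissive": m.group("permissive") == "1",
        })
    return denials


def summarize(denials):
    """Merge denials into {(source type, target type, class): permissions}."""
    rules = defaultdict(set)
    for d in denials:
        rules[(d["stype"], d["ttype"], d["tclass"])].update(d["perms"])
    return rules


def allow_rules(rules):
    """Render the grouped denials as the allow rules audit2allow would emit,
    so the scope of the new module can be reviewed before semodule -i."""
    lines = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        lines.append(f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return lines


def permissive_count(denials):
    """How many of the denials were logged on a permissive system."""
    return sum(1 for d in denials if d["permissive"])


if __name__ == "__main__":
    found = parse_denials(SAMPLE_AUDIT_LOG, comm="f2b/f.sshd")
    print(f"{len(found)} AVC denials for f2b/f.sshd, "
          f"{permissive_count(found)} logged in permissive mode")
    for rule in allow_rules(summarize(found)):
        print(rule)
```

The rules printed here are what the my-f2bfsshd module would grant; the review question is whether fail2ban_t needs each permission on that target type, or whether the file should instead be relabelled so an existing policy rule already covers it. Because the poster's host is in permissive mode, every record carries permissive=1, so the "found 0 alerts" result after installing the module means the denials stopped being logged, not that any access was ever blocked.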