> On Feb 13, 2020, at 9:01 AM, Jonathan Billings <billings at negate.org> wrote:
>
> On Thu, Feb 13, 2020 at 08:42:29AM +0100, Nicolas Kovacs wrote:
>> I'm running CentOS 7 on an Internet-facing server. SELinux is in permissive
>> mode for debugging. I've removed FirewallD and replaced it with a
>> custom-made Iptables script. I've also installed and configured Fail2ban
>> (fail2ban-server package) to protect the server from brute force attacks.
>> [...]
>> As far as I can tell - and please correct me if I'm wrong - if a package
>> doesn't play well with SELinux in the default configuration, this should be
>> considered as a bug. In that case, the appropriate reaction would be to file
>> a bug on the EPEL mailing list, since EPEL provides the fail2ban-server
>> package.
>
> In your case, you are not using fail2ban in any sort of default
> configuration. Firewalld is the default firewall management in CentOS
> 7. fail2ban was set up to use firewalld, and in fact, is much more
> efficient than using iptables since the fail2ban-firewalld package
> uses ipsets instead of individual iptables rules.
>
>> SELinux is preventing /usr/bin/python2.7 from read access on the file disable.
>
> You mention the file 'disable' but I'm not aware of a file called
> 'disable' in the fail2ban-server package. What file is it trying to
> read from? Perhaps you've put a file someplace that has a label that
> makes sense for fail2ban to not be able to read from?

This bug (CLOSED WONTFIX) appears to be relevant:

https://bugzilla.redhat.com/show_bug.cgi?id=1777562

The 'disable' file is /sys/module/ipv6/parameters/disable.

Bez Thomas