On Wed, 26 Feb 2020 at 07:06, Nicolas Kovacs <[email protected]> wrote:

> Hi,
>
> I have an Internet-facing server running CentOS 7. I just installed Fail2ban
> using the following packages:
>
>    * fail2ban-server
>    * fail2ban-firewalld
>
> For the record, IPv6 is disabled on this server.
>
> Here's the SELinux error I get.
>
> ------------------------------------------------------------
> SELinux is preventing /usr/bin/python2.7 from read access on the file
> disable.
>
> *****  Plugin catchall (100. confidence) suggests   *****
>
> If you believe that python2.7 should be allowed read access on the disable
> file
> by default.
> Then you should report this as a bug.
> You can generate a local policy module to allow this access.
> Do
> allow this access for now by executing:
> # ausearch -c 'f2b/server' --raw | audit2allow -M my-f2bserver
> # semodule -i my-f2bserver.pp
> ------------------------------------------------------------
>
> Weirdly enough, when I follow this suggestion, generate the module and then
> empty audit.log and restart my server, I still get the exact same error
> again.
>
> Which makes Fail2ban unusable with SELinux in enforcing mode in the current
> state.
>

I would open a bug on this so that the maintainer knows about it. They may
not be on this list or may filter it to the 'read once a year' bucket.
Second, I would check to see what the audit2allow policy came up with and
if the files it is alerting on have the appropriate labeling. I spent a day
doing this with Nagios and then realized the file problem was that nrpe
wanted to do something and the file was labeled in a 'group' that neither
nagios nor nrpe had SELinux perms to do with.



> Cheers from the sunny South of France,
>
> Niki Kovacs
>
> --
> Microlinux - Solutions informatiques durables
> 7, place de l'église - 30730 Montpezat
> Site : https://www.microlinux.fr
> Mail : [email protected]
> Tél. : 04 66 63 10 32
> Mob. : 06 51 80 12 12
> _______________________________________________
> epel-devel mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedoraproject.org/archives/list/[email protected]
>


-- 
Stephen J Smoogen.
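
The check suggested in the reply above (see what the audit2allow policy came up with and how the denied file is labelled), as an added example that is not part of the original messages: it parses AVC records and reports, per command, the source type, the target label and the denied permissions. The sample records and the types in them (fail2ban_t, sysctl_net_t, example_t, var_t) are constructed; the thread does not show the real contexts.

```python
import re
from collections import defaultdict

# Constructed sample records (not from the thread). The scontext/tcontext
# types are assumptions for illustration; read the real ones from your log.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1582700000.101:410): avc:  denied  { read } for  pid=1201 comm="f2b/server" name="disable" dev="proc" ino=20101 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1582700000.101:410): arch=c000003e syscall=2 success=no exit=-13 comm="f2b/server"
type=AVC msg=audit(1582700900.200:522): avc:  denied  { read } for  pid=1877 comm="f2b/server" name="disable" dev="proc" ino=20101 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=0
type=AVC msg=audit(1582701000.500:530): avc:  denied  { getattr } for  pid=900 comm="example" path="/example/file" scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0
"""

DENIED = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other record."""
    m = DENIED.search(line)
    if not line.startswith("type=AVC") or not m:
        return None
    f = {k: v.strip('"') for k, v in FIELD.findall(line)}
    return {
        "perms": m.group(1).split(),
        "comm": f.get("comm", ""),
        "object": f.get("path") or f.get("name", ""),
        # An SELinux context is user:role:type:level; the type is what policy rules match.
        "source_type": f["scontext"].split(":")[2],
        "target_type": f["tcontext"].split(":")[2],
        "tclass": f["tclass"],
    }

def summarize(log_text, comm):
    """Group the denials of one command by (source type, target type, class)."""
    groups = defaultdict(lambda: {"perms": set(), "objects": set()})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["comm"] == comm:
            key = (rec["source_type"], rec["target_type"], rec["tclass"])
            groups[key]["perms"].update(rec["perms"])
            groups[key]["objects"].add(rec["object"])
    return dict(groups)

def allow_rules(groups):
    """Render each group as the allow rule a local module would have to contain."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(g['perms']))} }};"
            for (s, t, c), g in sorted(groups.items())]

if __name__ == "__main__":
    for rule in allow_rules(summarize(SAMPLE_AUDIT_LOG, "f2b/server")):
        print(rule)
```

Feed it the output of `ausearch -c 'f2b/server' --raw` instead of the sample, then compare the target type it reports with the label `ls -Z` shows on the file and with the rules in the generated my-f2bserver.te.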