Re: Need SELinux help for fail2ban!

"/run/fail2ban(/.*)?" is usually how it is done, so I was wondering if restorecon didn't like current form for some reason. However, as you mentioned in the other email, it works on a fresh system, so this is not the problem. On 5/4/24 14:58, Richard Shaw wrote: On Sat, May 4, 2024 at 4:49 PM

Re: Need SELinux help for fail2ban!

I don't think the problem is the "fc" file, but the fact that the file in /run/fail2ban didn't get relabeled when the users updated, or the selinux subpackage didn't get updated at all. That explains why it works on a fresh system. The specificity of "/run/fail2ban(/.*)?" is better and safer,

Re: Need SELinux help for fail2ban!

I'm trying to reproduce the problem on the Fedora rawhide test machine but it's running without error! $ sudo systemctl status fail2ban.service ● fail2ban.service - Fail2Ban Service Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; disabled; preset: disabled) Drop-In:

Re: Need SELinux help for fail2ban!

On 5/4/24 2:58 PM, Richard Shaw wrote: On Sat, May 4, 2024 at 4:49 PM Carlos Rodriguez-Fernandez mailto:carlosrodrifernan...@gmail.com>> wrote: The suggestion for one of the comments of using `/run/fail2ban(/.*)?` instead of `/run/fail2ban.*` doesn't work? I try to be very careful

Re: Need SELinux help for fail2ban!

On Sat, May 4, 2024 at 4:49 PM Carlos Rodriguez-Fernandez < carlosrodrifernan...@gmail.com> wrote: > The suggestion for one of the comments of using `/run/fail2ban(/.*)?` > instead of `/run/fail2ban.*` doesn't work? > I try to be very careful with making changes in SELinux and I don't know what

Re: Need SELinux help for fail2ban!

The suggestion for one of the comments of using `/run/fail2ban(/.*)?` instead of `/run/fail2ban.*` doesn't work? On 5/4/24 13:05, Richard Shaw wrote: I still don't understand SELinux and would appreciate an assist! fail2ban-server is unable to create the socket file

Re: Need SELinux help for fail2ban!

On 5/4/24 1:05 PM, Richard Shaw wrote: I still don't understand SELinux and would appreciate an assist! fail2ban-server is unable to create the socket file /run/fail2ban/fail2ban.sock There's a lot of custom SELinux policies and I'm unable to figure out what needs to change. I made a PR.

Need SELinux help for fail2ban!

I still don't understand SELinux and would appreciate an assist! fail2ban-server is unable to create the socket file /run/fail2ban/fail2ban.sock There's a lot of custom SELinux policies and I'm unable to figure out what needs to change. https://bugzilla.redhat.com/show_bug.cgi?id=2279054

Re: SELinux help

On 6/26/22 07:54, Richard Shaw wrote: On Sat, Jun 25, 2022 at 6:13 PM Samuel Sieb > wrote: On 6/25/22 06:59, Richard Shaw wrote: > Fail2ban works fine in F35 but now has an SELinux problem in F36[1]... > > While not a SELinux expert I can often

Re: SELinux help

On Sat, Jun 25, 2022 at 6:13 PM Samuel Sieb wrote: > On 6/25/22 06:59, Richard Shaw wrote: > > Fail2ban works fine in F35 but now has an SELinux problem in F36[1]... > > > > While not a SELinux expert I can often reason things out but the > > "unconfined" stuff confuses me. > > > > type=AVC

Re: SELinux help

On 6/25/22 06:59, Richard Shaw wrote: Fail2ban works fine in F35 but now has an SELinux problem in F36[1]... While not a SELinux expert I can often reason things out but the "unconfined" stuff confuses me. type=AVC msg=audit(1655618425.791:3076): avc:  denied  { connectto } for  

Re: fail2ban: need selinux help!

On Tue, May 25, 2021 at 2:01 PM Richard Shaw wrote: > Due to a change in SELinux for Fedora 34 (I can't find the link right > now), the policy for fail2ban needs to be updated[1] but the changes are a > little bit beyond my understanding of SELinux. > > Any help or pointers from an expert? > Hi

fail2ban: need selinux help!

Due to a change in SELinux for Fedora 34 (I can't find the link right now), the policy for fail2ban needs to be updated[1] but the changes are a little bit beyond my understanding of SELinux. Any help or pointers from an expert? Thanks, Richard [1]

Re: Package Review SELinux help

On Monday, 29 June 2020 20:55:45 CEST Daniel Walsh wrote: > On 6/26/20 14:39, Robert-André Mauchin wrote: > > > Hello, > > > > > > > > > > I know next to nothing about SELinux so I'd like some help about the > > Bitcoin Package Review by negativo17: > > > > > > > >

Re: Package Review SELinux help

On Fri, Jun 26, 2020 at 08:39:19PM +0200, Robert-André Mauchin wrote: > Hello, > > > I know next to nothing about SELinux so I'd like some help about the Bitcoin > Package Review by negativo17: > > https://bugzilla.redhat.com/show_bug.cgi?id=1834731 > > Notably: are the bitcoin.{te,fc,if}

Re: Package Review SELinux help

On 6/26/20 14:39, Robert-André Mauchin wrote: > Hello, > > > I know next to nothing about SELinux so I'd like some help about the Bitcoin > Package Review by negativo17: > > https://bugzilla.redhat.com/show_bug.cgi?id=1834731 > > Notably: are the bitcoin.{te,fc,if} files are sane? > Are they

Package Review SELinux help

Hello, I know next to nothing about SELinux so I'd like some help about the Bitcoin Package Review by negativo17: https://bugzilla.redhat.com/show_bug.cgi?id=1834731 Notably: are the bitcoin.{te,fc,if} files are sane? Are they installed properly in the SPEC? Especially these parts: %post

BackupPC SELinux HELP!

I've got a bug report[1] I've been trying to figure out but have not been able to figure it out. I keep re-teaching myself SELinux every time I run into a problem but this one is just too convoluted. For those that don't know BackupPC is perl based (which doesn't application of selinux contexts)

Re: BackupPC selinux help

On 2019-09-04 10:40, Richard Shaw wrote: On Wed, Sep 4, 2019 at 9:36 AM John Florian > wrote: On 2019-08-30 13:51, Richard Shaw wrote: > He's already tried restorecon, changed from a symlink to a bind mount > (for the backup root)... Maybe a

Re: BackupPC selinux help

On Wed, Sep 4, 2019 at 9:36 AM John Florian wrote: > On 2019-08-30 13:51, Richard Shaw wrote: > > He's already tried restorecon, changed from a symlink to a bind mount > > (for the backup root)... > > Maybe a dumb Q, but have you tried doing the same? Maybe it's your host > that's not per

Re: BackupPC selinux help

On 2019-08-30 13:51, Richard Shaw wrote: He's already tried restorecon, changed from a symlink to a bind mount (for the backup root)... Maybe a dumb Q, but have you tried doing the same?  Maybe it's your host that's not per defaults. ___ devel

BackupPC selinux help

I've got a bug report[1] for BackupPC where the user is having issues with AVC denials when browsing hosts. This is actually from my COPR but it's the same SRPM I use for Fedora. There are almost 50k downloads and this is the only report of a problem so I don't think there's a fundamental issue

Re: GCL and SELinux: help requested

On Thu, Nov 23, 2017 at 10:21 AM, Lukas Vrabec wrote: > On 11/23/2017 10:17 AM, Javier Martinez Canillas wrote: >> >> Hello, >> >> On Fri, Oct 20, 2017 at 2:12 PM, Lukas Vrabec wrote: >> >> [snip] >> >>> >>> Hello community, >>> We, as Red Hat SELinux

Re: GCL and SELinux: help requested

On 11/23/2017 10:17 AM, Javier Martinez Canillas wrote: Hello, On Fri, Oct 20, 2017 at 2:12 PM, Lukas Vrabec wrote: [snip] Hello community, We, as Red Hat SELinux team, apologise for recent delays with our answers to your requests and questions related to SELinux. We

Re: GCL and SELinux: help requested

Hello, On Fri, Oct 20, 2017 at 2:12 PM, Lukas Vrabec wrote: [snip] > > Hello community, > We, as Red Hat SELinux team, apologise for recent delays with our answers to > your requests and questions related to SELinux. We have been quite busy last > couple of weeks so we

Re: GCL and SELinux: help requested

On Tue, Oct 24, 2017 at 12:25:14PM +0200, Petr Lautrbach wrote: > On Tue, Oct 24, 2017 at 09:10:32AM +0200, Dominik 'Rathann' Mierzejewski > wrote: > > Hello, Lukas. > > Thanks for this thread. > > > > On Monday, 23 October 2017 at 17:50, Lukas Vrabec wrote: > > > On 10/21/2017 08:48 PM, Kevin

Re: GCL and SELinux: help requested

On Tue, Oct 24, 2017 at 09:10:32AM +0200, Dominik 'Rathann' Mierzejewski wrote: > Hello, Lukas. > Thanks for this thread. > > On Monday, 23 October 2017 at 17:50, Lukas Vrabec wrote: > > On 10/21/2017 08:48 PM, Kevin Fenzi wrote: > [...] > > > Also, perhaps it would make sense to move to a more

Re: GCL and SELinux: help requested

Hello, Lukas. Thanks for this thread. On Monday, 23 October 2017 at 17:50, Lukas Vrabec wrote: > On 10/21/2017 08:48 PM, Kevin Fenzi wrote: [...] > > Also, perhaps it would make sense to move to a more normal looking > > release flow instead of a massive patch? I think that might make it > >

Re: GCL and SELinux: help requested

On 10/21/2017 08:48 PM, Kevin Fenzi wrote: On 10/20/2017 05:12 AM, Lukas Vrabec wrote: Hello community, Hey Lukas. Thanks for chiming in here. We, as Red Hat SELinux team, apologise for recent delays with our answers to your requests and questions related to SELinux. We have been quite

Re: GCL and SELinux: help requested

On 10/20/2017 05:12 AM, Lukas Vrabec wrote: > Hello community, Hey Lukas. Thanks for chiming in here. > We, as Red Hat SELinux team, apologise for recent delays with our > answers to your requests and questions related to SELinux. We have been > quite busy last couple of weeks so we decided to

Re: GCL and SELinux: help requested

On 10/13/2017 11:07 PM, Jerry James wrote: On Sat, Oct 7, 2017 at 9:34 AM, Jerry James wrote: I don't believe that anybody looks at those pull requests on a regular basis. Should somebody be doing so? There are 8 pull requests, dating back to about the time of the above

Re: GCL and SELinux: help requested

On Mon, Oct 16, 2017 at 12:04:58PM -0700, Japheth Cleaver wrote: > On 10/13/2017 2:41 PM, Richard W.M. Jones wrote: > >On Fri, Oct 13, 2017 at 03:07:05PM -0600, Jerry James wrote: > >>But that's not the end of the fun. GCL failed the mass rebuild this > >>summer. It built successfully on every

Re: GCL and SELinux: help requested

On 10/16/2017 09:04 PM, Japheth Cleaver wrote: On 10/13/2017 2:41 PM, Richard W.M. Jones wrote: On Fri, Oct 13, 2017 at 03:07:05PM -0600, Jerry James wrote: But that's not the end of the fun.  GCL failed the mass rebuild this summer.  It built successfully on every architecture but s390x.  On

Re: GCL and SELinux: help requested

On 10/13/2017 2:41 PM, Richard W.M. Jones wrote: On Fri, Oct 13, 2017 at 03:07:05PM -0600, Jerry James wrote: But that's not the end of the fun. GCL failed the mass rebuild this summer. It built successfully on every architecture but s390x. On s390x, the build failed due to a failed call to

Re: GCL and SELinux: help requested

> On Fri, 2017-10-13 at 14:53 -0700, Kevin Fenzi wrote: > > I don't know. Others have expressed frustration with selinux policy > > maintainers of late as well. It's really hard to say what the trouble > > is... are there to few of them? Overtasked with other work? Workflow too > > difficult?

Re: GCL and SELinux: help requested

On 14 Oct 2017 12:08 am, "Adam Williamson" wrote: On Fri, 2017-10-13 at 15:58 -0700, Kevin Fenzi wrote: > On 10/13/2017 03:00 PM, Adam Williamson wrote: > > On Fri, 2017-10-13 at 14:53 -0700, Kevin Fenzi wrote: > > > It's really hard to say what the trouble > > >

Re: GCL and SELinux: help requested

On Fri, 2017-10-13 at 15:58 -0700, Kevin Fenzi wrote: > On 10/13/2017 03:00 PM, Adam Williamson wrote: > > On Fri, 2017-10-13 at 14:53 -0700, Kevin Fenzi wrote: > > > It's really hard to say what the trouble > > > is... are there to few of them? Overtasked with other work? Workflow too > > >

Re: GCL and SELinux: help requested

On 10/13/2017 03:00 PM, Adam Williamson wrote: > On Fri, 2017-10-13 at 14:53 -0700, Kevin Fenzi wrote: >> It's really hard to say what the trouble >> is... are there to few of them? Overtasked with other work? Workflow too >> difficult? > > AFAIK it's basically just lvrabec at the moment, and I

Re: GCL and SELinux: help requested

On Fri, 2017-10-13 at 14:53 -0700, Kevin Fenzi wrote: > It's really hard to say what the trouble > is... are there to few of them? Overtasked with other work? Workflow too > difficult? AFAIK it's basically just lvrabec at the moment, and I think the 'map' permission issues that showed up this

Re: GCL and SELinux: help requested

On 10/13/2017 02:07 PM, Jerry James wrote: > On Sat, Oct 7, 2017 at 9:34 AM, Jerry James wrote: ...snip... > But that's not the end of the fun. GCL failed the mass rebuild this > summer. It built successfully on every architecture but s390x. On > s390x, the build failed

Re: GCL and SELinux: help requested

On 10/13/2017 11:07 PM, Jerry James wrote: But that's not the end of the fun. GCL failed the mass rebuild this summer. It built successfully on every architecture but s390x. On s390x, the build failed due to a failed call to mprotect(), almost certainly a sign that SELinux was in enforcing

Re: GCL and SELinux: help requested

On Fri, Oct 13, 2017 at 03:07:05PM -0600, Jerry James wrote: > But that's not the end of the fun. GCL failed the mass rebuild this > summer. It built successfully on every architecture but s390x. On > s390x, the build failed due to a failed call to mprotect(), almost > certainly a sign that

GCL and SELinux: help requested

On Sat, Oct 7, 2017 at 9:34 AM, Jerry James wrote: > I don't believe that anybody looks at those pull requests on a regular > basis. Should somebody be doing so? There are 8 pull requests, > dating back to about the time of the above conversation. Five of > those don't