search for: fail2ban_t

I am seeing these in the log of one of our off-site NX hosts running CentOS-6.6. type=AVC msg=audit(1421683972.786:4372): avc: denied { create } for pid=22788 comm="iptables" scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 tclass=rawip_socket Was caused by: Missing type enforcement (TE) allow rule. You can use audit2allow to generate a loadable module to allow this access. SELinux is preventing /sbin/iptables-multi-1.4.7 from search...

On Mon, January 19, 2015 11:50, James B. Byrne wrote: > I am seeing these in the log of one of our off-site NX hosts running > CentOS-6.6. > > type=AVC msg=audit(1421683972.786:4372): avc: denied { create } for > pid=22788 comm="iptables" scontext=system_u:system_r:fail2ban_t:s0 > tcontext=system_u:system_r:fail2ban_t:s0 tclass=rawip_socket > Was caused by: > Missing type enforcement (TE) allow rule. > > You can use audit2allow to generate a loadable module > to allow this access. > > SELinux is preventing...

...d=1777562 > We're a bit stalled at the moment I'm afradi > Finally had some time to look into this. Happy to say fail2ban now appears to be working. 1. I found that reading the CentOS web site about SElinux was helpful and this led me to issue the following: semanage permissive -a fail2ban_t this places just fail2ban requests (got the context from the scontext part of the SElinux error message) into permissive mode rather than the entire OS. 2. Then a look into the SElinux troubleshooter gave me the errors that were occurring and following the suggested instructions I created a m...

...arch -c 'f2b/server' --raw | sudo audit2allow -M my-f2bserver > $ sudo semodule -i my-f2bserver.pp > > I'm not sure with SELinux. https://bugzilla.redhat.com/show_bug.cgi?id=1777562 This bug was posted earlier. Sadly, it was closed WONTFIX, but the policy you need is: allow fail2ban_t sysfs_t:file { getattr open read }; allow fail2ban_t sysctl_net_t:dir { search }; allow fail2ban_t sysctl_net_t:file { getattr open read }; Honestly, if this really affects all users of fail2ban, I?ll probably push back on the ticket to get it updated. I?ve successfully had the policy updated to...

...il2ban. After several iterations with fail2ban restart, ausearch and audit2allow like this: ausearch -c 'f2b/server' --raw | audit2allow -M f2b-addon I came up with a SELinux module like that: module f2b-addon 1.0; require { type sysctl_net_t; type sysfs_t; type fail2ban_t; class file { getattr open read }; class dir search; } #============= fail2ban_t ============== #!!!! This avc is allowed in the current policy allow fail2ban_t sysctl_net_t:dir search; #!!!! This avc is allowed in the current policy allow fail2ban_t sysctl_net_t:file { getattr o...

...using fail2ban with the -firewalld and -systemd modules, and I had to setup some SELinux rules to make it working right. This is the policy I add to the CentOS 7 machines: module fail2ban-journal-sepol-new 1.0; require { type fail2ban_client_exec_t; type logrotate_t; type fail2ban_t; type syslogd_var_run_t; class dir read; class file { ioctl read execute execute_no_trans open getattr }; } #============= fail2ban_t ============== #!!!! This avc is allowed in the current policy allow fail2ban_t syslogd_var_run_t:dir read; #!!!! This avc is allowed in t...

...audit2allow -M my-f2bserver > > $ sudo semodule -i my-f2bserver.pp > > > > I'm not sure with SELinux. > > https://bugzilla.redhat.com/show_bug.cgi?id=1777562 > This bug was posted earlier. Sadly, it was closed WONTFIX, but the policy > you need is: > > allow fail2ban_t sysfs_t:file { getattr open read }; > allow fail2ban_t sysctl_net_t:dir { search }; > allow fail2ban_t sysctl_net_t:file { getattr open read }; > Honestly, if this really affects all users of fail2ban, I?ll probably push > back on the ticket to get it updated. I?ve successfully had the...

On Mon, March 9, 2015 13:11, John Plemons wrote: > Been working on fail2ban, and trying to make it work with plain Jane > install of Centos 7 > > Machine is a HP running 2 Quad core Xeons, 16 gig or ram and 1 plus TB > of disk space. Very generic and vanilla. > > Current available epel repo version is fail2ban-0.9.1 > > Looking at the log file, fail2ban starts and stops

...n.jail [8545]: INFO Jail 'openvpn' started [...] BUT: SELinux complains about fail2ban: type=AVC msg=audit(1586413496.76:53507): avc: denied { read } for pid=1324 comm="f2b/f.apache" name="disable" dev="sysfs" ino=1481 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0 So it seems somehow fail2ban does not add the required ip sets correctly. From what I see in firewalld logfile it seems these problems started after the last updates on April 2nd. On this day I did a "yum update" which e...

...at the moment I'm afradi >> > Finally had some time to look into this. Happy to say fail2ban now > appears to be working. > > 1. I found that reading the CentOS web site about SElinux was helpful > and this led me to issue the following: > > semanage permissive -a fail2ban_t > > this places just fail2ban requests (got the context from the scontext > part of the SElinux error message) into permissive mode rather than the > entire OS. > > 2. Then a look into the SElinux troubleshooter gave me the errors that > were occurring and following the su...

Hi, Some time ago I had SELinux problems with Fail2ban. One of the users on this list suggested that it might be due to the fact that I'm using a bone-headed iptables script instead of FirewallD. I've spent the past few weeks getting up to date with doing things in a more orthodox manner. So currently my internet-facing CentOS server has a nicely configured NetworkManager, and