search for: sysctl_net_t

Displaying 8 results from an estimated 8 matches for "sysctl_net_t".

2020 Feb 26
3
CentOS 7 : SELinux trouble with Fail2ban
...rver > $ sudo semodule -i my-f2bserver.pp > > I'm not sure with SELinux. https://bugzilla.redhat.com/show_bug.cgi?id=1777562 This bug was posted earlier. Sadly, it was closed WONTFIX, but the policy you need is: allow fail2ban_t sysfs_t:file { getattr open read }; allow fail2ban_t sysctl_net_t:dir { search }; allow fail2ban_t sysctl_net_t:file { getattr open read }; Honestly, if this really affects all users of fail2ban, I'll probably push back on the ticket to get it updated. I've successfully had the policy updated to handle issues with popular non-RHEL/CentOS packages. -- Jonathan...
2020 Apr 09
2
fail2ban firewalld problems with current CentOS 7
...s like something changed regarding selinux and fail2ban. After several iterations with fail2ban restart, ausearch and audit2allow like this: ausearch -c 'f2b/server' --raw | audit2allow -M f2b-addon I came up with a SELinux module like that: module f2b-addon 1.0; require { type sysctl_net_t; type sysfs_t; type fail2ban_t; class file { getattr open read }; class dir search; } #============= fail2ban_t ============== #!!!! This avc is allowed in the current policy allow fail2ban_t sysctl_net_t:dir search; #!!!! This avc is allowed in the current policy...
2020 Apr 17
2
[SOLVED] fail2ban firewalld problems with current CentOS 7
On 13/04/20 1:30 pm, Orion Poplawski wrote: > On 4/9/20 6:31 AM, Andreas Haumer wrote: > ... >> I'm neither a fail2ban nor a SELinux expert, but it seems the >> standard fail2ban SELinux policy as provided by CentOS 7 is not >> sufficient anymore and the recent updates did not correctly >> update the required SELinux policies. >> >> I could report this
2005 Jul 06
0
SELinux startup issue on FC4...
...scontext=system_u:system_r:ifconfig_t tcontext=system_u:object_r:var_lib_t tclass=file type=AVC msg=audit(1120675556.084:95462): avc: denied { write } for pid=2641 comm="ip" name="flush" dev=proc ino=-268435296 scontext=system_u:system_r:ifconfig_t tcontext=system_u:object_r:sysctl_net_t tclass=file type=PATH msg=audit(1120675555.879:90329): item=0 name="/sbin/ip" type=AVC_PATH msg=audit(1120675555.879:90329): path="/tmp/shorewall.Gh1879/providers" type=AVC msg=audit(1120675555.879:90329): avc: denied { read } for pid=2588 comm="ip" name="pro...
2020 Feb 26
0
CentOS 7 : SELinux trouble with Fail2ban
....pp > > > > I'm not sure with SELinux. > > https://bugzilla.redhat.com/show_bug.cgi?id=1777562 > This bug was posted earlier. Sadly, it was closed WONTFIX, but the policy > you need is: > > allow fail2ban_t sysfs_t:file { getattr open read }; > allow fail2ban_t sysctl_net_t:dir { search }; > allow fail2ban_t sysctl_net_t:file { getattr open read }; > Honestly, if this really affects all users of fail2ban, I'll probably push > back on the ticket to get it updated. I've successfully had the policy > updated to handle issues with popular non-RHEL/CentOS packa...
2020 Feb 26
5
CentOS 7 : SELinux trouble with Fail2ban
Hi, Some time ago I had SELinux problems with Fail2ban. One of the users on this list suggested that it might be due to the fact that I'm using a bone-headed iptables script instead of FirewallD. I've spent the past few weeks getting up to date with doing things in a more orthodox manner. So currently my internet-facing CentOS server has a nicely configured NetworkManager, and
2020 Apr 09
2
fail2ban firewalld problems with current CentOS 7
Hi! I have a server running CentOS 7.7 (1908) with all current patches installed. I think this server should be a quite standard installation with no specialities. On this server I have fail2ban with an apache and openvpn configuration. I'm using firewalld to manage the firewall rules. Fail2ban is configured to use firewalld: [root at server ~]# ll /etc/fail2ban/jail.d/ insgesamt 12
2018 Aug 27
0
Very odd: /proc/sys/net/ipv6/conf/all/disable_ipv6
CentOS 7.5, and on one system, I'm getting: setroubleshoot: SELinux is preventing /usr/sbin/sendmail.sendmail from read access on the file disable_ipv6 ll -Z shows -rw-r--r--. root root system_u:object_r:sysctl_net_t:s0 /proc/sys/net/ipv6/conf/all/disable_ipv6 I find this peculiar. Anyone have a resolution, or is this a bug? mark