1943696 – SELinux is preventing f2b/f.dropbear from 'watch' accesses on the dossier /var/log/journal/ec1f2eff01f44aa2bebe5f6230eac47b.

Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.

Bug 1943696 - SELinux is preventing f2b/f.dropbear from 'watch' accesses on the dossier /var/log/journal/ec1f2eff01f44aa2bebe5f6230eac47b.

Summary: SELinux is preventing f2b/f.dropbear from 'watch' accesses on the dossier /va...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	fail2ban
Sub Component:
Version:	34
Hardware:	x86_64
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Richard Shaw
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:	abrt_hash:b8f50c74f444045c703736e6e66...
Duplicates (7):	1943785 1953321 1953322 1953323 1953324 1953325 1965444 (view as bug list)
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2021-03-26 20:11 UTC by Nicolas Berrehouc
Modified:	2023-09-12 03:55 UTC (History)
CC List:	18 users (show)
Fixed In Version:	fail2ban-0.11.2-6.fc34
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2021-06-15 01:04:44 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Nicolas Berrehouc 2021-03-26 20:11:44 UTC

Description of problem:
After upgrading from F33 to F34 Beta
SELinux is preventing f2b/f.dropbear from 'watch' accesses on the dossier /var/log/journal/ec1f2eff01f44aa2bebe5f6230eac47b.

*****  Plugin catchall (100. confidence) suggests   **************************

Si vous pensez que f.dropbear devrait être autorisé à accéder watch sur ec1f2eff01f44aa2bebe5f6230eac47b directory par défaut.
Then vous devriez rapporter ceci en tant qu'anomalie.
Vous pouvez générer un module de stratégie local pour autoriser cet accès.
Do
autoriser cet accès pour le moment en exécutant :
# ausearch -c "f2b/f.dropbear" --raw | audit2allow -M my-f2bfdropbear
# semodule -X 300 -i my-f2bfdropbear.pp

Additional Information:
Source Context                system_u:system_r:fail2ban_t:s0
Target Context                system_u:object_r:var_log_t:s0
Target Objects                /var/log/journal/ec1f2eff01f44aa2bebe5f6230eac47b
                              [ dir ]
Source                        f2b/f.dropbear
Source Path                   f2b/f.dropbear
Port                          <Inconnu>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-3.14.7-27.fc34.noarch
Local Policy RPM              selinux-policy-targeted-3.14.7-27.fc34.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 5.11.9-300.fc34.x86_64 #1 SMP Wed
                              Mar 24 12:06:51 UTC 2021 x86_64 x86_64
Alert Count                   2
First Seen                    2021-03-26 21:05:38 CET
Last Seen                     2021-03-26 21:05:38 CET
Local ID                      716f7a76-7c19-47b9-86fc-9087dcda3799

Raw Audit Messages
type=AVC msg=audit(1616789138.913:525): avc:  denied  { watch } for  pid=814 comm="f2b/f.dropbear" path="/var/log/journal/ec1f2eff01f44aa2bebe5f6230eac47b" dev="sda2" ino=168932 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir permissive=0


Hash: f2b/f.dropbear,fail2ban_t,var_log_t,dir,watch

Version-Release number of selected component:
selinux-policy-targeted-3.14.7-27.fc34.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.14.0
hashmarkername: setroubleshoot
kernel:         5.11.9-300.fc34.x86_64
type:           libreport

Comment 1 Zdenek Pytela 2021-03-31 19:11:38 UTC

*** Bug 1943785 has been marked as a duplicate of this bug. ***

Comment 2 Zdenek Pytela 2021-04-12 18:07:04 UTC

Switching the component as fail2ban ships its custom policy module.

This interface call needs to be added for f34 and later builds:

optional_policy(`
\tlogging_watch_generic_log_dirs(fail2ban_t)
')

Comment 3 Richard Shaw 2021-04-12 18:55:40 UTC

$DAYJOB is killing me right now. Could you provide the update in the form of a patch? Or even better a PR on Rawhide and I'll merge down to F34.

Comment 4 Zdenek Pytela 2021-04-12 19:12:23 UTC

Richard,

No problem with the PR. I would have already done it, I had actualy cloned https://github.com/fail2ban/fail2ban.git before, withou success, but the selinux policy files seem to be in https://src.fedoraproject.org/rpms/fail2ban/tree/rawhide, right?

Comment 5 Richard Shaw 2021-04-29 12:15:44 UTC

Yes, sorry I meant to get back to this and now I have several BZs for this, dang it.

https://src.fedoraproject.org/rpms/fail2ban/blob/rawhide/f/fail2ban.if

Comment 6 Zdenek Pytela 2021-05-26 15:47:22 UTC

This is a list of requested permissions from the dup bzs:

allow fail2ban_t auditd_log_t:dir watch;
allow fail2ban_t auditd_log_t:file watch;
allow fail2ban_t fail2ban_log_t:file watch;
allow fail2ban_t syslogd_var_run_t:dir watch;
allow fail2ban_t var_log_t:dir watch;

Richard, if you still can't get to these, I will suggest the solution soon.

Comment 7 Zdenek Pytela 2021-05-26 15:47:37 UTC

*** Bug 1953321 has been marked as a duplicate of this bug. ***

Comment 8 Zdenek Pytela 2021-05-26 15:47:57 UTC

*** Bug 1953322 has been marked as a duplicate of this bug. ***

Comment 9 Zdenek Pytela 2021-05-26 15:48:07 UTC

*** Bug 1953323 has been marked as a duplicate of this bug. ***

Comment 10 Zdenek Pytela 2021-05-26 15:48:14 UTC

*** Bug 1953324 has been marked as a duplicate of this bug. ***

Comment 11 Zdenek Pytela 2021-05-26 15:48:22 UTC

*** Bug 1953325 has been marked as a duplicate of this bug. ***

Comment 12 Zdenek Pytela 2021-05-27 07:35:06 UTC

I've submitted a Fedora PR to address the issue:
https://github.com/fedora-selinux/selinux-policy/pull/755

There needs to be an interface added to selinux-policy, the other commit can be then backported to fail2ban.

Comment 13 Richard Shaw 2021-05-27 11:41:40 UTC

So for now I should pull those changes into the fail2ban policy? But once your PR makes it into an update I won't need it anymore?

Comment 14 Richard Shaw 2021-05-28 12:27:18 UTC

*** Bug 1965444 has been marked as a duplicate of this bug. ***

Comment 15 Fedora Update System 2021-06-06 13:00:19 UTC

FEDORA-2021-0f39cb8d2e has been submitted as an update to Fedora 34. https://bodhi.fedoraproject.org/updates/FEDORA-2021-0f39cb8d2e

Comment 16 Fedora Update System 2021-06-07 01:29:34 UTC

FEDORA-2021-0f39cb8d2e has been pushed to the Fedora 34 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-0f39cb8d2e`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-0f39cb8d2e

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 17 Paul Howarth 2021-06-10 12:22:17 UTC

After installing the update I still get these:

type=AVC msg=audit(1623327223.709:6536): avc:  denied  { watch } for  pid=118968 comm="fail2ban-server" path="/var/log/secure" dev="dm-0" ino=662190 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(1623327223.713:6537): avc:  denied  { watch } for  pid=118968 comm="fail2ban-server" path="/var/log/httpd" dev="dm-0" ino=658553 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1623327223.713:6538): avc:  denied  { watch } for  pid=118968 comm="fail2ban-server" path="/var/log/httpd/access_log" dev="dm-0" ino=662142 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file permissive=0

These come from local configs that detect brute-force attacks on a webapp and my dovecot IMAP server. I imagine many users may have similar configurations.

Comment 18 Richard Shaw 2021-06-11 13:25:20 UTC

Zdenek, does the SELinux policy update that got merged address Paul's issues?

Comment 19 Zdenek Pytela 2021-06-11 15:07:20 UTC

I've just sent a PR to backport the change to f2b distgit:
https://src.fedoraproject.org/rpms/fail2ban/pull-request/3

Note selinux-policy-34.9-1 or newer is required, the build dependency may also be added to the specfile.

Since fail2ban ships its own policy of the same name, but installed with higher priority, the fix actually only needs to be applied there (see #c12).

Also sorry I've mistakenly set this bz resolved by selinux-policy update which is not true, just a prerequisite.

Comment 20 Paul Howarth 2021-06-11 15:12:54 UTC

I'm using fail2ban-0.11.2-6.fc34 from updates-testing and that fixed lots of issues but left the ones from Comment #17.

Also selinux-policy-34.11-1.fc34.

I worked around the issues using local policy but these look rather over-permissive for what fail2ban needs:

apache_manage_log(fail2ban_t)
logging_manage_generic_logs(fail2ban_t)

Comment 21 Zdenek Pytela 2021-06-11 21:34:11 UTC

(In reply to Paul Howarth from comment #17)
> After installing the update I still get these:
> 
> type=AVC msg=audit(1623327223.709:6536): avc:  denied  { watch } for 
> pid=118968 comm="fail2ban-server" path="/var/log/secure" dev="dm-0"
> ino=662190 scontext=system_u:system_r:fail2ban_t:s0
> tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
> type=AVC msg=audit(1623327223.713:6537): avc:  denied  { watch } for 
> pid=118968 comm="fail2ban-server" path="/var/log/httpd" dev="dm-0"
> ino=658553 scontext=system_u:system_r:fail2ban_t:s0
> tcontext=system_u:object_r:httpd_log_t:s0 tclass=dir permissive=0
> type=AVC msg=audit(1623327223.713:6538): avc:  denied  { watch } for 
> pid=118968 comm="fail2ban-server" path="/var/log/httpd/access_log"
> dev="dm-0" ino=662142 scontext=system_u:system_r:fail2ban_t:s0
> tcontext=system_u:object_r:httpd_log_t:s0 tclass=file permissive=0
> 
> These come from local configs that detect brute-force attacks on a webapp
> and my dovecot IMAP server. I imagine many users may have similar
> configurations.
Paul,
I am sorry, I haven't noticed the additional comments.

(In reply to Richard Shaw from comment #18)
> Zdenek, does the SELinux policy update that got merged address Paul's issues?
Richard,
I'd leave it up to your decision: IMO /var/log/secure should definitely be allowed, regarding httpd I cannot assess: it can be seen as common configuration or user adjustment, in the latter case we usually suggest to create a local policy.

For the former one, on the other hand, the approach can even be more general, allowing the access to any file and directory with a SELinux type which is a part of the logfile attribute, i. e. to almost all (if not all) log files/dirs.

(In reply to Paul Howarth from comment #20)
> I'm using fail2ban-0.11.2-6.fc34 from updates-testing and that fixed lots of
> issues but left the ones from Comment #17.
> 
> Also selinux-policy-34.11-1.fc34.
> 
> I worked around the issues using local policy but these look rather
> over-permissive for what fail2ban needs:
> 
> apache_manage_log(fail2ban_t)
> logging_manage_generic_logs(fail2ban_t)
You are right: as a workaround it is acceptable, but it is overpermissive.

Comment 22 Fedora Update System 2021-06-15 01:04:44 UTC

FEDORA-2021-0f39cb8d2e has been pushed to the Fedora 34 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 23 Red Hat Bugzilla 2023-09-12 03:55:01 UTC

The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days

Note You need to log in before you can comment on or make changes to this bug.