Bug 2100820 - Selinux no access to journal from f2b/f.sshd
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: fail2ban
Version: epel9
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Orion Poplawski
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2022-06-24 11:11 UTC by Steve Traylen
Modified: 2023-04-10 00:42 UTC (History)

Fixed In Version: fail2ban-1.0.2-3.el9
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-04-10 00:42:29 UTC
Type: Bug
Embargoed:



Description Steve Traylen 2022-06-24 11:11:41 UTC
```
type=AVC msg=audit(1656066390.060:54): avc:  denied  { watch } for  pid=7957 comm="f2b/f.sshd" path="/run/log/journal/488cebb3cf46439fb26be4638cad344d" dev="tmpfs" ino=59 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:syslogd_var_run_t:s0 tclass=dir permissive=0

        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.
```

Comment 1 Steve Traylen 2022-06-24 13:12:36 UTC
Another one that only occurs on startup as well.

```
type=AVC msg=audit(1656075020.194:1363373): avc:  denied  { execmem } for  pid=409029 comm="grep" scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 tclass=process permissive=0

        Was caused by:
                Unknown - would be allowed by active policy
                Possible mismatch between this policy and the one under which the audit message was generated.

                Possible mismatch between current in-memory boolean settings vs. permanent ones.
```

With the following .te file, fail2ban is now working again on CentOS Stream 9.


fail2ban-server-0.11.2-12.el9.noarch

```
module fail2ban-syslog 1.1;

require {
        type syslogd_var_run_t;
        type fail2ban_t;
        class dir watch;
        class process execmem;
}

#============= fail2ban_t ==============
allow fail2ban_t self:process execmem;
allow fail2ban_t syslogd_var_run_t:dir watch;
```
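The allow rules in the module quoted above follow mechanically from the two AVC records in this report. As an added example (not code from the report, from fail2ban, or from the SELinux userspace tools), the script below parses such records and renders a loadable-module source the way the core of audit2allow does, so the mapping from denial to rule is visible. The AVC lines embedded in it are the two quoted in this report; the module name and version are taken from the comment above, and the build commands in the final comment are the standard checkmodule/semodule_package/semodule sequence, to be run on the affected host rather than here.

```python
"""Turn SELinux AVC denial records into type-enforcement (TE) allow rules.

Added example for this bug report, not code from fail2ban or from the
SELinux tooling. AVC_LINES is constructed from the two records quoted in
the report so the script runs offline.
"""
import re
from collections import defaultdict

AVC_LINES = """\
type=AVC msg=audit(1656066390.060:54): avc:  denied  { watch } for  pid=7957 comm="f2b/f.sshd" path="/run/log/journal/488cebb3cf46439fb26be4638cad344d" dev="tmpfs" ino=59 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:syslogd_var_run_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1656075020.194:1363373): avc:  denied  { execmem } for  pid=409029 comm="grep" scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 tclass=process permissive=0
"""

# Extract the permission set, the source/target security contexts and the
# object class; pid, comm and path help triage but do not appear in the rule.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """user:role:type[:range] -> type, the only field an allow rule needs."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Return (perms, source_type, target_type, tclass), or None for a non-AVC line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    perms = frozenset(m.group("perms").split())
    return (perms, context_type(m.group("scontext")),
            context_type(m.group("tcontext")), m.group("tclass"))


def collect_denials(lines):
    """Merge denials per (source type, target type, class) so repeated
    records for the same pair collapse into one rule."""
    needed = defaultdict(set)
    for line in lines.splitlines():
        parsed = parse_avc(line)
        if parsed is not None:
            perms, stype, ttype, tclass = parsed
            needed[(stype, ttype, tclass)].update(perms)
    return needed


def perm_list(perms):
    """Policy syntax: a single permission is bare, several are braced."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def allow_rules(lines):
    """One allow statement per (source, target, class); a domain acting on
    itself is written as 'self', as in the module quoted in the report."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(collect_denials(lines).items()):
        target = "self" if stype == ttype else ttype
        rules.append(f"allow {stype} {target}:{tclass} {perm_list(perms)};")
    return rules


def te_module(name, version, lines):
    """Render a .te source: module header, require block, allow rules."""
    needed = collect_denials(lines)
    types = sorted({t for key in needed for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, tclass), perms in needed.items():
        classes[tclass].update(perms)
    out = [f"module {name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {perm_list(p)};" for c, p in sorted(classes.items())]
    out += ["}", ""] + allow_rules(lines)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Compile and load the generated source on the affected host:
    #   checkmodule -M -m -o fail2ban-syslog.mod fail2ban-syslog.te
    #   semodule_package -o fail2ban-syslog.pp -m fail2ban-syslog.mod
    #   semodule -i fail2ban-syslog.pp
    print(te_module("fail2ban-syslog", "1.1", AVC_LINES), end="")
```

Run without arguments it prints a module equivalent to the one above. Two points worth keeping in mind before loading a generated module: it grants exactly the permissions that were denied, so review each rule rather than loading blindly (execmem on a process domain lifts the W^X restriction for that domain, which is broader than the journal-watch rule), and prefer the distribution's own policy package where one exists, which for this report turned out to be the missing fail2ban-selinux dependency described in the next comment.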

Comment 2 Orion Poplawski 2023-03-29 23:58:26 UTC
There is a bug in the current fail2ban-server packaging where it doesn't bring in the fail2ban-selinux package.  If you install that, things should be better.  I'll try to get an update out soon.

Comment 3 Fedora Update System 2023-04-01 14:44:04 UTC
FEDORA-EPEL-2023-07bf30a1f1 has been submitted as an update to Fedora EPEL 9. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-07bf30a1f1

Comment 4 Fedora Update System 2023-04-02 02:51:01 UTC
FEDORA-EPEL-2023-07bf30a1f1 has been pushed to the Fedora EPEL 9 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-07bf30a1f1

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 5 Fedora Update System 2023-04-10 00:42:29 UTC
FEDORA-EPEL-2023-07bf30a1f1 has been pushed to the Fedora EPEL 9 stable repository.
If problem still persists, please make note of it in this bug report.

