Bug 1777562
Summary: | Update to fail2ban 0.10.4 requires adaption of SELinux policy | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Robert Scheck <redhat-bugzilla> |
Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
Status: | CLOSED WONTFIX | QA Contact: | BaseOS QE Security Team <qe-baseos-security> |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | 7.7 | CC: | lvrabec, mmalik, orion, plautrba, prasun.gera, rmullett, robert.scheck, ssekidde, vmojzis, zpytela |
Target Milestone: | rc | Keywords: | Patch, Reopened |
Target Release: | --- | ||
Hardware: | x86_64 | ||
OS: | Linux | ||
Last Closed: | 2019-12-10 17:20:35 UTC | Type: | Bug |
Description
Robert Scheck
2019-11-27 20:17:06 UTC
Cross-filed ticket 02529186 at the Red Hat customer portal.

Lukas - perhaps time to move the SELinux config into the fail2ban package? There are a number of other fail2ban SELinux issues on EL. I guess one complication - the standard SELinux requires uses rich dependencies which is not supported on EL7:

Requires: (%{name}-selinux if selinux-policy-%{selinuxtype})

so I'm not sure what would be the best way to proceed.

This moves the current policy into the fail2ban package: https://src.fedoraproject.org/rpms/fail2ban/pull-request/2

Hi Orion,

Thank you very much for the PR. Let's deliver this in Fedora and RHEL-8. For RHEL-7 let's keep it in selinux-policy.

Thanks,
Lukas.

This issue was not selected to be included in Red Hat Enterprise Linux 7 because it is seen either as low or moderate impact to a small number of use-cases. Current minor release will be in Maintenance Support 1 Phase, which means that qualified Critical and Important Security errata advisories (RHSAs) and Urgent Priority Bug Fix errata advisories (RHBAs) may be released as they become available. We will now close this issue, but if you believe that it qualifies for the Maintenance Support 1 Phase, please re-open; otherwise, we recommend moving the request to Red Hat Enterprise Linux 8 if applicable.

Lukas - do you have a suggestion for the way forward here on EL7? The SELinux IndependentPolicy guidelines use conditional dependencies that do not work in EL7.

@Vito,

Do we have a way to deliver fail2ban policy in EL7?

I am seeing these denials too along with other SELinux issues on RHEL 7. If there is an overall decision to update the selinux-policy package in RHEL 7, I would appreciate it. For instance, this is another bug that is affected by selinux-policy (https://bugzilla.redhat.com/show_bug.cgi?id=1657549).

(In reply to Lukas Vrabec from comment #15)
> @Vito,
>
> Do we have a way to deliver fail2ban policy in EL7?

You can use unconditional "Requires: selinux-policy-targeted".
It's not ideal (the policy and the whole selinux userspace would be pulled as a dependency even into containers or other systems that do not use SELinux), but it works (it was the preferred method before conditional "requires" became available).