Bug 2083923

Summary: SELinux is preventing f2b/f.sshd from watch access on the directory /var/log/journal/e1b76908437a478ca7e08da051a8d3b3
Product: [Fedora] Fedora
Reporter: Garry T. Williams <gtwilliams>
Component: fail2ban
Assignee: Richard Shaw <hobbes1069>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 36
CC: anon.amish, axel.thimm, hobbes1069, orion, vonsch
Hardware: Unspecified
OS: Unspecified
Fixed In Version: fail2ban-0.11.2-12.fc36
Last Closed: 2022-05-27 01:09:00 UTC
Type: Bug

Description Garry T. Williams 2022-05-11 03:28:27 UTC
Description of problem:
SELinux is preventing f2b/f.sshd from watch access on the directory /var/log/journal/e1b76908437a478ca7e08da051a8d3b3

Additional Information:
Source Context                system_u:system_r:fail2ban_t:s0
Target Context                system_u:object_r:var_log_t:s0
Target Objects                /var/log/journal/e1b76908437a478ca7e08da051a8d3b3
                              [ dir ]
Source                        f2b/f.sshd
Source Path                   f2b/f.sshd
Port                          <Unknown>
Host                          gtw
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-36.8-1.fc36.noarch
Local Policy RPM              fail2ban-selinux-0.11.2-11.fc36.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     gtw
Platform                      Linux gtw 5.17.5-300.fc36.x86_64 #1 SMP PREEMPT
                              Thu Apr 28 15:51:30 UTC 2022 x86_64 x86_64
Alert Count                   2
First Seen                    2022-05-10 16:01:42 EDT
Last Seen                     2022-05-10 16:01:42 EDT
Local ID                      8030e5bb-553d-408f-b834-1f1ac7d1a905

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Reboot after upgrade to f36
2.
3.

Actual results:


Expected results:


Additional info:
I did this:

If you believe that f.sshd should be allowed watch access on the e1b76908437a478ca7e08da051a8d3b3 directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'f2b/f.sshd' --raw | audit2allow -M my-f2bfsshd
# semodule -X 300 -i my-f2bfsshd.pp

Comment 1 Orion Poplawski 2022-05-18 02:06:08 UTC
It looks like this change was made in commit 3f49a1709f7b21b5361a191533a2307e2a1b21d2:

Author: Richard Shaw <hobbes1069>
Date:   Sat Dec 25 10:35:01 2021 -0600

    Add patches / updates for various fixes:
    
    * Add patch for Python 3.11 compatibility, fixes RHBZ#2034205.
    * Comment out a few lines in the selinux files that broke building on
      EPEL and don't seem to be needed. Fixes RHBZ#2029193.
    * Work around 2to3 being removed from Python setuptools.

diff --git a/fail2ban.te b/fail2ban.te
index 92615ca..8cbf7b3 100644
--- a/fail2ban.te
+++ b/fail2ban.te
@@ -45,7 +45,7 @@ allow fail2ban_t self:netlink_netfilter_socket create_socket_perms;
 
 read_files_pattern(fail2ban_t, fail2ban_t, fail2ban_t)
 
-allow fail2ban_t fail2ban_log_t:file watch;
+#allow fail2ban_t fail2ban_log_t:file watch;
 append_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t)
 create_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t)
 setattr_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t)
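Review bot: The `allow fail2ban_t fail2ban_log_t:file watch;` rule is commented out for every build, while the commit message only reports a build break on EPEL and says the lines "don't seem to be needed". Keep the rule and put it behind a build-time conditional for the target where it fails to build, and note the RHBZ number next to it so the reason stays with the rule.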
@@ -100,10 +100,10 @@ logging_read_syslog_pid(fail2ban_t)
 logging_dontaudit_search_audit_logs(fail2ban_t)
 logging_mmap_generic_logs(fail2ban_t)
 logging_mmap_journal(fail2ban_t)
-logging_watch_audit_log_files(fail2ban_t)
-logging_watch_audit_log_dirs(fail2ban_t)
-logging_watch_generic_log_dirs(fail2ban_t)
-logging_watch_journal_dir(fail2ban_t)
+#logging_watch_audit_log_files(fail2ban_t)
+#logging_watch_audit_log_dirs(fail2ban_t)
+#logging_watch_generic_log_dirs(fail2ban_t)
+#logging_watch_journal_dir(fail2ban_t)
 
 mta_send_mail(fail2ban_t)
 
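Review bot: `logging_watch_generic_log_dirs` and `logging_watch_journal_dir` are disabled here while `logging_mmap_journal(fail2ban_t)` just above them stays, so the domain keeps its journal access but loses the directory watch that goes with it. All four `logging_watch_*` calls are switched off as a group with nothing showing that fail2ban was checked against the journal in enforcing mode afterwards; restore the directory interfaces where they build and limit the exclusion to the target that failed.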


logging_watch_generic_log_dirs would have given fail2ban_t watch permissions to var_log_t:

#######################################
## <summary>
##      Watch the generic log directory (/var/log).
## </summary>
## <param name="domain">
##      <summary>
##      Domain allowed access.
##      </summary>
## </param>
#
interface(`logging_watch_generic_log_dirs',`
        gen_require(`
                type var_log_t;
        ')

        files_search_var($1)
        allow $1 var_log_t:dir watch_dir_perms;
')
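
Before loading a module generated with `audit2allow -M`, it is worth checking that every denial it would cover is one the disabled interfaces explain. The following is an added example, not part of the bug report or the fail2ban package: it groups raw AVC records into allow rules and separates the expected `var_log_t:dir watch` rule from anything else. The sample log is constructed, and the script assumes `watch_dir_perms` includes `watch`.

```python
import re
from collections import defaultdict

# Constructed sample in raw audit format. Contexts, comm and path come from the
# alert in this report; timestamps, pid, dev, ino and the third record are made up.
SAMPLE_AUDIT_LOG = '''\
type=AVC msg=audit(1652212902.101:301): avc:  denied  { watch } for  pid=1100 comm="f2b/f.sshd" path="/var/log/journal/e1b76908437a478ca7e08da051a8d3b3" dev="dm-0" ino=2001 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1652212902.102:302): avc:  denied  { watch } for  pid=1100 comm="f2b/f.sshd" path="/var/log/journal/e1b76908437a478ca7e08da051a8d3b3" dev="dm-0" ino=2001 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1652212950.000:310): avc:  denied  { write } for  pid=1100 comm="f2b/f.sshd" name="shadow" dev="dm-0" ino=2002 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
'''

# Assumption: the rule logging_watch_generic_log_dirs grants, with
# watch_dir_perms taken to include "watch".
EXPECTED = {("fail2ban_t", "var_log_t", "dir"): {"watch"}}

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<c>\S+)')

def sel_type(context):
    # SELinux context is user:role:type:level; the type is the third field.
    return context.split(':')[2]

def denied_rules(log_text):
    """Merge AVC denials into {(source_type, target_type, class): {perms}}."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            key = (sel_type(m['s']), sel_type(m['t']), m['c'])
            rules[key].update(m['perms'].split())
    return dict(rules)

def triage(log_text, expected):
    """Return (rules fully explained by `expected`, rules needing review)."""
    known, review = [], []
    for (src, tgt, cls), perms in sorted(denied_rules(log_text).items()):
        rule = f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        unexplained = perms - expected.get((src, tgt, cls), set())
        (review if unexplained else known).append(rule)
    return known, review

if __name__ == "__main__":
    known, review = triage(SAMPLE_AUDIT_LOG, EXPECTED)
    print("explained by disabled interface:", *known, sep="\n  ")
    print("review before allowing:", *review, sep="\n  ")
```

On a real host the input would be the output of `ausearch -c 'f2b/f.sshd' --raw`, the same stream the report pipes into `audit2allow`.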

Comment 2 Fedora Update System 2022-05-18 03:56:49 UTC
FEDORA-2022-33c51827f4 has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2022-33c51827f4

Comment 3 Garry T. Williams 2022-05-19 00:38:24 UTC
That fixed the bug here.

I did:

$ sudo semodule -X 300 -r my-f2bfsshd
...
$ for p in fail2ban-0.11.2-12.fc36.noarch.rpm \
           fail2ban-selinux-0.11.2-12.fc36.noarch.rpm \
           fail2ban-server-0.11.2-12.fc36.noarch.rpm \
           fail2ban-sendmail-0.11.2-12.fc36.noarch.rpm \
           fail2ban-firewalld-0.11.2-12.fc36.noarch.rpm ; \
   do wget \
      https://kojipkgs.fedoraproject.org//packages/fail2ban/0.11.2/12.fc36/noarch/$p;done
...
$ sudo dnf upgrade ./fail2ban-\*
...
$

Comment 4 Fedora Update System 2022-05-19 15:37:03 UTC
FEDORA-2022-33c51827f4 has been pushed to the Fedora 36 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2022-33c51827f4`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-33c51827f4

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 5 Fedora Update System 2022-05-27 01:09:00 UTC
FEDORA-2022-33c51827f4 has been pushed to the Fedora 36 stable repository.
If problem still persists, please make note of it in this bug report.