Bug 2083923
Summary: | SELinux is preventing f2b/f.sshd from watch access on the directory /var/log/journal/e1b76908437a478ca7e08da051a8d3b3 | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Garry T. Williams <gtwilliams> |
Component: | fail2ban | Assignee: | Richard Shaw <hobbes1069> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | ||
Version: | 36 | CC: | anon.amish, axel.thimm, hobbes1069, orion, vonsch |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | fail2ban-0.11.2-12.fc36 | Doc Type: | If docs needed, set a value |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2022-05-27 01:09:00 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Garry T. Williams
2022-05-11 03:28:27 UTC
It looks like this change was made in commit 3f49a1709f7b21b5361a191533a2307e2a1b21d2: Author: Richard Shaw <hobbes1069> Date: Sat Dec 25 10:35:01 2021 -0600 Add patches / updates for various fixes: * Add patch for Python 3.11 compatibilitys, fixes RHBZ#2034205. * Comment out a few lines in the selinux files that broke building on EPEL and don't seem to be needed. Fixes RHBZ#2029193. * Work around 2to3 being removed from Python setuptools. diff --git a/fail2ban.te b/fail2ban.te index 92615ca..8cbf7b3 100644 --- a/fail2ban.te +++ b/fail2ban.te @@ -45,7 +45,7 @@ allow fail2ban_t self:netlink_netfilter_socket create_socket_perms; read_files_pattern(fail2ban_t, fail2ban_t, fail2ban_t) -allow fail2ban_t fail2ban_log_t:file watch; +#allow fail2ban_t fail2ban_log_t:file watch; append_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t) create_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t) setattr_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t) @@ -100,10 +100,10 @@ logging_read_syslog_pid(fail2ban_t) logging_dontaudit_search_audit_logs(fail2ban_t) logging_mmap_generic_logs(fail2ban_t) logging_mmap_journal(fail2ban_t) -logging_watch_audit_log_files(fail2ban_t) -logging_watch_audit_log_dirs(fail2ban_t) -logging_watch_generic_log_dirs(fail2ban_t) -logging_watch_journal_dir(fail2ban_t) +#logging_watch_audit_log_files(fail2ban_t) +#logging_watch_audit_log_dirs(fail2ban_t) +#logging_watch_generic_log_dirs(fail2ban_t) +#logging_watch_journal_dir(fail2ban_t) mta_send_mail(fail2ban_t) logging_watch_generic_log_dirs would have given fail2ban_t watch permissions to var_log_t: ####################################### ## <summary> ## Watch the generic log directory (/var/log). ## </summary> ## <param name="domain"> ## <summary> ## Domain allowed access. ## </summary> ## </param> # interface(`logging_watch_generic_log_dirs',` gen_require(` type var_log_t; ') files_search_var($1) allow $1 var_log_t:dir watch_dir_perms; ') FEDORA-2022-33c51827f4 has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2022-33c51827f4 That fixed the bug here. I did: $ sudo semodule -X 300 -r my-f2bfsshd ... $ for p in fail2ban-0.11.2-12.fc36.noarch.rpm \ fail2ban-selinux-0.11.2-12.fc36.noarch.rpm \ fail2ban-server-0.11.2-12.fc36.noarch.rpm \ fail2ban-sendmail-0.11.2-12.fc36.noarch.rpm \ fail2ban-firewalld-0.11.2-12.fc36.noarch.rpm ; \ do wget \ https://kojipkgs.fedoraproject.org//packages/fail2ban/0.11.2/12.fc36/noarch/$p;done ... $ sudo dnf upgrade ./fail2ban-\* ... $ FEDORA-2022-33c51827f4 has been pushed to the Fedora 36 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2022-33c51827f4` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-33c51827f4 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates. FEDORA-2022-33c51827f4 has been pushed to the Fedora 36 stable repository. If problem still persists, please make note of it in this bug report. |