fail2ban is a program which watches logs and modifies firewall rules when it finds things like multiple ssh login failures from an address. When it does this, it can send an email to the system administrator. It is common for these emails to include relevant log entries, which it extracts by shelling out: when you have a syslog daemon running, it can just grep /var/log/messages, which works fine. But if you want it to extract those messages from the journal, it needs to call journalctl. This is not the default in Fedora, though it would be nice if it could be.

The problem is that fail2ban_t can't call journalctl:

time->Thu Mar 14 19:02:19 2019
type=AVC msg=audit(1552608139.605:2851776): avc: denied { getattr } for pid=23673 comm="sh" path="/usr/bin/journalctl" dev="dm-0" ino=4560324 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:journalctl_exec_t:s0 tclass=file permissive=1
----
time->Thu Mar 14 19:02:19 2019
type=AVC msg=audit(1552608139.605:2851777): avc: denied { execute } for pid=23673 comm="sh" name="journalctl" dev="dm-0" ino=4560324 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:journalctl_exec_t:s0 tclass=file permissive=1
----
time->Thu Mar 14 19:02:19 2019
type=AVC msg=audit(1552608139.606:2851778): avc: denied { read } for pid=23673 comm="sh" name="journalctl" dev="dm-0" ino=4560324 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:journalctl_exec_t:s0 tclass=file permissive=1
----
time->Thu Mar 14 19:02:19 2019
type=AVC msg=audit(1552608139.606:2851779): avc: denied { open } for pid=23673 comm="sh" path="/usr/bin/journalctl" dev="dm-0" ino=4560324 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:journalctl_exec_t:s0 tclass=file permissive=1
----
time->Thu Mar 14 19:02:19 2019
type=AVC msg=audit(1552608139.606:2851780): avc: denied { execute_no_trans } for pid=23673 comm="sh" path="/usr/bin/journalctl" dev="dm-0" ino=4560324 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:journalctl_exec_t:s0 tclass=file permissive=1
----
time->Thu Mar 14 19:02:19 2019
type=AVC msg=audit(1552608139.606:2851781): avc: denied { map } for pid=23673 comm="journalctl" path="/usr/bin/journalctl" dev="dm-0" ino=4560324 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:journalctl_exec_t:s0 tclass=file permissive=1
----
time->Thu Mar 14 19:02:19 2019
type=AVC msg=audit(1552608139.627:2851782): avc: denied { sys_resource } for pid=23673 comm="journalctl" capability=24 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 tclass=capability permissive=1
----
time->Thu Mar 14 19:02:19 2019
type=AVC msg=audit(1552608139.627:2851783): avc: denied { setrlimit } for pid=23673 comm="journalctl" scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 tclass=process permissive=1
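As an added example (not part of the bug report or of the selinux-policy repository), a small Python triage script that groups AVC denials like the ones above by source type, target type and object class and renders the allow rules a local policy module would need. The sample lines are copied from the denials in this report; the script does not talk to auditd, it only parses text you feed it.

```python
import re
from collections import defaultdict

# Constructed sample: four of the denials quoted in the report above, covering
# the three shapes seen there (file access on journalctl_exec_t, a capability,
# and a process permission). Note permissive=1: the system was in permissive
# mode, so these are "would have been denied" records.
SAMPLE_AVCS = """\
type=AVC msg=audit(1552608139.605:2851777): avc: denied { execute } for pid=23673 comm="sh" name="journalctl" dev="dm-0" ino=4560324 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:journalctl_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1552608139.606:2851778): avc: denied { read } for pid=23673 comm="sh" name="journalctl" dev="dm-0" ino=4560324 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:journalctl_exec_t:s0 tclass=file permissive=1
type=AVC msg=audit(1552608139.627:2851782): avc: denied { sys_resource } for pid=23673 comm="journalctl" capability=24 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1552608139.627:2851783): avc: denied { setrlimit } for pid=23673 comm="journalctl" scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 tclass=process permissive=1
"""

# Matches the permission set, both contexts and the object class of one AVC record.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def selinux_type(context):
    """Extract the type field from a user:role:type:level context string."""
    return context.split(":")[2]

def parse_avcs(text):
    """Return {(source_type, target_type, tclass): set(permissions)} for all AVC lines."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC record (e.g. a 'time->' or '----' separator line)
        key = (selinux_type(m["scontext"]), selinux_type(m["tcontext"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return rules

def to_allow_rules(rules):
    """Render the grouped denials as allow rules; use 'self' when source and target type match."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        target = "self" if src == tgt else tgt
        out.append(f"allow {src} {target}:{cls} {{ {' '.join(sorted(perms))} }};")
    return out

if __name__ == "__main__":
    for rule in to_allow_rules(parse_avcs(SAMPLE_AVCS)):
        print(rule)
```

In practice the input would be the output of ausearch -m avc; the rendered rules are a review aid for deciding what the distribution policy should allow (the merged PR expresses this through policy interfaces rather than raw allow rules), not something to load blindly.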
PR created: https://github.com/fedora-selinux/selinux-policy-contrib/pull/91
commit ccc5bcdeddfaf3b486b22ee1b20441b66840aec6 (HEAD -> rawhide, origin/rawhide, origin/HEAD)
Author: Zdenek Pytela <zpytela>
Date:   Fri Mar 15 09:49:14 2019 +0100

    Allow fail2ban execute journalctl

    BZ(1689034)

    Allow fail2ban_t execute journalctl_exec_t.
    Allow fail2ban_t setrlimit and sys_resource.
selinux-policy-3.14.2-53.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2019-bf377d92c7
selinux-policy-3.14.2-53.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-bf377d92c7
selinux-policy-3.14.2-53.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.