Description of problem:
upgraded from f33 to f34

SELinux is preventing fail2ban-server from 'watch' accesses on the directory /var/log/journal.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that fail2ban-server should be allowed watch access on the journal directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c "fail2ban-server" --raw | audit2allow -M my-fail2banserver
# semodule -X 300 -i my-fail2banserver.pp

Additional Information:
Source Context                system_u:system_r:fail2ban_t:s0
Target Context                system_u:object_r:var_log_t:s0
Target Objects                /var/log/journal [ dir ]
Source                        fail2ban-server
Source Path                   fail2ban-server
Port                          <Unknown>
Host                          (removed)
Source RPM Packages
Target RPM Packages           systemd-248-2.fc34.x86_64
SELinux Policy RPM            selinux-policy-targeted-34.3-1.fc34.noarch
Local Policy RPM              fail2ban-selinux-0.11.2-3.fc34.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 5.11.16-300.fc34.x86_64 #1 SMP Wed
                              Apr 21 13:18:33 UTC 2021 x86_64 x86_64
Alert Count                   8
First Seen                    2021-04-25 13:36:19 CEST
Last Seen                     2021-04-25 13:50:25 CEST
Local ID                      819fb113-1a6e-46ac-9a35-ae5ca6bd5ccb

Raw Audit Messages
type=AVC msg=audit(1619351425.392:241): avc:  denied  { watch } for  pid=1621 comm="f2b/f.dropbear" path="/var/log/journal" dev="dm-3" ino=100669503 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir permissive=0

Hash: fail2ban-server,fail2ban_t,var_log_t,dir,watch

Version-Release number of selected component:
selinux-policy-targeted-34.3-1.fc34.noarch

Additional info:
component:      fail2ban
reporter:       libreport-2.14.0
hashmarkername: setroubleshoot
kernel:         5.11.16-300.fc34.x86_64
type:           libreport

*** This bug has been marked as a duplicate of bug 1943696 ***