Bug 1983564 - SELinux don't allow to read all log files
Summary: SELinux don't allow to read all log files
Keywords:
Status: CLOSED CANTFIX
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: fail2ban
Version: epel8
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Richard Shaw
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2021-07-19 06:27 UTC by Frank Büttner
Modified: 2021-11-02 13:02 UTC (History)
6 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2021-11-02 13:02:43 UTC
Type: Bug
Embargoed:

Attachments (Terms of Use)

Description Frank Büttner 2021-07-19 06:27:23 UTC 
Description of problem:
When I try to monitor my nextcloud instance, which use nfs for data storage, then 
fail2ban can't read the log file

Version-Release number of selected component (if applicable):
fail2ban-server-0.11.2-1.el8.noarch


How reproducible:
Every time

Steps to Reproduce:
1. start fail2ban

Actual results:
The start fails because the log file on the nfs share can't read


Expected results:
Working fail2ban


Additional info:
SELinux Log:
type=AVC msg=audit(1626675276.055:38476): avc:  denied  { read } for  pid=2143832 comm="fail2ban-server" name="nextcloud_data" dev="dm-4" ino=4199669 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=lnk_file permissive=0
type=SYSCALL msg=audit(1626675276.055:38476): arch=c000003e syscall=6 success=no exit=-13 a0=7f30781765a8 a1=7f30789bb8a0 a2=7f30789bb8a0 a3=0 items=0 ppid=1 pid=2143832 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="fail2ban-server" exe="/usr/libexec/platform-python3.6" subj=system_u:system_r:fail2ban_t:s0 key=(null)ARCH=x86_64 SYSCALL=lstat AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=AVC msg=audit(1626675564.050:38499): avc:  denied  { read } for  pid=2149597 comm="fail2ban-server" name="nextcloud_data" dev="dm-4" ino=4199669 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=lnk_file permissive=0
type=SYSCALL msg=audit(1626675564.050:38499): arch=c000003e syscall=6 success=no exit=-13 a0=7f4027acd5f0 a1=7f40283138a0 a2=7f40283138a0 a3=0 items=0 ppid=1 pid=2149597 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="fail2ban-server" exe="/usr/libexec/platform-python3.6" subj=system_u:system_r:fail2ban_t:s0 key=(null)ARCH=x86_64 SYSCALL=lstat AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
ype=AVC msg=audit(1626675276.055:38476): avc:  denied  { read } for  pid=2143832 comm="fail2ban-server" name="nextcloud_data" dev="dm-4" ino=4199669 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=lnk_file permissive=0
type=SYSCALL msg=audit(1626675276.055:38476): arch=c000003e syscall=6 success=no exit=-13 a0=7f30781765a8 a1=7f30789bb8a0 a2=7f30789bb8a0 a3=0 items=0 ppid=1 pid=2143832 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="fail2ban-server" exe="/usr/libexec/platform-python3.6" subj=system_u:system_r:fail2ban_t:s0 key=(null)ARCH=x86_64 SYSCALL=lstat AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=AVC msg=audit(1626675564.050:38499): avc:  denied  { read } for  pid=2149597 comm="fail2ban-server" name="nextcloud_data" dev="dm-4" ino=4199669 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=lnk_file permissive=0
type=SYSCALL msg=audit(1626675564.050:38499): arch=c000003e syscall=6 success=no exit=-13 a0=7f4027acd5f0 a1=7f40283138a0 a2=7f40283138a0 a3=0 items=0 ppid=1 pid=2149597 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="fail2ban-server" exe="/usr/libexec/platform-python3.6" subj=system_u:system_r:fail2ban_t:s0 key=(null)ARCH=x86_64 SYSCALL=lstat AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=AVC msg=audit(1626676002.379:38542): avc:  denied  { search } for  pid=2150952 comm="fail2ban-server" name="mnt" dev="dm-0" ino=141 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:automount_tmp_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1626676002.379:38542): arch=c000003e syscall=6 success=no exit=-13 a0=7f27f42fe610 a1=7f27f4b408a0 a2=7f27f4b408a0 a3=1 items=0 ppid=1 pid=2150952 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="fail2ban-server" exe="/usr/libexec/platform-python3.6" subj=system_u:system_r:fail2ban_t:s0 key=(null)ARCH=x86_64 SYSCALL=lstat AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
Comment 1 customercare 2021-07-22 08:36:24 UTC 
Hi,

I'm not sure, if nfs transports selcontexts on files and directories by itself, but it does not look like it.

You can set a SELcontext while mounting your share to solve this:

https://www.thegeeksearch.com/how-to-configure-selinux-labeled-nfs-exports/

While you're on it.. use nfs version 4 and enable encryption for your share.
Comment 2 Frank Büttner 2021-07-22 14:52:17 UTC 
The storage system only support nfs 4.1 and as I understand, your link only works with nfs 4.2 and newer.
Comment 3 Richard Shaw 2021-11-02 12:33:48 UTC 
Has this been addressed or a workaround implemented? I'm not sure what I can do about this from on the packaging side.
Comment 4 customercare 2021-11-02 12:47:15 UTC 
@Richard:

That's for sure nothing you can fix in fail2ban, as no fedora package is responsible for external mounts. It's an impossibility on the logical side.
Comment 5 Richard Shaw 2021-11-02 13:02:43 UTC 
Thanks for the confirmation. I'm closing for now but if a solution presents itself, it can be reopened.
Note You need to log in before you can comment on or make changes to this bug.