Description of problem: fail2ban cannot write to its PID or log file on CentOS 8 Stream. It seems SELinux policy is blocking fail2ban. Version-Release number of selected component (if applicable): # rpm -qa fail2ban fail2ban-selinux fail2ban-selinux-0.11.2-1.el8.noarch fail2ban-0.11.2-1.el8.noarch Steps to Reproduce: 1. Enable EPEL 2. Install fail2ban and fail2ban-selinux 3. Start fail2ban.service Actual results: I get these errors in the system journal when starting the fail2ban service: Apr 09 00:37:12 centos8 fail2ban-server[1674]: 2022-04-09 00:37:12,535 fail2ban.server [1674]: INFO Starting Fail2ban v0.11.2 Apr 09 00:37:12 centos8 fail2ban-server[1674]: 2022-04-09 00:37:12,536 fail2ban.server [1674]: ERROR Unable to create PID file: [Errno 13] Permission denied: '/var/run/fail2ban/fail2ban.pid' Apr 09 00:37:12 centos8 fail2ban-server[1674]: 2022-04-09 00:37:12,536 fail2ban.observer [1674]: INFO Observer start... Apr 09 00:37:12 centos8 fail2ban-server[1674]: 2022-04-09 00:37:12,537 fail2ban.server [1674]: ERROR Unable to log to '/var/log/fail2ban.log' Apr 09 00:37:12 centos8 fail2ban-server[1674]: 2022-04-09 00:37:12,537 fail2ban.server [1674]: INFO Logging to previous target None Apr 09 00:37:12 centos8 fail2ban-server[1674]: 2022-04-09 00:37:12,537 fail2ban [1674]: ERROR NOK: ('Failed to change log target',) Additional info: setroubleshoot logs the following: Apr 09 00:37:52 centos8 setroubleshoot[1737]: SELinux is preventing /usr/libexec/platform-python3.6 from append access on the file fail2ban.pid. Apr 09 00:37:52 centos8 setroubleshoot[1737]: SELinux is preventing /usr/libexec/platform-python3.6 from append access on the file fail2ban.log. It suggests creating a policy: ***** Plugin catchall (100. confidence) suggests ************************** If you believe that platform-python3.6 should be allowed create access on the fail2ban.pid file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'fail2ban-server' --raw | audit2allow -M my-fail2banserver # semodule -X 300 -i my-fail2banserver.pp If I do that then fail2ban works properly after restarting the service.
What are the contexts of the pid and log files? What are the full AVCs? What is the contents of my-fail2banserver.te?
FEDORA-EPEL-2023-1453d3ee4f has been submitted as an update to Fedora EPEL 8. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-1453d3ee4f
FEDORA-EPEL-2023-1453d3ee4f has been pushed to the Fedora EPEL 8 testing repository. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-1453d3ee4f See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-EPEL-2023-1453d3ee4f has been pushed to the Fedora EPEL 8 stable repository. If problem still persists, please make note of it in this bug report.