Bug 2073606 - fail2ban cannot create PID or log file in CentOS 8 Stream
Summary: fail2ban cannot create PID or log file in CentOS 8 Stream
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: fail2ban
Version: epel8
Hardware: All
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Orion Poplawski
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2022-04-08 22:06 UTC by Alan Orth
Modified: 2023-04-10 01:06 UTC (History)

Fixed In Version: fail2ban-1.0.2-3.el8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-04-10 01:06:28 UTC
Type: Bug
Embargoed:



Description Alan Orth 2022-04-08 22:06:30 UTC
Description of problem:

fail2ban cannot write to its PID or log file on CentOS 8 Stream. It seems SELinux policy is blocking fail2ban.

Version-Release number of selected component (if applicable):

# rpm -qa fail2ban fail2ban-selinux 
fail2ban-selinux-0.11.2-1.el8.noarch
fail2ban-0.11.2-1.el8.noarch

Steps to Reproduce:
1. Enable EPEL
2. Install fail2ban and fail2ban-selinux
3. Start fail2ban.service

Actual results:

I get these errors in the system journal when starting the fail2ban service:

  Apr 09 00:37:12 centos8 fail2ban-server[1674]: 2022-04-09 00:37:12,535 fail2ban.server         [1674]: INFO    Starting Fail2ban v0.11.2
  Apr 09 00:37:12 centos8 fail2ban-server[1674]: 2022-04-09 00:37:12,536 fail2ban.server         [1674]: ERROR   Unable to create PID file: [Errno 13] Permission denied: '/var/run/fail2ban/fail2ban.pid'
  Apr 09 00:37:12 centos8 fail2ban-server[1674]: 2022-04-09 00:37:12,536 fail2ban.observer       [1674]: INFO    Observer start...
  Apr 09 00:37:12 centos8 fail2ban-server[1674]: 2022-04-09 00:37:12,537 fail2ban.server         [1674]: ERROR   Unable to log to '/var/log/fail2ban.log'
  Apr 09 00:37:12 centos8 fail2ban-server[1674]: 2022-04-09 00:37:12,537 fail2ban.server         [1674]: INFO    Logging to previous target None
  Apr 09 00:37:12 centos8 fail2ban-server[1674]: 2022-04-09 00:37:12,537 fail2ban                [1674]: ERROR   NOK: ('Failed to change log target',)

Additional info:

setroubleshoot logs the following:

  Apr 09 00:37:52 centos8 setroubleshoot[1737]: SELinux is preventing /usr/libexec/platform-python3.6 from append access on the file fail2ban.pid.
  Apr 09 00:37:52 centos8 setroubleshoot[1737]: SELinux is preventing /usr/libexec/platform-python3.6 from append access on the file fail2ban.log.

It suggests creating a policy:

  *****  Plugin catchall (100. confidence) suggests   **************************

  If you believe that platform-python3.6 should be allowed create access on the fail2ban.pid file by default.
  Then you should report this as a bug.
  You can generate a local policy module to allow this access.
  Do
  allow this access for now by executing:
  # ausearch -c 'fail2ban-server' --raw | audit2allow -M my-fail2banserver
  # semodule -X 300 -i my-fail2banserver.pp

If I do that then fail2ban works properly after restarting the service.
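
As an added example (not part of this bug report, of the fail2ban project, or of the EPEL package), the shell helper below reduces raw audit records to the fields a maintainer asks for when triaging a denial like this one: the process domain, the permission that was refused, the object class and the label on the target file. It is meant to be fed the output of `ausearch -m AVC -c fail2ban-server --raw`; the record embedded in it is a constructed sample, and the context types it carries (fail2ban_t, var_run_t) are assumptions for illustration, not values taken from the reporter's system.

```shell
#!/bin/sh
# Added diagnostic helper, not part of the bug report. It summarises SELinux
# AVC denial records so the questions raised in this thread (which file
# contexts, which permission, which domain) are answered from the audit log.
# On a real host the records come from:
#   ausearch -m AVC -c fail2ban-server --raw
# and the on-disk labels from:
#   ls -Z /var/log/fail2ban.log /run/fail2ban/
# The record below is a constructed sample in the audit format; the context
# types in it are assumptions, not values taken from this bug.

# Print one line per denial: comm perm tclass source-type -> target-type name
avc_summary() {
    awk '
    /type=AVC/ && /denied/ {
        perm = ""; comm = ""; name = ""; tclass = ""; s = ""; t = ""
        # the permission set is written as "denied  { append }"
        if (match($0, /denied +[{][^}]*[}]/)) {
            perm = substr($0, RSTART, RLENGTH)
            sub(/^denied +[{] */, "", perm)
            sub(/ *[}]$/, "", perm)
        }
        # the remaining fields are key=value tokens
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n == 0) continue
            k = substr($i, 1, n - 1); v = substr($i, n + 1)
            gsub(/"/, "", v)
            if (k == "comm") comm = v
            else if (k == "name") name = v
            else if (k == "tclass") tclass = v
            else if (k == "scontext") s = v
            else if (k == "tcontext") t = v
        }
        # contexts are user:role:type:level; the type is what policy matches on
        split(s, sp, ":"); split(t, tp, ":")
        printf "%s %s %s %s -> %s %s\n", comm, perm, tclass, sp[3], tp[3], name
    }'
}

# Constructed sample record (format of `ausearch --raw`); all values assumed.
SAMPLE_AVC='type=AVC msg=audit(1649464632.535:204): avc:  denied  { append } for  pid=1674 comm="fail2ban-server" name="fail2ban.pid" dev="tmpfs" ino=4242 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0'

# Runs the summary over the sample; on a host, pipe ausearch output instead.
summarise_sample() {
    printf '%s\n' "$SAMPLE_AVC" | avc_summary
}

summarise_sample
```

The target type is the first thing to read off the summary. If the file carries a generic label (as in the constructed sample) rather than the fail2ban-specific type the policy expects, the file was labelled before the policy covered it or the policy's file-context entries do not cover that path; `restorecon -v` on the file resolves the first case and only a package fix resolves the second. A catchall module generated with audit2allow, as setroubleshoot proposes above, instead grants the fail2ban domain standing access to generically labelled files, which is broader than either of those fixes.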

Comment 1 Orion Poplawski 2023-03-29 22:53:14 UTC
What are the contexts of the pid and log files?  What are the full AVCs?  What are the contents of my-fail2banserver.te?

Comment 2 Fedora Update System 2023-04-01 14:46:28 UTC
FEDORA-EPEL-2023-1453d3ee4f has been submitted as an update to Fedora EPEL 8. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-1453d3ee4f

Comment 3 Fedora Update System 2023-04-02 02:50:20 UTC
FEDORA-EPEL-2023-1453d3ee4f has been pushed to the Fedora EPEL 8 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-1453d3ee4f

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 4 Fedora Update System 2023-04-10 01:06:28 UTC
FEDORA-EPEL-2023-1453d3ee4f has been pushed to the Fedora EPEL 8 stable repository.
If the problem still persists, please make a note of it in this bug report.
