Bug 2083923 - SELinux is preventing f2b/f.sshd from watch access on the directory /var/log/journal/e1b76908437a478ca7e08da051a8d3b3
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: fail2ban
Version: 36
Hardware: Unspecified
OS: Unspecified
Assignee: Richard Shaw
QA Contact: Fedora Extras Quality Assurance
Reported: 2022-05-11 03:28 UTC by Garry T. Williams
Modified: 2022-05-27 01:09 UTC

Fixed In Version: fail2ban-0.11.2-12.fc36
Last Closed: 2022-05-27 01:09:00 UTC
Type: Bug

Description Garry T. Williams 2022-05-11 03:28:27 UTC
Description of problem:
SELinux is preventing f2b/f.sshd from watch access on the directory /var/log/journal/e1b76908437a478ca7e08da051a8d3b3

Additional Information:
Source Context                system_u:system_r:fail2ban_t:s0
Target Context                system_u:object_r:var_log_t:s0
Target Objects                /var/log/journal/e1b76908437a478ca7e08da051a8d3b3
                              [ dir ]
Source                        f2b/f.sshd
Source Path                   f2b/f.sshd
Port                          <Unknown>
Host                          gtw
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-36.8-1.fc36.noarch
Local Policy RPM              fail2ban-selinux-0.11.2-11.fc36.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     gtw
Platform                      Linux gtw 5.17.5-300.fc36.x86_64 #1 SMP PREEMPT
                              Thu Apr 28 15:51:30 UTC 2022 x86_64 x86_64
Alert Count                   2
First Seen                    2022-05-10 16:01:42 EDT
Last Seen                     2022-05-10 16:01:42 EDT
Local ID                      8030e5bb-553d-408f-b834-1f1ac7d1a905

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Reboot after upgrade to f36
2.
3.

Actual results:


Expected results:


Additional info:
I did this:

If you believe that f.sshd should be allowed watch access on the e1b76908437a478ca7e08da051a8d3b3 directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'f2b/f.sshd' --raw | audit2allow -M my-f2bfsshd
# semodule -X 300 -i my-f2bfsshd.pp

Comment 1 Orion Poplawski 2022-05-18 02:06:08 UTC
It looks like this change was made in commit 3f49a1709f7b21b5361a191533a2307e2a1b21d2:

Author: Richard Shaw <hobbes1069>
Date:   Sat Dec 25 10:35:01 2021 -0600

    Add patches / updates for various fixes:
    
    * Add patch for Python 3.11 compatibility, fixes RHBZ#2034205.
    * Comment out a few lines in the selinux files that broke building on
      EPEL and don't seem to be needed. Fixes RHBZ#2029193.
    * Work around 2to3 being removed from Python setuptools.

diff --git a/fail2ban.te b/fail2ban.te
index 92615ca..8cbf7b3 100644
--- a/fail2ban.te
+++ b/fail2ban.te
@@ -45,7 +45,7 @@ allow fail2ban_t self:netlink_netfilter_socket create_socket_perms;
 
 read_files_pattern(fail2ban_t, fail2ban_t, fail2ban_t)
 
-allow fail2ban_t fail2ban_log_t:file watch;
+#allow fail2ban_t fail2ban_log_t:file watch;
 append_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t)
 create_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t)
 setattr_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t)
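Review bot: the `allow fail2ban_t fail2ban_log_t:file watch;` rule is disabled by commenting it out with no explanation beside it, so the policy source no longer says why fail2ban_t may append to, create and setattr its own log files but not watch them. If this is one of the lines that broke the EPEL build, guard it for that build target instead of dropping it for every target, and reference RHBZ#2029193 in a comment next to it; if it really is unneeded, delete it rather than leaving dead policy behind.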
@@ -100,10 +100,10 @@ logging_read_syslog_pid(fail2ban_t)
 logging_dontaudit_search_audit_logs(fail2ban_t)
 logging_mmap_generic_logs(fail2ban_t)
 logging_mmap_journal(fail2ban_t)
-logging_watch_audit_log_files(fail2ban_t)
-logging_watch_audit_log_dirs(fail2ban_t)
-logging_watch_generic_log_dirs(fail2ban_t)
-logging_watch_journal_dir(fail2ban_t)
+#logging_watch_audit_log_files(fail2ban_t)
+#logging_watch_audit_log_dirs(fail2ban_t)
+#logging_watch_generic_log_dirs(fail2ban_t)
+#logging_watch_journal_dir(fail2ban_t)
 
 mta_send_mail(fail2ban_t)
 
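Review bot: all four `logging_watch_*` calls are commented out for every build, while the context lines keep `logging_mmap_journal(fail2ban_t)`, so the domain is still set up to read the journal but can no longer watch its directory. The denial in this report is watch access on a `var_log_t` directory under /var/log/journal, which is the access `logging_watch_generic_log_dirs` allows, so "don't seem to be needed" from the commit message should be backed by a reboot test in enforcing mode with a journal-reading jail enabled. Suggest restoring at least `logging_watch_generic_log_dirs(fail2ban_t)` and `logging_watch_journal_dir(fail2ban_t)` on Fedora and limiting the removal to the build where the interfaces fail.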


logging_watch_generic_log_dirs would have given fail2ban_t watch permissions to var_log_t:

#######################################
## <summary>
##      Watch the generic log directory (/var/log).
## </summary>
## <param name="domain">
##      <summary>
##      Domain allowed access.
##      </summary>
## </param>
#
interface(`logging_watch_generic_log_dirs',`
        gen_require(`
                type var_log_t;
        ')

        files_search_var($1)
        allow $1 var_log_t:dir watch_dir_perms;
')
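
Comment 1's reasoning as an added example (not code from fail2ban, selinux-policy or anyone in this thread): it parses a constructed AVC record shaped like `ausearch --raw` output for this denial and lists the allow rules still missing with and without the permission that `logging_watch_generic_log_dirs` grants. The record's timestamp, pid, dev and ino, the helper names, and treating `watch_dir_perms` as including `watch` are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of `ausearch --raw` output for the denial in
# this report; timestamp, serial, pid, dev and ino are made-up values.
SAMPLE_AUDIT = (
    'type=AVC msg=audit(1652212902.000:100): avc:  denied  { watch } for  '
    'pid=1000 comm="f2b/f.sshd" '
    'path="/var/log/journal/e1b76908437a478ca7e08da051a8d3b3" dev="dm-0" '
    'ino=1 scontext=system_u:system_r:fail2ban_t:s0 '
    'tcontext=system_u:object_r:var_log_t:s0 tclass=dir permissive=0\n'
)

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)

def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(':')[2]

def parse_denials(audit_text):
    """Map (source type, target type, class) -> set of denied permissions."""
    denials = defaultdict(set)
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            key = (selinux_type(m['scon']), selinux_type(m['tcon']), m['tclass'])
            denials[key].update(m['perms'].split())
    return dict(denials)

def missing_rules(denials, granted):
    """Return the allow rules still needed, given already granted permissions."""
    rules = []
    for (src, tgt, cls), perms in sorted(denials.items()):
        lacking = sorted(perms - granted.get((src, tgt, cls), set()))
        if lacking:
            rules.append(f"allow {src} {tgt}:{cls} {{ {' '.join(lacking)} }};")
    return rules

# Assumption: watch_dir_perms includes `watch`, as Comment 1 states.
WITH_INTERFACE = {('fail2ban_t', 'var_log_t', 'dir'): {'watch'}}

if __name__ == '__main__':
    denials = parse_denials(SAMPLE_AUDIT)
    print('interface commented out:', missing_rules(denials, {}))
    print('interface restored:     ', missing_rules(denials, WITH_INTERFACE))
```

Running the same parse over real `ausearch --raw` output before loading an `audit2allow` module shows which type pairs the local module would open up.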

Comment 2 Fedora Update System 2022-05-18 03:56:49 UTC
FEDORA-2022-33c51827f4 has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2022-33c51827f4

Comment 3 Garry T. Williams 2022-05-19 00:38:24 UTC
That fixed the bug here.

I did:

$ sudo semodule -X 300 -r my-f2bfsshd
...
$ for p in fail2ban-0.11.2-12.fc36.noarch.rpm \
           fail2ban-selinux-0.11.2-12.fc36.noarch.rpm \
           fail2ban-server-0.11.2-12.fc36.noarch.rpm \
           fail2ban-sendmail-0.11.2-12.fc36.noarch.rpm \
           fail2ban-firewalld-0.11.2-12.fc36.noarch.rpm ; \
   do wget \
      https://kojipkgs.fedoraproject.org//packages/fail2ban/0.11.2/12.fc36/noarch/$p;done
...
$ sudo dnf upgrade ./fail2ban-\*
...
$

Comment 4 Fedora Update System 2022-05-19 15:37:03 UTC
FEDORA-2022-33c51827f4 has been pushed to the Fedora 36 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2022-33c51827f4`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-33c51827f4

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 5 Fedora Update System 2022-05-27 01:09:00 UTC
FEDORA-2022-33c51827f4 has been pushed to the Fedora 36 stable repository.
If the problem still persists, please make note of it in this bug report.

