Description of problem: SELinux is preventing f2b/f.sshd from watch access on the directory /var/log/journal/e1b76908437a478ca7e08da051a8d3b3 Additional Information: Source Context system_u:system_r:fail2ban_t:s0 Target Context system_u:object_r:var_log_t:s0 Target Objects /var/log/journal/e1b76908437a478ca7e08da051a8d3b3 [ dir ] Source f2b/f.sshd Source Path f2b/f.sshd Port <Unknown> Host gtw Source RPM Packages Target RPM Packages SELinux Policy RPM selinux-policy-targeted-36.8-1.fc36.noarch Local Policy RPM fail2ban-selinux-0.11.2-11.fc36.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name gtw Platform Linux gtw 5.17.5-300.fc36.x86_64 #1 SMP PREEMPT Thu Apr 28 15:51:30 UTC 2022 x86_64 x86_64 Alert Count 2 First Seen 2022-05-10 16:01:42 EDT Last Seen 2022-05-10 16:01:42 EDT Local ID 8030e5bb-553d-408f-b834-1f1ac7d1a905 Version-Release number of selected component (if applicable): How reproducible: Steps to Reproduce: 1. Reboot after upgrade to f36 2. 3. Actual results: Expected results: Additional info: I did this: If you believe that f.sshd should be allowed watch access on the e1b76908437a478ca7e08da051a8d3b3 directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'f2b/f.sshd' --raw | audit2allow -M my-f2bfsshd # semodule -X 300 -i my-f2bfsshd.pp
It looks like this change was made in commit 3f49a1709f7b21b5361a191533a2307e2a1b21d2: Author: Richard Shaw <hobbes1069> Date: Sat Dec 25 10:35:01 2021 -0600 Add patches / updates for various fixes: * Add patch for Python 3.11 compatibilitys, fixes RHBZ#2034205. * Comment out a few lines in the selinux files that broke building on EPEL and don't seem to be needed. Fixes RHBZ#2029193. * Work around 2to3 being removed from Python setuptools. diff --git a/fail2ban.te b/fail2ban.te index 92615ca..8cbf7b3 100644 --- a/fail2ban.te +++ b/fail2ban.te @@ -45,7 +45,7 @@ allow fail2ban_t self:netlink_netfilter_socket create_socket_perms; read_files_pattern(fail2ban_t, fail2ban_t, fail2ban_t) -allow fail2ban_t fail2ban_log_t:file watch; +#allow fail2ban_t fail2ban_log_t:file watch; append_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t) create_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t) setattr_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t) @@ -100,10 +100,10 @@ logging_read_syslog_pid(fail2ban_t) logging_dontaudit_search_audit_logs(fail2ban_t) logging_mmap_generic_logs(fail2ban_t) logging_mmap_journal(fail2ban_t) -logging_watch_audit_log_files(fail2ban_t) -logging_watch_audit_log_dirs(fail2ban_t) -logging_watch_generic_log_dirs(fail2ban_t) -logging_watch_journal_dir(fail2ban_t) +#logging_watch_audit_log_files(fail2ban_t) +#logging_watch_audit_log_dirs(fail2ban_t) +#logging_watch_generic_log_dirs(fail2ban_t) +#logging_watch_journal_dir(fail2ban_t) mta_send_mail(fail2ban_t) logging_watch_generic_log_dirs would have given fail2ban_t watch permissions to var_log_t: ####################################### ## <summary> ## Watch the generic log directory (/var/log). ## </summary> ## <param name="domain"> ## <summary> ## Domain allowed access. ## </summary> ## </param> # interface(`logging_watch_generic_log_dirs',` gen_require(` type var_log_t; ') files_search_var($1) allow $1 var_log_t:dir watch_dir_perms; ')
FEDORA-2022-33c51827f4 has been submitted as an update to Fedora 36. https://bodhi.fedoraproject.org/updates/FEDORA-2022-33c51827f4
That fixed the bug here. I did: $ sudo semodule -X 300 -r my-f2bfsshd ... $ for p in fail2ban-0.11.2-12.fc36.noarch.rpm \ fail2ban-selinux-0.11.2-12.fc36.noarch.rpm \ fail2ban-server-0.11.2-12.fc36.noarch.rpm \ fail2ban-sendmail-0.11.2-12.fc36.noarch.rpm \ fail2ban-firewalld-0.11.2-12.fc36.noarch.rpm ; \ do wget \ https://kojipkgs.fedoraproject.org//packages/fail2ban/0.11.2/12.fc36/noarch/$p;done ... $ sudo dnf upgrade ./fail2ban-\* ... $
FEDORA-2022-33c51827f4 has been pushed to the Fedora 36 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2022-33c51827f4` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-33c51827f4 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2022-33c51827f4 has been pushed to the Fedora 36 stable repository. If problem still persists, please make note of it in this bug report.