Bug 2095722 - SELinux is preventing /usr/bin/python3.9 from watch access on the directory /run/log/journal
Keywords:
Status: CLOSED DUPLICATE of bug 2100549
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: fail2ban
Version: epel9
Hardware: x86_64
OS: Linux
unspecified
unspecified
Target Milestone: ---
Assignee: Orion Poplawski
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2022-06-10 11:19 UTC by Mike Willis
Modified: 2023-03-30 00:06 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-03-30 00:06:49 UTC
Type: Bug
Embargoed:



Description Mike Willis 2022-06-10 11:19:56 UTC
Description of problem:

SELinux is preventing /usr/bin/python3.9 from watch access on the directory /run/log/journal


Version-Release number of selected component (if applicable): 0.11.2-12.el9


How reproducible:

Always.

Steps to Reproduce:
1. Install Fail2Ban from EPEL 9 on AlmaLinux 9.
2. Start fail2ban.service


Actual results:

Jun 10 12:04:38 foo setroubleshoot[1365]: SELinux is preventing /usr/bin/python3.9 from watch access on the directory /run/log/journal. For complete SELinux messages run: sealert -l 2324ca69-7e91-46d3-a93c-9802f48f9546
Jun 10 12:04:38 foo setroubleshoot[1365]: SELinux is preventing /usr/bin/python3.9 from watch access on the directory /run/log/journal.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that python3.9 should be allowed watch access on the journal directory by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'f2b/f.sshd' --raw | audit2allow -M my-f2bfsshd#012# semodule -X 300 -i my-f2bfsshd.pp#012
Jun 10 12:04:38 foo setroubleshoot[1365]: SELinux is preventing /usr/bin/python3.9 from watch access on the directory /var/log/journal. For complete SELinux messages run: sealert -l f1ec1649-bde1-473d-b5b1-38b4a610c49c
Jun 10 12:04:38 foo setroubleshoot[1365]: SELinux is preventing /usr/bin/python3.9 from watch access on the directory /var/log/journal.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that python3.9 should be allowed watch access on the journal directory by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'f2b/f.sshd' --raw | audit2allow -M my-f2bfsshd#012# semodule -X 300 -i my-f2bfsshd.pp#012
Jun 10 12:04:38 foo setroubleshoot[1365]: failed to retrieve rpm info for /var/log/journal/761d5ca528114c82a9dfcff15dc196dc

[root@foo:production:~]$ sealert -l 2324ca69-7e91-46d3-a93c-9802f48f9546

SELinux is preventing /usr/bin/python3.9 from watch access on the directory /run/log/journal.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that python3.9 should be allowed watch access on the journal directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'f2b/f.sshd' --raw | audit2allow -M my-f2bfsshd
# semodule -X 300 -i my-f2bfsshd.pp


Additional Information:
Source Context                system_u:system_r:fail2ban_t:s0
Target Context                system_u:object_r:syslogd_var_run_t:s0
Target Objects                /run/log/journal [ dir ]
Source                        f2b/f.sshd
Source Path                   /usr/bin/python3.9
Port                          <Unknown>
Host                          foo.lnx.warwick.ac.uk
Source RPM Packages           python3-3.9.10-2.el9.x86_64
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-34.1.29-1.el9_0.noarch
Local Policy RPM              selinux-policy-targeted-34.1.29-1.el9_0.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     foo.lnx.warwick.ac.uk
Platform                      Linux foo.lnx.warwick.ac.uk
                              5.14.0-70.13.1.el9_0.x86_64 #1 SMP PREEMPT Tue May
                              17 15:53:11 EDT 2022 x86_64 x86_64
Alert Count                   8
First Seen                    2022-06-10 09:33:55 BST
Last Seen                     2022-06-10 12:04:36 BST
Local ID                      2324ca69-7e91-46d3-a93c-9802f48f9546

Raw Audit Messages
type=AVC msg=audit(1654859076.808:110): avc:  denied  { watch } for  pid=1359 comm="f2b/f.sshd" path="/run/log/journal" dev="tmpfs" ino=63 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:syslogd_var_run_t:s0 tclass=dir permissive=0


type=SYSCALL msg=audit(1654859076.808:110): arch=x86_64 syscall=inotify_add_watch success=no exit=EACCES a0=8 a1=7fe3dbffd990 a2=1000386 a3=9 items=0 ppid=1 pid=1359 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=f2b/f.sshd exe=/usr/bin/python3.9 subj=system_u:system_r:fail2ban_t:s0 key=(null)

Hash: f2b/f.sshd,fail2ban_t,syslogd_var_run_t,dir,watch

[root@foo:production:~]$ 


Fail2ban *does* notice repeated failed SSH login attempts and ban the IP address.


Expected results:

Things Fail2ban wants to do aren't blocked by SELinux.


Additional info:

[root@foo:production:~]$ dnf info fail2ban
Last metadata expiration check: 3:33:52 ago on Fri 10 Jun 2022 08:40:13 BST.
Installed Packages
Name         : fail2ban
Version      : 0.11.2
Release      : 12.el9
Architecture : noarch
Size         : 0.0  
Source       : fail2ban-0.11.2-12.el9.src.rpm
Repository   : @System
From repo    : epel9-everything
Summary      : Daemon to ban hosts that cause multiple authentication errors
URL          : http://fail2ban.sourceforge.net/
License      : GPLv2+
Description  : Fail2Ban scans log files and bans IP addresses that makes too
             : many password failures. It updates firewall rules to reject the
             : IP address. These rules can be defined by the user. Fail2Ban can
             : read multiple log files such as sshd or Apache web server ones.
             : 
             : Fail2Ban is able to reduce the rate of incorrect authentications
             : attempts however it cannot eliminate the risk that weak
             : authentication presents. Configure services to use only two
             : factor or public/private authentication mechanisms if you really
             : want to protect services.
             : 
             : This is a meta-package that will install the default
             : configuration.  Other sub-packages are available to install
             : support for other actions and configurations.

[root@foo:production:~]$ cat /etc/os-release 
NAME="AlmaLinux"
VERSION="9.0 (Emerald Puma)"
ID="almalinux"
ID_LIKE="rhel centos fedora"
VERSION_ID="9.0"
PLATFORM_ID="platform:el9"
PRETTY_NAME="AlmaLinux 9.0 (Emerald Puma)"
ANSI_COLOR="0;34"
LOGO="fedora-logo-icon"
CPE_NAME="cpe:/o:almalinux:almalinux:9::baseos"
HOME_URL="https://almalinux.org/"
DOCUMENTATION_URL="https://wiki.almalinux.org/"
BUG_REPORT_URL="https://bugs.almalinux.org/"

ALMALINUX_MANTISBT_PROJECT="AlmaLinux-9"
ALMALINUX_MANTISBT_PROJECT_VERSION="9.0"
REDHAT_SUPPORT_PRODUCT="AlmaLinux"
REDHAT_SUPPORT_PRODUCT_VERSION="9.0"
[root@foo:production:~]$ rpm -q --changelog fail2ban | head -3
* Wed May 18 2022 Orion Poplawski <orion> - 0.11.2-12
- Fix SELinux policy to allow watch on var_log_t (bz#2083923)

[root@foo:production:~]$
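Triage of a report like this one usually starts from the raw audit records rather than the sealert summary: the AVC record carries the source and target contexts, class and denied permission, and the SYSCALL record with the same audit serial carries the executable and the system call that failed (here inotify_add_watch from /usr/bin/python3.9, which is what fail2ban's journal backend uses to follow the journal directory). The following is an added Python example, not code from fail2ban, setroubleshoot or this bug report. It parses audit lines in the `ausearch --raw` format quoted above, joins AVC and SYSCALL records on their serial, and groups denials by the same `comm,source type,target type,class,permission` signature that setroubleshoot prints as "Hash:". The sample input embeds the two records from this report plus one constructed AVC line for /var/log/journal (its serial, inode, device and permissive=1 flag are made up to show how a permissive-mode record is distinguished).

```python
"""Summarise SELinux AVC denials from raw audit records.

Added example for this bug report; not part of fail2ban or setroubleshoot.
Input format is the `type=AVC ...` / `type=SYSCALL ...` lines that
`ausearch --raw` prints and that sealert quotes under "Raw Audit Messages".
"""
import re
from collections import Counter

# Constructed sample: the AVC and SYSCALL records quoted in this report,
# plus one made-up AVC record (serial 111, var_log_t target, permissive=1).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1654859076.808:110): avc:  denied  { watch } for  pid=1359 comm="f2b/f.sshd" path="/run/log/journal" dev="tmpfs" ino=63 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:syslogd_var_run_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1654859076.808:110): arch=x86_64 syscall=inotify_add_watch success=no exit=EACCES a0=8 a1=7fe3dbffd990 a2=1000386 a3=9 items=0 ppid=1 pid=1359 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=f2b/f.sshd exe=/usr/bin/python3.9 subj=system_u:system_r:fail2ban_t:s0 key=(null)
type=AVC msg=audit(1654859077.101:111): avc:  denied  { watch } for  pid=1359 comm="f2b/f.sshd" path="/var/log/journal" dev="dm-0" ino=131 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir permissive=1
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)'
)
SYSCALL_RE = re.compile(
    r'type=SYSCALL msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<rest>.*)'
)
# key=value pairs; audit quotes values that may contain spaces, others are bare.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_kv(text):
    """Turn 'pid=1359 comm="f2b/f.sshd" ...' into a dict, unquoting values."""
    out = {}
    for m in KV_RE.finditer(text):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        out[key] = quoted if quoted is not None else raw
    return out


def context_type(ctx):
    """system_u:system_r:fail2ban_t:s0 -> fail2ban_t (the type component)."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def parse_audit(text):
    """Return one dict per AVC denial, joined with the SYSCALL record that
    shares its audit serial (exe and syscall are None when none is present).
    'enforced' is True only when the kernel actually refused the access
    (permissive=0); a permissive=1 denial was logged but allowed."""
    denials, syscalls = [], {}
    for line in text.splitlines():
        m = SYSCALL_RE.match(line)
        if m:
            syscalls[m.group("serial")] = parse_kv(m.group("rest"))
            continue
        m = AVC_RE.match(line)
        if m and m.group("result") == "denied":
            fields = parse_kv(m.group("rest"))
            fields["perms"] = m.group("perms").split()
            fields["serial"] = m.group("serial")
            fields["enforced"] = fields.get("permissive") == "0"
            denials.append(fields)
    for d in denials:
        sc = syscalls.get(d["serial"], {})
        d["exe"] = sc.get("exe")
        d["syscall"] = sc.get("syscall")
    return denials


def signature(d):
    """Same shape as setroubleshoot's 'Hash:' line:
    comm,source type,target type,class,permissions."""
    return ",".join([
        d["comm"],
        context_type(d["scontext"]),
        context_type(d["tcontext"]),
        d["tclass"],
        " ".join(d["perms"]),
    ])


def summarise(text):
    """Count denials per signature, like sealert's 'Alert Count' per Local ID."""
    return dict(Counter(signature(d) for d in parse_audit(text)))


if __name__ == "__main__":
    for d in parse_audit(SAMPLE_AUDIT):
        mode = "enforced" if d["enforced"] else "permissive"
        print(f"{signature(d)}  path={d['path']}  exe={d['exe']}  "
              f"syscall={d['syscall']}  [{mode}]")
    for sig, n in summarise(SAMPLE_AUDIT).items():
        print(f"{n:3d}  {sig}")
```

Run against `ausearch -m AVC --raw` output, the summary tells you whether every denial for a domain collapses to one signature (a single missing rule, as in this report) or whether the domain is denied many distinct accesses, which is the difference between a packaging gap worth a bug report and a workload that simply does not fit the domain. Here the first record reproduces the "Hash: f2b/f.sshd,fail2ban_t,syslogd_var_run_t,dir,watch" line shown above.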

Comment 1 Orion Poplawski 2023-03-29 23:57:36 UTC
There is a bug in the current fail2ban-server packaging where it doesn't bring in the fail2ban-selinux package.  If you install that, things should be better.  I'll try to get an update out soon.

Comment 2 Orion Poplawski 2023-03-30 00:06:49 UTC

*** This bug has been marked as a duplicate of bug 2100549 ***
