Description of problem:
SELinux is preventing /usr/bin/python3.9 from watch access on the directory /run/log/journal

Version-Release number of selected component (if applicable):
0.11.2-12.el9

How reproducible:
Always.

Steps to Reproduce:
1. Install Fail2Ban from EPEL 9 on AlmaLinux 9.
2. Start fail2ban.service

Actual results:
Jun 10 12:04:38 foo setroubleshoot[1365]: SELinux is preventing /usr/bin/python3.9 from watch access on the directory /run/log/journal. For complete SELinux messages run: sealert -l 2324ca69-7e91-46d3-a93c-9802f48f9546
Jun 10 12:04:38 foo setroubleshoot[1365]: SELinux is preventing /usr/bin/python3.9 from watch access on the directory /run/log/journal.#012#012***** Plugin catchall (100. confidence) suggests **************************#012#012If you believe that python3.9 should be allowed watch access on the journal directory by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'f2b/f.sshd' --raw | audit2allow -M my-f2bfsshd#012# semodule -X 300 -i my-f2bfsshd.pp#012
Jun 10 12:04:38 foo setroubleshoot[1365]: SELinux is preventing /usr/bin/python3.9 from watch access on the directory /var/log/journal. For complete SELinux messages run: sealert -l f1ec1649-bde1-473d-b5b1-38b4a610c49c
Jun 10 12:04:38 foo setroubleshoot[1365]: SELinux is preventing /usr/bin/python3.9 from watch access on the directory /var/log/journal.#012#012***** Plugin catchall (100. confidence) suggests **************************#012#012If you believe that python3.9 should be allowed watch access on the journal directory by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'f2b/f.sshd' --raw | audit2allow -M my-f2bfsshd#012# semodule -X 300 -i my-f2bfsshd.pp#012
Jun 10 12:04:38 foo setroubleshoot[1365]: failed to retrieve rpm info for /var/log/journal/761d5ca528114c82a9dfcff15dc196dc

[root@foo:production:~]$ sealert -l 2324ca69-7e91-46d3-a93c-9802f48f9546
SELinux is preventing /usr/bin/python3.9 from watch access on the directory /run/log/journal.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that python3.9 should be allowed watch access on the journal directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'f2b/f.sshd' --raw | audit2allow -M my-f2bfsshd
# semodule -X 300 -i my-f2bfsshd.pp

Additional Information:
Source Context                system_u:system_r:fail2ban_t:s0
Target Context                system_u:object_r:syslogd_var_run_t:s0
Target Objects                /run/log/journal [ dir ]
Source                        f2b/f.sshd
Source Path                   /usr/bin/python3.9
Port                          <Unknown>
Host                          foo.lnx.warwick.ac.uk
Source RPM Packages           python3-3.9.10-2.el9.x86_64
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-34.1.29-1.el9_0.noarch
Local Policy RPM              selinux-policy-targeted-34.1.29-1.el9_0.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     foo.lnx.warwick.ac.uk
Platform                      Linux foo.lnx.warwick.ac.uk 5.14.0-70.13.1.el9_0.x86_64 #1 SMP PREEMPT Tue May 17 15:53:11 EDT 2022 x86_64 x86_64
Alert Count                   8
First Seen                    2022-06-10 09:33:55 BST
Last Seen                     2022-06-10 12:04:36 BST
Local ID                      2324ca69-7e91-46d3-a93c-9802f48f9546

Raw Audit Messages
type=AVC msg=audit(1654859076.808:110): avc:  denied  { watch } for  pid=1359 comm="f2b/f.sshd" path="/run/log/journal" dev="tmpfs" ino=63 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:syslogd_var_run_t:s0 tclass=dir permissive=0

type=SYSCALL msg=audit(1654859076.808:110): arch=x86_64 syscall=inotify_add_watch success=no exit=EACCES a0=8 a1=7fe3dbffd990 a2=1000386 a3=9 items=0 ppid=1 pid=1359 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=f2b/f.sshd exe=/usr/bin/python3.9 subj=system_u:system_r:fail2ban_t:s0 key=(null)

Hash: f2b/f.sshd,fail2ban_t,syslogd_var_run_t,dir,watch

[root@foo:production:~]$

Fail2ban *does* notice repeated failed SSH login attempts and ban the IP address.

Expected results:
Things Fail2ban wants to do aren't blocked by SELinux.

Additional info:
[root@foo:production:~]$ dnf info fail2ban
Last metadata expiration check: 3:33:52 ago on Fri 10 Jun 2022 08:40:13 BST.
Installed Packages
Name         : fail2ban
Version      : 0.11.2
Release      : 12.el9
Architecture : noarch
Size         : 0.0
Source       : fail2ban-0.11.2-12.el9.src.rpm
Repository   : @System
From repo    : epel9-everything
Summary      : Daemon to ban hosts that cause multiple authentication errors
URL          : http://fail2ban.sourceforge.net/
License      : GPLv2+
Description  : Fail2Ban scans log files and bans IP addresses that makes too
             : many password failures. It updates firewall rules to reject the
             : IP address. These rules can be defined by the user. Fail2Ban can
             : read multiple log files such as sshd or Apache web server ones.
             :
             : Fail2Ban is able to reduce the rate of incorrect authentications
             : attempts however it cannot eliminate the risk that weak
             : authentication presents. Configure services to use only two
             : factor or public/private authentication mechanisms if you really
             : want to protect services.
             :
             : This is a meta-package that will install the default
             : configuration. Other sub-packages are available to install
             : support for other actions and configurations.

[root@foo:production:~]$ cat /etc/os-release
NAME="AlmaLinux"
VERSION="9.0 (Emerald Puma)"
ID="almalinux"
ID_LIKE="rhel centos fedora"
VERSION_ID="9.0"
PLATFORM_ID="platform:el9"
PRETTY_NAME="AlmaLinux 9.0 (Emerald Puma)"
ANSI_COLOR="0;34"
LOGO="fedora-logo-icon"
CPE_NAME="cpe:/o:almalinux:almalinux:9::baseos"
HOME_URL="https://almalinux.org/"
DOCUMENTATION_URL="https://wiki.almalinux.org/"
BUG_REPORT_URL="https://bugs.almalinux.org/"
ALMALINUX_MANTISBT_PROJECT="AlmaLinux-9"
ALMALINUX_MANTISBT_PROJECT_VERSION="9.0"
REDHAT_SUPPORT_PRODUCT="AlmaLinux"
REDHAT_SUPPORT_PRODUCT_VERSION="9.0"

[root@foo:production:~]$ rpm -q --changelog fail2ban | head -3
* Wed May 18 2022 Orion Poplawski <orion> - 0.11.2-12
- Fix SELinux policy to allow watch on var_log_t (bz#2083923)
[root@foo:production:~]$
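Added example (not part of the report, and not fail2ban or setroubleshoot code): a small standard-library Python parser for raw AVC records of the kind shown under "Raw Audit Messages" above. It recovers the source/target types, object class and permission set, reproduces the "Hash:" fingerprint sealert printed for this denial, and emits the TE allow rule that a local module built with audit2allow would contain, so the denial can be triaged from `ausearch --raw` output alone. The sample input is the report's own AVC record plus its SYSCALL record (copied from the page); the SYSCALL record carries no AVC fields and is skipped. The permissive check is there because a `permissive=1` record is logged but not enforced and should not be mistaken for a functional failure.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Sample input, copied from the sealert output in the report above: one AVC
# record and the SYSCALL record that accompanies it.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1654859076.808:110): avc:  denied  { watch } for  pid=1359 comm="f2b/f.sshd" path="/run/log/journal" dev="tmpfs" ino=63 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:syslogd_var_run_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1654859076.808:110): arch=x86_64 syscall=inotify_add_watch success=no exit=EACCES a0=8 a1=7fe3dbffd990 a2=1000386 a3=9 items=0 ppid=1 pid=1359 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=f2b/f.sshd exe=/usr/bin/python3.9 subj=system_u:system_r:fail2ban_t:s0 key=(null)
"""

# "avc:  denied  { perm1 perm2 } for  key=value ..." ; everything after "for"
# is a run of key=value pairs, some of them double-quoted.
AVC_RE = re.compile(r"\bavc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


@dataclass(frozen=True)
class AvcDenial:
    perms: tuple[str, ...]
    comm: str
    scontext: str
    tcontext: str
    tclass: str
    permissive: bool
    path: str | None = None


def context_type(ctx: str) -> str:
    """Type component of a user:role:type[:mls] security context."""
    parts = ctx.split(":")
    if len(parts) < 3:
        raise ValueError(f"not a security context: {ctx!r}")
    return parts[2]


def parse_avc(line: str) -> AvcDenial | None:
    """Parse one audit record; returns None for records that are not AVC denials."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    try:
        return AvcDenial(
            perms=tuple(m.group("perms").split()),
            comm=fields["comm"],
            scontext=fields["scontext"],
            tcontext=fields["tcontext"],
            tclass=fields["tclass"],
            permissive=fields.get("permissive", "0") == "1",
            path=fields.get("path"),
        )
    except KeyError as exc:
        raise ValueError(f"AVC record is missing field {exc}: {line!r}") from exc


def parse_audit_log(text: str) -> list[AvcDenial]:
    """All AVC denials in a block of ausearch --raw / audit.log text."""
    return [d for line in text.splitlines() if (d := parse_avc(line)) is not None]


def sealert_hash(d: AvcDenial) -> str:
    """Fingerprint in the shape of sealert's 'Hash:' line: comm,stype,ttype,tclass,perms.
    Matches the page's line exactly for a single-permission denial like this one."""
    return ",".join(
        [d.comm, context_type(d.scontext), context_type(d.tcontext), d.tclass, " ".join(d.perms)]
    )


def allow_rule(d: AvcDenial) -> str:
    """TE allow rule equivalent to what audit2allow generates for this denial."""
    perms = d.perms[0] if len(d.perms) == 1 else "{ " + " ".join(d.perms) + " }"
    return f"allow {context_type(d.scontext)} {context_type(d.tcontext)}:{d.tclass} {perms};"


def report(text: str) -> list[str]:
    """One human-readable line per enforced denial (permissive ones are labelled)."""
    lines = []
    for d in parse_audit_log(text):
        mode = "logged only (permissive)" if d.permissive else "ENFORCED"
        lines.append(f"{mode}: {sealert_hash(d)} on {d.path!r} -> {allow_rule(d)}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_AUDIT_LOG)))
```

Feeding the real `ausearch -c 'f2b/f.sshd' --raw` output to `report()` instead of the sample shows at a glance which domain/type pairs are involved; for this bug both denials come from `fail2ban_t`, which is exactly the domain the `fail2ban-selinux` package's policy is meant to cover, so a generated local module is a stopgap rather than the fix.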
There is a bug in the current fail2ban-server packaging where it doesn't bring in the fail2ban-selinux package. If you install that, things should be better. I'll try to get an update out soon.
*** This bug has been marked as a duplicate of bug 2100549 ***