In the fail2ban logs:
Could not start server: Unable to bind socket /var/run/fail2ban/fail2ban.sock

In the SELinux logs:
type=AVC msg=audit(1711978962.290:2038): avc: denied { getattr } for pid=54304 comm="fail2ban-server" path="/run/fail2ban/fail2ban.sock" dev="tmpfs" ino=4540 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0

After https://bugzilla.redhat.com/show_bug.cgi?id=2258068, line 9 in https://src.fedoraproject.org/rpms/fail2ban/blob/rawhide/f/fail2ban.fc needs to be:
/run/fail2ban(/.*)? gen_context(system_u:object_r:fail2ban_var_run_t,s0)

See more info here: https://fedoraproject.org/wiki/Changes/Move_var_run_selinux_policy_entries_to_run
Assuming the builds complete, can you try the test packages here before I build official packages? There's also a patch for nftables included that needs testing. https://copr.fedorainfracloud.org/coprs/hobbes1069/testing/build/7331870/ @orion I'm assuming you've diverged from the Fedora repos in EPEL correct? I'm assuming the /var/run -> /run only applies to Fedora and not EPEL?
Yes, it now looks OK on my machine.

ls -lZd /run/fail2ban
drwxr-xr-x. 2 root root system_u:object_r:fail2ban_var_run_t:s0 80 Apr 21 10:42 /run/fail2ban

and ls -lZd /run/fail2ban/*
-rw-------. 1 root root system_u:object_r:fail2ban_var_run_t:s0 5 Apr 21 10:42 /run/fail2ban/fail2ban.pid
srwx------. 1 root root system_u:object_r:fail2ban_var_run_t:s0 0 Apr 21 10:42 /run/fail2ban/fail2ban.sock

Previously the socket was var_run_t, not fail2ban_var_run_t. Thanks for the quick turnaround.
Can you also check that any jails you use are working? For instance, on my system I only run the ssh jail:

# fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- Journal matches:  _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned: 4
   |- Total banned:     4
   `- Banned IP list:   179.43.180.108 183.81.169.238 8.218.230.152 94.156.8.149
~$ sudo fail2ban-client status
Status
|- Number of jail:  7
`- Jail list:       dovecot, nginx, nginx-botsearch, pam-generic, postfix, recidive, sshd

~$ sudo fail2ban-client status sshd
Status for the jail: sshd
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     2
|  `- Journal matches:  _SYSTEMD_UNIT=sshd.service + _COMM=sshd
`- Actions
   |- Currently banned: 0
   |- Total banned:     1
   `- Banned IP list:

~$ sudo fail2ban-client status nginx-botsearch
Status for the jail: nginx-botsearch
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- File list:        /var/log/nginx/access.log /var/log/nginx/error.log
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:

~$ sudo fail2ban-client status recidive
Status for the jail: recidive
|- Filter
|  |- Currently failed: 9
|  |- Total failed:     17
|  `- File list:        /var/log/fail2ban.log
`- Actions
   |- Currently banned: 12
   |- Total banned:     13
   `- Banned IP list:   104.152.52.76 109.206.237.199 179.43.190.218 179.43.191.18 80.75.212.75 80.94.92.60 87.120.84.171 87.121.105.251 94.156.10.67 193.222.96.5 91.92.240.17 146.19.215.138

~$ sudo nft list table inet f2b-table
table inet f2b-table {
    set f2b-postfix {
        type ipv4_addr
        elements = { 45.88.90.89, 87.121.105.251, 193.222.96.102, 193.222.96.110 }
    }

    set f2b-recidive {
        type ipv4_addr
        elements = { 80.75.212.75, 80.94.92.60, 87.120.84.171, 87.121.105.251, 91.92.240.17, 94.156.10.67, 104.152.52.76, 109.206.237.199, 146.19.215.138, 179.43.190.218, 179.43.191.18, 193.222.96.5 }
    }

    set f2b-nginx {
        type ipv4_addr
        elements = { 45.125.66.34, 78.153.140.177, 78.153.140.179, 87.121.69.52, 212.70.149.134 }
    }

    set f2b-sshd {
        type ipv4_addr
    }

    set f2b-dovecot {
        type ipv4_addr
        elements = { 152.89.198.241 }
    }

    chain f2b-chain {
        type filter hook input priority filter - 1; policy accept;
        tcp dport { 25, 587, 993, 4190 } ip saddr @f2b-postfix log prefix "f2b-postfix " level info counter packets 364 bytes 18833 drop
        meta l4proto { icmp, tcp, udp } ip saddr @f2b-recidive log prefix "f2b-recidive " level info counter packets 193 bytes 9680 drop
        tcp dport { 80, 443 } ip saddr @f2b-nginx log prefix "f2b-nginx " level info counter packets 12 bytes 640 drop
        tcp dport 22 ip saddr @f2b-sshd log prefix "f2b-sshd " level info counter packets 16 bytes 916 drop
        tcp dport { 25, 587, 993, 4190 } ip saddr @f2b-dovecot log prefix "f2b-dovecot " level info counter packets 0 bytes 0 drop
    }
}
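The two listings above (fail2ban's own view of who is banned, and the nftables sets its action fills) are what you compare to confirm a jail is really enforcing. The script below is an added example for this thread, not fail2ban's code or the reporter's: it parses both outputs and reports any address fail2ban thinks is banned but nft does not drop, and vice versa. The sample text is constructed from the listings in this comment, and the assumption that jail X is backed by set f2b-X (and referenced by a rule in f2b-chain) is taken from those listings; other setups may name their sets differently.

```python
"""Cross-check fail2ban's banned list against the nftables set its action maintains.
Added example for this bug thread, not fail2ban's own code.  Sample inputs are
constructed from the listings posted above; the jail -> set mapping f2b-<jail>
is an assumption taken from those listings."""
from __future__ import annotations
import re
import subprocess

# Constructed sample: two jails from the listing above and the matching part of the table.
STATUS_SAMPLE = {
    "sshd": (
        "Status for the jail: sshd\n"
        "|- Filter\n"
        "|  |- Currently failed: 0\n"
        "|  |- Total failed:     2\n"
        "|  `- Journal matches:  _SYSTEMD_UNIT=sshd.service + _COMM=sshd\n"
        "`- Actions\n"
        "   |- Currently banned: 0\n"
        "   |- Total banned:     1\n"
        "   `- Banned IP list:\n"
    ),
    "recidive": (
        "Status for the jail: recidive\n"
        "|- Filter\n"
        "|  |- Currently failed: 9\n"
        "|  |- Total failed:     17\n"
        "|  `- File list:        /var/log/fail2ban.log\n"
        "`- Actions\n"
        "   |- Currently banned: 12\n"
        "   |- Total banned:     13\n"
        "   `- Banned IP list:   104.152.52.76 109.206.237.199 179.43.190.218 "
        "179.43.191.18 80.75.212.75 80.94.92.60 87.120.84.171 87.121.105.251 "
        "94.156.10.67 193.222.96.5 91.92.240.17 146.19.215.138\n"
    ),
}

NFT_SAMPLE = """table inet f2b-table {
    set f2b-recidive {
        type ipv4_addr
        elements = { 80.75.212.75, 80.94.92.60, 87.120.84.171, 87.121.105.251,
                     91.92.240.17, 94.156.10.67, 104.152.52.76, 109.206.237.199,
                     146.19.215.138, 179.43.190.218, 179.43.191.18, 193.222.96.5 }
    }

    set f2b-sshd {
        type ipv4_addr
    }

    chain f2b-chain {
        type filter hook input priority filter - 1; policy accept;
        meta l4proto { icmp, tcp, udp } ip saddr @f2b-recidive log prefix "f2b-recidive " level info counter packets 193 bytes 9680 drop
        tcp dport 22 ip saddr @f2b-sshd log prefix "f2b-sshd " level info counter packets 16 bytes 916 drop
    }
}
"""

BANNED_RE = re.compile(r"Banned IP list:\s*(.*)")
# A set block: "set NAME {" ... optional one-level "elements = { ... }" ... "}"
SET_RE = re.compile(r"^\s*set\s+(?P<name>\S+)\s*\{(?P<body>[^{}]*(?:\{[^}]*\}[^{}]*)?)\}", re.MULTILINE)
ELEM_RE = re.compile(r"elements\s*=\s*\{([^}]*)\}")
RULE_REF_RE = re.compile(r"ip6? saddr @(\S+)")


def parse_banned(status_text: str) -> set[str]:
    """Addresses fail2ban currently reports as banned for one jail."""
    m = BANNED_RE.search(status_text)
    return set(m.group(1).split()) if m else set()


def parse_nft_sets(nft_text: str) -> dict[str, set[str]]:
    """Map of nft set name -> addresses currently in the set (empty set if no elements)."""
    sets: dict[str, set[str]] = {}
    for m in SET_RE.finditer(nft_text):
        e = ELEM_RE.search(m.group("body"))
        sets[m.group("name")] = {x.strip() for x in e.group(1).split(",") if x.strip()} if e else set()
    return sets


def compare(jail: str, status_text: str, nft_text: str, set_name: str | None = None) -> dict:
    """Report drift between the jail's ban list and the nft set that should enforce it."""
    set_name = set_name or f"f2b-{jail}"          # assumption: action names its set f2b-<jail>
    banned = parse_banned(status_text)
    in_nft = parse_nft_sets(nft_text).get(set_name)
    return {
        "set_present": in_nft is not None,
        "set_referenced_by_rule": set_name in set(RULE_REF_RE.findall(nft_text)),
        "missing_from_nft": sorted(banned - (in_nft or set())),   # banned but not dropped
        "not_in_jail": sorted((in_nft or set()) - banned),        # dropped but fail2ban forgot
    }


def live_report(jail: str, table: str = "inet f2b-table") -> dict:
    """Same check against the running system (needs root; not used by the sample run)."""
    status = subprocess.run(["fail2ban-client", "status", jail], capture_output=True, text=True, check=True).stdout
    nft = subprocess.run(["nft", "list", "table", *table.split()], capture_output=True, text=True, check=True).stdout
    return compare(jail, status, nft)


if __name__ == "__main__":
    for jail, text in STATUS_SAMPLE.items():
        print(jail, compare(jail, text, NFT_SAMPLE))
```

A jail whose set is present and referenced by a rule but with addresses in missing_from_nft is the case to chase: fail2ban has recorded the ban but the action failed to apply it, which is exactly the symptom an nftables patch like the one mentioned above would change.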
EPEL9 is the same as rawhide at this point. EL8 has diverged slightly in the SELinux policy and may be safer to leave as is. Looks like upstream really should replace a bunch of /var/run -> /run.
Thanks for this bug report and the maintainer's support. I am facing the same issue in Fedora Silverblue 40. fail2ban.service is failing in its default configuration. Got the same SELinux log:
type=AVC msg=audit(1713971704.013:624): avc: denied { create } for pid=16072 comm="fail2ban-server" name="fail2ban.sock" scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0
Would be happy to provide any additional input.
FEDORA-2024-43151e7f6f (fail2ban-1.0.2-13.fc41) has been submitted as an update to Fedora 41. https://bodhi.fedoraproject.org/updates/FEDORA-2024-43151e7f6f
FEDORA-2024-43151e7f6f (fail2ban-1.0.2-13.fc41) has been pushed to the Fedora 41 stable repository. If problem still persists, please make note of it in this bug report.
On f39 this did not work - sorry. I had to do:

semanage fcontext -a -t fail2ban_var_run_t "/var/run/fail2ban(/.*)?"
restorecon -R -v /var/run/fail2ban/

to get it to work.
Same here, on a machine I haven't updated yet on F38 this broke fail2ban.
Could not start server: Unable to bind socket /run/fail2ban/fail2ban.sock
It was previously still pointed at /var/run; I updated it to /run, which did not seem to matter. Nothing in audit logs.
I wound up creating a temporary selinux rule...

module fail2ban-extra 1.0;

require {
        type fail2ban_t;
        type var_run_t;
        type fail2ban_client_t;
        class sock_file { create getattr unlink write };
}

#============= fail2ban_client_t ==============
allow fail2ban_client_t var_run_t:sock_file write;

#============= fail2ban_t ==============
allow fail2ban_t var_run_t:sock_file { create getattr unlink write };
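The AVC records in this thread (the getattr denial in the original report, the create denial on Silverblue 40) and the two ways people worked around them (the semanage/restorecon relabel above, and the local allow module just posted) are two different fixes for two different situations, and the denial itself tells you which one applies. The script below is an added example for this thread, not part of fail2ban or selinux-policy: it parses AVC lines and, when the target carries the generic var_run_t type instead of fail2ban_var_run_t, recommends relabeling /run/fail2ban rather than widening the policy. The sample lines are the two AVC records quoted in this thread; the expected type and path come from the fail2ban.fc line discussed at the top, and the command strings it emits are ordinary semanage, restorecon, ausearch, audit2allow and semodule invocations.

```python
"""Triage SELinux AVC denials hitting fail2ban-server: tell a mislabelled
/run/fail2ban (fixed by restoring the fcontext) apart from a genuine policy
gap (fixed by a policy module).  Added example for this bug thread, not part
of fail2ban or selinux-policy.  Sample input is constructed from the two AVC
records posted in this thread."""
from __future__ import annotations
import re
from dataclasses import dataclass

SAMPLE_AVCS = [
    'type=AVC msg=audit(1711978962.290:2038): avc: denied { getattr } for pid=54304 '
    'comm="fail2ban-server" path="/run/fail2ban/fail2ban.sock" dev="tmpfs" ino=4540 '
    'scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:var_run_t:s0 '
    'tclass=sock_file permissive=0',
    'type=AVC msg=audit(1713971704.013:624): avc: denied { create } for pid=16072 '
    'comm="fail2ban-server" name="fail2ban.sock" '
    'scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:var_run_t:s0 '
    'tclass=sock_file permissive=0',
]

EXPECTED_TYPE = "fail2ban_var_run_t"  # what fail2ban.fc assigns to /run/fail2ban(/.*)?
GENERIC_TYPES = {"var_run_t"}         # what a path under /run gets when no fcontext matches
F2B_RUN_DIR = "/run/fail2ban"

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Denial:
    perms: set[str]
    comm: str
    scontext_type: str
    tcontext_type: str
    tclass: str
    path: str | None  # present for getattr/write on an existing object, absent for create


def parse_avc(line: str) -> Denial | None:
    """Parse one audit AVC record into its security-relevant fields; None if not an AVC."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    return Denial(
        perms=set(m.group("perms").split()),
        comm=fields.get("comm", ""),
        scontext_type=fields["scontext"].split(":")[2],
        tcontext_type=fields["tcontext"].split(":")[2],
        tclass=fields.get("tclass", ""),
        path=fields.get("path"),
    )


def classify(d: Denial) -> str:
    """relabel:   the object carries a generic type, so the fcontext rule is missing or wrong
                  (for a create denial the type comes from the parent directory's label)
       policy:    the object is labelled as intended but fail2ban_t lacks the permission
       unrelated: the source domain is not fail2ban_t"""
    if d.scontext_type != "fail2ban_t":
        return "unrelated"
    if d.tcontext_type in GENERIC_TYPES:
        return "relabel"
    return "policy"


def fix_commands(d: Denial) -> list[str]:
    """Commands an admin would run for each class.  The relabel route stays scoped to
    /run/fail2ban; an allow rule on var_run_t:sock_file would instead let fail2ban_t
    reach every var_run_t socket on the host, so audit2allow is only suggested when
    the label is already the intended one."""
    kind = classify(d)
    if kind == "relabel":
        return [
            # If the installed policy already ships this spec, semanage reports it as
            # already defined and restorecon alone is enough.
            f'semanage fcontext -a -t {EXPECTED_TYPE} "{F2B_RUN_DIR}(/.*)?"',
            f"restorecon -R -v {F2B_RUN_DIR}",
            f"ls -lZd {F2B_RUN_DIR} {F2B_RUN_DIR}/*",
        ]
    if kind == "policy":
        return [
            f"ausearch -m avc -c {d.comm} --raw | audit2allow -M fail2ban-local",
            "cat fail2ban-local.te   # review the generated rules before loading them",
            "semodule -i fail2ban-local.pp",
        ]
    return []


def triage(lines: list[str]) -> list[tuple[str, Denial]]:
    """Classify every AVC record in a batch of audit lines."""
    return [(classify(d), d) for d in map(parse_avc, lines) if d is not None]


if __name__ == "__main__":
    for kind, d in triage(SAMPLE_AVCS):
        print(f"{kind}: {{ {' '.join(sorted(d.perms))} }} on {d.path or d.comm} "
              f"({d.tcontext_type}:{d.tclass})")
        for cmd in fix_commands(d):
            print("   ", cmd)
```

Both records in this thread classify as relabel: the target is var_run_t while fail2ban's policy only grants fail2ban_t access to fail2ban_var_run_t, so restoring the label fixes the denial without touching the policy. The allow module posted above makes the same denials go away by granting fail2ban_t create/unlink/write on every var_run_t socket, which is a wider grant than the relabel and is worth reverting once the fcontext fix is in place.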
FEDORA-EPEL-2024-74a2a4afa6 (fail2ban-1.1.0-1.el10_0) has been submitted as an update to Fedora EPEL 10.0. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2024-74a2a4afa6
FEDORA-EPEL-2024-74a2a4afa6 (fail2ban-1.1.0-1.el10_0) has been pushed to the Fedora EPEL 10.0 stable repository. If problem still persists, please make note of it in this bug report.