```
2024-05-04 12:41:47,231 fail2ban.server [979]: INFO Starting Fail2ban v1.0.2
2024-05-04 12:41:47,232 fail2ban.observer [979]: INFO Observer start...
2024-05-04 12:41:47,232 fail2ban.server [979]: ERROR Could not start server: Unable to bind socket /var/run/fail2ban/fail2ban.sock
2024-05-04 12:41:47,232 fail2ban.server [979]: INFO Shutdown in progress...
2024-05-04 12:41:47,233 fail2ban.observer [979]: INFO Observer stop ... try to end queue 5 seconds
2024-05-04 12:41:47,253 fail2ban.observer [979]: INFO Observer stopped, 0 events remaining.
2024-05-04 12:41:47,293 fail2ban.server [979]: INFO Stopping all jails
2024-05-04 12:41:47,293 fail2ban.server [979]: INFO Exiting Fail2ban
```

Downgrading to 1.2.0-12 allows it to start.

Reproducible: Always

Steps to Reproduce:
1. dnf upgrade
2. systemctl restart fail2ban.service
3. After some time systemctl status fail2ban.service shows the service failed and the above log message appears

Actual Results: Fail2ban.service fails

Expected Results: Fail2ban.service starts normally
Same here. I found 2 SELinux AVC

```
SELinux is preventing fail2ban-server from create access on the sock_file fail2ban.sock.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that fail2ban-server should be allowed create access on the fail2ban.sock sock_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'fail2ban-server' --raw | audit2allow -M my-fail2banserver
# semodule -X 300 -i my-fail2banserver.pp

Additional Information:
Source Context                system_u:system_r:fail2ban_t:s0
Target Context                system_u:object_r:var_run_t:s0
Target Objects                fail2ban.sock [ sock_file ]
Source                        fail2ban-server
Source Path                   fail2ban-server
Port                          <Unknown>
Host                          REMOVED
Source RPM Packages
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-39.5-1.fc39.noarch
Local Policy RPM              fail2ban-selinux-1.0.2-13.fc39.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     REMOVED
Platform                      Linux REMOVED 6.8.8-200.fc39.x86_64 #1 SMP PREEMPT_DYNAMIC Sat Apr 27 17:42:13 UTC 2024 x86_64
Alert Count                   4
First Seen                    2024-05-04 09:39:06 CEST
Last Seen                     2024-05-04 10:52:24 CEST
Local ID                      0c7f23e4-65d2-4676-b799-54e2e5617f3d

Raw Audit Messages
type=AVC msg=audit(1714812744.341:233): avc: denied { create } for pid=3899 comm="fail2ban-server" name="fail2ban.sock" scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0

Hash: fail2ban-server,fail2ban_t,var_run_t,sock_file,create
```

And

```
SELinux is preventing fail2ban-server from create access on the sock_file fail2ban.sock.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that fail2ban-server should be allowed create access on the fail2ban.sock sock_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# ausearch -c 'fail2ban-server' --raw | audit2allow -M my-fail2banserver
# semodule -X 300 -i my-fail2banserver.pp

Additional Information:
Source Context                system_u:system_r:fail2ban_t:s0
Target Context                system_u:object_r:var_run_t:s0
Target Objects                fail2ban.sock [ sock_file ]
Source                        fail2ban-server
Source Path                   fail2ban-server
Port                          <Unknown>
Host                          REMOVED
Source RPM Packages
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-39.5-1.fc39.noarch
Local Policy RPM              fail2ban-selinux-1.0.2-13.fc39.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     REMOVED
Platform                      Linux REMOVED 6.8.8-200.fc39.x86_64 #1 SMP PREEMPT_DYNAMIC Sat Apr 27 17:42:13 UTC 2024 x86_64
Alert Count                   4
First Seen                    2024-05-04 09:39:06 CEST
Last Seen                     2024-05-04 10:52:24 CEST
Local ID                      0c7f23e4-65d2-4676-b799-54e2e5617f3d

Raw Audit Messages
type=AVC msg=audit(1714812744.341:233): avc: denied { create } for pid=3899 comm="fail2ban-server" name="fail2ban.sock" scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0

Hash: fail2ban-server,fail2ban_t,var_run_t,sock_file,create
```
If you want an example of how to get it right take a look here: https://github.com/fedora-selinux/selinux-policy/blob/rawhide/policy/modules/contrib/abrt.fc#L33

```
/run/abrt\.pid          --  gen_context(system_u:object_r:abrt_var_run_t,s0)
/run/abrtd?\.lock       --  gen_context(system_u:object_r:abrt_var_run_t,s0)
/run/abrtd?\.socket     --  gen_context(system_u:object_r:abrt_var_run_t,s0)
/run/abrt(/.*)?             gen_context(system_u:object_r:abrt_var_run_t,s0)
```
It seems to be related to bug 2272476 but not working. Workaround proposed in comment https://bugzilla.redhat.com/show_bug.cgi?id=2272476#c11 .
*** Bug 2279136 has been marked as a duplicate of this bug. ***
So something like this should work:

```
/run/fail2ban/fail2ban.sock   --  gen_context(system_u:object_r:fail2ban_var_run_t,s0)
/run/fail2ban/fail2ban.pid    --  gen_context(system_u:object_r:fail2ban_var_run_t,s0)
/run/fail2ban(/.*)?               gen_context(system_u:object_r:fail2ban_var_run_t,s0)
```
Actually that all pretty much does the same thing, the top to match the exact file while the bottom one matches anything in /run/fail2ban and below (including itself). Another thought is maybe I just messed up when I changed /var/run -> /run because I didn't think to increment the selinux module version.
If someone wants to try this test package that would be great assuming you can roll back any manual selinux changes: https://copr.fedorainfracloud.org/coprs/hobbes1069/testing/build/7419810/
Hello, I confirm that it works for me.

Laurent
FEDORA-2024-500986c2de (fail2ban-1.0.2-14.fc39) has been submitted as an update to Fedora 39. https://bodhi.fedoraproject.org/updates/FEDORA-2024-500986c2de
FEDORA-2024-839e2f0af8 (fail2ban-1.0.2-14.fc40) has been submitted as an update to Fedora 40. https://bodhi.fedoraproject.org/updates/FEDORA-2024-839e2f0af8
FEDORA-2024-11e538db5a (fail2ban-1.0.2-14.fc38) has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2024-11e538db5a
(In reply to Fedora Update System from comment #9)
> FEDORA-2024-500986c2de (fail2ban-1.0.2-14.fc39) has been submitted as an
> update to Fedora 39.
> https://bodhi.fedoraproject.org/updates/FEDORA-2024-500986c2de

Sorry, doesn't work. Still same error. Actually, only fail2ban-1.0.2-12.fc39 works fine.
Is it possible that selinux-policy equivalents for /run are getting in the way here?

```
$ sudo semanage fcontext -l | grep -E '^/run ='
/run = /var/run
```

Perhaps one of the selinux-policy maintainers could explain why this isn't working as expected -- it certainly looks like it should work. I know you posted on fedora-devel and didn't get any replies from the selinux-policy folks, maybe they'd see it on fedora-selinux? Or maybe switch this ticket to the selinux-policy component to pull them in for their expertise?

Thanks for all the effort on this Richard!

(As an aside, it's a real shame and annoyance that Fedora doesn't even keep the previous package in the repo, leaving no ability to just `dnf downgrade` to the previous fail2ban package for the moment. I've just been running `chcon -Rv -t fail2ban_var_run_t {,/var}/run/fail2ban` whenever I reboot or need to restart fail2ban since pulling in the -13 package. I know there's some way to download signed packages from koji, but I can never find that when I need it.)
The previous version can be downloaded from here: https://kojipkgs.fedoraproject.org//packages/fail2ban/1.0.2/12.fc39/noarch/fail2ban-selinux-1.0.2-12.fc39.noarch.rpm with obvious adjustments for distribution version & arch.
Just tried 1.0.2-14 and it still fails. The first deny is slightly different to all the following ones:

```
May 7 20:24:19 bastion audit[125771]: AVC avc: denied { write } for pid=125771 comm="fail2ban-server" name="fail2ban.sock" dev="tmpfs" ino=78372 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0
May 7 20:24:19 bastion audit[125771]: AVC avc: denied { getattr } for pid=125771 comm="fail2ban-server" path="/run/fail2ban/fail2ban.sock" dev="tmpfs" ino=78372 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0
May 7 20:24:19 bastion audit[125771]: AVC avc: denied { getattr } for pid=125771 comm="fail2ban-server" path="/run/fail2ban/fail2ban.sock" dev="tmpfs" ino=78372 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0
```

Have downgraded just the fail2ban-selinux package to 1.0.2-12 and working again.
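As an added example (not part of the bug report), the denials above run through a small triage script that picks out exactly the pattern this thread is about: the fail2ban_t domain hitting an object still labelled with the generic var_run_t type. The sample lines are constructed from the denials quoted in this thread, plus one unrelated denial (a hypothetical `other-daemon`) for contrast.

```shell
#!/bin/sh
# Added example (not from the bug report): triage SELinux AVC denials and
# flag fail2ban objects still carrying the generic var_run_t label, the
# mislabel behind "Unable to bind socket". The sample is constructed from
# denials quoted in this thread plus one unrelated denial for contrast.

AVC_SAMPLE='May  7 20:24:19 bastion audit[125771]: AVC avc:  denied  { write } for  pid=125771 comm="fail2ban-server" name="fail2ban.sock" dev="tmpfs" ino=78372 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0
May  7 20:24:19 bastion audit[125771]: AVC avc:  denied  { getattr } for  pid=125771 comm="fail2ban-server" path="/run/fail2ban/fail2ban.sock" dev="tmpfs" ino=78372 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1714812744.341:233): avc:  denied  { create } for  pid=3899 comm="fail2ban-server" name="fail2ban.sock" scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1714812750.000:240): avc:  denied  { write } for  pid=4100 comm="other-daemon" name="other.sock" scontext=system_u:system_r:other_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=0'

# avc_mislabels: read AVC lines on stdin, print "perm tclass comm object"
# for every denial where fail2ban_t touches an object labelled var_run_t.
avc_mislabels() {
    awk '
    /avc: +denied/ {
        perm = ""; comm = ""; obj = ""; sdom = ""; ttype = ""; cls = ""
        # the permission is the word between the braces
        if (match($0, /\{ [a-z_]+ \}/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
        for (i = 1; i <= NF; i++) {
            n = split($i, kv, "=")
            if (n < 2) continue
            if (kv[1] == "comm") comm = kv[2]
            else if (kv[1] == "name" || kv[1] == "path") obj = kv[2]
            else if (kv[1] == "scontext") { split(kv[2], c, ":"); sdom = c[3] }
            else if (kv[1] == "tcontext") { split(kv[2], c, ":"); ttype = c[3] }
            else if (kv[1] == "tclass") cls = kv[2]
        }
        gsub(/"/, "", comm); gsub(/"/, "", obj)
        # fail2ban_t denied on var_run_t means the object was never relabelled
        # to fail2ban_var_run_t: fix the fcontext rule, then restorecon the dir
        if (sdom == "fail2ban_t" && ttype == "var_run_t")
            printf "%s %s %s %s\n", perm, cls, comm, obj
    }'
}

# mislabel_count TEXT: number of flagged denials in TEXT.
mislabel_count() {
    printf '%s\n' "$1" | avc_mislabels | wc -l | tr -d ' '
}

printf '%s\n' "$AVC_SAMPLE" | avc_mislabels
echo "flagged: $(mislabel_count "$AVC_SAMPLE")"
```

On a live host feed it `ausearch -m avc --raw` instead of the embedded sample; a non-empty result after the fcontext fix means `restorecon` has not been run on /run/fail2ban yet.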
(In reply to Chris Palmer from comment #14)
> The previous version can be downloaded from here:
> https://kojipkgs.fedoraproject.org//packages/fail2ban/1.0.2/12.fc39/noarch/
> fail2ban-selinux-1.0.2-12.fc39.noarch.rpm
> with obvious adjustments for distribution version & arch.

The downside to pulling from koji (in addition to requiring more manual effort) is that those are unsigned packages. There is some way to find the signed packages in koji, but I can never locate it when I need it. :)
(In reply to Todd Zullinger from comment #16)
> The downside to pulling from koji (in addition to requiring more manual
> effort) is that those are unsigned packages. There is some way to find the
> signed packages in koji, but I can never locate it when I need it. :)

The downloads should be via https. So, technically, they're signed by the SSL cert.
FEDORA-2024-839e2f0af8 has been pushed to the Fedora 40 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-839e2f0af8` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-839e2f0af8 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2024-11e538db5a has been pushed to the Fedora 38 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-11e538db5a` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-11e538db5a See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2024-500986c2de has been pushed to the Fedora 39 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-500986c2de` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-500986c2de See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
fail2ban-1.0.2-14.fc39 still fails to start. The difference between Fedora 39 and 40 is that /run/fail2ban/ has fcontext var_run_t on Fedora 39 and fail2ban_var_run_t on Fedora 40.

Fedora 39:

```
# ll -Za /run/fail2ban/
insgesamt 0
drwxr-xr-x.  2 root root system_u:object_r:var_run_t:s0   40  9. Mai 13:46 .
drwxr-xr-x. 51 root root system_u:object_r:var_run_t:s0 1600  9. Mai 13:48 ..
```

Fedora 40:

```
# ll -Za /run/fail2ban/
insgesamt 4
drwxr-xr-x.  2 root root system_u:object_r:fail2ban_var_run_t:s0   80  9. Mai 13:41 .
drwxr-xr-x. 89 root root system_u:object_r:var_run_t:s0          2400  9. Mai 13:43 ..
-rw-------.  1 root root system_u:object_r:fail2ban_var_run_t:s0    5  9. Mai 13:41 fail2ban.pid
srwx------.  1 root root system_u:object_r:fail2ban_var_run_t:s0    0  9. Mai 13:41 fail2ban.sock
```
There is a difference in selinux fcontext equivalence for /run and /var/run on Fedora 39 and 40. Running "semanage fcontext -l |grep /run | grep = | grep /var/run", you get on Fedora 39

```
/run = /var/run
```

and on Fedora 40:

```
/var/run = /run
```

So, you need different fcontext rules for Fedora 39 and 40 for files in /run and /var/run.

Package fail2ban has changed file fail2ban.fc in package source as follows:

```
$ diff fail2ban-1.0.2-12.fc39.src/fail2ban.fc fail2ban-1.0.2-13.fc39.src/fail2ban.fc
9c9
< /var/run/fail2ban.* gen_context(system_u:object_r:fail2ban_var_run_t,s0)
---
> /run/fail2ban.* gen_context(system_u:object_r:fail2ban_var_run_t,s0)
```

This change works fine for Fedora 40, but not for Fedora 39.

The next change is ok, it also works for Fedora 40, but not for Fedora 39:

```
$ diff fail2ban-1.0.2-13.fc39.src/fail2ban.fc fail2ban-1.0.2-14.fc39.src/fail2ban.fc
1c1
< /etc/rc\.d/init\.d/fail2ban -- gen_context(system_u:object_r:fail2ban_initrc_exec_t,s0)
---
> #/etc/rc\.d/init\.d/fail2ban -- gen_context(system_u:object_r:fail2ban_initrc_exec_t,s0)
9c9,10
< /run/fail2ban.* gen_context(system_u:object_r:fail2ban_var_run_t,s0)
---
>
> /run/fail2ban(/.*)? gen_context(system_u:object_r:fail2ban_var_run_t,s0)
```

Please, can you build a package for Fedora 39 (and 38?, but not 40 and later) that contains the line

```
/var/run/fail2ban(/.*)? gen_context(system_u:object_r:fail2ban_var_run_t,s0)
```

instead of

```
/run/fail2ban(/.*)? gen_context(system_u:object_r:fail2ban_var_run_t,s0)
```

in file fail2ban.fc?
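Review bot: the -12 to -13 hunk (`9c9`) swaps the prefix `/var/run` for `/run` unconditionally, with nothing keyed to which side of the equivalence the target release treats as canonical; on a release whose listing reads `/run = /var/run` (Fedora 39 per this comment) the file-context database is keyed under `/var/run`, so the new `/run/fail2ban.*` entry never matches and the socket keeps `var_run_t`. Keep both prefixes, or select the prefix at build time from the target release. In the -13 to -14 hunk (`9c9,10`), `/run/fail2ban(/.*)?` is the tighter pattern (`/run/fail2ban.*` also matched any sibling whose name merely starts with `fail2ban`), but it inherits the same prefix problem, which is why -14 still fails on Fedora 39; the added empty `>` line is harmless but should be dropped.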
Temporary solution for Fedora 39 until a fixed version is available. Run as root or using sudo:

```
semanage fcontext -a -t fail2ban_var_run_t '/var/run/fail2ban(/.*)?'
restorecon -rv /run/fail2ban
systemctl restart fail2ban.service
systemctl status fail2ban.service
```
Note: Add a "sleep 5" before asking for the status because it needs time to start...
Thanks for confirming my suspicion from #c13 Edgar. It made me poke a little more and I see that some other packages which ship an selinux module have had to deal with this transition as well. I borrowed some code from container-selinux which I think fixes this for both F39 and F40+ (as well as EPEL < 10 and EPEL >= 10).

I submitted this as https://src.fedoraproject.org/rpms/fail2ban/pull-request/11 for review, in the hope it will help the fail2ban maintainers save a little time and effort.

I tested this on F40 and F39:

```
# Fedora 40
$ sudo semanage fcontext -l | grep '/run/fail2ban'
/run/fail2ban(/.*)?        all files    system_u:object_r:fail2ban_var_run_t:s0

# Fedora 39
$ sudo semanage fcontext -l | grep '/run/fail2ban'
/var/run/fail2ban(/.*)?    all files    system_u:object_r:fail2ban_var_run_t:s0

# Both show the same resulting context for the /run files
$ ls -1dZ /run/fail2ban{,/*}
system_u:object_r:fail2ban_var_run_t:s0 /run/fail2ban
system_u:object_r:fail2ban_var_run_t:s0 /run/fail2ban/fail2ban.pid
system_u:object_r:fail2ban_var_run_t:s0 /run/fail2ban/fail2ban.sock
```

I created some scratch builds in Koji, in case anyone wants to test this but doesn't want to build it from git (and yet is trusting of my koji builds):

Rawhide: https://koji.fedoraproject.org/koji/taskinfo?taskID=117585547
Fedora 40: https://koji.fedoraproject.org/koji/taskinfo?taskID=117585556
Fedora 39: https://koji.fedoraproject.org/koji/taskinfo?taskID=117585575
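The release-dependent prefix choice discussed in the preceding comments (the `/run = /var/run` versus `/var/run = /run` equivalence, and the `(/.*)?` pattern), as an added shell example; it is not the pull request's code nor anything from container-selinux. It assumes the equivalence lines are passed in as text (constructed samples are embedded so it runs offline) and that the uncalled `live_fix` helper runs as root on a host with `semanage` and `restorecon`.

```shell
#!/bin/sh
# Added example (not the fail2ban package's or the pull request's code):
# choose the file-context prefix from the host's /run <-> /var/run
# equivalence and emit the matching fail2ban.fc line.
# Input is the equivalence section of `semanage fcontext -l`; constructed
# samples are embedded so the script runs offline.

# Constructed sample of the equivalence lines as listed on Fedora 39 ...
F39_EQUIV='/run = /var/run
/var/run/lock = /run/lock'
# ... and as listed on Fedora 40
F40_EQUIV='/var/run = /run
/var/run/lock = /run/lock'

# run_prefix EQUIV_TEXT: print the prefix a pattern must be written with.
# "/run = /var/run" means /run is the alias, so patterns live under
# /var/run (Fedora 39); "/var/run = /run" means the reverse (Fedora 40+).
# With neither line present the modern /run form is assumed.
run_prefix() {
    printf '%s\n' "$1" | awk '
        $1 == "/run"     && $2 == "=" && $3 == "/var/run" { print "/var/run"; found = 1; exit }
        $1 == "/var/run" && $2 == "=" && $3 == "/run"     { print "/run";     found = 1; exit }
        END { if (!found) print "/run" }'
}

# fc_line PREFIX: the fail2ban.fc entry covering the directory and
# everything below it, in the (/.*)? form used by the -14 package.
fc_line() {
    printf '%s/fail2ban(/.*)?\tgen_context(system_u:object_r:fail2ban_var_run_t,s0)\n' "$1"
}

# live_fix: the same decision taken from the running policy, followed by
# the workaround from this thread. Not called here; needs root, semanage
# and restorecon on the host.
live_fix() {
    prefix=$(run_prefix "$(semanage fcontext -l | grep ' = ')")
    semanage fcontext -a -t fail2ban_var_run_t "${prefix}/fail2ban(/.*)?"
    restorecon -Rv /run/fail2ban
}

echo "Fedora 39 sample -> $(fc_line "$(run_prefix "$F39_EQUIV")")"
echo "Fedora 40 sample -> $(fc_line "$(run_prefix "$F40_EQUIV")")"
```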
FEDORA-2024-42fbd56ae0 (fail2ban-1.0.2-15.fc41) has been submitted as an update to Fedora 41. https://bodhi.fedoraproject.org/updates/FEDORA-2024-42fbd56ae0
FEDORA-2024-42fbd56ae0 (fail2ban-1.0.2-15.fc41) has been pushed to the Fedora 41 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-2024-535faedab0 has been pushed to the Fedora 38 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-535faedab0` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-535faedab0 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2024-a886a54c8d has been pushed to the Fedora 40 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-a886a54c8d` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-a886a54c8d See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
I've just installed fail2ban-1.0.2-15.fc39 from updates-testing and it is now working (on FC39). Thanks for everyone's efforts on this.
Agreed, many thanks to Richard for persevering with what was surely a tedious process. If anyone notices the error from the %post scriptlets in F40, this is due to a recently added bug in the selinux-policy package. I filed https://src.fedoraproject.org/rpms/selinux-policy/pull-request/417 to address that. I don't know if it will have any effect on this update. I think it will be okay because F40 isn't really changed, so even if the fail2ban selinux module isn't updated correctly it should still work in most cases. But it's not something I have time to test thoroughly.
fail2ban-1.0.2-15.fc39 works fine -> https://bodhi.fedoraproject.org/updates/FEDORA-2024-17ee298647 . Many thanks for your work.
Why does fail2ban-1.0.2-15.fc39 not require fail2ban-selinux-1.0.2-15.fc39? Without the updated selinux package, fail2ban fails to start at boot.
It has a requirement (in case anyone else wondered whether it was missing the dependency entirely), just not tied to the specific version/release:

```
$ rpm -q fail2ban-server
fail2ban-server-1.0.2-15.fc39.noarch
$ rpm -q --requires fail2ban-server | grep selinux
(fail2ban-selinux if selinux-policy-targeted)
```

In general, it's not supported to pick and choose your updates that way, AFAIK. The other packages I have handy which include an selinux subpackage all seem to do the same:

```
Requires: (%{name}-selinux if selinux-policy-targeted)
```

I don't know if there's any issues which might crop up with having a tighter dependency, e.g.:

```
diff --git i/fail2ban.spec w/fail2ban.spec
index 5754b2c..8b184f1 100644
--- i/fail2ban.spec
+++ w/fail2ban.spec
@@ -129,9 +129,9 @@ Requires(post): systemd
 Requires(preun): systemd
 Requires(postun): systemd
 %if 0%{?fedora} || 0%{?rhel} >= 8
-Requires: (%{name}-selinux if selinux-policy-%{selinuxtype})
+Requires: (%{name}-selinux = %{version}-%{release} if selinux-policy-%{selinuxtype})
 %else
-Requires: %{name}-selinux
+Requires: %{name}-selinux = %{version}-%{release}
 %endif
 # see note above in BuildRequires section
 %if 0%{?fedora} > 38
```

To be safe, that could be %{?epoch:%{epoch}:}%{version}-%{release} -- though it could be left alone unless fail2ban ever gains an Epoch tag.
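Review bot: both `+Requires:` lines in the hunk pin `= %{version}-%{release}` without the Epoch, so the comparison would silently stop matching if fail2ban ever gained an `Epoch:` tag; write `%{?epoch:%{epoch}:}%{version}-%{release}` on both the rich-dependency line and the `%else` line from the start rather than leaving it for later, and add a one-line comment above the `%if` explaining that the pin exists so fail2ban-server cannot be updated ahead of its matching -selinux subpackage (the boot failure reported in the previous comment), since the surrounding `Requires(post)`/`Requires(preun)` context gives no hint why a version pin is wanted here.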
FEDORA-2024-a886a54c8d (fail2ban-1.0.2-15.fc40) has been pushed to the Fedora 40 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-2024-535faedab0 (fail2ban-1.0.2-15.fc38) has been pushed to the Fedora 38 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-EPEL-2024-74a2a4afa6 (fail2ban-1.1.0-1.el10_0) has been submitted as an update to Fedora EPEL 10.0. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2024-74a2a4afa6
FEDORA-EPEL-2024-74a2a4afa6 (fail2ban-1.1.0-1.el10_0) has been pushed to the Fedora EPEL 10.0 stable repository. If problem still persists, please make note of it in this bug report.