SELinux insanity

Lonni J Friedman netllama at gmail.com
Mon Dec 14 12:16:16 PST 2020 

Hi folks,
Hope you're staying safe during these crazy times.  Happy holidays too
(if possible)!

Remember SELinux?  That thing that Redhat forced upon the (linux)
world so many years ago?  It was supposed to make things more secure.
Its been a thing for such a long time, surely all the rough edges have
been smoothed out by now, right?

Wrong.  I'm in the process of building out a new production
environment, and I keep tripping over random stuff that doesn't work
because SELinux isn't configured correctly out of the box.  I've
managed to tweak most of the issues, but there's one remaining bit of
SELinux pain that I'm struggling to fix.

I've got fail2ban configured to manage /etc/hosts.deny for the bots
trying to brute force their way in via ssh.  I don't even permit
password auth, so this is really just to reduce the noise of auth
failures in my logs.  The problem is that SELinux is preventing
fail2ban from calling sed to manage /etc/hosts.deny.  Every time it
tries, it fails with this fun mess:

2020-12-13 03:20:32,938 fail2ban.utils          [2312]: ERROR
7fe1d018cc00 -- exec: IP=$(echo "45.238.121.134" | sed
's/[][\.]/\\\0/g') && sed -i "/^ALL: $IP$/d" /etc/hosts.deny
2020-12-13 03:20:32,938 fail2ban.utils          [2312]: ERROR
7fe1d018cc00 -- stderr: "sed: warning: failed to set default file
creation context to unconfined_u:object_r:net_conf_t:s0: Permission
deniedsed: couldn't open temporary file /etc/sedIYn1RO: Permission
denied"
2020-12-13 03:20:32,938 fail2ban.utils          [2312]: ERROR
7fe1d018cc00 -- returned 4
2020-12-13 03:20:32,938 fail2ban.actions        [2312]: ERROR   Failed
to execute unban jail 'ssh-tcpwrapper' action 'hostsdeny' info
'ActionInfo({'ip': '45.238.121.134', 'family': 'inet4', 'fid':
<function Actions.ActionInfo.<lambda> at 0x7fe1d06a2b80>,
'raw-ticket': <function Actions.ActionInfo.<lambda> at
0x7fe1d06a7280>})': Error unbanning 45.238.121.134

sed system_u:system_r:fail2ban_t:s0 0 dir write
system_u:object_r:etc_t:s0 denied

Other than making all of /etc writable, anyone have any suggestions
how to fix this so that fail2ban & sed can do what they need to do?


thanks!

More information about the Linux-users mailing list