SELinux insanity

Terence terence.john at gmail.com
Mon Dec 14 12:56:39 PST 2020 

Sorry, Lonni, that's way beyond me, but it is good to see your name pop up.

It's been a few years, but I hope you are keeping well, and avoiding much
of the madness we're all going through.

Happy Christmas!

Terence
(Saki)

On Mon, 14 Dec 2020 at 20:16, Lonni J Friedman via Linux-users <
linux-users at linux-sxs.org> wrote:

> Hi folks,
> Hope you're staying safe during these crazy times.  Happy holidays too
> (if possible)!
>
> Remember SELinux?  That thing that Redhat forced upon the (linux)
> world so many years ago?  It was supposed to make things more secure.
> Its been a thing for such a long time, surely all the rough edges have
> been smoothed out by now, right?
>
> Wrong.  I'm in the process of building out a new production
> environment, and I keep tripping over random stuff that doesn't work
> because SELinux isn't configured correctly out of the box.  I've
> managed to tweak most of the issues, but there's one remaining bit of
> SELinux pain that I'm struggling to fix.
>
> I've got fail2ban configured to manage /etc/hosts.deny for the bots
> trying to brute force their way in via ssh.  I don't even permit
> password auth, so this is really just to reduce the noise of auth
> failures in my logs.  The problem is that SELinux is preventing
> fail2ban from calling sed to manage /etc/hosts.deny.  Every time it
> tries, it fails with this fun mess:
>
> 2020-12-13 03:20:32,938 fail2ban.utils          [2312]: ERROR
> 7fe1d018cc00 -- exec: IP=$(echo "45.238.121.134" | sed
> 's/[][\.]/\\\0/g') && sed -i "/^ALL: $IP$/d" /etc/hosts.deny
> 2020-12-13 03:20:32,938 fail2ban.utils          [2312]: ERROR
> 7fe1d018cc00 -- stderr: "sed: warning: failed to set default file
> creation context to unconfined_u:object_r:net_conf_t:s0: Permission
> deniedsed: couldn't open temporary file /etc/sedIYn1RO: Permission
> denied"
> 2020-12-13 03:20:32,938 fail2ban.utils          [2312]: ERROR
> 7fe1d018cc00 -- returned 4
> 2020-12-13 03:20:32,938 fail2ban.actions        [2312]: ERROR   Failed
> to execute unban jail 'ssh-tcpwrapper' action 'hostsdeny' info
> 'ActionInfo({'ip': '45.238.121.134', 'family': 'inet4', 'fid':
> <function Actions.ActionInfo.<lambda> at 0x7fe1d06a2b80>,
> 'raw-ticket': <function Actions.ActionInfo.<lambda> at
> 0x7fe1d06a7280>})': Error unbanning 45.238.121.134
>
> sed system_u:system_r:fail2ban_t:s0 0 dir write
> system_u:object_r:etc_t:s0 denied
>
> Other than making all of /etc writable, anyone have any suggestions
> how to fix this so that fail2ban & sed can do what they need to do?
>
>
> thanks!
> _______________________________________________
> Linux-users mailing list
> Linux-users at linux-sxs.org
> http://mailman.celestial.com/mailman/listinfo/linux-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.celestial.com/pipermail/linux-users/attachments/20201214/5db97a77/attachment-0001.html>

More information about the Linux-users mailing list