SELinux insanity

Lonni J Friedman netllama at gmail.com
Mon Dec 14 13:02:20 PST 2020


Thanks Terence.

I'm doing ok, although I had a (very) mild case of COVID19 just a few
weeks ago.  I was fortunate, as it could have been far worse.

Hoping everyone has a far brighter 2021.

On Mon, Dec 14, 2020 at 12:56 PM Terence <terence.john at gmail.com> wrote:
>
> Sorry, Lonni, that's way beyond me, but it is good to see your name pop up.
>
> It's been a few years, but I hope you are keeping well, and avoiding much of the madness we're all going through.
>
> Happy Christmas!
>
> Terence
> (Saki)
>
> On Mon, 14 Dec 2020 at 20:16, Lonni J Friedman via Linux-users <linux-users at linux-sxs.org> wrote:
>>
>> Hi folks,
>> Hope you're staying safe during these crazy times.  Happy holidays too
>> (if possible)!
>>
>> Remember SELinux?  That thing that Redhat forced upon the (linux)
>> world so many years ago?  It was supposed to make things more secure.
>> It's been a thing for such a long time, surely all the rough edges have
>> been smoothed out by now, right?
>>
>> Wrong.  I'm in the process of building out a new production
>> environment, and I keep tripping over random stuff that doesn't work
>> because SELinux isn't configured correctly out of the box.  I've
>> managed to tweak most of the issues, but there's one remaining bit of
>> SELinux pain that I'm struggling to fix.
>>
>> I've got fail2ban configured to manage /etc/hosts.deny for the bots
>> trying to brute force their way in via ssh.  I don't even permit
>> password auth, so this is really just to reduce the noise of auth
>> failures in my logs.  The problem is that SELinux is preventing
>> fail2ban from calling sed to manage /etc/hosts.deny.  Every time it
>> tries, it fails with this fun mess:
>>
>> 2020-12-13 03:20:32,938 fail2ban.utils          [2312]: ERROR
>> 7fe1d018cc00 -- exec: IP=$(echo "45.238.121.134" | sed
>> 's/[][\.]/\\\0/g') && sed -i "/^ALL: $IP$/d" /etc/hosts.deny
>> 2020-12-13 03:20:32,938 fail2ban.utils          [2312]: ERROR
>> 7fe1d018cc00 -- stderr: "sed: warning: failed to set default file
>> creation context to unconfined_u:object_r:net_conf_t:s0: Permission
>> deniedsed: couldn't open temporary file /etc/sedIYn1RO: Permission
>> denied"
>> 2020-12-13 03:20:32,938 fail2ban.utils          [2312]: ERROR
>> 7fe1d018cc00 -- returned 4
>> 2020-12-13 03:20:32,938 fail2ban.actions        [2312]: ERROR   Failed
>> to execute unban jail 'ssh-tcpwrapper' action 'hostsdeny' info
>> 'ActionInfo({'ip': '45.238.121.134', 'family': 'inet4', 'fid':
>> <function Actions.ActionInfo.<lambda> at 0x7fe1d06a2b80>,
>> 'raw-ticket': <function Actions.ActionInfo.<lambda> at
>> 0x7fe1d06a7280>})': Error unbanning 45.238.121.134
>>
>> sed system_u:system_r:fail2ban_t:s0 0 dir write
>> system_u:object_r:etc_t:s0 denied
>>
>> Other than making all of /etc writable, anyone have any suggestions
>> how to fix this so that fail2ban & sed can do what they need to do?
>>
>>
>> thanks!
>> _______________________________________________
>> Linux-users mailing list
>> Linux-users at linux-sxs.org
>> http://mailman.celestial.com/mailman/listinfo/linux-users
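The denial in the quoted post is against the /etc directory (etc_t), not against hosts.deny (which the error itself shows is labelled net_conf_t): `sed -i` writes a temporary file beside the target and renames it over the original, so the fail2ban_t domain needs directory-write permissions the stock policy does not grant. As an added example, not code from the post or from the fail2ban project, the Python below does what `audit2allow -M` does on constructed audit.log lines modelled on that denial: it merges them into the minimal allow rules, renders a loadable .te module, and flags that the grant lands on a shared type. The sample lines, the module name and the SHARED_TYPES list are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample audit.log lines (not from the post), modelled on the quoted
# denial: fail2ban_t running "sed -i" must write the /etc directory (etc_t) to
# create its temp file, although hosts.deny itself is labelled net_conf_t.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1607858432.938:4711): avc:  denied  { write } for  pid=2312 comm="sed" name="etc" dev="dm-0" ino=262145 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1607858432.938:4712): avc:  denied  { add_name } for  pid=2312 comm="sed" name="sedIYn1RO" scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}")
WRITE_LIKE = {"write", "add_name", "remove_name", "create", "unlink", "rename", "setattr"}
SHARED_TYPES = {"etc_t"}  # assumed list of broad types where a blanket write grant is too wide

def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) for an AVC denial line, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(re.findall(r"(\w+)=(\S+)", line))
    stype, ttype = (fields[k].split(":")[2] for k in ("scontext", "tcontext"))  # user:role:type:level
    return stype, ttype, fields["tclass"], frozenset(m.group(1).split())

def merged_denials(log_text):
    """Union the denied permissions per (source, target, class), as audit2allow does."""
    perms = defaultdict(set)
    for parsed in filter(None, map(parse_avc, log_text.splitlines())):
        perms[parsed[:3]] |= parsed[3]
    return perms

def allow_rules(log_text):
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(merged_denials(log_text).items())]

def review(log_text):
    return [f"{s} would get {{ {' '.join(sorted(p & WRITE_LIKE))} }} on every {t} {c}; prefer a dedicated type"
            for (s, t, c), p in sorted(merged_denials(log_text).items())
            if t in SHARED_TYPES and p & WRITE_LIKE]

def policy_module(name, log_text):
    """Render a loadable .te module in the layout audit2allow -M emits."""
    denials = merged_denials(log_text)
    classes = {c: set().union(*[p for (_, _, k), p in denials.items() if k == c]) for (_, _, c) in denials}
    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"    type {t};" for t in sorted({x for (s, t, _) in denials for x in (s, t)})]
    lines += [f"    class {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    lines += ["}", ""] + allow_rules(log_text)
    return "\n".join(lines) + "\n"
```

The rendered file is compiled and loaded with the sequence audit2allow itself prints: checkmodule -M -m -o name.mod name.te, semodule_package -o name.pp -m name.mod, semodule -i name.pp. Once the directory write is allowed, the same sed -i run can still be denied while creating and renaming its temporary file, and those later denials merge in the same way.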
