SELinux insanity

Leon Goldstein metapsych at earthlink.net
Mon Dec 14 14:43:46 PST 2020 

> I wish it hadn't been so politicized, so we could enact real risk-management
> approaches, instead of having to deal with so many opposing forms of crazy,
> most of which tend to be "I hate these other people" sorts of crazy, which
> I've seen on both sides.
This is the only sane comment on Wuhan/Covid 19 I've heard since this 
crap hit the fan in March.

On 12/14/20 5:36 PM, Matthew Carpenter wrote:
> On Monday, December 14, 2020 5:20:32 PM EST Leon Goldstein via Linux-users
> wrote:
>> I don't know if any of you guys run SuSE these days, but it too has its
>> very annoying quirks.  I just run Mint Mate and am very satisfied with it.
> I actually traded in SuSE for Ubuntu in 2006.  Quirks?  a few, mostly Linuxy
> things.  But for a guy who needs to get work done outside the Linux realm, I'm
> pretty satisfied.
>
>> Re Wuhan virus aka Covid 19:  make sure you are getting the full daily
>> recommended dose of vitamin D.  That is science.  Face masks, "social
>> distancng," lock downs etc. are political science. The Danes already
>> demonstrated that face masks are of very doubtful value.
> Yep.  Vit D, Zinc, and Vit C are the ones I've seen.
> Masks do "something."
> Social Distancing does as well.
>
> I wish it hadn't been so politicized, so we could enact real risk-management
> approaches, instead of having to deal with so many opposing forms of crazy,
> most of which tend to be "I hate these other people" sorts of crazy, which
> I've seen on both sides.
>
>> On 12/14/20 5:11 PM, Matthew Carpenter via Linux-users wrote:
>>> Hey Lonnie, I hope you'll let this one pass, it's been a while since I've
>>> flung a distro-war comment:  Perhaps you need to get off RH stuff ;)
>>>
>>> jk!  I know that to each their own.  I get enough flack from running
>>> Ubuntu. RH is a solid choice as well.  Each distros come with their own
>>> pain points.
>>>
>>>
>>>
>>> Anyway, more seriously...
>>>
>>> 1) Why do you have *anything* writing random temp files to /etc?
>>>
>>> 2) You can enable permissions by command.  So if you *want* sed to have
>>> write access to /etc, I guess...
>>>
>>> 3) I'm guessing you may want to rewrite whatever tool/script you're using
>>> to use a real temporary file.
>>>
>>> 4) I might consider trying /etc/hosts.deny as a symlink to a different
>>> location (eg. /var/tmp/shitcan/hosts.deny), where you can give complete
>>> access to sed without any real concerns.
>>>
>>> SELinux and AppArmor do serve a good purpose.  They *do* stop a lot of
>>> exploits... and when they don't, they've pushed the attacker to be
>>> creative
>>> and do a lot more work writing their exploit.  Believe me.
>>>
>>> I hope you are well, Lonnie.  I miss "hanging out" with you and the rest
>>> of
>>> the gang.  It seems we've all grown up, as has Linux.  Still great to know
>>> you are still here.
>>>
>>> Matt
>>>
>>>
>>> On Monday, December 14, 2020 3:58:29 PM EST Lonni J Friedman via
>>> Linux-users>
>>> wrote:
>>>> The problem is that the file is a sed generated temp file when its
>>>> editing (note the randomly generated /etc/sedIYn1RO in the error msg),
>>>> so I have no way of knowing the file name in advance.
>>>>
>>>> Thanks for the tip regarding audit2allow.  Unfortunately, its
>>>> recommending making all of /etc/ writable with:
>>>>
>>>> allow fail2ban_t etc_t:dir write;
>>>>
>>>> I guess that's better than disabling SELinux altogether, but still kinda
>>>> crappy.
>>>>
>>>> On Mon, Dec 14, 2020 at 12:54 PM James McDonald <james at toggen.com.au>
> wrote:
>>>>> I'm reticent to make dumb suggestions as I know you are way more
>>>>> experienced with this stuff then me but....
>>>>>
>>>>> Sounds like you need to change the policy or context of the file you are
>>>>> doing the in place edit to to allow fail2ban to do it's thing.
>>>>>
>>>>> Have you tried audit2allow?
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On 15 Dec. 2020 7:16 am, Lonni J Friedman via Linux-users
>>>>> <linux-users at linux-sxs.org> wrote:
>>>>>
>>>>> Hi folks,
>>>>> Hope you're staying safe during these crazy times.  Happy holidays too
>>>>> (if possible)!
>>>>>
>>>>> Remember SELinux?  That thing that Redhat forced upon the (linux)
>>>>> world so many years ago?  It was supposed to make things more secure.
>>>>> Its been a thing for such a long time, surely all the rough edges have
>>>>> been smoothed out by now, right?
>>>>>
>>>>> Wrong.  I'm in the process of building out a new production
>>>>> environment, and I keep tripping over random stuff that doesn't work
>>>>> because SELinux isn't configured correctly out of the box.  I've
>>>>> managed to tweak most of the issues, but there's one remaining bit of
>>>>> SELinux pain that I'm struggling to fix.
>>>>>
>>>>> I've got fail2ban configured to manage /etc/hosts.deny for the bots
>>>>> trying to brute force their way in via ssh.  I don't even permit
>>>>> password auth, so this is really just to reduce the noise of auth
>>>>> failures in my logs.  The problem is that SELinux is preventing
>>>>> fail2ban from calling sed to manage /etc/hosts.deny.  Every time it
>>>>> tries, it fails with this fun mess:
>>>>>
>>>>> 2020-12-13 03:20:32,938 fail2ban.utils          [2312]: ERROR
>>>>> 7fe1d018cc00 -- exec: IP=$(echo "45.238.121.134" | sed
>>>>> 's/[][\.]/\\\0/g') && sed -i "/^ALL: $IP$/d" /etc/hosts.deny
>>>>> 2020-12-13 03:20:32,938 fail2ban.utils          [2312]: ERROR
>>>>> 7fe1d018cc00 -- stderr: "sed: warning: failed to set default file
>>>>> creation context to unconfined_u:object_r:net_conf_t:s0: Permission
>>>>> deniedsed: couldn't open temporary file /etc/sedIYn1RO: Permission
>>>>> denied"
>>>>> 2020-12-13 03:20:32,938 fail2ban.utils          [2312]: ERROR
>>>>> 7fe1d018cc00 -- returned 4
>>>>> 2020-12-13 03:20:32,938 fail2ban.actions        [2312]: ERROR   Failed
>>>>> to execute unban jail 'ssh-tcpwrapper' action 'hostsdeny' info
>>>>> 'ActionInfo({'ip': '45.238.121.134', 'family': 'inet4', 'fid':
>>>>> <function Actions.ActionInfo.<lambda> at 0x7fe1d06a2b80>,
>>>>> 'raw-ticket': <function Actions.ActionInfo.<lambda> at
>>>>> 0x7fe1d06a7280>})': Error unbanning 45.238.121.134
>>>>>
>>>>> sed system_u:system_r:fail2ban_t:s0 0 dir write
>>>>> system_u:object_r:etc_t:s0 denied
>>>>>
>>>>> Other than making all of /etc writable, anyone have any suggestions
>>>>> how to fix this so that fail2ban & sed can do what they need to do?
>>>>>
>>>>>
>>>>> thanks!
>>>>> _______________________________________________
>>>>> Linux-users mailing list
>>>>> Linux-users at linux-sxs.org
>>>>> http://mailman.celestial.com/mailman/listinfo/linux-users
>>>> _______________________________________________
>>>> Linux-users mailing list
>>>> Linux-users at linux-sxs.org
>>>> http://mailman.celestial.com/mailman/listinfo/linux-users
>>> _______________________________________________
>>> Linux-users mailing list
>>> Linux-users at linux-sxs.org
>>> http://mailman.celestial.com/mailman/listinfo/linux-users
>
>
>
-- 
Leon A. Goldstein

HP G7
Linux Mint 18.3

More information about the Linux-users mailing list