<div dir="ltr"><div>Sorry, Lonni, that's way beyond me, but it is good to see your name pop up.</div><div><br></div><div>It's been a few years, but I hope you are keeping well, and avoiding much of the madness we're all going through.</div><div><br></div><div>Happy Christmas!</div><div><br></div><div>Terence <br></div><div>(Saki)<br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, 14 Dec 2020 at 20:16, Lonni J Friedman via Linux-users <<a href="mailto:linux-users@linux-sxs.org">linux-users@linux-sxs.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hi folks,<br>
Hope you're staying safe during these crazy times. Happy holidays too<br>
(if possible)!<br>
<br>
Remember SELinux? That thing that Redhat forced upon the (linux)<br>
world so many years ago? It was supposed to make things more secure.<br>
Its been a thing for such a long time, surely all the rough edges have<br>
been smoothed out by now, right?<br>
<br>
Wrong. I'm in the process of building out a new production<br>
environment, and I keep tripping over random stuff that doesn't work<br>
because SELinux isn't configured correctly out of the box. I've<br>
managed to tweak most of the issues, but there's one remaining bit of<br>
SELinux pain that I'm struggling to fix.<br>
<br>
I've got fail2ban configured to manage /etc/hosts.deny for the bots<br>
trying to brute force their way in via ssh. I don't even permit<br>
password auth, so this is really just to reduce the noise of auth<br>
failures in my logs. The problem is that SELinux is preventing<br>
fail2ban from calling sed to manage /etc/hosts.deny. Every time it<br>
tries, it fails with this fun mess:<br>
<br>
2020-12-13 03:20:32,938 fail2ban.utils [2312]: ERROR<br>
7fe1d018cc00 -- exec: IP=$(echo "45.238.121.134" | sed<br>
's/[][\.]/\\\0/g') && sed -i "/^ALL: $IP$/d" /etc/hosts.deny<br>
2020-12-13 03:20:32,938 fail2ban.utils [2312]: ERROR<br>
7fe1d018cc00 -- stderr: "sed: warning: failed to set default file<br>
creation context to unconfined_u:object_r:net_conf_t:s0: Permission<br>
deniedsed: couldn't open temporary file /etc/sedIYn1RO: Permission<br>
denied"<br>
2020-12-13 03:20:32,938 fail2ban.utils [2312]: ERROR<br>
7fe1d018cc00 -- returned 4<br>
2020-12-13 03:20:32,938 fail2ban.actions [2312]: ERROR Failed<br>
to execute unban jail 'ssh-tcpwrapper' action 'hostsdeny' info<br>
'ActionInfo({'ip': '45.238.121.134', 'family': 'inet4', 'fid':<br>
<function Actions.ActionInfo.<lambda> at 0x7fe1d06a2b80>,<br>
'raw-ticket': <function Actions.ActionInfo.<lambda> at<br>
0x7fe1d06a7280>})': Error unbanning 45.238.121.134<br>
<br>
sed system_u:system_r:fail2ban_t:s0 0 dir write<br>
system_u:object_r:etc_t:s0 denied<br>
<br>
Other than making all of /etc writable, anyone have any suggestions<br>
how to fix this so that fail2ban & sed can do what they need to do?<br>
<br>
<br>
thanks!<br>
_______________________________________________<br>
Linux-users mailing list<br>
<a href="mailto:Linux-users@linux-sxs.org" target="_blank">Linux-users@linux-sxs.org</a><br>
<a href="http://mailman.celestial.com/mailman/listinfo/linux-users" rel="noreferrer" target="_blank">http://mailman.celestial.com/mailman/listinfo/linux-users</a><br>
</blockquote></div>