Selunux+Fail2ban on Centos 7

General support questions
Post Reply
SergeyD
Posts: 2
Joined: 2024/04/15 11:13:28

Selunux+Fail2ban on Centos 7

Post by SergeyD » 2024/04/17 14:32:17

Hi.
I have an issue with my Centos 7 server with Zimbra 8.8.15 and Fail2ban installed.
The problem is that blackhole route for Fail2Ban doesn't work in Selinux Enforced mode.
My fail2ban jail.d files are simple and just the same as in this Zimbra article https://blog.zimbra.com/2022/08/configu ... on-zimbra/
I already described the problem in detail on Zimbra forum - https://forums.zimbra.org/viewtopic.php?t=72817, but still no replies for 5 days, besides, it seems that it's actually not a Zimbra problem.
In brief:
1. I start fail2ban with Zimbra log files specified in config and check fail2ban log file - First_error_log.txt attached.
2. I create Selinux policy based on audit.log with semodule -i fail2ban_rt.pp command.
3. I start fail2ban again, there are no any errors refered to fail2ban in audit.log file anymore, but the blackhole route still can't be added and now I have another error "Cannot talk to rtnetlink: Permission denied" in fail2ban log file - Second_error_log.txt attached.

Thank you for your interest.
Attachments
First_error_log.txt
(1.15 KiB) Downloaded 31 times
fail2ban_rt.te.txt
(267 Bytes) Downloaded 23 times
Current_versions.txt
(208 Bytes) Downloaded 23 times

User avatar
TrevorH
Site Admin
Posts: 33272
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Selunux+Fail2ban on Centos 7

Post by TrevorH » 2024/04/17 17:05:20

I haven't looked at your files but in situations like this it is possible you're hitting denials that are also 'dontaudit' rules. So what I think you should do is

uninstall your existing selinux policy
run `service auditd rotate` to rotate your audit log files, maybe delete or move the /var/log/audit/audit.log.* files elsewhere
run `setenforce 0` to go into permissive mode
run `semodule -DB` to disable the dontaudit rules
recreate the problem
grep -i avc /var/log/audit/audit.log | audit2allow -M myzimbra
Review myzimbra.te to see what horrible things it's aiming to do!
semodule -i myzimbra.pp
setenforce 1
recreate the problem and now hopefully it works

Oh, and run `semodule -B` to re-enable the dontaudit rules or your logs will be flooded.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

SergeyD
Posts: 2
Joined: 2024/04/15 11:13:28

Re: Selunux+Fail2ban on Centos 7

Post by SergeyD » 2024/04/18 14:08:15

Dear TrevorH.

I tried the solution you adviced and - Yes, it works.
I didn't test long and in detail, but first results are definitely positive. I'll go on the topic if anything goes wrong.
Thank you for your help!

Post Reply