SELinux+Fail2ban on CentOS 7

SergeyD
Posts: 2
Joined: 2024/04/15 11:13:28

SELinux+Fail2ban on CentOS 7

Post by SergeyD » 2024/04/17 14:32:17

Hi.
I have an issue with my CentOS 7 server with Zimbra 8.8.15 and Fail2ban installed.
The problem is that the blackhole route for Fail2Ban doesn't work in SELinux enforcing mode.
My fail2ban jail.d files are simple and just the same as in this Zimbra article: https://blog.zimbra.com/2022/08/configu ... on-zimbra/
I already described the problem in detail on the Zimbra forum - https://forums.zimbra.org/viewtopic.php?t=72817 - but there are still no replies after 5 days; besides, it seems that it's actually not a Zimbra problem.
In brief:
1. I start fail2ban with the Zimbra log files specified in the config and check the fail2ban log file - First_error_log.txt attached.
2. I create an SELinux policy based on audit.log with the semodule -i fail2ban_rt.pp command.
3. I start fail2ban again; there are no longer any errors referring to fail2ban in the audit.log file, but the blackhole route still can't be added, and now I have another error, "Cannot talk to rtnetlink: Permission denied", in the fail2ban log file - Second_error_log.txt attached.

Thank you for your interest.
Attachments
First_error_log.txt
fail2ban_rt.te.txt
Current_versions.txt

TrevorH
Site Admin
Posts: 33227
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: SELinux+Fail2ban on CentOS 7

Post by TrevorH » 2024/04/17 17:05:20

I haven't looked at your files, but in situations like this it is possible you're hitting denials that are also covered by 'dontaudit' rules. So what I think you should do is:

1. uninstall your existing selinux policy
2. run `service auditd rotate` to rotate your audit log files, maybe delete or move the /var/log/audit/audit.log.* files elsewhere
3. run `setenforce 0` to go into permissive mode
4. run `semodule -DB` to disable the dontaudit rules
5. recreate the problem
6. `grep -i avc /var/log/audit/audit.log | audit2allow -M myzimbra`
7. Review myzimbra.te to see what horrible things it's aiming to do!
8. `semodule -i myzimbra.pp`
9. `setenforce 1`
10. recreate the problem and now hopefully it works

Oh, and run `semodule -B` to re-enable the dontaudit rules or your logs will be flooded.
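As an added example (not code from this thread, fail2ban or Zimbra), here is the "review myzimbra.te" step done by hand: a small Python script that groups AVC denials from audit.log the way audit2allow does and flags permissions worth questioning before `semodule -i`. The audit lines and the watchlist are constructed assumptions, not the poster's attachments.

```python
import re
from collections import defaultdict

# Constructed sample of /var/log/audit/audit.log lines (not the thread's attachments).
# permissive=1 is what you see after `setenforce 0`; the capability denial is the kind
# that only becomes visible once `semodule -DB` lifts the dontaudit rules.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1713360000.101:301): avc:  denied  { create } for  pid=1234 comm="fail2ban-server" scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 tclass=netlink_route_socket permissive=1
type=AVC msg=audit(1713360000.102:302): avc:  denied  { write } for  pid=1234 comm="fail2ban-server" scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 tclass=netlink_route_socket permissive=1
type=AVC msg=audit(1713360000.103:303): avc:  denied  { dac_override } for  pid=1234 comm="fail2ban-server" capability=1 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 tclass=capability permissive=1
type=SYSCALL msg=audit(1713360000.103:303): arch=c000003e syscall=44 success=yes exit=0 comm="fail2ban-server"
"""

# Permission set, source type, target type and object class of one AVC record.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}.*?'
    r'scontext=(?:\w+:){2}(?P<stype>\w+).*?'
    r'tcontext=(?:\w+:){2}(?P<ttype>\w+).*?'
    r'tclass=(?P<tclass>\w+)'
)

# (class, permission) pairs that deserve a second look (assumed watchlist, not policy-derived).
WATCHLIST = {("capability", "dac_override"), ("capability", "sys_admin"),
             ("capability", "setuid"), ("process", "transition"), ("file", "execute")}


def parse_avc_denials(log_text):
    """Group denied permissions by (source type, target type, class), as audit2allow does."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            rules[(m["stype"], m["ttype"], m["tclass"])].update(m["perms"].split())
    return dict(rules)


def te_rules(rules):
    """Render the grouped denials as the allow rules a generated .te file would contain."""
    out = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        target = "self" if stype == ttype else ttype  # audit2allow writes `self` for same-type rules
        out.append(f"allow {stype} {target}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return out


def flagged(rules):
    """Return (rule, permission) pairs that hit the watchlist, for manual review."""
    hits = []
    for key, perms in sorted(rules.items()):
        for perm in sorted(perms):
            if (key[2], perm) in WATCHLIST:
                hits.append((te_rules({key: perms})[0], perm))
    return hits
```

Run `te_rules(parse_avc_denials(open("/var/log/audit/audit.log").read()))` on a real log and compare it with the myzimbra.te that audit2allow produced; anything `flagged()` returns is a rule to justify or trim before installing the module.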

SergeyD
Posts: 2
Joined: 2024/04/15 11:13:28

Re: SELinux+Fail2ban on CentOS 7

Post by SergeyD » 2024/04/18 14:08:15

Dear TrevorH.

I tried the solution you advised and - yes, it works.
I didn't test long or in detail, but the first results are definitely positive. I'll come back to the topic if anything goes wrong.
Thank you for your help!
