(new Soapbox())->shout(array_map('strtoupper', $opinions)); //Shaun's blog

Resolving SELinux audit failures with fail2ban on RHEL/CentOS 7

Posted April 21, 2021 by shaun

While configuring fail2ban (0.11.1-10.el7) on a CentOS 7 server (7.9.2009) with SELinux enforcing, I noticed that the audit log was being spammed with events like the following:

type=AVC msg=audit(1619021616.913:2703): avc:  denied  { read } for  pid=11335 comm="f2b/server" name="disable" dev="sysfs" ino=2153 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0
type=AVC msg=audit(1619022022.035:2717): avc:  denied  { read } for  pid=11942 comm="f2b/server" name="disable" dev="sysfs" ino=2153 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0
type=AVC msg=audit(1619022087.058:2748): avc:  denied  { read } for  pid=12260 comm="f2b/server" name="disable" dev="sysfs" ino=2153 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0

The setroubleshoot utility didn't help much in this case:

Apr 21 12:09:33 srvname setroubleshoot: SELinux is preventing /usr/bin/python2.7 from read access on the file disable. For complete SELinux messages run: sealert -l 31d0751c-2007-4ef8-934d-9ae0126da543
Apr 21 12:09:33 srvname python: SELinux is preventing /usr/bin/python2.7 from read access on the file disable.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that python2.7 should be allowed read access on the disable file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'f2b/f.sshd' --raw | audit2allow -M my-f2bfsshd#012# semodule -i my-f2bfsshd.pp#012

These errors appear to arise when fail2ban tries to resolve the local system's hostname. There's a GitHub issue about one scenario occurring on a system with IPv6 disabled, and it looks like a future version of fail2ban will have a new option to ignore IPv6. Perhaps that'll make the log spam disappear on systems that aren't using IPv6. But I am using IPv6, and don't want to disable it, so more digging was necessary.

I managed to find RHEL bug 1777562 against fail2ban, which references RHEL bug 1444824 against getent, which in turn links to a Red Hat Knowledgebase article entitled Why 'getent' command is resolving ipv6 address only and not ipv4 in Red Hat Enterprise Linux 7?. This article contains an explanation of the underlying problem, and presents a workable solution, though it's a system-wide fix and not anything particular to fail2ban.

Since the KB article is only available to Red Hat subscribers, the gist of it is that RHEL7 introduced, via systemd, an NSS library called myhostname. The manual describes it thusly:

NSS-MYHOSTNAME(8)               nss-myhostname               NSS-MYHOSTNAME(8)

NAME
       nss-myhostname, libnss_myhostname.so.2 - Provide hostname resolution
       for the locally configured system hostname.

SYNOPSIS
       libnss_myhostname.so.2

DESCRIPTION
       nss-myhostname is a plugin for the GNU Name Service Switch (NSS)
       functionality of the GNU C Library (glibc) primarily providing hostname
       resolution for the locally configured system hostname as returned by
       gethostname(2). The precise hostnames resolved by this module are:

  [... snip ...]

       To activate the NSS modules, "myhostname" has to be added to the line
       starting with "hosts:" in /etc/nsswitch.conf.

And, sure enough, this library has been activated in the default RHEL7/CentOS 7 configuration:

[root@server ~]# grep ^hosts: /etc/nsswitch.conf
hosts:      files dns myhostname

Trouble is, the version of that library currently shipping with CentOS 7 (via systemd 219-78.el7_9.3) is a little buggy. When a machine is configured with both IPv4 and IPv6 addresses, and NSS is configured to use the myhostname library for host lookups, only the IPv6 entries will be returned.

Fixing the problem

The fix for the fail2ban SELinux errors is to remove the myhostname lookup mechanism from the hosts entry in /etc/nsswitch.conf. Just delete myhostname from the end of the line, so that the hosts entry looks like this:

[root@server ~]# grep ^hosts: /etc/nsswitch.conf
hosts:      files dns

The result of this change is that any system libraries relying on NSS to resolve the local hostname will check the hosts file and DNS only, never asking the buggy myhostname library. This is sufficient to get fail2ban working properly and stop the audit failures.
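As an added diagnostic for the situation described above (my own example, not code from the original post or from fail2ban/systemd), the following script checks whether the hosts: line in /etc/nsswitch.conf still includes myhostname, produces the corrected line, and reports which address families the local hostname resolves to; the nsswitch.conf text and the getaddrinfo() tuples in it are constructed samples.

```python
import re
import socket

# Constructed sample of a stock RHEL7/CentOS 7 nsswitch.conf fragment.
SAMPLE_NSSWITCH = """# /etc/nsswitch.conf (constructed sample)
passwd:     files sss
hosts:      files dns myhostname   # stock RHEL7 default
networks:   files
"""

# Constructed getaddrinfo()-style results: what a dual-stack box returns
# with the buggy myhostname module active (IPv6 only) versus after the fix.
SAMPLE_V6_ONLY = [(socket.AF_INET6, socket.SOCK_STREAM, 6, "", ("2001:db8::1", 0, 0, 0))]
SAMPLE_DUAL = SAMPLE_V6_ONLY + [(socket.AF_INET, socket.SOCK_STREAM, 6, "", ("192.0.2.10", 0))]

# hosts: line -> (prefix, space-separated sources, optional trailing comment)
HOSTS_RE = re.compile(r"^(hosts:\s*)([^#]*?)(\s*#.*)?$")

def hosts_sources(nsswitch_text):
    """Return the NSS sources listed on the hosts: line, or [] if absent."""
    for line in nsswitch_text.splitlines():
        m = HOSTS_RE.match(line)
        if m:
            return m.group(2).split()
    return []

def uses_myhostname(nsswitch_text):
    """True when host lookups would still consult the myhostname module."""
    return "myhostname" in hosts_sources(nsswitch_text)

def strip_myhostname(nsswitch_text):
    """Return the file text with myhostname dropped from hosts:, leaving
    every other line, the column alignment and any trailing comment intact."""
    out = []
    for line in nsswitch_text.splitlines():
        m = HOSTS_RE.match(line)
        if m and "myhostname" in m.group(2).split():
            keep = [s for s in m.group(2).split() if s != "myhostname"]
            line = m.group(1) + " ".join(keep) + (m.group(3) or "")
        out.append(line)
    return "\n".join(out) + "\n"

def families(addrinfo):
    """Map getaddrinfo() results to the set of address families they cover."""
    names = {socket.AF_INET: "IPv4", socket.AF_INET6: "IPv6"}
    return {ai[0] for ai in addrinfo if ai[0] in names} and \
        {names[ai[0]] for ai in addrinfo if ai[0] in names}

def local_hostname_families():
    """Live check: on a dual-stack host this should contain both families;
    {'IPv6'} alone is the symptom the post describes."""
    return families(socket.getaddrinfo(socket.gethostname(), None))

if __name__ == "__main__":
    with open("/etc/nsswitch.conf") as fh:
        text = fh.read()
    print("hosts:", hosts_sources(text), "myhostname:", uses_myhostname(text))
    print("local hostname resolves to:", sorted(local_hostname_families()))
```

Run it before and after editing /etc/nsswitch.conf; the live check reads the real file and resolves the real hostname, so its result depends on the host it runs on.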
