1fail2ban_selinux(8) SELinux Policy fail2ban fail2ban_selinux(8)
2
3
4
6 fail2ban_selinux - Security Enhanced Linux Policy for the fail2ban pro‐
7 cesses
8
10 Security-Enhanced Linux secures the fail2ban processes via flexible
11 mandatory access control.
12
13 The fail2ban processes execute with the fail2ban_t SELinux type. You
14 can check if you have these processes running by executing the ps com‐
15 mand with the -Z qualifier.
16
17 For example:
18
19 ps -eZ | grep fail2ban_t
20
21
22
24 The fail2ban_t SELinux type can be entered via the fail2ban_exec_t file
25 type.
26
27 The default entrypoint paths for the fail2ban_t domain are the follow‐
28 ing:
29
30 /usr/bin/fail2ban, /usr/bin/fail2ban-server
31
33 SELinux defines process types (domains) for each process running on the
34 system
35
36 You can see the context of a process using the -Z option to ps
37
38 Policy governs the access confined processes have to files. SELinux
39 fail2ban policy is very flexible allowing users to setup their fail2ban
40 processes in as secure a method as possible.
41
42 The following process types are defined for fail2ban:
43
44 fail2ban_t, fail2ban_client_t
45
46 Note: semanage permissive -a fail2ban_t can be used to make the process
47 type fail2ban_t permissive. SELinux does not deny access to permissive
48 process types, but the AVC (SELinux denials) messages are still gener‐
49 ated.
50
51
53 SELinux policy is customizable based on least access required.
54 fail2ban policy is extremely flexible and has several booleans that
55 allow you to manipulate the policy and run fail2ban with the tightest
56 access possible.
57
58
59
60 If you want to allow users to resolve user passwd entries directly from
61 ldap rather then using a sssd server, you must turn on the authlo‐
62 gin_nsswitch_use_ldap boolean. Disabled by default.
63
64 setsebool -P authlogin_nsswitch_use_ldap 1
65
66
67
68 If you want to allow all domains to execute in fips_mode, you must turn
69 on the fips_mode boolean. Enabled by default.
70
71 setsebool -P fips_mode 1
72
73
74
75 If you want to allow confined applications to run with kerberos, you
76 must turn on the kerberos_enabled boolean. Enabled by default.
77
78 setsebool -P kerberos_enabled 1
79
80
81
82 If you want to allow system to run with NIS, you must turn on the
83 nis_enabled boolean. Disabled by default.
84
85 setsebool -P nis_enabled 1
86
87
88
89 If you want to allow confined applications to use nscd shared memory,
90 you must turn on the nscd_use_shm boolean. Disabled by default.
91
92 setsebool -P nscd_use_shm 1
93
94
95
97 The SELinux process type fail2ban_t can manage files labeled with the
98 following file types. The paths listed are the default paths for these
99 file types. Note the processes UID still need to have DAC permissions.
100
101 cluster_conf_t
102
103 /etc/cluster(/.*)?
104
105 cluster_var_lib_t
106
107 /var/lib/pcsd(/.*)?
108 /var/lib/cluster(/.*)?
109 /var/lib/openais(/.*)?
110 /var/lib/pengine(/.*)?
111 /var/lib/corosync(/.*)?
112 /usr/lib/heartbeat(/.*)?
113 /var/lib/heartbeat(/.*)?
114 /var/lib/pacemaker(/.*)?
115
116 cluster_var_run_t
117
118 /var/run/crm(/.*)?
119 /var/run/cman_.*
120 /var/run/rsctmp(/.*)?
121 /var/run/aisexec.*
122 /var/run/heartbeat(/.*)?
123 /var/run/corosync-qnetd(/.*)?
124 /var/run/corosync-qdevice(/.*)?
125 /var/run/corosync.pid
126 /var/run/cpglockd.pid
127 /var/run/rgmanager.pid
128 /var/run/cluster/rgmanager.sk
129
130 fail2ban_tmp_t
131
132
133 fail2ban_var_lib_t
134
135 /var/lib/fail2ban(/.*)?
136
137 fail2ban_var_run_t
138
139 /var/run/fail2ban.*
140
141 net_conf_t
142
143 /etc/hosts[^/]*
144 /etc/yp.conf.*
145 /etc/denyhosts.*
146 /etc/hosts.deny.*
147 /etc/resolv.conf.*
148 /etc/.resolv.conf.*
149 /etc/resolv-secure.conf.*
150 /var/run/cloud-init(/.*)?
151 /var/run/systemd/network(/.*)?
152 /etc/sysconfig/networking(/.*)?
153 /etc/sysconfig/network-scripts(/.*)?
154 /etc/sysconfig/network-scripts/.*resolv.conf
155 /var/run/NetworkManager/resolv.conf.*
156 /etc/ethers
157 /etc/ntp.conf
158 /var/run/systemd/resolve/resolv.conf
159 /var/run/systemd/resolve/stub-resolv.conf
160
161 root_t
162
163 /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
164 /
165 /initrd
166
167
169 SELinux requires files to have an extended attribute to define the file
170 type.
171
172 You can see the context of a file using the -Z option to ls
173
174 Policy governs the access confined processes have to these files.
175 SELinux fail2ban policy is very flexible allowing users to setup their
176 fail2ban processes in as secure a method as possible.
177
178 STANDARD FILE CONTEXT
179
180 SELinux defines the file context types for the fail2ban, if you wanted
181 to store files with these types in a diffent paths, you need to execute
182 the semanage command to sepecify alternate labeling and then use
183 restorecon to put the labels on disk.
184
185 semanage fcontext -a -t fail2ban_tmp_t '/srv/myfail2ban_content(/.*)?'
186 restorecon -R -v /srv/myfail2ban_content
187
188 Note: SELinux often uses regular expressions to specify labels that
189 match multiple files.
190
191 The following file types are defined for fail2ban:
192
193
194
195 fail2ban_client_exec_t
196
197 - Set files with the fail2ban_client_exec_t type, if you want to tran‐
198 sition an executable to the fail2ban_client_t domain.
199
200
201
202 fail2ban_exec_t
203
204 - Set files with the fail2ban_exec_t type, if you want to transition an
205 executable to the fail2ban_t domain.
206
207
208 Paths:
209 /usr/bin/fail2ban, /usr/bin/fail2ban-server
210
211
212 fail2ban_initrc_exec_t
213
214 - Set files with the fail2ban_initrc_exec_t type, if you want to tran‐
215 sition an executable to the fail2ban_initrc_t domain.
216
217
218
219 fail2ban_log_t
220
221 - Set files with the fail2ban_log_t type, if you want to treat the data
222 as fail2ban log data, usually stored under the /var/log directory.
223
224
225
226 fail2ban_tmp_t
227
228 - Set files with the fail2ban_tmp_t type, if you want to store fail2ban
229 temporary files in the /tmp directories.
230
231
232
233 fail2ban_var_lib_t
234
235 - Set files with the fail2ban_var_lib_t type, if you want to store the
236 fail2ban files under the /var/lib directory.
237
238
239
240 fail2ban_var_run_t
241
242 - Set files with the fail2ban_var_run_t type, if you want to store the
243 fail2ban files under the /run or /var/run directory.
244
245
246
247 Note: File context can be temporarily modified with the chcon command.
248 If you want to permanently change the file context you need to use the
249 semanage fcontext command. This will modify the SELinux labeling data‐
250 base. You will need to use restorecon to apply the labels.
251
252
254 semanage fcontext can also be used to manipulate default file context
255 mappings.
256
257 semanage permissive can also be used to manipulate whether or not a
258 process type is permissive.
259
260 semanage module can also be used to enable/disable/install/remove pol‐
261 icy modules.
262
263 semanage boolean can also be used to manipulate the booleans
264
265
266 system-config-selinux is a GUI tool available to customize SELinux pol‐
267 icy settings.
268
269
271 This manual page was auto-generated using sepolicy manpage .
272
273
275 selinux(8), fail2ban(8), semanage(8), restorecon(8), chcon(1), sepol‐
276 icy(8), setsebool(8), fail2ban_client_selinux(8),
277 fail2ban_client_selinux(8)
278
279
280
281fail2ban 19-06-18 fail2ban_selinux(8)