selinux module for fail2ban on Centos/RHEL 7

Update: This may not be necessary anymore with newer versions of fail2ban

The policy shipped for fail2ban does not work with journald (the fail2ban-systemd package). Here is how to build a custom module that lets it function normally:

  • Create a new file (fail2ban-syslog.te):
    module fail2ban-syslog 1.0;

    # Types and permission sets this module references from the base policy.
    require {
    type fail2ban_t;
    type syslogd_var_run_t;
    class dir read;
    class file { read open getattr };
    }

    #============= fail2ban_t ==============
    # Read-only access for fail2ban_t to files labeled syslogd_var_run_t
    # (the journald runtime files referred to in the note above): list the
    # directory, then open, read and stat the files in it. No write, execute
    # or network permission is granted, so the module only widens what
    # fail2ban_t may read.
    allow fail2ban_t syslogd_var_run_t:dir read;
    allow fail2ban_t syslogd_var_run_t:file { read open getattr };

  • Compile it:
    # -m builds a loadable (non-base) module, -M keeps MLS/MCS support enabled.
    checkmodule -m -M -o fail2ban-syslog.mod fail2ban-syslog.te
    # Wrap the compiled module in a .pp package that semodule can load.
    semodule_package -m fail2ban-syslog.mod -o fail2ban-syslog.pp
  • Import it:
    # Load the package into the running policy (persists across reboots).
    semodule --install fail2ban-syslog.pp
  • Restart fail2ban and watch /var/log/audit/audit.log for AVC denial messages:
    # Restart the service, then follow the audit log to see any new AVC denials.
    systemctl restart fail2ban.service
    tail --follow /var/log/audit/audit.log
  • Update: To allow logrotate to rotate the fail2ban log file:

    module logrotate-fail2ban 1.7;

    # Types and permission sets this module references from the base policy.
    require {
    type logrotate_t;
    type fail2ban_client_exec_t;
    type init_var_lib_t;
    class file { open read getattr write create unlink setattr rename ioctl execute execute_no_trans };
    }

    #============= logrotate_t ==============
    # Let logrotate run the fail2ban client binary (fail2ban_client_exec_t)
    # in its own domain: execute_no_trans means no domain transition, so
    # whatever the client touches afterwards is charged to logrotate_t
    # rather than to fail2ban's own domain.
    allow logrotate_t fail2ban_client_exec_t:file { open read execute execute_no_trans ioctl };
    # NOTE(review): init_var_lib_t is an init/systemd state label (typically
    # under /var/lib/systemd), not fail2ban's own state type, so granting
    # write/create/unlink/rename on it reaches well beyond one log file.
    # Check which path the denials name and whether it is mislabeled
    # (restorecon) before keeping this rule as-is.
    allow logrotate_t init_var_lib_t:file { open read getattr write create unlink setattr rename };