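### file security contexts
# notes: getting fail2ban to read the apache logs kept under /xxx/yyy/srv on an selinux host
# reminder:
# chcon: immediate specified change to file context, not registered
# semanage fcontext: change register of files ('permanent')
# restorecon: change to file context based on register of contexts for files ('permanent')
# e.g. (examples only - kept commented out so they are not applied by accident;
# the "everything httpd_log_t" approach is the one we abandoned further down):
#   chcon -v --type=httpd_log_t /xxx/yyy/srv/
#   restorecon -v /xxx/yyy/srv
# or either of these can take a recursive switch (-R):
#   restorecon -vR /xxx/yyy/srv
# if setting (chcon) all directories on the path to the log file to be type "httpd_log_t",
# then 'fail2ban' started ok even when told to enable the apache 'jails'
#
# it was also ok with one being home_root_t
# but setting any to their user_home_dir_t or httpd_sys_content_t made the
# attempted startup of fail2ban fail because of not being able to find the
# specified log files
#
# we didn't want to give it access to user_home_dir_t
# so we changed (permanently) the unreadable directories to public_content_t
# (-f a = any file type, -r s0 = mls range; the last argument is a regex, not a glob)
semanage fcontext -a -f a -t public_content_t -r 's0' '/xxx/yyy/srv'
semanage fcontext -a -f a -t public_content_t -r 's0' '/xxx/yyy/srv/[^/]+'
semanage fcontext -a -f a -t httpd_sys_content_t -r 's0' '/xxx/yyy/srv/[^/]+/webroot(/.*)*'
semanage fcontext -a -f a -t httpd_log_t -r 's0' '/xxx/yyy/srv/[^/]*/logs(/.*)*'
# semanage only updates the register - the labels on disk do not change until
# restorecon is run against the tree:
restorecon -Rv /xxx/yyy/srv
# this was also not traversable, but given the small number of things
# (and their nature) with the public_content_t label we were happy to
# allow access to this - see below for making a suitable module

### allowing the process (fail2ban) to do extra things
# make a new module to allow all the things that the logs say have been denied
# (-a reads the whole audit log, so denials for other domains land in it too)
audit2allow -a -M f2b_hp-srv
# remove the resulting compiled module (it permits too much)
rm f2b_hp-srv.pp
# edit the text version to leave just the thing we want (vi f2b_hp-srv.te);
# what we kept is written out here so the step is repeatable. the generated
# require block also carried a redundant 'class dir open;' after the line that
# already lists open - dropped, it added nothing.
cat > f2b_hp-srv.te <<'EOF'
module f2b_hp-srv 1.3;

require {
    type public_content_t;
    type fail2ban_t;
    class dir { open read search getattr };
}

# only the directory traversal/listing fail2ban needs on the public_content_t
# dirs; the log files themselves are httpd_log_t, which the chcon experiment
# above showed fail2ban_t can already get at
allow fail2ban_t public_content_t:dir { open read search getattr };
EOF
# compile
checkmodule -M -m -o f2b_hp-srv.mod f2b_hp-srv.te
semodule_package -o f2b_hp-srv.pp -m f2b_hp-srv.mod
# install the packaged module
semodule -i f2b_hp-srv.pp
# confirm it is actually loaded
semodule -l | grep f2b_hp-srv
# perhaps not needful to note, the above module content actually took several iterations,
# as each new run gave a new error (first needing dir search, then when allowed that
# getting stuck instead on read, then open, etc)
# (quicker next time: put just this one domain in permissive mode for a single
# start of fail2ban so every denial is logged at once, then take it out again:
#   semanage permissive -a fail2ban_t ; ... ; semanage permissive -d fail2ban_t
# and feed the collected AVCs to audit2allow in one go)
###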