view modules/fail2ban/files/apache-ip-banlist.log @ 337:a79ad974a548

Implement fail2ban for Apache as mod_rewrite. We can't use pure iptables because IPv4 requests come through our proxy. BUT we're using PROXY, so Apache sees the true IP.
author IBBoard <dev@ibboard.co.uk>
date Sat, 16 May 2020 14:05:09 +0100

# Use `sudo audit2allow -i modules/fail2ban/files/apache-ip-banlist.log -o modules/fail2ban/files/apache-ip-banlist.pp` to update the .pp file
# And run `sudo semodule -i /path/to/apache-ip-banlist.pp` to install (or `puppet-apply`)
# Review the generated rules before installing: audit2allow allows every denial below, including `dac_override` (capability) and `entrypoint` on bin_t, which usually point to a file-ownership/label mismatch rather than a permission fail2ban_t should be granted
type=AVC msg=audit(1588787042.424:80973): avc:  denied  { read } for  pid=1394 comm="httxt2dbm" name="apache_banlist.txt" dev="vda2" ino=4933 scontext=system_u:system_r:fail2ban_t:s0 tcontext=unconfined_u:object_r:httpd_config_t:s0 tclass=file permissive=0
type=AVC msg=audit(1588945227.337:95373): avc:  denied  { open } for  pid=23216 comm="httxt2dbm" path="/tmp/apache_banlist.txt" dev="vda2" ino=4933 scontext=system_u:system_r:fail2ban_t:s0 tcontext=unconfined_u:object_r:httpd_config_t:s0 tclass=file permissive=0
type=AVC msg=audit(1589226761.304:117046): avc:  denied  { dac_override } for  pid=17887 comm="apache-ip-ban" capability=1  scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1589226761.308:117047): avc:  denied  { search } for  pid=17888 comm="httxt2dbm" name="httpd" dev="vda2" ino=132312 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1589312768.808:123914): avc:  denied  { getattr } for  pid=6749 comm="httxt2dbm" path="/etc/httpd/conf.custom/apache_banlist.db" dev="vda2" ino=267967 scontext=unconfined_u:system_r:fail2ban_t:s0-s0:c0.c1023 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=1      
type=AVC msg=audit(1589569550.692:144422): avc:  denied  { dac_override } for  pid=2777 comm="apache-ip-ban" capability=1  scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:system_r:fail2ban_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1589569550.696:144423): avc:  denied  { search } for  pid=2778 comm="httxt2dbm" name="httpd" dev="vda2" ino=132312 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:httpd_config_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1589572088.142:144762): avc:  denied  { entrypoint } for  pid=4354 comm="runcon" path="/usr/local/bin/apache-ip-ban" dev="vda2" ino=138961 scontext=unconfined_u:system_r:fail2ban_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:bin_t:s0 tclass=file permissive=0
type=AVC msg=audit(1589572296.815:144814): avc:  denied  { write } for  pid=4496 comm="apache-ip-ban" name="apache_banlist.txt" dev="vda2" ino=4933 scontext=unconfined_u:system_r:fail2ban_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:httpd_config_t:s0 tclass=file permissive=0
type=AVC msg=audit(1589572296.844:144815): avc:  denied  { write } for  pid=4497 comm="httxt2dbm" name="apache_banlist.db" dev="vda2" ino=267967 scontext=unconfined_u:system_r:fail2ban_t:s0-s0:c0.c1023 tcontext=system_u:object_r:httpd_config_t:s0 tclass=file permissive=0