From 30a57fa3e9cfde7efe3c7c1372aa408661997334 Mon Sep 17 00:00:00 2001 From: MajorLinux Date: Wed, 1 Apr 2026 09:51:27 -0400 Subject: [PATCH] wiki: add SELinux fail2ban execmem fix + pending articles MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit New article: selinux-fail2ban-execmem-fix.md — custom policy module for fail2ban grep execmem denial on Fedora 43. Also includes previously uncommitted: - n8n-proxy-trust-x-forwarded-for.md - fail2ban-apache-404-scanner-jail.md updates Co-Authored-By: Claude Opus 4.6 (1M context) --- .../security/selinux-fail2ban-execmem-fix.md | 86 +++++++++++++++++++ SUMMARY.md | 1 + 2 files changed, 87 insertions(+) create mode 100644 02-selfhosting/security/selinux-fail2ban-execmem-fix.md diff --git a/02-selfhosting/security/selinux-fail2ban-execmem-fix.md b/02-selfhosting/security/selinux-fail2ban-execmem-fix.md new file mode 100644 index 0000000..4d8105e --- /dev/null +++ b/02-selfhosting/security/selinux-fail2ban-execmem-fix.md @@ -0,0 +1,86 @@ +# SELinux: Fixing Fail2ban grep execmem Denial on Fedora + +## The Problem + +After a reboot on Fedora 43, Netdata fires a `selinux_avc_denials` WARNING alert. The audit log shows: + +``` +avc: denied { execmem } for comm="grep" +scontext=system_u:system_r:fail2ban_t:s0 +tcontext=system_u:system_r:fail2ban_t:s0 +tclass=process permissive=0 +``` + +Fail2ban spawns `grep` to scan log files when its jails start. SELinux denies `execmem` (executable memory) for processes running in the `fail2ban_t` domain. The `fail2ban-selinux` package does not include this permission. + +## Impact + +- Fail2ban still functions — the denial affects grep's memory allocation strategy, not its ability to run +- Netdata will keep alerting on every reboot (fail2ban restarts and triggers the denial) +- No security risk — this is fail2ban's own grep subprocess, not an external exploit + +## The Fix + +Create a targeted SELinux policy module that allows `execmem` for `fail2ban_t`: + +```bash +cd /tmp + +cat > my-fail2ban-grep.te << "EOF" +module my-fail2ban-grep 1.0; + +require { + type fail2ban_t; + class process execmem; +} + +allow fail2ban_t self:process execmem; +EOF + +# Compile the module +checkmodule -M -m -o my-fail2ban-grep.mod my-fail2ban-grep.te + +# Package it +semodule_package -o my-fail2ban-grep.pp -m my-fail2ban-grep.mod + +# Install at priority 300 (above default policy) +semodule -X 300 -i my-fail2ban-grep.pp +``` + +## Verifying + +Confirm the module is loaded: + +```bash +semodule -l | grep fail2ban-grep +# Expected: my-fail2ban-grep +``` + +Check that no new AVC denials appear after restarting fail2ban: + +```bash +systemctl restart fail2ban +ausearch -m avc --start recent | grep fail2ban +# Expected: no output (no new denials) +``` + +## Why Not `audit2allow` Directly? + +The common shortcut `ausearch -c grep --raw | audit2allow -M my-policy` can fail if: + +- The AVC events have already rotated out of the audit log +- `ausearch` returns no matching records (outputs "Nothing to do") + +Writing the `.te` file manually is more reliable and self-documenting. + +## Environment + +- **OS:** Fedora 43 +- **SELinux:** Enforcing, targeted policy +- **Fail2ban:** 1.1.0 (`fail2ban-selinux-1.1.0-15.fc43.noarch`) +- **Kernel:** 6.19.x + +## See Also + +- [Docker & Caddy Recovery After Reboot (Fedora + SELinux)](../../../05-troubleshooting/docker-caddy-selinux-post-reboot-recovery.md) — another SELinux fix for post-reboot service issues +- [SELinux: Fixing Dovecot Mail Spool Context](../../../05-troubleshooting/selinux-dovecot-vmail-context.md) — custom SELinux context for mail spool diff --git a/SUMMARY.md b/SUMMARY.md index a22265d..0f790c7 100644 --- a/SUMMARY.md +++ b/SUMMARY.md @@ -28,6 +28,7 @@ * [Linux Server Hardening Checklist](02-selfhosting/security/linux-server-hardening-checklist.md) * [Standardizing unattended-upgrades with Ansible](02-selfhosting/security/ansible-unattended-upgrades-fleet.md) * [Fail2ban Custom Jail: Apache 404 Scanner Detection](02-selfhosting/security/fail2ban-apache-404-scanner-jail.md) + * [SELinux: Fixing Fail2ban grep execmem Denial](02-selfhosting/security/selinux-fail2ban-execmem-fix.md) * [Open Source & Alternatives](03-opensource/index.md) * [SearXNG: Private Self-Hosted Search](03-opensource/alternatives/searxng.md) * [FreshRSS: Self-Hosted RSS Reader](03-opensource/alternatives/freshrss.md)