SELinux prevents Fail2Ban from reading Gitea log

Running CentOS 7 with SELinux enabled (and necessarily in Enforce mode).
Fail2Ban is unable to monitor the /var/lib/gitea/log/gitea.log file. The error calls it a “dangling link”, which is quickly proven false, of course.

A peek at the Fail2Ban code shows a quick and dirty file existence check that’s resulting in this failure.

So I did a setenforce 0 and restarted Fail2Ban, and voila, it worked. But I am required to have SELinux in enforce mode unless the machine is unplugged and dismantled, so that is not a solution.

I know we have a lot of people here, and I’m sure some have probably found a solution through creative use of semanage fcontext -a -t {...} '/var/lib/gitea/log(/.*)?' or the like. A few pokes at ElGoog have resulted in nothing conclusive, so I come here to ask what suggestions you might have.

Thanks in advance,
Solo

Check /var/log/audit/audit.log, that’s going to give you some rather cryptic information about what the denial is.

From there you can use audit2allow to make the denial a little bit more readable, and optionally create an SELinux policy to allow Fail2Ban to access the log.

Anyway with RHEL and CentOS most user programs run unconfined by default, so unless you specifically use semanage fcontext or so and create labels for Gitea, and then an appropriate SELinux module the module generated automatically by audit2allow might be a bit more excessive than the minimum necessary.

In the future you may wish to use ausearch -m avc -ts recent instead of the brute force setenforce and try again method, as documented here: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/sect-security-enhanced_linux-troubleshooting-fixing_problems#sect-Security-Enhanced_Linux-Fixing_Problems-Searching_For_and_Viewing_Denials

I hope this helps!