I have a bunch of sites hosted on a heavily locked-down Fedora 39 server. I have just upgraded them all from long-time use of WPf2b v4.x to the latest v5.2.2.1 (including the filters).
Almost everything works and I can watch live WPf2b detection & subsequent fail2ban banning via sudo journalctl -f.
However, WP Site Health is showing 1 critical issue: [WP fail2ban] fail2ban is not running. I have tracked this down to SELinux (or somesuch) preventing the use of systemctl via web-based PHP.
So I can successfully run /usr/bin/systemctl status --quiet fail2ban from the bash prompt while logged in as the user under which web PHP scripts execute, but running shell_exec('/usr/bin/systemctl status --quiet fail2ban 2>&1; echo "RV: $?"'); from a test PHP file gives this output: Failed to get properties: Access denied RV: 1. And I get a corresponding ‘avc: denied’ message in the audit journal.
Note that shell_exec('/usr/bin/systemctl --help 2>&1; echo "RV: $?"'); works as expected.
A simple fix would be to add an extra check in WPf2b’s lib/site-health.php to ensure that the script can actually execute /usr/bin/systemctl (in addition to currently checking that the file exists), as in:
    if (file_exists('/usr/bin/systemctl')) {
        $output = [];
        // list units as a permission test; there is no output
        if (false === exec('/usr/bin/systemctl list-units', $output, $rv)) {
            return false;
        }
        if ($rv) { // 0 is success
            return false;
        }
        $output = [];
        // get the active status; there is no output
        if (false === exec('/usr/bin/systemctl is-active --quiet fail2ban', $output, $rv)) {
            return false;
        }
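As an added example that is not part of the post above nor WPf2b's own code, here is a stand-alone probe that keeps the two failure modes apart: "PHP cannot talk to systemd at all" (the SELinux denial described in the post, which should surface as an unknown state rather than a false "not running") versus "fail2ban is genuinely inactive". It assumes /usr/bin/systemctl and a unit named fail2ban; the function name wpf2b_probe_fail2ban is hypothetical.

```php
<?php
// Added example (not WPf2b's own code). Assumes /usr/bin/systemctl exists and
// the service unit is called "fail2ban". Returns an array describing the
// probe result so a health check can show "cannot verify" instead of a
// misleading "not running" when the web user is confined.
function wpf2b_probe_fail2ban(string $systemctl = '/usr/bin/systemctl'): array
{
    // file_exists() alone is not enough: the binary can be present but
    // not executable for the web user.
    if (!is_executable($systemctl)) {
        return ['state' => 'unknown', 'reason' => 'systemctl not found or not executable'];
    }

    // Permission test first. Under an SELinux-confined web context this fails
    // with "Access denied" (and an avc: denied audit record) even though the
    // binary itself runs fine from a shell as the same user.
    $output = [];
    $rv = 1;
    $cmd = escapeshellarg($systemctl) . ' list-units --no-pager 2>&1';
    if (false === exec($cmd, $output, $rv) || $rv !== 0) {
        return [
            'state'  => 'unknown',
            'reason' => 'cannot query systemd (rv=' . $rv . '): ' . trim(implode(' ', $output)),
        ];
    }

    // Only now ask the real question. "is-active --quiet" prints nothing and
    // exits 0 when the unit is active, non-zero (typically 3) when it is not.
    $output = [];
    $cmd = escapeshellarg($systemctl) . ' is-active --quiet fail2ban 2>&1';
    if (false === exec($cmd, $output, $rv)) {
        return ['state' => 'unknown', 'reason' => 'exec() failed for systemctl is-active'];
    }
    if ($rv === 0) {
        return ['state' => 'running', 'reason' => ''];
    }
    return ['state' => 'stopped', 'reason' => 'systemctl is-active exited ' . $rv];
}

// Usage from a test PHP file served by the web server, to compare with the
// result obtained at the shell prompt as the same user:
print_r(wpf2b_probe_fail2ban());
```

A result of state "unknown" with an "Access denied" reason points at the MAC policy (check the audit journal for the matching avc: denied record) rather than at fail2ban itself.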