Notification time stamped 2023-03-31 22:34:03 UTC
From ec52ec24716b4d6e820431dbe7b33aceb20112d0 Mon Sep 17 00:00:00 2001 From: Orion Poplawski orion@nwra.com Date: May 18 2022 03:46:41 +0000 Subject: Fix SELinux policy to allow watch on var_log_t (bz#2083923)
---
diff --git a/fail2ban.spec b/fail2ban.spec
index 79c2608..9603304 100644
--- a/fail2ban.spec
+++ b/fail2ban.spec
@@ -1,6 +1,6 @@
 Name: fail2ban
 Version: 0.11.2
-Release: 11%{?dist}
+Release: 12%{?dist}
 Summary: Daemon to ban hosts that cause multiple authentication errors
License: GPLv2+
@@ -407,6 +407,9 @@ fi
%changelog
+* Wed May 18 2022 Orion Poplawski orion@nwra.com - 0.11.2-12
+- Fix SELinux policy to allow watch on var_log_t (bz#2083923)
+
 * Fri Jan 28 2022 Orion Poplawski orion@nwra.com - 0.11.2-11
 - Require /usr/bin/mail instead of mailx
diff --git a/fail2ban.te b/fail2ban.te
index 8cbf7b3..6d36a70 100644
--- a/fail2ban.te
+++ b/fail2ban.te
@@ -45,7 +45,6 @@ allow fail2ban_t self:netlink_netfilter_socket create_socket_perms;
read_files_pattern(fail2ban_t, fail2ban_t, fail2ban_t)
-#allow fail2ban_t fail2ban_log_t:file watch;
 append_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t)
 create_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t)
 setattr_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t)
@@ -100,10 +99,18 @@ logging_read_syslog_pid(fail2ban_t)
 logging_dontaudit_search_audit_logs(fail2ban_t)
 logging_mmap_generic_logs(fail2ban_t)
 logging_mmap_journal(fail2ban_t)
+allow fail2ban_t fail2ban_log_t:file watch;
+# Not in EL9 yet
 #logging_watch_audit_log_files(fail2ban_t)
+gen_require(`
+ type var_log_t, auditd_log_t;
+')
+watch_files_pattern(fail2ban_t, auditd_log_t, auditd_log_t)
 #logging_watch_audit_log_dirs(fail2ban_t)
-#logging_watch_generic_log_dirs(fail2ban_t)
-#logging_watch_journal_dir(fail2ban_t)
+allow fail2ban_t var_log_t:dir search_dir_perms;
+watch_dirs_pattern(fail2ban_t, auditd_log_t, auditd_log_t)
+logging_watch_generic_log_dirs(fail2ban_t)
+logging_watch_journal_dir(fail2ban_t)
mta_send_mail(fail2ban_t)
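Review bot: The added `watch_files_pattern(fail2ban_t, auditd_log_t, auditd_log_t)` and `watch_dirs_pattern(fail2ban_t, auditd_log_t, auditd_log_t)` lines give fail2ban_t watch access on the audit logs, which is wider than the var_log_t watch named in the subject. They also sit just below the context line `logging_dontaudit_search_audit_logs(fail2ban_t)`, which reads as if audit-log access was not expected for this domain. If audit-log monitoring is intended, state the reason in a comment and check whether the dontaudit rule still makes sense; if it is not, drop the two patterns and require only `var_log_t`. The `# Not in EL9 yet` comment sits above a single commented-out interface but appears to explain the whole open-coded block, so I would reword it along the lines of `# logging_watch_audit_log_files/dirs are not in the EL9 policy yet; open-coded via gen_require below, switch back to the interfaces once available`. That comment should also note that `gen_require` on `auditd_log_t` couples this module to a type owned by another module.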
https://src.fedoraproject.org/rpms/fail2ban/c/ec52ec24716b4d6e820431dbe7b33a...