Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Gentoo Archives: gentoo-commits

From: Sven Vermeulen <sven.vermeulen@××××××.be>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
Date: Tue, 30 Oct 2012 19:20:13
Message-Id: 1351624626.fba5fa9f3a58bd8e71cbfee549594832a70c492c.SwifT@gentoo
1 commit: fba5fa9f3a58bd8e71cbfee549594832a70c492c
2 Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
3 AuthorDate: Tue Oct 30 18:41:19 2012 +0000
4 Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
5 CommitDate: Tue Oct 30 19:17:06 2012 +0000
6 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=fba5fa9f
7
8 Fail2ban client checks state of log files before telling the server
9
10 When a (re)configuration occurs, fail2ban-client invokes an internal script
11 called jailreader which will look through the configured log files and check
12 their state before informing the server that these log files need to be
13 "watched".
14
15 During this operation, fail2ban-client requires dac_read_search capability (in
16 case the log file/directory isn't owned by the same user that fail2ban-client
17 runs as, which is a very common case) as well as getattr rights on all log files
18 (and search privileges on the directories).
19
20 Updated since previous patch with correct name for search_all_logs
21
22 Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be>
23
24 ---
25 policy/modules/contrib/fail2ban.te | 4 ++++
26 1 files changed, 4 insertions(+), 0 deletions(-)
27
28 diff --git a/policy/modules/contrib/fail2ban.te b/policy/modules/contrib/fail2ban.te
29 index 6232381..9faf50d 100644
30 --- a/policy/modules/contrib/fail2ban.te
31 +++ b/policy/modules/contrib/fail2ban.te
32 @@ -128,6 +128,7 @@ optional_policy(`
33 # Client Local policy
34 #
35
36 +allow fail2ban_client_t self:capability dac_read_search;
37 allow fail2ban_client_t self:unix_stream_socket { create connect write read };
38
39 domtrans_pattern(fail2ban_client_t, fail2ban_exec_t, fail2ban_t)
40 @@ -144,6 +145,9 @@ files_read_etc_files(fail2ban_client_t)
41 files_read_usr_files(fail2ban_client_t)
42 files_search_pids(fail2ban_client_t)
43
44 +logging_getattr_all_logs(fail2ban_client_t)
45 +logging_search_all_logs(fail2ban_client_t)
46 +
47 miscfiles_read_localization(fail2ban_client_t)
48
49 userdom_dontaudit_search_user_home_dirs(fail2ban_client_t)
Report Message
Find on MARC Find on Google Groups