commit: fba5fa9f3a58bd8e71cbfee549594832a70c492c |
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
AuthorDate: Tue Oct 30 18:41:19 2012 +0000 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
CommitDate: Tue Oct 30 19:17:06 2012 +0000 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=fba5fa9f |
|
Fail2ban client checks state of log files before telling the server |
|
When a (re)configuration occurs, fail2ban-client invokes an internal script |
called jailreader which will look through the configured log files and check |
their state before informing the server that these log files need to be |
"watched". |
|
During this operation, fail2ban-client requires dac_read_search capability (in |
case the log file/directory isn't owned by the same user that fail2ban-client |
runs as, which is a very common case) as well as getattr rights on all log files |
(and search privileges on the directories). |
|
Updated since previous patch with correct name for search_all_logs |
|
Signed-off-by: Sven Vermeulen <sven.vermeulen <AT> siphos.be> |
|
--- |
policy/modules/contrib/fail2ban.te | 4 ++++ |
1 files changed, 4 insertions(+), 0 deletions(-) |
|
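diff --git a/policy/modules/contrib/fail2ban.te b/policy/modules/contrib/fail2ban.te
index 6232381..9faf50d 100644
--- a/policy/modules/contrib/fail2ban.te
+++ b/policy/modules/contrib/fail2ban.te
@@ -128,6 +128,7 @@ optional_policy(`
 # Client Local policy
 #
 
+allow fail2ban_client_t self:capability dac_read_search;
 allow fail2ban_client_t self:unix_stream_socket { create connect write read };
 
 domtrans_pattern(fail2ban_client_t, fail2ban_exec_t, fail2ban_t)
@@ -144,6 +145,9 @@ files_read_etc_files(fail2ban_client_t)
 files_read_usr_files(fail2ban_client_t)
 files_search_pids(fail2ban_client_t)
 
+logging_getattr_all_logs(fail2ban_client_t)
+logging_search_all_logs(fail2ban_client_t)
+
 miscfiles_read_localization(fail2ban_client_t)
 
 userdom_dontaudit_search_user_home_dirs(fail2ban_client_t)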
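Review bot: The new `allow fail2ban_client_t self:capability dac_read_search;` in the first hunk will, as far as I recall of kernels from this period, still leave dac_override denials in the audit log, because the VFS permission check tries CAP_DAC_OVERRIDE before falling back to CAP_DAC_READ_SEARCH for read and search access; refpolicy usually pairs such a rule with `dontaudit fail2ban_client_t self:capability dac_override;` so that expected noise does not hide a real denial. The capability also widens what the client may read to everything its SELinux rules already permit, not only logs, so a short why-comment above the rule such as `# jailreader stats the configured log files, which are usually not owned by the client uid` would tell the next maintainer why it is granted. The two logging_* calls in the second hunk are correctly limited to getattr and search, which keeps the MAC side of this change to metadata only. Both hunks lie inside the client local policy section, which continues beyond the hunks shown.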