[refpolicy] [PATCH v2 1/1] Fail2ban client checks state of log files before telling the server

[refpolicy] [PATCH v2 1/1] Fail2ban client checks state of log files before telling the server

[Sven Vermeulen]

When a (re)configuration occurs, fail2ban-client invokes an internal script
called jailreader which will look through the configured log files and check
their state before informing the server that these log files need to be
"watched".

During this operation, fail2ban-client requires dac_read_search capability (in
case the log file/directory isn't owned by the same user that fail2ban-client
runs as, which is a very common case) as well as getattr rights on all log files
(and search privileges on the directories).

Updated since previous patch with correct name for search_all_logs

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 fail2ban.te |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

diff --git a/fail2ban.te b/fail2ban.te
index c7c6020..c40631f 100644
--- a/fail2ban.te
+++ b/fail2ban.te
@@ -124,6 +124,7 @@ optional_policy(`
 # Client Local policy
 #
 
+allow fail2ban_client_t self:capability dac_read_search;
 allow fail2ban_client_t self:unix_stream_socket { create connect write read };
 
 domtrans_pattern(fail2ban_client_t, fail2ban_exec_t, fail2ban_t)
@@ -140,6 +141,9 @@ files_read_etc_files(fail2ban_client_t)
 files_read_usr_files(fail2ban_client_t)
 files_search_pids(fail2ban_client_t)
 
+logging_getattr_all_logs(fail2ban_client_t)
+logging_search_all_logs(fail2ban_client_t)
+
 miscfiles_read_localization(fail2ban_client_t)
 
 userdom_dontaudit_search_user_home_dirs(fail2ban_client_t)
-- 
1.7.8.6

[refpolicy] [PATCH v2 1/1] Fail2ban client checks state of log files before telling the server

[Dominick Grift]

On Tue, 2012-10-30 at 19:41 +0100, Sven Vermeulen wrote:
> When a (re)configuration occurs, fail2ban-client invokes an internal script
> called jailreader which will look through the configured log files and check
> their state before informing the server that these log files need to be
> "watched".
> 
> During this operation, fail2ban-client requires dac_read_search capability (in
> case the log file/directory isn't owned by the same user that fail2ban-client
> runs as, which is a very common case) as well as getattr rights on all log files
> (and search privileges on the directories).
> 
> Updated since previous patch with correct name for search_all_logs
> 
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
>  fail2ban.te |    4 ++++
>  1 files changed, 4 insertions(+), 0 deletions(-)
> 
> diff --git a/fail2ban.te b/fail2ban.te
> index c7c6020..c40631f 100644
> --- a/fail2ban.te
> +++ b/fail2ban.te
> @@ -124,6 +124,7 @@ optional_policy(`
>  # Client Local policy
>  #
>  
> +allow fail2ban_client_t self:capability dac_read_search;
>  allow fail2ban_client_t self:unix_stream_socket { create connect write read };
>  
>  domtrans_pattern(fail2ban_client_t, fail2ban_exec_t, fail2ban_t)
> @@ -140,6 +141,9 @@ files_read_etc_files(fail2ban_client_t)
>  files_read_usr_files(fail2ban_client_t)
>  files_search_pids(fail2ban_client_t)
>  
> +logging_getattr_all_logs(fail2ban_client_t)
> +logging_search_all_logs(fail2ban_client_t)
> +
>  miscfiles_read_localization(fail2ban_client_t)
>  
>  userdom_dontaudit_search_user_home_dirs(fail2ban_client_t)

Merged, thanks