From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Fri, 19 Oct 2012 20:53:58 +0200
Subject: [refpolicy] [PATCH 5/7] Fail2ban client checks state of log files
	before telling the server
In-Reply-To: <1350672840-14590-1-git-send-email-sven.vermeulen@siphos.be>
References: <1350672840-14590-1-git-send-email-sven.vermeulen@siphos.be>
Message-ID: <1350672840-14590-6-git-send-email-sven.vermeulen@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

When a (re)configuration occurs, fail2ban-client invokes an internal script
called jailreader which will look through the configured log files and check
their state before informing the server that these log files need to be
"watched".

During this operation, fail2ban-client requires dac_read_search capability (in
case the log file/directory isn't owned by the same user that fail2ban-client
runs as, which is a very common case) as well as getattr rights on all log files
(and search privileges on the directories).

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 fail2ban.te |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

diff --git a/fail2ban.te b/fail2ban.te
index 23b92bc..1c54353 100644
--- a/fail2ban.te
+++ b/fail2ban.te
@@ -124,6 +124,7 @@ optional_policy(`
 # Client Local policy
 #
 
+allow fail2ban_client_t self:capability dac_read_search;
 allow fail2ban_client_t self:unix_stream_socket { create connect write read };
 
 domtrans_pattern(fail2ban_client_t, fail2ban_exec_t, fail2ban_t)
@@ -140,6 +141,9 @@ files_read_etc_files(fail2ban_client_t)
 files_read_usr_files(fail2ban_client_t)
 files_search_pids(fail2ban_client_t)
 
+logging_getattr_all_logs(fail2ban_client_t)
+logging_search_all_log_dirs(fail2ban_client_t)
+
 miscfiles_read_localization(fail2ban_client_t)
 
 userdom_dontaudit_search_user_home_dirs(fail2ban_client_t)
-- 
1.7.8.6