From: sven.vermeulen@siphos.be (Sven Vermeulen) Date: Tue, 30 Oct 2012 19:41:19 +0100 Subject: [refpolicy] [PATCH v2 1/1] Fail2ban client checks state of log files before telling the server Message-ID: <20121030184119.GA25324@siphos.be> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com When a (re)configuration occurs, fail2ban-client invokes an internal script called jailreader which will look through the configured log files and check their state before informing the server that these log files need to be "watched". During this operation, fail2ban-client requires dac_read_search capability (in case the log file/directory isn't owned by the same user that fail2ban-client runs as, which is a very common case) as well as getattr rights on all log files (and search privileges on the directories). Updated since previous patch with correct name for search_all_logs Signed-off-by: Sven Vermeulen --- fail2ban.te | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) diff --git a/fail2ban.te b/fail2ban.te index c7c6020..c40631f 100644 --- a/fail2ban.te +++ b/fail2ban.te @@ -124,6 +124,7 @@ optional_policy(` # Client Local policy # +allow fail2ban_client_t self:capability dac_read_search; allow fail2ban_client_t self:unix_stream_socket { create connect write read }; domtrans_pattern(fail2ban_client_t, fail2ban_exec_t, fail2ban_t) @@ -140,6 +141,9 @@ files_read_etc_files(fail2ban_client_t) files_read_usr_files(fail2ban_client_t) files_search_pids(fail2ban_client_t) +logging_getattr_all_logs(fail2ban_client_t) +logging_search_all_logs(fail2ban_client_t) + miscfiles_read_localization(fail2ban_client_t) userdom_dontaudit_search_user_home_dirs(fail2ban_client_t) -- 1.7.8.6