From: dominick.grift@gmail.com (Dominick Grift) Date: Tue, 30 Oct 2012 19:55:04 +0100 Subject: [refpolicy] [PATCH v2 1/1] Fail2ban client checks state of log files before telling the server In-Reply-To: <20121030184119.GA25324@siphos.be> References: <20121030184119.GA25324@siphos.be> Message-ID: <1351623304.4200.7.camel@d30.localdomain> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Tue, 2012-10-30 at 19:41 +0100, Sven Vermeulen wrote: > When a (re)configuration occurs, fail2ban-client invokes an internal script > called jailreader which will look through the configured log files and check > their state before informing the server that these log files need to be > "watched". > > During this operation, fail2ban-client requires dac_read_search capability (in > case the log file/directory isn't owned by the same user that fail2ban-client > runs as, which is a very common case) as well as getattr rights on all log files > (and search privileges on the directories). > > Updated since previous patch with correct name for search_all_logs > > Signed-off-by: Sven Vermeulen > --- > fail2ban.te | 4 ++++ > 1 files changed, 4 insertions(+), 0 deletions(-) > > diff --git a/fail2ban.te b/fail2ban.te > index c7c6020..c40631f 100644 > --- a/fail2ban.te > +++ b/fail2ban.te > @@ -124,6 +124,7 @@ optional_policy(` > # Client Local policy > # > > +allow fail2ban_client_t self:capability dac_read_search; > allow fail2ban_client_t self:unix_stream_socket { create connect write read }; > > domtrans_pattern(fail2ban_client_t, fail2ban_exec_t, fail2ban_t) > @@ -140,6 +141,9 @@ files_read_etc_files(fail2ban_client_t) > files_read_usr_files(fail2ban_client_t) > files_search_pids(fail2ban_client_t) > > +logging_getattr_all_logs(fail2ban_client_t) > +logging_search_all_logs(fail2ban_client_t) > + > miscfiles_read_localization(fail2ban_client_t) > > userdom_dontaudit_search_user_home_dirs(fail2ban_client_t) Merged, thanks
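Review bot: the `allow fail2ban_client_t self:capability dac_read_search;` line in the first hunk grants a blanket DAC bypass for read and search on every file the domain can otherwise reach under SELinux, and the only justification (jailreader stat'ing log files owned by other users) lives in the commit message rather than next to the rule. Suggest a one-line comment above it in fail2ban.te, e.g. `# jailreader checks log file state on (re)configuration`, so a later reviewer does not mistake it for a leftover. It is worth noting for the record that dac_read_search is the narrower choice here: unlike dac_override it does not bypass DAC write checks, so the client still cannot modify logs it does not own.

Review bot: the second hunk pairs `logging_getattr_all_logs(fail2ban_client_t)` with `logging_search_all_logs(fail2ban_client_t)`, which matches the stated need (getattr on all log files plus search on the directories) and does not hand out read access, so the grant stays scoped to what jailreader's pre-flight check requires. Since the cover letter says the previous version used the wrong name for the search interface, please confirm both interface names resolve against the logging module in this tree before merge; a misspelt interface in refpolicy fails only at build time, not at review time. As with the first hunk, a short comment tying the two calls to the jailreader check would help future readers.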