From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Thu, 11 Apr 2013 10:34:35 +0200
Subject: [refpolicy] [PATCH 05/13] Allow reading /proc/self for fail2ban due
	to FAM support
In-Reply-To: <1365669283-22005-1-git-send-email-sven.vermeulen@siphos.be>
References: <1365669283-22005-1-git-send-email-sven.vermeulen@siphos.be>
Message-ID: <1365669283-22005-6-git-send-email-sven.vermeulen@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

fail2ban supports file monitoring solutions like Gamin, Pyinotify. When using
Gamin, fail2ban launches a gam_server which, through FAM support, reads in
/proc/self.

As this gam_server is only for the fail2ban activities and all permissions
(except for read access to the fail2ban_t /proc itself), allow this in the
fail2ban_t domain instead of creating a new domain for gam_server and
transitioning to it.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 fail2ban.te | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/fail2ban.te b/fail2ban.te
index 0872e50..919358a 100644
--- a/fail2ban.te
+++ b/fail2ban.te
@@ -42,6 +42,9 @@ allow fail2ban_t self:fifo_file rw_fifo_file_perms;
 allow fail2ban_t self:unix_stream_socket { accept connectto listen };
 allow fail2ban_t self:tcp_socket { accept listen };
 
+# Needed for FAM support
+read_files_pattern(fail2ban_t, fail2ban_t, fail2ban_t)
+
 append_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t)
 create_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t)
 setattr_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t)
-- 
1.8.1.5