From: sven.vermeulen@siphos.be (Sven Vermeulen) Date: Thu, 11 Apr 2013 10:34:35 +0200 Subject: [refpolicy] [PATCH 05/13] Allow reading /proc/self for fail2ban due to FAM support In-Reply-To: <1365669283-22005-1-git-send-email-sven.vermeulen@siphos.be> References: <1365669283-22005-1-git-send-email-sven.vermeulen@siphos.be> Message-ID: <1365669283-22005-6-git-send-email-sven.vermeulen@siphos.be> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com fail2ban supports file monitoring solutions like Gamin, Pyinotify. When using Gamin, fail2ban launches a gam_server which, through FAM support, reads in /proc/self. As this gam_server is only for the fail2ban activities and all permissions (except for read access to the fail2ban_t /proc itself), allow this in the fail2ban_t domain instead of creating a new domain for gam_server and transitioning to it. Signed-off-by: Sven Vermeulen --- fail2ban.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/fail2ban.te b/fail2ban.te index 0872e50..919358a 100644 --- a/fail2ban.te +++ b/fail2ban.te @@ -42,6 +42,9 @@ allow fail2ban_t self:fifo_file rw_fifo_file_perms; allow fail2ban_t self:unix_stream_socket { accept connectto listen }; allow fail2ban_t self:tcp_socket { accept listen }; +# Needed for FAM support +read_files_pattern(fail2ban_t, fail2ban_t, fail2ban_t) + append_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t) create_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t) setattr_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t) -- 1.8.1.5
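Review bot: the comment `# Needed for FAM support` above `read_files_pattern(fail2ban_t, fail2ban_t, fail2ban_t)` does not say what is read; a later reader of fail2ban.te will not know that FAM support means the gam_server spawned by fail2ban reading its own /proc/self entries, so spell it out, e.g. `# gam_server (FAM support) reads /proc/self`. The adjacent rules on this domain are written against `self` (`allow fail2ban_t self:fifo_file ...`, `allow fail2ban_t self:tcp_socket ...`), so the equivalent `allow fail2ban_t self:dir search_dir_perms;` and `allow fail2ban_t self:file read_file_perms;` would match the surrounding style and make explicit that this is self-access rather than access to some other object labelled fail2ban_t.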