From: dominick.grift@gmail.com (Dominick Grift)
Date: Wed, 17 Apr 2013 18:40:49 +0200
Subject: [refpolicy] [PATCH 05/13] Allow reading /proc/self for fail2ban due to FAM support
In-Reply-To: <1365669283-22005-6-git-send-email-sven.vermeulen@siphos.be>
References: <1365669283-22005-1-git-send-email-sven.vermeulen@siphos.be>
 <1365669283-22005-6-git-send-email-sven.vermeulen@siphos.be>
Message-ID: <1366216849.2803.44.camel@x220.localdomain>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Thu, 2013-04-11 at 10:34 +0200, Sven Vermeulen wrote:
> fail2ban supports file monitoring solutions like Gamin, Pyinotify. When using
> Gamin, fail2ban launches a gam_server which, through FAM support, reads in
> /proc/self.
>
> As this gam_server is only for the fail2ban activities and all permissions
> (except for read access to the fail2ban_t /proc itself), allow this in the
> fail2ban_t domain instead of creating a new domain for gam_server and
> transitioning to it.
>
> Signed-off-by: Sven Vermeulen

Merged, thanks. You do not have to add inline comments as you have the git commit messages.

> ---
> fail2ban.te | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/fail2ban.te b/fail2ban.te
> index 0872e50..919358a 100644
> --- a/fail2ban.te
> +++ b/fail2ban.te
> @@ -42,6 +42,9 @@ allow fail2ban_t self:fifo_file rw_fifo_file_perms;
> allow fail2ban_t self:unix_stream_socket { accept connectto listen };
> allow fail2ban_t self:tcp_socket { accept listen };
>
> +# Needed for FAM support
> +read_files_pattern(fail2ban_t, fail2ban_t, fail2ban_t)
> +
> append_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t)
> create_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t)
> setattr_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t)
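Review bot: the added rule `read_files_pattern(fail2ban_t, fail2ban_t, fail2ban_t)` sits directly among the `allow fail2ban_t self:...` rules but is written in a different style; since the pattern macro expands to a directory search rule plus a file read rule on the same types, the consistent form here would be the explicit self rules, e.g. `allow fail2ban_t self:dir search_dir_perms;` and `allow fail2ban_t self:file read_file_perms;`. If the inline comment is kept, "Needed for FAM support" should say what is actually being read (gam_server reading /proc/self, per the commit message) so that a reader of the .te file alone can tell why a domain needs to read its own process files.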