From: "Sven Vermeulen"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen"
Message-ID: <1351624626.fba5fa9f3a58bd8e71cbfee549594832a70c492c.SwifT@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/contrib/fail2ban.te
X-VCS-Directories: policy/modules/contrib/
X-VCS-Committer: SwifT
X-VCS-Committer-Name: Sven Vermeulen
X-VCS-Revision: fba5fa9f3a58bd8e71cbfee549594832a70c492c
X-VCS-Branch: master
Date: Tue, 30 Oct 2012 19:19:59 +0000 (UTC)
Precedence: bulk
List-Post: List-Help: List-Unsubscribe: List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: cd7cdf96-0429-4883-a28e-ba62525217aa
X-Archives-Hash: e37db87d8a9edf43b00d211388e1a1f8

commit:     fba5fa9f3a58bd8e71cbfee549594832a70c492c
Author:     Sven Vermeulen siphos be>
AuthorDate: Tue Oct 30 18:41:19 2012 +0000
Commit:     Sven Vermeulen siphos be>
CommitDate: Tue Oct 30 19:17:06 2012 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=fba5fa9f

Fail2ban client checks state of log files before telling the server

When a (re)configuration occurs, fail2ban-client invokes an internal script called jailreader which will look through the configured log files and check their state before informing the server that these log files need to be "watched". During this operation, fail2ban-client requires dac_read_search capability (in case the log file/directory isn't owned by the same user that fail2ban-client runs as, which is a very common case) as well as getattr rights on all log files (and search privileges on the directories).

Updated since previous patch with correct name for search_all_logs
Signed-off-by: Sven Vermeulen siphos.be> --- policy/modules/contrib/fail2ban.te | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) diff --git a/policy/modules/contrib/fail2ban.te b/policy/modules/contrib/fail2ban.te index 6232381..9faf50d 100644 --- a/policy/modules/contrib/fail2ban.te +++ b/policy/modules/contrib/fail2ban.te @@ -128,6 +128,7 @@ optional_policy(` # Client Local policy # +allow fail2ban_client_t self:capability dac_read_search; allow fail2ban_client_t self:unix_stream_socket { create connect write read }; domtrans_pattern(fail2ban_client_t, fail2ban_exec_t, fail2ban_t) @@ -144,6 +145,9 @@ files_read_etc_files(fail2ban_client_t) files_read_usr_files(fail2ban_client_t) files_search_pids(fail2ban_client_t) +logging_getattr_all_logs(fail2ban_client_t) +logging_search_all_logs(fail2ban_client_t) + miscfiles_read_localization(fail2ban_client_t) userdom_dontaudit_search_user_home_dirs(fail2ban_client_t)
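Review bot: In the first hunk (@@ -128), `allow fail2ban_client_t self:capability dac_read_search;` is a DAC bypass for every file the domain can otherwise reach, not only the log files the commit message describes, so the effective scope of this grant is whatever the type-enforcement rules for fail2ban_client_t allow; a short comment above the rule naming the jailreader use case (log files owned by a different DAC user) would let a later reviewer judge whether the capability is still needed. Choosing dac_read_search rather than dac_override is the right call here, since the client only needs to traverse and stat, not write.

Review bot: In the second hunk (@@ -144), `logging_getattr_all_logs(fail2ban_client_t)` and `logging_search_all_logs(fail2ban_client_t)` are unconditional and cover every log type, not just the logs referenced by configured jails; combined with the dac_read_search capability from the other hunk, the client can stat and traverse any log directory on the system. That matches the stated requirement ("getattr rights on all log files (and search privileges on the directories)"), but it is worth documenting in the .te file that no read permission is granted, so the client can inspect log metadata without being able to read log contents. The placement between files_search_pids and miscfiles_read_localization follows the module's alphabetical ordering of interface calls.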