diff --git a/.gitignore b/.gitignore index 39682b0..dd4b1af 100644 --- a/.gitignore +++ b/.gitignore @@ -20,3 +20,4 @@ fail2ban-0.8.4.tar.bz2 /fail2ban-0.10.3.1.tar.gz /fail2ban-0.10.4.tar.gz /fail2ban-0.10.5.tar.gz +/fail2ban-0.11.1.tar.gz diff --git a/2605.patch b/2605.patch new file mode 100644 index 0000000..05e5646 --- /dev/null +++ b/2605.patch @@ -0,0 +1,152 @@ +From 3965d690b137152b2a0a6a46989178b5566cfd8e Mon Sep 17 00:00:00 2001 +From: Angelo Compagnucci +Date: Thu, 16 Jan 2020 12:05:13 +0100 +Subject: [PATCH 1/2] Revert "setup.py: adding option to install without tests" + +Test should actually removed from the stup data in finalize_options +instead of being added back. + +This reverts commit 9b918bba2f672780fb4469294d80ba7deb6b8cab. + +Signed-off-by: Angelo Compagnucci +--- + setup.py | 41 ++++++++++++++++------------------------- + 1 file changed, 16 insertions(+), 25 deletions(-) + +diff --git a/setup.py b/setup.py +index e476c5dd6..8da292683 100755 +--- a/setup.py ++++ b/setup.py +@@ -119,11 +119,9 @@ def update_scripts(self, dry_run=False): + class install_command_f2b(install): + user_options = install.user_options + [ + ('disable-2to3', None, 'Specify to deactivate 2to3, e.g. if the install runs from fail2ban test-cases.'), +- ('without-tests', None, 'without tests files installation'), + ] + def initialize_options(self): + self.disable_2to3 = None +- self.without_tests = None + install.initialize_options(self) + def finalize_options(self): + global _2to3 +@@ -134,28 +132,6 @@ def finalize_options(self): + cmdclass = self.distribution.cmdclass + cmdclass['build_py'] = build_py_2to3 + cmdclass['build_scripts'] = build_scripts_2to3 +- if not self.without_tests: +- self.distribution.scripts += [ +- 'bin/fail2ban-testcases', +- ] +- +- self.distribution.packages += [ +- 'fail2ban.tests', +- 'fail2ban.tests.action_d', +- ] +- +- self.distribution.package_data = { +- 'fail2ban.tests': +- [ join(w[0], f).replace("fail2ban/tests/", "", 1) +- for w in os.walk('fail2ban/tests/files') +- for f in w[2]] + +- [ join(w[0], f).replace("fail2ban/tests/", "", 1) +- for w in os.walk('fail2ban/tests/config') +- for f in w[2]] + +- [ join(w[0], f).replace("fail2ban/tests/", "", 1) +- for w in os.walk('fail2ban/tests/action_d') +- for f in w[2]] +- } + install.finalize_options(self) + def run(self): + install.run(self) +@@ -232,20 +208,35 @@ def run(self): + license = "GPL", + platforms = "Posix", + cmdclass = { +- 'build_py': build_py, 'build_scripts': build_scripts, ++ 'build_py': build_py, 'build_scripts': build_scripts, + 'install_scripts': install_scripts_f2b, 'install': install_command_f2b + }, + scripts = [ + 'bin/fail2ban-client', + 'bin/fail2ban-server', + 'bin/fail2ban-regex', ++ 'bin/fail2ban-testcases', + # 'bin/fail2ban-python', -- link (binary), will be installed via install_scripts_f2b wrapper + ], + packages = [ + 'fail2ban', + 'fail2ban.client', + 'fail2ban.server', ++ 'fail2ban.tests', ++ 'fail2ban.tests.action_d', + ], ++ package_data = { ++ 'fail2ban.tests': ++ [ join(w[0], f).replace("fail2ban/tests/", "", 1) ++ for w in os.walk('fail2ban/tests/files') ++ for f in w[2]] + ++ [ join(w[0], f).replace("fail2ban/tests/", "", 1) ++ for w in os.walk('fail2ban/tests/config') ++ for f in w[2]] + ++ [ join(w[0], f).replace("fail2ban/tests/", "", 1) ++ for w in os.walk('fail2ban/tests/action_d') ++ for f in w[2]] ++ }, + data_files = [ + ('/etc/fail2ban', + glob("config/*.conf") + +From 5fa1f69264d3c23793f64c03c96737d54555e919 Mon Sep 17 00:00:00 2001 +From: Angelo Compagnucci +Date: Thu, 16 Jan 2020 12:28:42 +0100 +Subject: [PATCH 2/2] setup.py: adding option to install without tests + +Tests files are not always needed especially when installing on low +resource systems like an embedded one. +This patch adds the --without-tests option to skip installing the +tests files. + +Signed-off-by: Angelo Compagnucci +--- + setup.py | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/setup.py b/setup.py +index 8da292683..ce1eedf68 100755 +--- a/setup.py ++++ b/setup.py +@@ -119,9 +119,11 @@ def update_scripts(self, dry_run=False): + class install_command_f2b(install): + user_options = install.user_options + [ + ('disable-2to3', None, 'Specify to deactivate 2to3, e.g. if the install runs from fail2ban test-cases.'), ++ ('without-tests', None, 'without tests files installation'), + ] + def initialize_options(self): + self.disable_2to3 = None ++ self.without_tests = None + install.initialize_options(self) + def finalize_options(self): + global _2to3 +@@ -132,6 +134,13 @@ def finalize_options(self): + cmdclass = self.distribution.cmdclass + cmdclass['build_py'] = build_py_2to3 + cmdclass['build_scripts'] = build_scripts_2to3 ++ if self.without_tests: ++ self.distribution.scripts.remove('bin/fail2ban-testcases') ++ ++ self.distribution.packages.remove('fail2ban.tests') ++ self.distribution.packages.remove('fail2ban.tests.action_d') ++ ++ del self.distribution.package_data['fail2ban.tests'] + install.finalize_options(self) + def run(self): + install.run(self) +@@ -208,7 +217,7 @@ def run(self): + license = "GPL", + platforms = "Posix", + cmdclass = { +- 'build_py': build_py, 'build_scripts': build_scripts, ++ 'build_py': build_py, 'build_scripts': build_scripts, + 'install_scripts': install_scripts_f2b, 'install': install_command_f2b + }, + scripts = [ diff --git a/2651.patch b/2651.patch new file mode 100644 index 0000000..520d5d2 --- /dev/null +++ b/2651.patch @@ -0,0 +1,65 @@ +From 781a25512b107828aff71998c19f2fa4dbf471c1 Mon Sep 17 00:00:00 2001 +From: "Sergey G. Brester" +Date: Fri, 6 Mar 2020 19:04:39 +0100 +Subject: [PATCH 1/4] travis CI: add 3.9-dev as target + +--- + .travis.yml | 1 + + 1 file changed, 1 insertion(+) + +--- a/fail2ban/server/jailthread.py ++++ b/fail2ban/server/jailthread.py +@@ -120,3 +120,6 @@ class JailThread(Thread): + ## python 2.x replace binding of private __bootstrap method: + if sys.version_info < (3,): # pragma: 3.x no cover + JailThread._Thread__bootstrap = JailThread._JailThread__bootstrap ++## python 3.9, restore isAlive method: ++elif not hasattr(JailThread, 'isAlive'): # pragma: 2.x no cover ++ JailThread.isAlive = JailThread.is_alive +--- a/fail2ban/tests/sockettestcase.py ++++ b/fail2ban/tests/sockettestcase.py +@@ -87,7 +87,7 @@ class Socket(LogCaptureTestCase): + def _stopServerThread(self): + serverThread = self.serverThread + # wait for end of thread : +- Utils.wait_for(lambda: not serverThread.isAlive() ++ Utils.wait_for(lambda: not serverThread.is_alive() + or serverThread.join(Utils.DEFAULT_SLEEP_TIME), unittest.F2B.maxWaitTime(10)) + self.serverThread = None + +@@ -98,7 +98,7 @@ class Socket(LogCaptureTestCase): + self.server.close() + # wait for end of thread : + self._stopServerThread() +- self.assertFalse(serverThread.isAlive()) ++ self.assertFalse(serverThread.is_alive()) + # clean : + self.server.stop() + self.assertFalse(self.server.isActive()) +@@ -139,7 +139,7 @@ class Socket(LogCaptureTestCase): + self.server.stop() + # wait for end of thread : + self._stopServerThread() +- self.assertFalse(serverThread.isAlive()) ++ self.assertFalse(serverThread.is_alive()) + self.assertFalse(self.server.isActive()) + self.assertFalse(os.path.exists(self.sock_name)) + +@@ -180,7 +180,7 @@ class Socket(LogCaptureTestCase): + self.server.stop() + # wait for end of thread : + self._stopServerThread() +- self.assertFalse(serverThread.isAlive()) ++ self.assertFalse(serverThread.is_alive()) + + def testLoopErrors(self): + # replace poll handler to produce error in loop-cycle: +@@ -216,7 +216,7 @@ class Socket(LogCaptureTestCase): + self.server.stop() + # wait for end of thread : + self._stopServerThread() +- self.assertFalse(serverThread.isAlive()) ++ self.assertFalse(serverThread.is_alive()) + self.assertFalse(self.server.isActive()) + self.assertFalse(os.path.exists(self.sock_name)) + diff --git a/343ec1cdd296530f331637c725bd2bb0549e01e6.patch b/343ec1cdd296530f331637c725bd2bb0549e01e6.patch new file mode 100644 index 0000000..fb597ad --- /dev/null +++ b/343ec1cdd296530f331637c725bd2bb0549e01e6.patch @@ -0,0 +1,54 @@ +From 343ec1cdd296530f331637c725bd2bb0549e01e6 Mon Sep 17 00:00:00 2001 +From: sebres +Date: Wed, 18 Mar 2020 20:37:25 +0100 +Subject: [PATCH] test-causes: avoid host-depending issue (mistakenly ignoring + IP 127.0.0.2 as own address) - replace loop-back addr with test sub-net addr + (and disable ignoreself) + +--- + fail2ban/tests/observertestcase.py | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/fail2ban/tests/observertestcase.py b/fail2ban/tests/observertestcase.py +index 8e9444548..e379ccd18 100644 +--- a/fail2ban/tests/observertestcase.py ++++ b/fail2ban/tests/observertestcase.py +@@ -36,7 +36,6 @@ + from ..server.observer import Observers, ObserverThread + from ..server.utils import Utils + from .utils import LogCaptureTestCase +-from ..server.filter import Filter + from .dummyjail import DummyJail + + from .databasetestcase import getFail2BanDb, Fail2BanDb +@@ -224,7 +223,7 @@ def testBanTimeIncr(self): + jail.actions.setBanTime(10) + jail.setBanTimeExtra('increment', 'true') + jail.setBanTimeExtra('multipliers', '1 2 4 8 16 32 64 128 256 512 1024 2048') +- ip = "127.0.0.2" ++ ip = "192.0.2.1" + # used as start and fromtime (like now but time independence, cause test case can run slow): + stime = int(MyTime.time()) + ticket = FailTicket(ip, stime, []) +@@ -385,10 +384,12 @@ def testBanTimeIncr(self): + + # two separate jails : + jail1 = DummyJail(backend='polling') ++ jail1.filter.ignoreSelf = False + jail1.setBanTimeExtra('increment', 'true') + jail1.database = self.db + self.db.addJail(jail1) + jail2 = DummyJail(name='DummyJail-2', backend='polling') ++ jail2.filter.ignoreSelf = False + jail2.database = self.db + self.db.addJail(jail2) + ticket1 = FailTicket(ip, stime, []) +@@ -477,7 +478,7 @@ def testObserver(self): + self.assertEqual(tickets, []) + + # add failure: +- ip = "127.0.0.2" ++ ip = "192.0.2.1" + ticket = FailTicket(ip, stime-120, []) + failManager = FailManager() + failManager.setMaxRetry(3) diff --git a/8dc6f30cdd855c41b80ebdde3fe2bc91cc94e594.patch b/8dc6f30cdd855c41b80ebdde3fe2bc91cc94e594.patch new file mode 100644 index 0000000..abc806c --- /dev/null +++ b/8dc6f30cdd855c41b80ebdde3fe2bc91cc94e594.patch @@ -0,0 +1,213 @@ +From 8dc6f30cdd855c41b80ebdde3fe2bc91cc94e594 Mon Sep 17 00:00:00 2001 +From: sebres +Date: Wed, 15 Jan 2020 19:22:53 +0100 +Subject: [PATCH] closes #2596: fixed supplying of backend-related `logtype` to + the jail filter - don't merge it (provide as init parameter if not set in + definition section), init parameters don't affect config-cache (better + implementation as in #2387 and it covered now with new test) + +--- + MANIFEST | 2 ++ + fail2ban/client/configreader.py | 8 +++-- + fail2ban/client/fail2banregex.py | 7 ++--- + fail2ban/client/filterreader.py | 8 +++++ + fail2ban/client/jailreader.py | 7 ++--- + fail2ban/tests/clientreadertestcase.py | 17 +++++++++- + .../tests/config/filter.d/checklogtype.conf | 31 +++++++++++++++++++ + .../config/filter.d/checklogtype_test.conf | 12 +++++++ + fail2ban/tests/config/jail.conf | 25 +++++++++++++++ + 9 files changed, 104 insertions(+), 13 deletions(-) + create mode 100644 fail2ban/tests/config/filter.d/checklogtype.conf + create mode 100644 fail2ban/tests/config/filter.d/checklogtype_test.conf + +--- a/MANIFEST ++++ b/MANIFEST +@@ -227,6 +227,8 @@ fail2ban/tests/clientreadertestcase.py + fail2ban/tests/config/action.d/action.conf + fail2ban/tests/config/action.d/brokenaction.conf + fail2ban/tests/config/fail2ban.conf ++fail2ban/tests/config/filter.d/checklogtype.conf ++fail2ban/tests/config/filter.d/checklogtype_test.conf + fail2ban/tests/config/filter.d/simple.conf + fail2ban/tests/config/filter.d/test.conf + fail2ban/tests/config/filter.d/test.local +--- a/fail2ban/client/configreader.py ++++ b/fail2ban/client/configreader.py +@@ -120,6 +120,10 @@ class ConfigReader(): + except AttributeError: + return False + ++ def has_option(self, sec, opt, withDefault=True): ++ return self._cfg.has_option(sec, opt) if withDefault \ ++ else opt in self._cfg._sections.get(sec, {}) ++ + def merge_defaults(self, d): + self._cfg.get_defaults().update(d) + +@@ -261,8 +265,8 @@ class ConfigReaderUnshared(SafeConfigPar + logSys.warning("'%s' not defined in '%s'. Using default one: %r" + % (optname, sec, optvalue)) + values[optname] = optvalue +- elif logSys.getEffectiveLevel() <= logLevel: +- logSys.log(logLevel, "Non essential option '%s' not defined in '%s'.", optname, sec) ++ # elif logSys.getEffectiveLevel() <= logLevel: ++ # logSys.log(logLevel, "Non essential option '%s' not defined in '%s'.", optname, sec) + except ValueError: + logSys.warning("Wrong value for '" + optname + "' in '" + sec + + "'. Using default one: '" + repr(optvalue) + "'") +--- a/fail2ban/client/fail2banregex.py ++++ b/fail2ban/client/fail2banregex.py +@@ -372,11 +372,8 @@ class Fail2banRegex(object): + if not ret: + output( "ERROR: failed to load filter %s" % value ) + return False +- # overwrite default logtype (considering that the filter could specify this too in Definition/Init sections): +- if not fltOpt.get('logtype'): +- reader.merge_defaults({ +- 'logtype': ['file','journal'][int(self._backend.startswith("systemd"))] +- }) ++ # set backend-related options (logtype): ++ reader.applyAutoOptions(self._backend) + # get, interpolate and convert options: + reader.getOptions(None) + # show real options if expected: +--- a/fail2ban/client/filterreader.py ++++ b/fail2ban/client/filterreader.py +@@ -53,6 +53,14 @@ class FilterReader(DefinitionInitConfigR + def getFile(self): + return self.__file + ++ def applyAutoOptions(self, backend): ++ # set init option to backend-related logtype, considering ++ # that the filter settings may be overwritten in its local: ++ if (not self._initOpts.get('logtype') and ++ not self.has_option('Definition', 'logtype', False) ++ ): ++ self._initOpts['logtype'] = ['file','journal'][int(backend.startswith("systemd"))] ++ + def convert(self): + stream = list() + opts = self.getCombined() +--- a/fail2ban/client/jailreader.py ++++ b/fail2ban/client/jailreader.py +@@ -149,11 +149,8 @@ class JailReader(ConfigReader): + ret = self.__filter.read() + if not ret: + raise JailDefError("Unable to read the filter %r" % filterName) +- if not filterOpt.get('logtype'): +- # overwrite default logtype backend-related (considering that the filter settings may be overwritten): +- self.__filter.merge_defaults({ +- 'logtype': ['file','journal'][int(self.__opts.get('backend', '').startswith("systemd"))] +- }) ++ # set backend-related options (logtype): ++ self.__filter.applyAutoOptions(self.__opts.get('backend', '')) + # merge options from filter as 'known/...' (all options unfiltered): + self.__filter.getOptions(self.__opts, all=True) + ConfigReader.merge_section(self, self.__name, self.__filter.getCombined(), 'known/') +--- a/fail2ban/tests/clientreadertestcase.py ++++ b/fail2ban/tests/clientreadertestcase.py +@@ -328,7 +328,22 @@ class JailReaderTest(LogCaptureTestCase) + self.assertFalse(len(o) > 2 and o[2].endswith('regex')) + i += 1 + if i > usednsidx: break +- ++ ++ def testLogTypeOfBackendInJail(self): ++ unittest.F2B.SkipIfCfgMissing(stock=True); # expected include of common.conf ++ # test twice to check cache works peoperly: ++ for i in (1, 2): ++ # backend-related, overwritten in definition, specified in init parameters: ++ for prefline in ('JRNL', 'FILE', 'TEST', 'INIT'): ++ jail = JailReader('checklogtype_'+prefline.lower(), basedir=IMPERFECT_CONFIG, ++ share_config=IMPERFECT_CONFIG_SHARE_CFG, force_enable=True) ++ self.assertTrue(jail.read()) ++ self.assertTrue(jail.getOptions()) ++ stream = jail.convert() ++ # 'JRNL' for systemd, 'FILE' for file backend, 'TEST' for custom logtype (overwrite it): ++ self.assertEqual([['set', jail.getName(), 'addfailregex', '^%s failure from $' % prefline]], ++ [o for o in stream if len(o) > 2 and o[2] == 'addfailregex']) ++ + def testSplitOption(self): + # Simple example + option = "mail-whois[name=SSH]" +--- /dev/null ++++ b/fail2ban/tests/config/filter.d/checklogtype.conf +@@ -0,0 +1,31 @@ ++# Fail2Ban configuration file ++# ++ ++[INCLUDES] ++ ++# Read common prefixes (logtype is set in default section) ++before = ../../../../config/filter.d/common.conf ++ ++[Definition] ++ ++_daemon = test ++ ++failregex = ^/__prefix_line> failure from $ ++ignoreregex = ++ ++# following sections define prefix line considering logtype: ++ ++# backend-related (retrieved from backend, overwrite default): ++[lt_file] ++__prefix_line = FILE ++ ++[lt_journal] ++__prefix_line = JRNL ++ ++# specified in definition section of filter (see filter checklogtype_test.conf): ++[lt_test] ++__prefix_line = TEST ++ ++# specified in init parameter of jail (see ../jail.conf, jail checklogtype_init): ++[lt_init] ++__prefix_line = INIT +--- /dev/null ++++ b/fail2ban/tests/config/filter.d/checklogtype_test.conf +@@ -0,0 +1,12 @@ ++# Fail2Ban configuration file ++# ++ ++[INCLUDES] ++ ++# Read common prefixes (logtype is set in default section) ++before = checklogtype.conf ++ ++[Definition] ++ ++# overwrite logtype in definition (no backend anymore): ++logtype = test +\ No newline at end of file +--- a/fail2ban/tests/config/jail.conf ++++ b/fail2ban/tests/config/jail.conf +@@ -74,3 +74,28 @@ journalmatch = _COMM=test + maxlines = 2 + usedns = no + enabled = false ++ ++[checklogtype_jrnl] ++filter = checklogtype ++backend = systemd ++action = action ++enabled = false ++ ++[checklogtype_file] ++filter = checklogtype ++backend = polling ++logpath = README.md ++action = action ++enabled = false ++ ++[checklogtype_test] ++filter = checklogtype_test ++backend = systemd ++action = action ++enabled = false ++ ++[checklogtype_init] ++filter = checklogtype_test[logtype=init] ++backend = systemd ++action = action ++enabled = false diff --git a/Makefile b/Makefile new file mode 100644 index 0000000..70b552a --- /dev/null +++ b/Makefile @@ -0,0 +1,26 @@ +TARGET?=fail2ban +MODULES?=${TARGET:=.pp.bz2} +SHAREDIR?=/usr/share + +all: ${TARGET:=.pp.bz2} + +%.pp.bz2: %.pp + @echo Compressing $^ -\> $@ + bzip2 -9 $^ + +%.pp: %.te + make -f ${SHAREDIR}/selinux/devel/Makefile $@ + +clean: + rm -f *~ *.tc *.pp *.pp.bz2 + rm -rf tmp *.tar.gz + +man: install-policy + sepolicy manpage --path . --domain ${TARGET}_t + +install-policy: all + semodule -i ${TARGET}.pp.bz2 + +install: man + install -D -m 644 ${TARGET}.pp.bz2 ${DESTDIR}${SHAREDIR}/selinux/packages/${TARGET}.pp.bz2 + install -D -m 644 ${TARGET}_selinux.8 ${DESTDIR}${SHAREDIR}/man/man8/ diff --git a/fail2ban.fc b/fail2ban.fc new file mode 100644 index 0000000..4da938f --- /dev/null +++ b/fail2ban.fc @@ -0,0 +1,9 @@ +/etc/rc\.d/init\.d/fail2ban -- gen_context(system_u:object_r:fail2ban_initrc_exec_t,s0) + +/usr/bin/fail2ban -- gen_context(system_u:object_r:fail2ban_exec_t,s0) +/usr/bin/fail2ban-client -- gen_context(system_u:object_r:fail2ban_client_exec_t,s0) +/usr/bin/fail2ban-server -- gen_context(system_u:object_r:fail2ban_exec_t,s0) + +/var/lib/fail2ban(/.*)? gen_context(system_u:object_r:fail2ban_var_lib_t,s0) +/var/log/fail2ban\.log.* -- gen_context(system_u:object_r:fail2ban_log_t,s0) +/var/run/fail2ban.* gen_context(system_u:object_r:fail2ban_var_run_t,s0) diff --git a/fail2ban.if b/fail2ban.if new file mode 100644 index 0000000..94e1936 --- /dev/null +++ b/fail2ban.if @@ -0,0 +1,313 @@ +## Update firewall filtering to ban IP addresses with too many password failures. + +######################################## +## +## Execute a domain transition to run fail2ban. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`fail2ban_domtrans',` + gen_require(` + type fail2ban_t, fail2ban_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, fail2ban_exec_t, fail2ban_t) +') + +####################################### +## +## Execute the fail2ban client in +## the fail2ban client domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`fail2ban_domtrans_client',` + gen_require(` + type fail2ban_client_t, fail2ban_client_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, fail2ban_client_exec_t, fail2ban_client_t) +') + +####################################### +## +## Execute fail2ban client in the +## fail2ban client domain, and allow +## the specified role the fail2ban +## client domain. +## +## +## +## Domain allowed to transition. +## +## +## +## +## Role allowed access. +## +## +# +interface(`fail2ban_run_client',` + gen_require(` + attribute_role fail2ban_client_roles; + ') + + fail2ban_domtrans_client($1) + roleattribute $2 fail2ban_client_roles; +') + +##################################### +## +## Connect to fail2ban over a unix domain +## stream socket. +## +## +## +## Domain allowed access. +## +## +# +interface(`fail2ban_stream_connect',` + gen_require(` + type fail2ban_t, fail2ban_var_run_t; + ') + + files_search_pids($1) + stream_connect_pattern($1, fail2ban_var_run_t, fail2ban_var_run_t, fail2ban_t) +') + +######################################## +## +## Read and write inherited temporary files. +## +## +## +## Domain allowed access. +## +## +# +interface(`fail2ban_rw_inherited_tmp_files',` + gen_require(` + type fail2ban_tmp_t; + ') + + files_search_tmp($1) + allow $1 fail2ban_tmp_t:file rw_inherited_file_perms; +') + +######################################## +## +## Read and write to an fail2ba unix stream socket. +## +## +## +## Domain allowed access. +## +## +# +interface(`fail2ban_rw_stream_sockets',` + gen_require(` + type fail2ban_t; + ') + + allow $1 fail2ban_t:unix_stream_socket rw_stream_socket_perms; +') + +####################################### +## +## Do not audit attempts to use +## fail2ban file descriptors. +## +## +## +## Domain to not audit. +## +## +# +interface(`fail2ban_dontaudit_use_fds',` + gen_require(` + type fail2ban_t; + ') + + dontaudit $1 fail2ban_t:fd use; +') + +####################################### +## +## Do not audit attempts to read and +## write fail2ban unix stream sockets +## +## +## +## Domain to not audit. +## +## +# +interface(`fail2ban_dontaudit_rw_stream_sockets',` + gen_require(` + type fail2ban_t; + ') + + dontaudit $1 fail2ban_t:unix_stream_socket { read write }; +') + +######################################## +## +## Read fail2ban lib files. +## +## +## +## Domain allowed access. +## +## +# +interface(`fail2ban_read_lib_files',` + gen_require(` + type fail2ban_var_lib_t; + ') + + files_search_var_lib($1) + read_files_pattern($1, fail2ban_var_lib_t, fail2ban_var_lib_t) +') + +######################################## +## +## Allow the specified domain to read fail2ban's log files. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`fail2ban_read_log',` + gen_require(` + type fail2ban_log_t; + ') + + logging_search_logs($1) + allow $1 fail2ban_log_t:dir list_dir_perms; + allow $1 fail2ban_log_t:file read_file_perms; +') + +######################################## +## +## Allow the specified domain to append +## fail2ban log files. +## +## +## +## Domain allowed access. +## +## +# +interface(`fail2ban_append_log',` + gen_require(` + type fail2ban_log_t; + ') + + logging_search_logs($1) + allow $1 fail2ban_log_t:dir list_dir_perms; + allow $1 fail2ban_log_t:file append_file_perms; +') + +######################################## +## +## Read fail2ban PID files. +## +## +## +## Domain allowed access. +## +## +# +interface(`fail2ban_read_pid_files',` + gen_require(` + type fail2ban_var_run_t; + ') + + files_search_pids($1) + allow $1 fail2ban_var_run_t:file read_file_perms; +') + +######################################## +## +## dontaudit read and write an leaked file descriptors +## +## +## +## Domain to not audit. +## +## +# +interface(`fail2ban_dontaudit_leaks',` + gen_require(` + type fail2ban_t; + ') + + dontaudit $1 fail2ban_t:tcp_socket { read write }; + dontaudit $1 fail2ban_t:unix_dgram_socket { read write }; + dontaudit $1 fail2ban_t:unix_stream_socket { read write }; +') + +######################################## +## +## All of the rules required to administrate +## an fail2ban environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the fail2ban domain. +## +## +## +# +interface(`fail2ban_admin',` + gen_require(` + type fail2ban_t, fail2ban_log_t, fail2ban_initrc_exec_t; + type fail2ban_var_run_t, fail2ban_var_lib_t, fail2ban_tmp_t; + type fail2ban_client_t; + ') + + allow $1 { fail2ban_t fail2ban_client_t }:process signal_perms; + ps_process_pattern($1, { fail2ban_t fail2ban_client_t }) + + tunable_policy(`deny_ptrace',`',` + allow $1 { fail2ban_t fail2ban_client_t }:process ptrace; + ') + + init_labeled_script_domtrans($1, fail2ban_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 fail2ban_initrc_exec_t system_r; + allow $2 system_r; + + logging_list_logs($1) + admin_pattern($1, fail2ban_log_t) + + files_list_pids($1) + admin_pattern($1, fail2ban_var_run_t) + + files_list_var_lib($1) + admin_pattern($1, fail2ban_var_lib_t) + + files_list_tmp($1) + admin_pattern($1, fail2ban_tmp_t) + + fail2ban_run_client($1, $2) +') diff --git a/fail2ban.spec b/fail2ban.spec index f17c7d4..22f73c2 100644 --- a/fail2ban.spec +++ b/fail2ban.spec @@ -1,10 +1,16 @@ -Summary: Daemon to ban hosts that cause multiple authentication errors Name: fail2ban -Version: 0.10.5 -Release: 2%{?dist} +Version: 0.11.1 +Release: 6%{?dist} +Summary: Daemon to ban hosts that cause multiple authentication errors + License: GPLv2+ URL: http://fail2ban.sourceforge.net/ Source0: https://github.com/%{name}/%{name}/archive/%{version}.tar.gz#/%{name}-%{version}.tar.gz +# SELinux policy +Source1: fail2ban.fc +Source2: fail2ban.if +Source3: fail2ban.te +Source4: Makefile # Give up being PartOf iptables and ipset for now # https://bugzilla.redhat.com/show_bug.cgi?id=1379141 # https://bugzilla.redhat.com/show_bug.cgi?id=1573185 @@ -13,17 +19,25 @@ Patch0: fail2ban-partof.patch Patch1: https://github.com/fail2ban/fail2ban/commit/ec37b1942c4da76f7a0f71efe81bea6835466648.patch # testIPAddr_CompareDNS: add missing network constraint Patch2: https://github.com/fail2ban/fail2ban/commit/b158f83aa3795f387c8475ceb48df197a94a37e8.patch -# FIx test thread stack size on aarch64 +# Fix test thread stack size on aarch64 Patch3: https://github.com/fail2ban/fail2ban/commit/8694c547285c4030d4bf7661981673038e6e9829.patch - -BuildRequires: python-devel +# Fix handling of journal in tests +Patch4: https://github.com/fail2ban/fail2ban/commit/8dc6f30cdd855c41b80ebdde3fe2bc91cc94e594.patch +# Fix test install +Patch5: https://patch-diff.githubusercontent.com/raw/fail2ban/fail2ban/pull/2605.patch +# Patch for Python 3.9 +# https://bugzilla.redhat.com/show_bug.cgi?id=1808347 +Patch6: https://patch-diff.githubusercontent.com/raw/fail2ban/fail2ban/pull/2651.patch +Patch7: https://github.com/fail2ban/fail2ban/commit/343ec1cdd296530f331637c725bd2bb0549e01e6.patch + +BuildRequires: python3-devel +BuildRequires: /usr/bin/2to3 # For testcases -BuildRequires: python-inotify +BuildRequires: python3-inotify BuildRequires: sqlite BuildArch: noarch -%if 0%{?fedora} || 0%{?rhel} >= 7 BuildRequires: systemd -%endif +BuildRequires: selinux-policy-devel # Default components Requires: %{name}-firewalld = %{version}-%{release} Requires: %{name}-sendmail = %{version}-%{release} @@ -47,21 +61,25 @@ sub-packages are available to install support for other actions and configurations. +%package selinux +Summary: SELinux policies for Fail2Ban +%{?selinux_requires} +%global modulename fail2ban +%global selinuxtype targeted + +%description selinux +SELinux policies for Fail2Ban. + + %package server Summary: Core server component for Fail2Ban -%if 0%{?fedora} || 0%{?rhel} >= 7 -Requires: systemd-python +Requires: python3-systemd Requires(post): systemd Requires(preun): systemd Requires(postun): systemd -%else -Requires: initscripts -Requires(post): /sbin/chkconfig -Requires(preun): /sbin/chkconfig -Requires(preun): /sbin/service -%endif Requires: ipset Requires: iptables +Requires: (%{name}-selinux if selinux-policy-%{selinuxtype}) %description server This package contains the core server components for Fail2Ban with minimal @@ -79,9 +97,10 @@ Requires: %{name}-server = %{version}-%{release} Requires: %{name}-shorewall = %{version}-%{release} # Currently this breaks jails that don't log to the journal #Requires: %{name}-systemd = %{version}-%{release} -Requires: gamin-python -Requires: perl -Requires: python-inotify +# No python3 support for gamin +#Requires: gamin-python +Requires: perl-interpreter +Requires: python3-inotify Requires: /usr/bin/whois %description all @@ -160,20 +179,25 @@ by default. # Use Fedora paths sed -i -e 's/^before = paths-.*/before = paths-fedora.conf/' config/jail.conf +2to3 --write --nobackups . +find -type f -exec sed -i -e '1s,^#!/usr/bin/python *,#!/usr/bin/python%{python3_version},' {} + + +# SELinux sources +cp -p %SOURCE1 %SOURCE2 %SOURCE3 . + %build -%py_build +%py3_build +make -f %SOURCE4 %install -%py_install +%py3_install + +# Make symbolic link relative +ln -fs python3 %{buildroot}%{_bindir}/fail2ban-python -%if 0%{?fedora} || 0%{?rhel} >= 7 mkdir -p %{buildroot}%{_unitdir} cp -p build/fail2ban.service %{buildroot}%{_unitdir}/ -%else -mkdir -p %{buildroot}%{_initddir} -install -p -m 755 files/redhat-initd %{buildroot}%{_initddir}/fail2ban -%endif mkdir -p %{buildroot}%{_mandir}/man{1,5} install -p -m 644 man/*.1 %{buildroot}%{_mandir}/man1 install -p -m 644 man/*.5 %{buildroot}%{_mandir}/man5 @@ -182,25 +206,27 @@ install -p -m 644 files/fail2ban-logrotate %{buildroot}%{_sysconfdir}/logrotate. install -d -m 0755 %{buildroot}/run/fail2ban/ install -m 0600 /dev/null %{buildroot}/run/fail2ban/fail2ban.pid install -d -m 0755 %{buildroot}%{_localstatedir}/lib/fail2ban/ -%if 0%{?fedora} || 0%{?rhel} >= 7 mkdir -p %{buildroot}%{_tmpfilesdir} install -p -m 0644 files/fail2ban-tmpfiles.conf %{buildroot}%{_tmpfilesdir}/fail2ban.conf -%endif + # Remove non-Linux actions rm %{buildroot}%{_sysconfdir}/%{name}/action.d/*ipfw.conf rm %{buildroot}%{_sysconfdir}/%{name}/action.d/{ipfilter,pf,ufw}.conf rm %{buildroot}%{_sysconfdir}/%{name}/action.d/osx-*.conf + # Remove config files for other distros rm -f %{buildroot}%{_sysconfdir}/fail2ban/paths-{arch,debian,freebsd,opensuse,osx}.conf + # firewalld configuration cat > %{buildroot}%{_sysconfdir}/%{name}/jail.d/00-firewalld.conf <] -banaction_allports = firewallcmd-ipset[actiontype=] +banaction = firewallcmd-rich-rules[actiontype=] +banaction_allports = firewallcmd-rich-rules[actiontype=] EOF + # systemd journal configuration cat > %{buildroot}%{_sysconfdir}/%{name}/jail.d/00-systemd.conf < %{buildroot}%{_sysconfdir}/%{name}/jail.d/00-systemd.conf <= 7 %systemd_post fail2ban.service -%else -/sbin/chkconfig --add %{name} -%endif %preun server -%if 0%{?fedora} || 0%{?rhel} >= 7 %systemd_preun fail2ban.service -%else -if [ $1 = 0 ]; then - /sbin/service %{name} stop > /dev/null 2>&1 - /sbin/chkconfig --del %{name} -fi -%endif -%if 0%{?fedora} || 0%{?rhel} >= 7 %postun server %systemd_postun_with_restart fail2ban.service -%endif + %files +%files selinux +%{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2 +%ghost %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{name} +%license COPYING + %files server %doc README.md TODO ChangeLog COPYING doc/*.txt %{_bindir}/fail2ban-client %{_bindir}/fail2ban-python %{_bindir}/fail2ban-regex %{_bindir}/fail2ban-server -%{python2_sitelib}/* -%exclude %{python2_sitelib}/fail2ban/tests -%if 0%{?fedora} || 0%{?rhel} >= 7 +%{python3_sitelib}/* +%exclude %{python3_sitelib}/fail2ban/tests %{_unitdir}/fail2ban.service -%else -%{_initddir}/fail2ban -%endif %{_mandir}/man1/fail2ban.1* %{_mandir}/man1/fail2ban-client.1* %{_mandir}/man1/fail2ban-python.1* @@ -274,9 +308,7 @@ fi %exclude %{_sysconfdir}/fail2ban/action.d/shorewall.conf %exclude %{_sysconfdir}/fail2ban/jail.d/*.conf %config(noreplace) %{_sysconfdir}/logrotate.d/fail2ban -%if 0%{?fedora} || 0%{?rhel} >= 7 %{_tmpfilesdir}/fail2ban.conf -%endif %dir %{_localstatedir}/lib/fail2ban/ %dir /run/%{name}/ %ghost %verify(not size mtime md5) /run/%{name}/%{name}.pid @@ -292,7 +324,7 @@ fi %files tests %{_bindir}/fail2ban-testcases %{_mandir}/man1/fail2ban-testcases.1* -%{python2_sitelib}/fail2ban/tests +%{python3_sitelib}/fail2ban/tests %files mail %config(noreplace) %{_sysconfdir}/fail2ban/action.d/complain.conf @@ -312,24 +344,104 @@ fi %changelog -* Tue Jan 21 2020 Orion Poplawski - 0.10.5-2 +* Thu Apr 16 2020 Richard Shaw - 0.11.1-6 +- Change default firewalld backend from ipset to rich-rules as ipset causes + firewalld to use legacy iptables. Fixes RHBZ#1823746. +- Remove conditionals for EL versions less than 7. + +* Thu Mar 19 2020 Richard Shaw - 0.11.1-5 +- Update for Python 3.9. + +* Wed Feb 26 2020 Orion Poplawski - 0.11.1-4 +- Add SELinux policy + +* Tue Jan 28 2020 Fedora Release Engineering - 0.11.1-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Tue Jan 21 2020 Orion Poplawski - 0.11.1-2 - Move action.d/mail-whois-common.conf into fail2ban-server +* Tue Jan 14 2020 Orion Poplawski - 0.11.1-1 +- Update to 0.11.1 + * Tue Jan 14 2020 Orion Poplawski - 0.10.5-1 - Update to 0.10.5 -* Sat Nov 23 2019 Orion Poplawski - 0.10.4-1 -- Update to 0.10.4 +* Thu Nov 21 2019 Orion Poplawski - 0.10.4-8 - Define banaction_allports for firewalld, update banaction (bz#1775175) - Update sendmail-reject with TLSMTA & MSA port IDs (bz#1722625) + +* Thu Oct 31 2019 Orion Poplawski - 0.10.4-7 - Remove config files for other distros (bz#1533113) +* Thu Oct 03 2019 Miro Hrončok - 0.10.4-6 +- Rebuilt for Python 3.8.0rc1 (#1748018) + +* Mon Aug 19 2019 Miro Hrončok - 0.10.4-5 +- Rebuilt for Python 3.8 + +* Thu Jul 25 2019 Fedora Release Engineering - 0.10.4-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Thu Jan 31 2019 Fedora Release Engineering - 0.10.4-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Sun Nov 18 2018 Zbigniew Jędrzejewski-Szmek - 0.10.4-2 +- Drop explicit locale setting + See https://fedoraproject.org/wiki/Changes/Remove_glibc-langpacks-all_from_buildroot + +* Fri Oct 5 2018 Orion Poplawski - 0.10.4-1 +- Update to 0.10.4 + +* Fri Jul 13 2018 Fedora Release Engineering - 0.10.3.1-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Tue Jun 19 2018 Orion Poplawski - 0.10.3.1-2 +- Remove PartOf ipset.service (bug #1573185) + +* Tue Jun 19 2018 Orion Poplawski - 0.10.3.1-1 +- Update to 0.10.3.1 + +* Tue Jun 19 2018 Miro Hrončok - 0.10.2-2 +- Rebuilt for Python 3.7 + +* Wed Mar 28 2018 Orion Poplawski - 0.10.2-1 +- Update to 0.10.2 + +* Wed Feb 07 2018 Fedora Release Engineering - 0.10.1-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Sat Dec 30 2017 Orion Poplawski - 0.10.1-3 +- Add upstream patch to fix ipset issue (bug #1525134) + +* Sat Dec 30 2017 Orion Poplawski - 0.10.1-2 +- Add upstream patch to fix buildroot issue + +* Tue Nov 14 2017 Orion Poplawski - 0.10.1-1 +- Update to 0.10.1 + +* Wed Sep 20 2017 Orion Poplawski - 0.10.0-1 +- Update to 0.10.0 + +* Wed Aug 16 2017 Orion Poplawski - 0.9.7-4 +- Use BR /usr/bin/2to3 + +* Wed Jul 26 2017 Fedora Release Engineering - 0.9.7-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Thu Jul 13 2017 Petr Pisar - 0.9.7-2 +- perl dependency renamed to perl-interpreter + + * Wed Jul 12 2017 Orion Poplawski - 0.9.7-1 - Update to 0.9.7 -* Wed Feb 15 2017 Orion Poplawski - 0.9.6-3 +* Wed Feb 15 2017 Orion Poplawski - 0.9.6-4 - Properly handle /run/fail2ban (bug #1422500) +* Fri Feb 10 2017 Fedora Release Engineering - 0.9.6-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + * Tue Jan 10 2017 Orion Poplawski - 0.9.6-2 - Add upstream patch to fix fail2ban-regex with journal @@ -359,6 +471,12 @@ fi - Update to 0.9.5 - Drop mysql patch applied upstream +* Tue Jul 19 2016 Fedora Release Engineering - 0.9.4-6 +- https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages + +* Tue Apr 5 2016 Orion Poplawski - 0.9.4-5 +- Fix python3 usage (bug #1324113) + * Sun Mar 27 2016 Orion Poplawski - 0.9.4-4 - Use %%{_tmpfilesdir} for systemd tmpfile config @@ -372,6 +490,9 @@ fi - Update to 0.9.4 - Use mariadb log path by default +* Tue Feb 23 2016 Orion Poplawski - 0.9.3-3 +- Use python3 (bug #1282498) + * Wed Feb 03 2016 Fedora Release Engineering - 0.9.3-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild diff --git a/fail2ban.te b/fail2ban.te new file mode 100644 index 0000000..302f4bc --- /dev/null +++ b/fail2ban.te @@ -0,0 +1,191 @@ +policy_module(fail2ban, 1.5.0) + +######################################## +# +# Declarations +# + +attribute_role fail2ban_client_roles; + +type fail2ban_t; +type fail2ban_exec_t; +init_daemon_domain(fail2ban_t, fail2ban_exec_t) + +type fail2ban_initrc_exec_t; +init_script_file(fail2ban_initrc_exec_t) + +type fail2ban_log_t; +logging_log_file(fail2ban_log_t) + +type fail2ban_var_lib_t; +files_type(fail2ban_var_lib_t) + +type fail2ban_var_run_t; +files_pid_file(fail2ban_var_run_t) + +type fail2ban_tmp_t; +files_tmp_file(fail2ban_tmp_t) + +type fail2ban_client_t; +type fail2ban_client_exec_t; +init_system_domain(fail2ban_client_t, fail2ban_client_exec_t) +role fail2ban_client_roles types fail2ban_client_t; + +######################################## +# +# Server Local policy +# + +allow fail2ban_t self:capability { dac_read_search sys_tty_config }; +allow fail2ban_t self:process { getpgid setsched signal }; +allow fail2ban_t self:fifo_file rw_fifo_file_perms; +allow fail2ban_t self:unix_stream_socket { accept connectto listen }; +allow fail2ban_t self:tcp_socket { accept listen }; +allow fail2ban_t self:netlink_netfilter_socket create_socket_perms; + +read_files_pattern(fail2ban_t, fail2ban_t, fail2ban_t) + +append_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t) +create_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t) +setattr_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t) +logging_log_filetrans(fail2ban_t, fail2ban_log_t, file) + +manage_dirs_pattern(fail2ban_t, fail2ban_tmp_t, fail2ban_tmp_t) +manage_files_pattern(fail2ban_t, fail2ban_tmp_t, fail2ban_tmp_t) +exec_files_pattern(fail2ban_t, fail2ban_tmp_t, fail2ban_tmp_t) +files_tmp_filetrans(fail2ban_t, fail2ban_tmp_t, { dir file }) + +manage_dirs_pattern(fail2ban_t, fail2ban_var_lib_t, fail2ban_var_lib_t) +manage_files_pattern(fail2ban_t, fail2ban_var_lib_t, fail2ban_var_lib_t) + +manage_dirs_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t) +manage_sock_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t) +manage_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t) +files_pid_filetrans(fail2ban_t, fail2ban_var_run_t, file) + +kernel_read_system_state(fail2ban_t) +kernel_read_network_state(fail2ban_t) +kernel_read_net_sysctls(fail2ban_t) + +corecmd_exec_bin(fail2ban_t) +corecmd_exec_shell(fail2ban_t) + +corenet_all_recvfrom_netlabel(fail2ban_t) +corenet_tcp_sendrecv_generic_if(fail2ban_t) +corenet_tcp_sendrecv_generic_node(fail2ban_t) + +corenet_sendrecv_whois_client_packets(fail2ban_t) +corenet_tcp_connect_whois_port(fail2ban_t) +corenet_tcp_sendrecv_whois_port(fail2ban_t) + +dev_read_urand(fail2ban_t) +dev_read_sysfs(fail2ban_t) + +domain_use_interactive_fds(fail2ban_t) +domain_dontaudit_read_all_domains_state(fail2ban_t) + +files_read_etc_runtime_files(fail2ban_t) +files_list_var(fail2ban_t) +files_dontaudit_list_tmp(fail2ban_t) + +fs_list_inotifyfs(fail2ban_t) +fs_getattr_all_fs(fail2ban_t) + +auth_use_nsswitch(fail2ban_t) + +logging_read_all_logs(fail2ban_t) +logging_read_audit_log(fail2ban_t) +logging_send_syslog_msg(fail2ban_t) +logging_read_syslog_pid(fail2ban_t) +logging_dontaudit_search_audit_logs(fail2ban_t) +logging_mmap_generic_logs(fail2ban_t) +logging_mmap_journal(fail2ban_t) + +mta_send_mail(fail2ban_t) + +sysnet_manage_config(fail2ban_t) + +optional_policy(` + apache_read_log(fail2ban_t) +') + +optional_policy(` + dbus_system_bus_client(fail2ban_t) + dbus_connect_system_bus(fail2ban_t) + + optional_policy(` + firewalld_dbus_chat(fail2ban_t) + ') +') + +optional_policy(` + ftp_read_log(fail2ban_t) +') + +optional_policy(` + gnome_dontaudit_search_config(fail2ban_t) +') + +optional_policy(` + iptables_domtrans(fail2ban_t) +') + +optional_policy(` + allow fail2ban_t self:capability sys_resource; + allow fail2ban_t self:process setrlimit; + journalctl_exec(fail2ban_t) +') + +optional_policy(` + libs_exec_ldconfig(fail2ban_t) +') + +optional_policy(` + rpm_exec(fail2ban_t) +') + +optional_policy(` + shorewall_domtrans(fail2ban_t) +') + +######################################## +# +# Client Local policy +# + +allow fail2ban_client_t self:capability { dac_read_search }; +allow fail2ban_client_t self:unix_stream_socket { create connect write read }; + +domtrans_pattern(fail2ban_client_t, fail2ban_exec_t, fail2ban_t) + +allow fail2ban_client_t fail2ban_t:process { rlimitinh }; + +dontaudit fail2ban_client_t fail2ban_var_run_t:dir_file_class_set audit_access; +allow fail2ban_client_t fail2ban_var_run_t:dir write; +stream_connect_pattern(fail2ban_client_t, fail2ban_var_run_t, fail2ban_var_run_t, fail2ban_t) + +kernel_read_system_state(fail2ban_client_t) + +corecmd_exec_bin(fail2ban_client_t) + +dev_read_urand(fail2ban_client_t) +dev_read_rand(fail2ban_client_t) + +domain_use_interactive_fds(fail2ban_client_t) + +files_search_pids(fail2ban_client_t) + +auth_use_nsswitch(fail2ban_client_t) + +libs_exec_ldconfig(fail2ban_client_t) + +logging_getattr_all_logs(fail2ban_client_t) +logging_search_all_logs(fail2ban_client_t) +logging_read_audit_log(fail2ban_client_t) + +userdom_dontaudit_search_user_home_dirs(fail2ban_client_t) +userdom_use_user_terminals(fail2ban_client_t) + +optional_policy(` + apache_read_log(fail2ban_client_t) +') diff --git a/sources b/sources index 96975ca..585083b 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (fail2ban-0.10.5.tar.gz) = 306153587a3fcda6e72856f0b7817ea76eda83cca84d5a9af2d182aaf06cc18379c31ae22b16f7544d988bf5abaf8e12df229c350a48bbdf01751a56c9be80c6 +SHA512 (fail2ban-0.11.1.tar.gz) = 019b088aa6375f98742ed101ef6f65adabca3324444d71d5b8597a8d1d22fa76b9f503660f0498643fe24a3b8e4368de916072a1ab77b8e2ea3eda41c3e0c8c6