commit:     dc2ab995ed353dbd547b1522a60330abe448aff4
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue Jun  9 13:26:55 2015 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Jun  9 13:26:55 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=dc2ab995

Fail2ban smoketest fixes

This partially fixes some of the reported issues in bug #534256. More
specifically, fail2ban fails to start because
- fail2ban-client is invoked from the service and checks if it has write
  privileges on /run/fail2ban (although it does not by itself use it
  further).
- fail2ban init script creates /run/fail2ban so a file transition is
  needed
- output should be captured when an init script is used, hence allow
  fail2ban_client_t access to the initrc script ptys.

X-Gentoo-Bug: 534256

 policy/modules/contrib/fail2ban.te | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/policy/modules/contrib/fail2ban.te 
b/policy/modules/contrib/fail2ban.te
index 6b9fb7e..bc6bd8e 100644
--- a/policy/modules/contrib/fail2ban.te
+++ b/policy/modules/contrib/fail2ban.te
@@ -159,6 +159,12 @@ ifdef(`distro_gentoo',`
 
        # Python compilation    
        files_dontaudit_write_usr_dirs(fail2ban_t)
+
+       # Fix bug 534256 - Startup fails without these
+       allow fail2ban_client_t fail2ban_var_run_t:dir write;
+
+       init_daemon_pid_file(fail2ban_var_run_t, dir, "fail2ban")
+       init_use_script_ptys(fail2ban_client_t)
 ')
 
 
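Review bot: the single comment over the added block ("Fix bug 534256 - Startup fails without these") does not say why each of the three rules is needed, and the reasoning currently lives only in the commit message. The `allow fail2ban_client_t fail2ban_var_run_t:dir write;` rule is the one that most needs its own comment: according to the commit message fail2ban-client only checks for write access on /run/fail2ban and does not use it further, so a note that the bare `write` (without `add_name` or `remove_name`) is deliberate would keep it from being widened to a full read/write set later. Short comments on `init_daemon_pid_file(...)` (the init script creates /run/fail2ban) and `init_use_script_ptys(...)` (capturing output when started from an init script) would cover the rest. The comment also says "Fix" where the commit message says the change partially fixes the bug; "Partial fix for bug 534256" would match. Finally, all three rules land inside the ifdef(`distro_gentoo') block; if the fail2ban-client write check is not tied to the Gentoo init script, the allow rule belongs outside that block.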
