commit: 282c67cd689d85ddd0f9f0496a2411b67bb50527
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue Jun 9 13:26:55 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Jun 9 13:34:30 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=282c67cd

Fail2ban smoketest fixes

This partially fixes some of the reported issues in bug #534256. More
specifically, fail2ban fails to start because
- fail2ban-client is invoked from the service and checks if it has write
  privileges on /run/fail2ban (although it does not by itself use it
  further).
- fail2ban init script creates /run/fail2ban so a file transition is
  needed
- output should be captured when an init script is used, hence allow
  fail2ban_client_t access to the initrc script ptys.

X-Gentoo-Bug: 534256

policy/modules/contrib/fail2ban.te | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/policy/modules/contrib/fail2ban.te
b/policy/modules/contrib/fail2ban.te
index 6b9fb7e..bc6bd8e 100644
--- a/policy/modules/contrib/fail2ban.te
+++ b/policy/modules/contrib/fail2ban.te
@@ -159,6 +159,12 @@ ifdef(`distro_gentoo',`
# Python compilation
files_dontaudit_write_usr_dirs(fail2ban_t)
+
+ # Fix bug 534256 - Startup fails without these
+ allow fail2ban_client_t fail2ban_var_run_t:dir write;
+
+ init_daemon_pid_file(fail2ban_var_run_t, dir, "fail2ban")
+ init_use_script_ptys(fail2ban_client_t)
')
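
Review bot: the comment above `allow fail2ban_client_t fail2ban_var_run_t:dir write;` says only "Startup fails without these", which drops the reasoning given in the commit message: fail2ban-client merely checks for write access on /run/fail2ban and does not use it further. Please record that on the rule itself, so that a later change does not widen the grant to add_name/remove_name or swap it for a broader directory pattern on the assumption that the client really writes there. The same goes for `init_daemon_pid_file(fail2ban_var_run_t, dir, "fail2ban")` and `init_use_script_ptys(fail2ban_client_t)`: a one-line comment each (init script creates /run/fail2ban; client output is captured on the initrc script ptys) would let every grant be audited on its own instead of under one shared bug reference.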