Comment 25 for bug 372304

In , Arthur (arthur-redhat-bugs) wrote:

Thank you Axel,

OK - I am a pretty happy camper at this stage. There is one thing I find a little strange however.

I had a few selinux avcs with the previous version of F2B for which I created a local policy module. Having allowed yum to update F2B this morning I got a slew of new selinux avcs.

The original policy module looked like this:

require {
 type iptables_t;
 type system_mail_t;
 type fail2ban_t;
 class unix_stream_socket { read write };
}

#============= iptables_t ==============
allow iptables_t fail2ban_t:unix_stream_socket { read write };

#============= system_mail_t ==============
allow system_mail_t fail2ban_t:unix_stream_socket { read write };

Using audit2allow these are the additional policies I needed to add after this morning's update:

require {
 type system_mail_t;
 type fail2ban_t;
 type usr_t;
 type syslogd_t;
 type iptables_t;
 class unix_dgram_socket { read write sendto };
 class file read;
}

#============= fail2ban_t ==============
allow fail2ban_t self:unix_dgram_socket write;
allow fail2ban_t syslogd_t:unix_dgram_socket sendto;

#============= iptables_t ==============
allow iptables_t fail2ban_t:unix_dgram_socket { read write };

#============= system_mail_t ==============
allow system_mail_t fail2ban_t:unix_dgram_socket { read write };
allow system_mail_t usr_t:file read;

Combining the two gives me a monster policy that makes me wonder whether I am doing the right thing in allowing all these things.

Why should the new release need so many additional rules?

Thanks for all your work on this....

Mark
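As an added example (not part of the bug report, and not Fail2ban's or Fedora's own policy), the script below merges the two audit2allow fragments quoted in the comment into one local module with a single de-duplicated require block, checks that every type used in an allow rule is actually declared, and prints the checkmodule/semodule_package/semodule steps needed to load it. The module name fail2ban_local and the output path are assumptions; the rules themselves are exactly the ones above.

```shell
#!/bin/sh
# Added example: combine the two audit2allow outputs from the comment into
# one SELinux policy module source (.te). Module name "fail2ban_local" is an
# assumed name, not one used by the Fail2ban package.
set -eu

# Write the merged .te source to the path given as $1. The require block
# lists each type and class once, with the access vectors of both fragments
# merged (unix_stream_socket from the old module, unix_dgram_socket and
# file from the new one).
write_combined_te() {
    out="$1"
    cat > "$out" <<'EOF'
module fail2ban_local 1.0;

require {
    type fail2ban_t;
    type iptables_t;
    type system_mail_t;
    type syslogd_t;
    type usr_t;
    class unix_stream_socket { read write };
    class unix_dgram_socket { read write sendto };
    class file read;
}

#============= fail2ban_t ==============
allow fail2ban_t self:unix_dgram_socket write;
allow fail2ban_t syslogd_t:unix_dgram_socket sendto;

#============= iptables_t ==============
allow iptables_t fail2ban_t:unix_stream_socket { read write };
allow iptables_t fail2ban_t:unix_dgram_socket { read write };

#============= system_mail_t ==============
allow system_mail_t fail2ban_t:unix_stream_socket { read write };
allow system_mail_t fail2ban_t:unix_dgram_socket { read write };
allow system_mail_t usr_t:file read;
EOF
}

# Number of allow rules in a .te file; a quick size check before loading.
count_allow_rules() {
    grep -c '^allow ' "$1"
}

# Verify that every source and target type used by an allow rule is
# declared in the require block ("self" needs no declaration). Prints any
# missing type and returns non-zero, which is what checkmodule would also
# reject, only later and less readably.
check_require_block() {
    te="$1"
    rc=0
    for t in $(grep '^allow ' "$te" | awk '{print $2; split($3,a,":"); print a[1]}' | sort -u); do
        [ "$t" = self ] && continue
        grep -q "^[[:space:]]*type $t;" "$te" || { echo "missing require: $t"; rc=1; }
    done
    return $rc
}

# The build/load sequence (needs checkmodule, semodule_package and semodule,
# and root for the final step). Printed instead of executed so the script
# also runs on a host without the SELinux toolchain.
show_build_commands() {
    te="$1"
    base=${te%.te}
    printf 'checkmodule -M -m -o %s.mod %s\n' "$base" "$te"
    printf 'semodule_package -o %s.pp -m %s.mod\n' "$base" "$base"
    printf 'semodule -i %s.pp\n' "$base"
}

# Before loading a merged module it is worth confirming each denial really
# needs a new rule rather than a boolean or a relabel; audit2why reports the
# cause for every AVC it is fed:
#   ausearch -m avc -ts recent | audit2why

# Usage: sh merge_fail2ban_te.sh /path/to/fail2ban_local.te
if [ "${1:-}" != "" ]; then
    write_combined_te "$1"
    check_require_block "$1"
    echo "$(count_allow_rules "$1") allow rules written to $1"
    show_build_commands "$1"
fi
```

The merged module carries seven allow rules in all, so the check in check_require_block is the useful part: it catches the common mistake of pasting a new audit2allow fragment into an existing .te file without also merging its require block.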