Thank you Axel,
OK - I am a pretty happy camper at this stage. There is one thing I find a little strange however.
I had a few SELinux AVCs with the previous version of F2B for which I created a local policy module. Having allowed yum to update F2B this morning I got a slew of new SELinux AVCs.
The original policy module looked like this:
require {
    type iptables_t;
    type system_mail_t;
    type fail2ban_t;
    class unix_stream_socket { read write };
}

#============= iptables_t ==============
allow iptables_t fail2ban_t:unix_stream_socket { read write };

#============= system_mail_t ==============
allow system_mail_t fail2ban_t:unix_stream_socket { read write };
Using audit2allow these are the additional policies I needed to add after this morning's update:
require {
    type system_mail_t;
    type fail2ban_t;
    type usr_t;
    type syslogd_t;
    type iptables_t;
    class unix_dgram_socket { read write sendto };
    class file read;
}

#============= fail2ban_t ==============
allow fail2ban_t self:unix_dgram_socket write;
allow fail2ban_t syslogd_t:unix_dgram_socket sendto;

#============= iptables_t ==============
allow iptables_t fail2ban_t:unix_dgram_socket { read write };

#============= system_mail_t ==============
allow system_mail_t fail2ban_t:unix_dgram_socket { read write };
allow system_mail_t usr_t:file read;
Combining the two gives me a monster policy that makes me wonder whether I am doing the right thing in allowing all these things.
Why should the new release need so many additional rules?
Thanks for all your work on this...
Mark
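As an added example (not from Mark's post and not Fail2ban project code), a small Python merger that unions the require blocks and allow rules of the two audit2allow fragments quoted above, so the combined local module has each type, class and rule exactly once and the permission sets are sorted for a stable diff. The input strings are constructed from the rules in the post, with the "#=====" banner comments left out.

```python
import re
from collections import defaultdict
# Constructed sample input: the two audit2allow fragments from the post.
OLD_TE = """
require {
    type iptables_t;
    type system_mail_t;
    type fail2ban_t;
    class unix_stream_socket { read write };
}
allow iptables_t fail2ban_t:unix_stream_socket { read write };
allow system_mail_t fail2ban_t:unix_stream_socket { read write };
"""
NEW_TE = """
require {
    type system_mail_t;
    type fail2ban_t;
    type usr_t;
    type syslogd_t;
    type iptables_t;
    class unix_dgram_socket { read write sendto };
    class file read;
}
allow fail2ban_t self:unix_dgram_socket write;
allow fail2ban_t syslogd_t:unix_dgram_socket sendto;
allow iptables_t fail2ban_t:unix_dgram_socket { read write };
allow system_mail_t fail2ban_t:unix_dgram_socket { read write };
allow system_mail_t usr_t:file read;
"""
PERMS = r"(\{[^}]*\}|\w+)"  # either "{ a b }" or a single permission
TYPE_RE = re.compile(r"^\s*type\s+(\w+);", re.M)
CLASS_RE = re.compile(r"^\s*class\s+(\w+)\s+" + PERMS + r";", re.M)
ALLOW_RE = re.compile(r"^\s*allow\s+(\w+)\s+(\w+):(\w+)\s+" + PERMS + r";", re.M)
def _perms(text):  # "{ read write }" -> {"read", "write"}; "read" -> {"read"}
    return set(text.strip("{} ").split())
def _fmt(perms):   # inverse of _perms, permissions sorted for a stable diff
    return next(iter(perms)) if len(perms) == 1 else "{ " + " ".join(sorted(perms)) + " }"
def merge_te(*modules):
    # Union types, class permissions and allow rules keyed by (source, target, class).
    types, classes, allows = set(), defaultdict(set), defaultdict(set)
    for m in modules:
        types.update(TYPE_RE.findall(m))
        for cls, p in CLASS_RE.findall(m):
            classes[cls] |= _perms(p)
        for src, tgt, cls, p in ALLOW_RE.findall(m):
            allows[(src, tgt, cls)] |= _perms(p)
    out = ["require {"] + [f"\ttype {t};" for t in sorted(types)]
    out += [f"\tclass {c} {_fmt(p)};" for c, p in sorted(classes.items())] + ["}"]
    out += [f"allow {s} {t}:{c} {_fmt(p)};" for (s, t, c), p in sorted(allows.items())]
    return "\n".join(out)
```

Run `print(merge_te(OLD_TE, NEW_TE))` to get one module body that can be compiled and installed with the usual checkmodule / semodule_package / semodule steps.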