firewalld to use legacy iptables. Fixes RHBZ#1823746. Remove conditionals for EL versions less than 7.i9ce
commit
29cab6763a
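--- /dev/null
+++ b/PATH-NOT-ON-PAGE-1
@@ -0,0 +1,152 @@
+From 3965d690b137152b2a0a6a46989178b5566cfd8e Mon Sep 17 00:00:00 2001
+From: Angelo Compagnucci <angelo@amarulasolutions.com>
+Date: Thu, 16 Jan 2020 12:05:13 +0100
+Subject: [PATCH 1/2] Revert "setup.py: adding option to install without tests"
+
+Test should actually removed from the stup data in finalize_options
+instead of being added back.
+
+This reverts commit 9b918bba2f672780fb4469294d80ba7deb6b8cab.
+
+Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
+---
+setup.py | 41 ++++++++++++++++-------------------------
+1 file changed, 16 insertions(+), 25 deletions(-)
+
+diff --git a/setup.py b/setup.py
+index e476c5dd6..8da292683 100755
+--- a/setup.py
++++ b/setup.py
+@@ -119,11 +119,9 @@ def update_scripts(self, dry_run=False):
+class install_command_f2b(install):
+user_options = install.user_options + [
+('disable-2to3', None, 'Specify to deactivate 2to3, e.g. if the install runs from fail2ban test-cases.'),
+- ('without-tests', None, 'without tests files installation'),
+]
+def initialize_options(self):
+self.disable_2to3 = None
+- self.without_tests = None
+install.initialize_options(self)
+def finalize_options(self):
+global _2to3
+@@ -134,28 +132,6 @@ def finalize_options(self):
+cmdclass = self.distribution.cmdclass
+cmdclass['build_py'] = build_py_2to3
+cmdclass['build_scripts'] = build_scripts_2to3
+- if not self.without_tests:
+- self.distribution.scripts += [
+- 'bin/fail2ban-testcases',
+- ]
+-
+- self.distribution.packages += [
+- 'fail2ban.tests',
+- 'fail2ban.tests.action_d',
+- ]
+-
+- self.distribution.package_data = {
+- 'fail2ban.tests':
+- [ join(w[0], f).replace("fail2ban/tests/", "", 1)
+- for w in os.walk('fail2ban/tests/files')
+- for f in w[2]] +
+- [ join(w[0], f).replace("fail2ban/tests/", "", 1)
+- for w in os.walk('fail2ban/tests/config')
+- for f in w[2]] +
+- [ join(w[0], f).replace("fail2ban/tests/", "", 1)
+- for w in os.walk('fail2ban/tests/action_d')
+- for f in w[2]]
+- }
+install.finalize_options(self)
+def run(self):
+install.run(self)
+@@ -232,20 +208,35 @@ def run(self):
+license = "GPL",
+platforms = "Posix",
+cmdclass = {
+- 'build_py': build_py, 'build_scripts': build_scripts,
++ 'build_py': build_py, 'build_scripts': build_scripts,
+'install_scripts': install_scripts_f2b, 'install': install_command_f2b
+},
+scripts = [
+'bin/fail2ban-client',
+'bin/fail2ban-server',
+'bin/fail2ban-regex',
++ 'bin/fail2ban-testcases',
+# 'bin/fail2ban-python', -- link (binary), will be installed via install_scripts_f2b wrapper
+],
+packages = [
+'fail2ban',
+'fail2ban.client',
+'fail2ban.server',
++ 'fail2ban.tests',
++ 'fail2ban.tests.action_d',
+],
++ package_data = {
++ 'fail2ban.tests':
++ [ join(w[0], f).replace("fail2ban/tests/", "", 1)
++ for w in os.walk('fail2ban/tests/files')
++ for f in w[2]] +
++ [ join(w[0], f).replace("fail2ban/tests/", "", 1)
++ for w in os.walk('fail2ban/tests/config')
++ for f in w[2]] +
++ [ join(w[0], f).replace("fail2ban/tests/", "", 1)
++ for w in os.walk('fail2ban/tests/action_d')
++ for f in w[2]]
++ },
+data_files = [
+('/etc/fail2ban',
+glob("config/*.conf")
+
+From 5fa1f69264d3c23793f64c03c96737d54555e919 Mon Sep 17 00:00:00 2001
+From: Angelo Compagnucci <angelo@amarulasolutions.com>
+Date: Thu, 16 Jan 2020 12:28:42 +0100
+Subject: [PATCH 2/2] setup.py: adding option to install without tests
+
+Tests files are not always needed especially when installing on low
+resource systems like an embedded one.
+This patch adds the --without-tests option to skip installing the
+tests files.
+
+Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
+---
+setup.py | 11 ++++++++++-
+1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/setup.py b/setup.py
+index 8da292683..ce1eedf68 100755
+--- a/setup.py
++++ b/setup.py
+@@ -119,9 +119,11 @@ def update_scripts(self, dry_run=False):
+class install_command_f2b(install):
+user_options = install.user_options + [
+('disable-2to3', None, 'Specify to deactivate 2to3, e.g. if the install runs from fail2ban test-cases.'),
++ ('without-tests', None, 'without tests files installation'),
+]
+def initialize_options(self):
+self.disable_2to3 = None
++ self.without_tests = None
+install.initialize_options(self)
+def finalize_options(self):
+global _2to3
+@@ -132,6 +134,13 @@ def finalize_options(self):
+cmdclass = self.distribution.cmdclass
+cmdclass['build_py'] = build_py_2to3
+cmdclass['build_scripts'] = build_scripts_2to3
++ if self.without_tests:
++ self.distribution.scripts.remove('bin/fail2ban-testcases')
++
++ self.distribution.packages.remove('fail2ban.tests')
++ self.distribution.packages.remove('fail2ban.tests.action_d')
++
++ del self.distribution.package_data['fail2ban.tests']
+install.finalize_options(self)
+def run(self):
+install.run(self)
+@@ -208,7 +217,7 @@ def run(self):
+license = "GPL",
+platforms = "Posix",
+cmdclass = {
+- 'build_py': build_py, 'build_scripts': build_scripts,
++ 'build_py': build_py, 'build_scripts': build_scripts,
+'install_scripts': install_scripts_f2b, 'install': install_command_f2b
+},
+scripts = [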
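Review bot: In the second patch's `finalize_options`, `self.distribution.scripts.remove('bin/fail2ban-testcases')`, the two `self.distribution.packages.remove(...)` calls and `del self.distribution.package_data['fail2ban.tests']` all raise (`ValueError` / `KeyError`) when the entry is not present, so the option is not idempotent: a second run of `finalize_options` in the same process, or a distribution whose script/package lists were already trimmed, aborts the install instead of being a no-op. Guarding each removal keeps `--without-tests` safe to apply more than once. The first patch in the file is a pure revert and needs no code change, though its message line `Test should actually removed from the stup data` has two typos (`be removed`, `setup`). The enclosing class `install_command_f2b` continues outside the hunks.
```python
if self.without_tests:
    for script in ('bin/fail2ban-testcases',):
        if script in self.distribution.scripts:
            self.distribution.scripts.remove(script)
    for pkg in ('fail2ban.tests', 'fail2ban.tests.action_d'):
        if pkg in self.distribution.packages:
            self.distribution.packages.remove(pkg)
    # dict.pop with a default: no KeyError when the test data was never registered
    self.distribution.package_data.pop('fail2ban.tests', None)
install.finalize_options(self)
```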
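--- /dev/null
+++ b/PATH-NOT-ON-PAGE-2
@@ -0,0 +1,65 @@
+From 781a25512b107828aff71998c19f2fa4dbf471c1 Mon Sep 17 00:00:00 2001
+From: "Sergey G. Brester" <serg.brester@sebres.de>
+Date: Fri, 6 Mar 2020 19:04:39 +0100
+Subject: [PATCH 1/4] travis CI: add 3.9-dev as target
+
+---
+.travis.yml | 1 +
+1 file changed, 1 insertion(+)
+
+--- a/fail2ban/server/jailthread.py
++++ b/fail2ban/server/jailthread.py
+@@ -120,3 +120,6 @@ class JailThread(Thread):
+## python 2.x replace binding of private __bootstrap method:
+if sys.version_info < (3,): # pragma: 3.x no cover
+JailThread._Thread__bootstrap = JailThread._JailThread__bootstrap
++## python 3.9, restore isAlive method:
++elif not hasattr(JailThread, 'isAlive'): # pragma: 2.x no cover
++ JailThread.isAlive = JailThread.is_alive
+--- a/fail2ban/tests/sockettestcase.py
++++ b/fail2ban/tests/sockettestcase.py
+@@ -87,7 +87,7 @@ class Socket(LogCaptureTestCase):
+def _stopServerThread(self):
+serverThread = self.serverThread
+# wait for end of thread :
+- Utils.wait_for(lambda: not serverThread.isAlive()
++ Utils.wait_for(lambda: not serverThread.is_alive()
+or serverThread.join(Utils.DEFAULT_SLEEP_TIME), unittest.F2B.maxWaitTime(10))
+self.serverThread = None
+
+@@ -98,7 +98,7 @@ class Socket(LogCaptureTestCase):
+self.server.close()
+# wait for end of thread :
+self._stopServerThread()
+- self.assertFalse(serverThread.isAlive())
++ self.assertFalse(serverThread.is_alive())
+# clean :
+self.server.stop()
+self.assertFalse(self.server.isActive())
+@@ -139,7 +139,7 @@ class Socket(LogCaptureTestCase):
+self.server.stop()
+# wait for end of thread :
+self._stopServerThread()
+- self.assertFalse(serverThread.isAlive())
++ self.assertFalse(serverThread.is_alive())
+self.assertFalse(self.server.isActive())
+self.assertFalse(os.path.exists(self.sock_name))
+
+@@ -180,7 +180,7 @@ class Socket(LogCaptureTestCase):
+self.server.stop()
+# wait for end of thread :
+self._stopServerThread()
+- self.assertFalse(serverThread.isAlive())
++ self.assertFalse(serverThread.is_alive())
+
+def testLoopErrors(self):
+# replace poll handler to produce error in loop-cycle:
+@@ -216,7 +216,7 @@ class Socket(LogCaptureTestCase):
+self.server.stop()
+# wait for end of thread :
+self._stopServerThread()
+- self.assertFalse(serverThread.isAlive())
++ self.assertFalse(serverThread.is_alive())
+self.assertFalse(self.server.isActive())
+self.assertFalse(os.path.exists(self.sock_name))
+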
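Review bot: The patch header does not describe the hunks below it: the subject is `[PATCH 1/4] travis CI: add 3.9-dev as target` and the diffstat lists only `.travis.yml | 1 +`, while the body changes `fail2ban/server/jailthread.py` and `fail2ban/tests/sockettestcase.py` and carries no `diff --git` / `index` lines for either file. `git am` and `patch` ignore the diffstat, so the patch still applies, but anyone auditing what this packaging patch changes is misled; regenerate the header from the squashed change or at least edit the subject and diffstat to name the two files. The `elif not hasattr(JailThread, 'isAlive')` added to jailthread.py is module-level and pairs with the `if sys.version_info < (3,)` visible only as context above it, so the added comment `## python 3.9, restore isAlive method:` should also say that it is the py3 branch of that `if`.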
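--- /dev/null
+++ b/PATH-NOT-ON-PAGE-3
@@ -0,0 +1,54 @@
+From 343ec1cdd296530f331637c725bd2bb0549e01e6 Mon Sep 17 00:00:00 2001
+From: sebres <serg.brester@sebres.de>
+Date: Wed, 18 Mar 2020 20:37:25 +0100
+Subject: [PATCH] test-causes: avoid host-depending issue (mistakenly ignoring
+IP 127.0.0.2 as own address) - replace loop-back addr with test sub-net addr
+(and disable ignoreself)
+
+---
+fail2ban/tests/observertestcase.py | 7 ++++---
+1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/fail2ban/tests/observertestcase.py b/fail2ban/tests/observertestcase.py
+index 8e9444548..e379ccd18 100644
+--- a/fail2ban/tests/observertestcase.py
++++ b/fail2ban/tests/observertestcase.py
+@@ -36,7 +36,6 @@
+from ..server.observer import Observers, ObserverThread
+from ..server.utils import Utils
+from .utils import LogCaptureTestCase
+-from ..server.filter import Filter
+from .dummyjail import DummyJail
+
+from .databasetestcase import getFail2BanDb, Fail2BanDb
+@@ -224,7 +223,7 @@ def testBanTimeIncr(self):
+jail.actions.setBanTime(10)
+jail.setBanTimeExtra('increment', 'true')
+jail.setBanTimeExtra('multipliers', '1 2 4 8 16 32 64 128 256 512 1024 2048')
+- ip = "127.0.0.2"
++ ip = "192.0.2.1"
+# used as start and fromtime (like now but time independence, cause test case can run slow):
+stime = int(MyTime.time())
+ticket = FailTicket(ip, stime, [])
+@@ -385,10 +384,12 @@ def testBanTimeIncr(self):
+
+# two separate jails :
+jail1 = DummyJail(backend='polling')
++ jail1.filter.ignoreSelf = False
+jail1.setBanTimeExtra('increment', 'true')
+jail1.database = self.db
+self.db.addJail(jail1)
+jail2 = DummyJail(name='DummyJail-2', backend='polling')
++ jail2.filter.ignoreSelf = False
+jail2.database = self.db
+self.db.addJail(jail2)
+ticket1 = FailTicket(ip, stime, [])
+@@ -477,7 +478,7 @@ def testObserver(self):
+self.assertEqual(tickets, [])
+
+# add failure:
+- ip = "127.0.0.2"
++ ip = "192.0.2.1"
+ticket = FailTicket(ip, stime-120, [])
+failManager = FailManager()
+failManager.setMaxRetry(3)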
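Review bot: The replacement address `192.0.2.1` deserves a one-line comment in `testBanTimeIncr` and `testObserver`, because the reason for it lives only in the patch subject: it is in the RFC 5737 TEST-NET-1 documentation range, so unlike `127.0.0.2` it can never be one of the host's own addresses and the jail's self-address skip cannot silently drop the ticket. Suggested comment above each `ip = "192.0.2.1"`: `# RFC 5737 documentation address: never a local interface, so it is not skipped as "self"`. The `jail1.filter.ignoreSelf = False` / `jail2.filter.ignoreSelf = False` lines make the same intent explicit for the database-backed jails; a short comment pointing at the same reason would keep the two parts of the fix linked. Both test methods begin outside the hunks.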
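--- /dev/null
+++ b/PATH-NOT-ON-PAGE-4
@@ -0,0 +1,213 @@
+From 8dc6f30cdd855c41b80ebdde3fe2bc91cc94e594 Mon Sep 17 00:00:00 2001
+From: sebres <serg.brester@sebres.de>
+Date: Wed, 15 Jan 2020 19:22:53 +0100
+Subject: [PATCH] closes #2596: fixed supplying of backend-related `logtype` to
+the jail filter - don't merge it (provide as init parameter if not set in
+definition section), init parameters don't affect config-cache (better
+implementation as in #2387 and it covered now with new test)
+
+---
+MANIFEST | 2 ++
+fail2ban/client/configreader.py | 8 +++--
+fail2ban/client/fail2banregex.py | 7 ++---
+fail2ban/client/filterreader.py | 8 +++++
+fail2ban/client/jailreader.py | 7 ++---
+fail2ban/tests/clientreadertestcase.py | 17 +++++++++-
+.../tests/config/filter.d/checklogtype.conf | 31 +++++++++++++++++++
+.../config/filter.d/checklogtype_test.conf | 12 +++++++
+fail2ban/tests/config/jail.conf | 25 +++++++++++++++
+9 files changed, 104 insertions(+), 13 deletions(-)
+create mode 100644 fail2ban/tests/config/filter.d/checklogtype.conf
+create mode 100644 fail2ban/tests/config/filter.d/checklogtype_test.conf
+
+--- a/MANIFEST
++++ b/MANIFEST
+@@ -227,6 +227,8 @@ fail2ban/tests/clientreadertestcase.py
+fail2ban/tests/config/action.d/action.conf
+fail2ban/tests/config/action.d/brokenaction.conf
+fail2ban/tests/config/fail2ban.conf
++fail2ban/tests/config/filter.d/checklogtype.conf
++fail2ban/tests/config/filter.d/checklogtype_test.conf
+fail2ban/tests/config/filter.d/simple.conf
+fail2ban/tests/config/filter.d/test.conf
+fail2ban/tests/config/filter.d/test.local
+--- a/fail2ban/client/configreader.py
++++ b/fail2ban/client/configreader.py
+@@ -120,6 +120,10 @@ class ConfigReader():
+except AttributeError:
+return False
+
++ def has_option(self, sec, opt, withDefault=True):
++ return self._cfg.has_option(sec, opt) if withDefault \
++ else opt in self._cfg._sections.get(sec, {})
++
+def merge_defaults(self, d):
+self._cfg.get_defaults().update(d)
+
+@@ -261,8 +265,8 @@ class ConfigReaderUnshared(SafeConfigPar
+logSys.warning("'%s' not defined in '%s'. Using default one: %r"
+% (optname, sec, optvalue))
+values[optname] = optvalue
+- elif logSys.getEffectiveLevel() <= logLevel:
+- logSys.log(logLevel, "Non essential option '%s' not defined in '%s'.", optname, sec)
++ # elif logSys.getEffectiveLevel() <= logLevel:
++ # logSys.log(logLevel, "Non essential option '%s' not defined in '%s'.", optname, sec)
+except ValueError:
+logSys.warning("Wrong value for '" + optname + "' in '" + sec +
+"'. Using default one: '" + repr(optvalue) + "'")
+--- a/fail2ban/client/fail2banregex.py
++++ b/fail2ban/client/fail2banregex.py
+@@ -372,11 +372,8 @@ class Fail2banRegex(object):
+if not ret:
+output( "ERROR: failed to load filter %s" % value )
+return False
+- # overwrite default logtype (considering that the filter could specify this too in Definition/Init sections):
+- if not fltOpt.get('logtype'):
+- reader.merge_defaults({
+- 'logtype': ['file','journal'][int(self._backend.startswith("systemd"))]
+- })
++ # set backend-related options (logtype):
++ reader.applyAutoOptions(self._backend)
+# get, interpolate and convert options:
+reader.getOptions(None)
+# show real options if expected:
+--- a/fail2ban/client/filterreader.py
++++ b/fail2ban/client/filterreader.py
+@@ -53,6 +53,14 @@ class FilterReader(DefinitionInitConfigR
+def getFile(self):
+return self.__file
+
++ def applyAutoOptions(self, backend):
++ # set init option to backend-related logtype, considering
++ # that the filter settings may be overwritten in its local:
++ if (not self._initOpts.get('logtype') and
++ not self.has_option('Definition', 'logtype', False)
++ ):
++ self._initOpts['logtype'] = ['file','journal'][int(backend.startswith("systemd"))]
++
+def convert(self):
+stream = list()
+opts = self.getCombined()
+--- a/fail2ban/client/jailreader.py
++++ b/fail2ban/client/jailreader.py
+@@ -149,11 +149,8 @@ class JailReader(ConfigReader):
+ret = self.__filter.read()
+if not ret:
+raise JailDefError("Unable to read the filter %r" % filterName)
+- if not filterOpt.get('logtype'):
+- # overwrite default logtype backend-related (considering that the filter settings may be overwritten):
+- self.__filter.merge_defaults({
+- 'logtype': ['file','journal'][int(self.__opts.get('backend', '').startswith("systemd"))]
+- })
++ # set backend-related options (logtype):
++ self.__filter.applyAutoOptions(self.__opts.get('backend', ''))
+# merge options from filter as 'known/...' (all options unfiltered):
+self.__filter.getOptions(self.__opts, all=True)
+ConfigReader.merge_section(self, self.__name, self.__filter.getCombined(), 'known/')
+--- a/fail2ban/tests/clientreadertestcase.py
++++ b/fail2ban/tests/clientreadertestcase.py
+@@ -328,7 +328,22 @@ class JailReaderTest(LogCaptureTestCase)
+self.assertFalse(len(o) > 2 and o[2].endswith('regex'))
+i += 1
+if i > usednsidx: break
+-
++
++ def testLogTypeOfBackendInJail(self):
++ unittest.F2B.SkipIfCfgMissing(stock=True); # expected include of common.conf
++ # test twice to check cache works peoperly:
++ for i in (1, 2):
++ # backend-related, overwritten in definition, specified in init parameters:
++ for prefline in ('JRNL', 'FILE', 'TEST', 'INIT'):
++ jail = JailReader('checklogtype_'+prefline.lower(), basedir=IMPERFECT_CONFIG,
++ share_config=IMPERFECT_CONFIG_SHARE_CFG, force_enable=True)
++ self.assertTrue(jail.read())
++ self.assertTrue(jail.getOptions())
++ stream = jail.convert()
++ # 'JRNL' for systemd, 'FILE' for file backend, 'TEST' for custom logtype (overwrite it):
++ self.assertEqual([['set', jail.getName(), 'addfailregex', '^%s failure from <HOST>$' % prefline]],
++ [o for o in stream if len(o) > 2 and o[2] == 'addfailregex'])
++
+def testSplitOption(self):
+# Simple example
+option = "mail-whois[name=SSH]"
+--- /dev/null
++++ b/fail2ban/tests/config/filter.d/checklogtype.conf
+@@ -0,0 +1,31 @@
++# Fail2Ban configuration file
++#
++
++[INCLUDES]
++
++# Read common prefixes (logtype is set in default section)
++before = ../../../../config/filter.d/common.conf
++
++[Definition]
++
++_daemon = test
++
++failregex = ^<lt_<logtype>/__prefix_line> failure from <HOST>$
++ignoreregex =
++
++# following sections define prefix line considering logtype:
++
++# backend-related (retrieved from backend, overwrite default):
++[lt_file]
++__prefix_line = FILE
++
++[lt_journal]
++__prefix_line = JRNL
++
++# specified in definition section of filter (see filter checklogtype_test.conf):
++[lt_test]
++__prefix_line = TEST
++
++# specified in init parameter of jail (see ../jail.conf, jail checklogtype_init):
++[lt_init]
++__prefix_line = INIT
+--- /dev/null
++++ b/fail2ban/tests/config/filter.d/checklogtype_test.conf
+@@ -0,0 +1,12 @@
++# Fail2Ban configuration file
++#
++
++[INCLUDES]
++
++# Read common prefixes (logtype is set in default section)
++before = checklogtype.conf
++
++[Definition]
++
++# overwrite logtype in definition (no backend anymore):
++logtype = test
+\ No newline at end of file
+--- a/fail2ban/tests/config/jail.conf
++++ b/fail2ban/tests/config/jail.conf
+@@ -74,3 +74,28 @@ journalmatch = _COMM=test
+maxlines = 2
+usedns = no
+enabled = false
++
++[checklogtype_jrnl]
++filter = checklogtype
++backend = systemd
++action = action
++enabled = false
++
++[checklogtype_file]
++filter = checklogtype
++backend = polling
++logpath = README.md
++action = action
++enabled = false
++
++[checklogtype_test]
++filter = checklogtype_test
++backend = systemd
++action = action
++enabled = false
++
++[checklogtype_init]
++filter = checklogtype_test[logtype=init]
++backend = systemd
++action = action
++enabled = false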
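Review bot: The new `ConfigReader.has_option(sec, opt, withDefault=True)` answers `withDefault=False` by reading `self._cfg._sections`, a private ConfigParser attribute, and that raw lookup also bypasses `optionxform`, so it only works for option names already in canonical lower-case form (as the single caller, `applyAutoOptions`, passes `'logtype'`). Neither constraint is written down; suggested comment above the method: `# withDefault=False must ignore [DEFAULT]; ConfigParser exposes no public call for that, so read the private _sections dict directly (raw keys: pass opt already lower-cased)`. In the `-261,8 +265,8` hunk of the same file the two `logSys.log(...)` lines are commented out rather than deleted, which leaves dead code; remove them or keep the call. `FilterReader.applyAutoOptions` now owns the `backend.startswith("systemd")` → `journal`, otherwise `file` mapping that `fail2banregex.py` and `jailreader.py` used to inline, so a one-line docstring stating that mapping would record the contract both callers rely on. `has_option` sits in `ConfigReader`, whose class body starts outside the hunk.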
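--- /dev/null
+++ b/PATH-NOT-ON-PAGE-5
@@ -0,0 +1,26 @@
+TARGET?=fail2ban
+MODULES?=${TARGET:=.pp.bz2}
+SHAREDIR?=/usr/share
+
+all: ${TARGET:=.pp.bz2}
+
+%.pp.bz2: %.pp
+@echo Compressing $^ -\> $@
+bzip2 -9 $^
+
+%.pp: %.te
+make -f ${SHAREDIR}/selinux/devel/Makefile $@
+
+clean:
+rm -f *~ *.tc *.pp *.pp.bz2
+rm -rf tmp *.tar.gz
+
+man: install-policy
+sepolicy manpage --path . --domain ${TARGET}_t
+
+install-policy: all
+semodule -i ${TARGET}.pp.bz2
+
+install: man
+install -D -m 644 ${TARGET}.pp.bz2 ${DESTDIR}${SHAREDIR}/selinux/packages/${TARGET}.pp.bz2
+install -D -m 644 ${TARGET}_selinux.8 ${DESTDIR}${SHAREDIR}/man/man8/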
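Review bot: `install: man` chains through `man: install-policy` to `semodule -i ${TARGET}.pp.bz2`, so a plain `make install` (as run from a package build with `DESTDIR` set) loads the module into the running policy of the build host and needs root there, which is a side effect an install target should not carry silently. `sepolicy manpage --domain ${TARGET}_t` appears to read the loaded policy, so the dependency is real; either document it at the top of the Makefile (`# 'install' runs 'semodule -i' on the build host: needs root and an SELinux-enabled kernel; generate the man page separately when packaging`) or split the targets so `install` copies a pre-generated `${TARGET}_selinux.8` while `man` and `install-policy` stay opt-in. The recipe lines as shown here carry no leading tab; if that is how the file is stored, make rejects it with a missing-separator error, so the committed file is worth checking.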
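--- /dev/null
+++ b/PATH-NOT-ON-PAGE-6
@@ -0,0 +1,9 @@
+/etc/rc\.d/init\.d/fail2ban -- gen_context(system_u:object_r:fail2ban_initrc_exec_t,s0)
+
+/usr/bin/fail2ban -- gen_context(system_u:object_r:fail2ban_exec_t,s0)
+/usr/bin/fail2ban-client -- gen_context(system_u:object_r:fail2ban_client_exec_t,s0)
+/usr/bin/fail2ban-server -- gen_context(system_u:object_r:fail2ban_exec_t,s0)
+
+/var/lib/fail2ban(/.*)? gen_context(system_u:object_r:fail2ban_var_lib_t,s0)
+/var/log/fail2ban\.log.* -- gen_context(system_u:object_r:fail2ban_log_t,s0)
+/var/run/fail2ban.* gen_context(system_u:object_r:fail2ban_var_run_t,s0)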
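Review bot: `/var/run/fail2ban.*` is written differently from the other directory entry `/var/lib/fail2ban(/.*)?`: the unescaped `.` and trailing `.*` also match unrelated names such as `/var/run/fail2banX` or `/var/run/fail2ban-other`, which would then be labelled `fail2ban_var_run_t` and become readable through `fail2ban_read_pid_files`. `/var/run/fail2ban(/.*)? gen_context(system_u:object_r:fail2ban_var_run_t,s0)` labels the directory and everything inside it without the over-match; if a pid file is also kept directly under `/var/run`, add a separate escaped entry for it rather than widening the pattern. Whether `/run` is covered by the distribution's `file_contexts.subs_dist` aliasing of `/var/run` is not visible here and is worth confirming on targets where `/var/run` is a symlink.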
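--- /dev/null
+++ b/PATH-NOT-ON-PAGE-7
@@ -0,0 +1,313 @@
+## <summary>Update firewall filtering to ban IP addresses with too many password failures.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run fail2ban.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`fail2ban_domtrans',`
+gen_require(`
+type fail2ban_t, fail2ban_exec_t;
+')
+
+corecmd_search_bin($1)
+domtrans_pattern($1, fail2ban_exec_t, fail2ban_t)
+')
+
+#######################################
+## <summary>
+## Execute the fail2ban client in
+## the fail2ban client domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`fail2ban_domtrans_client',`
+gen_require(`
+type fail2ban_client_t, fail2ban_client_exec_t;
+')
+
+corecmd_search_bin($1)
+domtrans_pattern($1, fail2ban_client_exec_t, fail2ban_client_t)
+')
+
+#######################################
+## <summary>
+## Execute fail2ban client in the
+## fail2ban client domain, and allow
+## the specified role the fail2ban
+## client domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`fail2ban_run_client',`
+gen_require(`
+attribute_role fail2ban_client_roles;
+')
+
+fail2ban_domtrans_client($1)
+roleattribute $2 fail2ban_client_roles;
+')
+
+#####################################
+## <summary>
+## Connect to fail2ban over a unix domain
+## stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fail2ban_stream_connect',`
+gen_require(`
+type fail2ban_t, fail2ban_var_run_t;
+')
+
+files_search_pids($1)
+stream_connect_pattern($1, fail2ban_var_run_t, fail2ban_var_run_t, fail2ban_t)
+')
+
+########################################
+## <summary>
+## Read and write inherited temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fail2ban_rw_inherited_tmp_files',`
+gen_require(`
+type fail2ban_tmp_t;
+')
+
+files_search_tmp($1)
+allow $1 fail2ban_tmp_t:file rw_inherited_file_perms;
+')
+
+########################################
+## <summary>
+## Read and write to an fail2ba unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fail2ban_rw_stream_sockets',`
+gen_require(`
+type fail2ban_t;
+')
+
+allow $1 fail2ban_t:unix_stream_socket rw_stream_socket_perms;
+')
+
+#######################################
+## <summary>
+## Do not audit attempts to use
+## fail2ban file descriptors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`fail2ban_dontaudit_use_fds',`
+gen_require(`
+type fail2ban_t;
+')
+
+dontaudit $1 fail2ban_t:fd use;
+')
+
+#######################################
+## <summary>
+## Do not audit attempts to read and
+## write fail2ban unix stream sockets
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`fail2ban_dontaudit_rw_stream_sockets',`
+gen_require(`
+type fail2ban_t;
+')
+
+dontaudit $1 fail2ban_t:unix_stream_socket { read write };
+')
+
+########################################
+## <summary>
+## Read fail2ban lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fail2ban_read_lib_files',`
+gen_require(`
+type fail2ban_var_lib_t;
+')
+
+files_search_var_lib($1)
+read_files_pattern($1, fail2ban_var_lib_t, fail2ban_var_lib_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to read fail2ban's log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`fail2ban_read_log',`
+gen_require(`
+type fail2ban_log_t;
+')
+
+logging_search_logs($1)
+allow $1 fail2ban_log_t:dir list_dir_perms;
+allow $1 fail2ban_log_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## Allow the specified domain to append
+## fail2ban log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fail2ban_append_log',`
+gen_require(`
+type fail2ban_log_t;
+')
+
+logging_search_logs($1)
+allow $1 fail2ban_log_t:dir list_dir_perms;
+allow $1 fail2ban_log_t:file append_file_perms;
+')
+
+########################################
+## <summary>
+## Read fail2ban PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fail2ban_read_pid_files',`
+gen_require(`
+type fail2ban_var_run_t;
+')
+
+files_search_pids($1)
+allow $1 fail2ban_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+## dontaudit read and write an leaked file descriptors
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`fail2ban_dontaudit_leaks',`
+gen_require(`
+type fail2ban_t;
+')
+
+dontaudit $1 fail2ban_t:tcp_socket { read write };
+dontaudit $1 fail2ban_t:unix_dgram_socket { read write };
+dontaudit $1 fail2ban_t:unix_stream_socket { read write };
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an fail2ban environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the fail2ban domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`fail2ban_admin',`
+gen_require(`
+type fail2ban_t, fail2ban_log_t, fail2ban_initrc_exec_t;
+type fail2ban_var_run_t, fail2ban_var_lib_t, fail2ban_tmp_t;
+type fail2ban_client_t;
+')
+
+allow $1 { fail2ban_t fail2ban_client_t }:process signal_perms;
+ps_process_pattern($1, { fail2ban_t fail2ban_client_t })
+
+tunable_policy(`deny_ptrace',`',`
+allow $1 { fail2ban_t fail2ban_client_t }:process ptrace;
+')
+
+init_labeled_script_domtrans($1, fail2ban_initrc_exec_t)
+domain_system_change_exemption($1)
+role_transition $2 fail2ban_initrc_exec_t system_r;
+allow $2 system_r;
+
+logging_list_logs($1)
+admin_pattern($1, fail2ban_log_t)
+
+files_list_pids($1)
+admin_pattern($1, fail2ban_var_run_t)
+
+files_list_var_lib($1)
+admin_pattern($1, fail2ban_var_lib_t)
+
+files_list_tmp($1)
+admin_pattern($1, fail2ban_tmp_t)
+
+fail2ban_run_client($1, $2)
+')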
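Review bot: Several interface summaries carry typos that end up verbatim in the generated policy documentation: `Read and write to an fail2ba unix stream socket.` (`fail2ban_rw_stream_sockets`), `dontaudit read and write an leaked file descriptors` (`fail2ban_dontaudit_leaks`) and `an fail2ban environment` (`fail2ban_admin`); suggested: `Read and write to a fail2ban unix stream socket.`, `Do not audit reads and writes on leaked fail2ban sockets.` and `a fail2ban environment`. The `fail2ban_dontaudit_leaks` summary also says file descriptors while its rules cover `tcp_socket`, `unix_dgram_socket` and `unix_stream_socket` read/write, so the summary should name sockets, as the suggestion does. `fail2ban_admin` hands out `ptrace` on both `fail2ban_t` and `fail2ban_client_t` whenever `deny_ptrace` is off; that is the usual refpolicy admin shape, but a one-line comment above the `tunable_policy` block saying it is the standard admin pattern (not a fail2ban-specific need) would save the next reader from questioning it.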
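--- /dev/null
+++ b/PATH-NOT-SHOWN
@@ -0,0 +1,191 @@
+policy_module(fail2ban, 1.5.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role fail2ban_client_roles;
+
+type fail2ban_t;
+type fail2ban_exec_t;
+init_daemon_domain(fail2ban_t, fail2ban_exec_t)
+
+type fail2ban_initrc_exec_t;
+init_script_file(fail2ban_initrc_exec_t)
+
+type fail2ban_log_t;
+logging_log_file(fail2ban_log_t)
+
+type fail2ban_var_lib_t;
+files_type(fail2ban_var_lib_t)
+
+type fail2ban_var_run_t;
+files_pid_file(fail2ban_var_run_t)
+
+type fail2ban_tmp_t;
+files_tmp_file(fail2ban_tmp_t)
+
+type fail2ban_client_t;
+type fail2ban_client_exec_t;
+init_system_domain(fail2ban_client_t, fail2ban_client_exec_t)
+role fail2ban_client_roles types fail2ban_client_t;
+
+########################################
+#
+# Server Local policy
+#
+
+allow fail2ban_t self:capability { dac_read_search sys_tty_config };
+allow fail2ban_t self:process { getpgid setsched signal };
+allow fail2ban_t self:fifo_file rw_fifo_file_perms;
+allow fail2ban_t self:unix_stream_socket { accept connectto listen };
+allow fail2ban_t self:tcp_socket { accept listen };
+allow fail2ban_t self:netlink_netfilter_socket create_socket_perms;
+
+read_files_pattern(fail2ban_t, fail2ban_t, fail2ban_t)
+
+append_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t)
+create_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t)
+setattr_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t)
+logging_log_filetrans(fail2ban_t, fail2ban_log_t, file)
+
+manage_dirs_pattern(fail2ban_t, fail2ban_tmp_t, fail2ban_tmp_t)
+manage_files_pattern(fail2ban_t, fail2ban_tmp_t, fail2ban_tmp_t)
+exec_files_pattern(fail2ban_t, fail2ban_tmp_t, fail2ban_tmp_t)
+files_tmp_filetrans(fail2ban_t, fail2ban_tmp_t, { dir file })
+
+manage_dirs_pattern(fail2ban_t, fail2ban_var_lib_t, fail2ban_var_lib_t)
+manage_files_pattern(fail2ban_t, fail2ban_var_lib_t, fail2ban_var_lib_t)
+
+manage_dirs_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
+manage_sock_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
+manage_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
+files_pid_filetrans(fail2ban_t, fail2ban_var_run_t, file)
+
+kernel_read_system_state(fail2ban_t)
+kernel_read_network_state(fail2ban_t)
+kernel_read_net_sysctls(fail2ban_t)
+
+corecmd_exec_bin(fail2ban_t)
+corecmd_exec_shell(fail2ban_t)
+
+corenet_all_recvfrom_netlabel(fail2ban_t)
+corenet_tcp_sendrecv_generic_if(fail2ban_t)
+corenet_tcp_sendrecv_generic_node(fail2ban_t)
+
+corenet_sendrecv_whois_client_packets(fail2ban_t)
+corenet_tcp_connect_whois_port(fail2ban_t)
+corenet_tcp_sendrecv_whois_port(fail2ban_t)
+
+dev_read_urand(fail2ban_t)
+dev_read_sysfs(fail2ban_t)
+
+domain_use_interactive_fds(fail2ban_t)
+domain_dontaudit_read_all_domains_state(fail2ban_t)
+
+files_read_etc_runtime_files(fail2ban_t)
+files_list_var(fail2ban_t)
+files_dontaudit_list_tmp(fail2ban_t)
+
+fs_list_inotifyfs(fail2ban_t)
+fs_getattr_all_fs(fail2ban_t)
+
+auth_use_nsswitch(fail2ban_t)
+
+logging_read_all_logs(fail2ban_t)
+logging_read_audit_log(fail2ban_t)
+logging_send_syslog_msg(fail2ban_t)
+logging_read_syslog_pid(fail2ban_t)
+logging_dontaudit_search_audit_logs(fail2ban_t)
+logging_mmap_generic_logs(fail2ban_t)
+logging_mmap_journal(fail2ban_t)
+
+mta_send_mail(fail2ban_t)
+
+sysnet_manage_config(fail2ban_t)
+
+optional_policy(`
+apache_read_log(fail2ban_t)
+')
+
+optional_policy(`
+dbus_system_bus_client(fail2ban_t)
+dbus_connect_system_bus(fail2ban_t)
+
+optional_policy(`
+firewalld_dbus_chat(fail2ban_t)
+')
+')
+
+optional_policy(`
+ftp_read_log(fail2ban_t)
+')
+
+optional_policy(`
+gnome_dontaudit_search_config(fail2ban_t)
+')
+
+optional_policy(`
+iptables_domtrans(fail2ban_t)
+')
+
+optional_policy(`
+allow fail2ban_t self:capability sys_resource;
+allow fail2ban_t self:process setrlimit;
+journalctl_exec(fail2ban_t)
+')
+
+optional_policy(`
+libs_exec_ldconfig(fail2ban_t)
+')
+
+optional_policy(`
+rpm_exec(fail2ban_t)
+')
+
+optional_policy(`
+shorewall_domtrans(fail2ban_t)
+')
+
+########################################
+#
+# Client Local policy
+#
+
+allow fail2ban_client_t self:capability { dac_read_search };
+allow fail2ban_client_t self:unix_stream_socket { create connect write read };
+
+domtrans_pattern(fail2ban_client_t, fail2ban_exec_t, fail2ban_t)
+
+allow fail2ban_client_t fail2ban_t:process { rlimitinh };
+
+dontaudit fail2ban_client_t fail2ban_var_run_t:dir_file_class_set audit_access;
+allow fail2ban_client_t fail2ban_var_run_t:dir write;
+stream_connect_pattern(fail2ban_client_t, fail2ban_var_run_t, fail2ban_var_run_t, fail2ban_t)
+
+kernel_read_system_state(fail2ban_client_t)
+
+corecmd_exec_bin(fail2ban_client_t)
+
+dev_read_urand(fail2ban_client_t)
+dev_read_rand(fail2ban_client_t)
+
+domain_use_interactive_fds(fail2ban_client_t)
+
+files_search_pids(fail2ban_client_t)
+
+auth_use_nsswitch(fail2ban_client_t)
+
+libs_exec_ldconfig(fail2ban_client_t)
+
+logging_getattr_all_logs(fail2ban_client_t)
+logging_search_all_logs(fail2ban_client_t)
+logging_read_audit_log(fail2ban_client_t)
+
+userdom_dontaudit_search_user_home_dirs(fail2ban_client_t)
+userdom_use_user_terminals(fail2ban_client_t)
+
+optional_policy(`
+apache_read_log(fail2ban_client_t)
+')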
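Review bot: `sysnet_manage_config(fail2ban_t)` near the end of the server section is the broadest unconditional grant in this file (manage access to everything labelled net_conf_t, well beyond a single banlist file) and carries no comment saying which fail2ban action needs it; presumably it exists for the hostsdeny action rewriting /etc/hosts.deny, but that is inferred, so a comment such as `# hostsdeny action edits /etc/hosts.deny (net_conf_t); TODO confirm no narrower interface fits` would let the next least-privilege review check it instead of guessing. The same question applies to `rpm_exec(fail2ban_t)` and `corecmd_exec_shell(fail2ban_t)`: nothing in this .te records why a ban daemon needs to execute rpm or a shell, and a one-line why-comment on each is cheap. The `sys_resource`/`setrlimit` pair bundled with `journalctl_exec(fail2ban_t)` deserves the same treatment, since a capability grant inside an optional_policy block is easy to overlook when the policy is later tightened.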
@ -1 +1 @@
|
||||
SHA512 (fail2ban-0.10.5.tar.gz) = 306153587a3fcda6e72856f0b7817ea76eda83cca84d5a9af2d182aaf06cc18379c31ae22b16f7544d988bf5abaf8e12df229c350a48bbdf01751a56c9be80c6
|
||||
SHA512 (fail2ban-0.11.1.tar.gz) = 019b088aa6375f98742ed101ef6f65adabca3324444d71d5b8597a8d1d22fa76b9f503660f0498643fe24a3b8e4368de916072a1ab77b8e2ea3eda41c3e0c8c6
|
||||
|