From 55f6b78077e4856a8f360fbcc1b01b7d0a41f226 Mon Sep 17 00:00:00 2001 From: Orion Poplawski Date: Tue, 14 Jan 2020 22:04:44 -0700 Subject: [PATCH 1/9] Update to 0.11.1 --- .gitignore | 1 + fail2ban.spec | 5 ++++- sources | 2 +- 3 files changed, 6 insertions(+), 2 deletions(-) diff --git a/.gitignore b/.gitignore index 6535f8f..dce9971 100644 --- a/.gitignore +++ b/.gitignore @@ -19,3 +19,4 @@ fail2ban-0.8.4.tar.bz2 /fail2ban-0.10.3.1.tar.gz /fail2ban-0.10.4.tar.gz /fail2ban-0.10.5.tar.gz +/fail2ban-0.11.1.tar.gz diff --git a/fail2ban.spec b/fail2ban.spec index 8f3669b..1125bfa 100644 --- a/fail2ban.spec +++ b/fail2ban.spec @@ -1,6 +1,6 @@ Summary: Daemon to ban hosts that cause multiple authentication errors Name: fail2ban -Version: 0.10.5 +Version: 0.11.1 Release: 1%{?dist} License: GPLv2+ URL: http://fail2ban.sourceforge.net/ @@ -303,6 +303,9 @@ fi %changelog +* Tue Jan 14 2020 Orion Poplawski - 0.11.1-1 +- Update to 0.11.1 + * Tue Jan 14 2020 Orion Poplawski - 0.10.5-1 - Update to 0.10.5 diff --git a/sources b/sources index 96975ca..585083b 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (fail2ban-0.10.5.tar.gz) = 306153587a3fcda6e72856f0b7817ea76eda83cca84d5a9af2d182aaf06cc18379c31ae22b16f7544d988bf5abaf8e12df229c350a48bbdf01751a56c9be80c6 +SHA512 (fail2ban-0.11.1.tar.gz) = 019b088aa6375f98742ed101ef6f65adabca3324444d71d5b8597a8d1d22fa76b9f503660f0498643fe24a3b8e4368de916072a1ab77b8e2ea3eda41c3e0c8c6 From 54746313a81173b6d4883103601a6dedabcbdd9d Mon Sep 17 00:00:00 2001 From: Orion Poplawski Date: Sat, 18 Jan 2020 11:52:02 -0700 Subject: [PATCH 2/9] Add upstream patches to fix testcase install and tests; Fix fail2ban-python symlink --- 2605.patch | 152 ++++++++++++ ...f30cdd855c41b80ebdde3fe2bc91cc94e594.patch | 233 ++++++++++++++++++ fail2ban.spec | 15 +- 3 files changed, 396 insertions(+), 4 deletions(-) create mode 100644 2605.patch create mode 100644 8dc6f30cdd855c41b80ebdde3fe2bc91cc94e594.patch 
diff --git a/2605.patch b/2605.patch new file mode 100644 index 0000000..05e5646 --- /dev/null +++ b/2605.patch 
@@ -0,0 +1,152 @@ +From 3965d690b137152b2a0a6a46989178b5566cfd8e Mon Sep 17 00:00:00 2001 +From: Angelo Compagnucci +Date: Thu, 16 Jan 2020 12:05:13 +0100 +Subject: [PATCH 1/2] Revert "setup.py: adding option to install without tests" + +Test should actually removed from the stup data in finalize_options +instead of being added back. + +This reverts commit 9b918bba2f672780fb4469294d80ba7deb6b8cab. + +Signed-off-by: Angelo Compagnucci +--- + setup.py | 41 ++++++++++++++++------------------------- + 1 file changed, 16 insertions(+), 25 deletions(-) + +diff --git a/setup.py b/setup.py +index e476c5dd6..8da292683 100755 +--- a/setup.py ++++ b/setup.py +@@ -119,11 +119,9 @@ def update_scripts(self, dry_run=False): + class install_command_f2b(install): + user_options = install.user_options + [ + ('disable-2to3', None, 'Specify to deactivate 2to3, e.g. if the install runs from fail2ban test-cases.'), +- ('without-tests', None, 'without tests files installation'), + ] + def initialize_options(self): + self.disable_2to3 = None +- self.without_tests = None + install.initialize_options(self) + def finalize_options(self): + global _2to3 +@@ -134,28 +132,6 @@ def finalize_options(self): + cmdclass = self.distribution.cmdclass + cmdclass['build_py'] = build_py_2to3 + cmdclass['build_scripts'] = build_scripts_2to3 +- if not self.without_tests: +- self.distribution.scripts += [ +- 'bin/fail2ban-testcases', +- ] +- +- self.distribution.packages += [ +- 'fail2ban.tests', +- 'fail2ban.tests.action_d', +- ] +- +- self.distribution.package_data = { +- 'fail2ban.tests': +- [ join(w[0], f).replace("fail2ban/tests/", "", 1) +- for w in os.walk('fail2ban/tests/files') +- for f in w[2]] + +- [ join(w[0], f).replace("fail2ban/tests/", "", 1) +- for w in os.walk('fail2ban/tests/config') +- for f in w[2]] + +- [ join(w[0], f).replace("fail2ban/tests/", "", 1) +- for w in os.walk('fail2ban/tests/action_d') +- for f in w[2]] +- } + install.finalize_options(self) + def run(self): + 
install.run(self) +@@ -232,20 +208,35 @@ def run(self): + license = "GPL", + platforms = "Posix", + cmdclass = { +- 'build_py': build_py, 'build_scripts': build_scripts, ++ 'build_py': build_py, 'build_scripts': build_scripts, + 'install_scripts': install_scripts_f2b, 'install': install_command_f2b + }, + scripts = [ + 'bin/fail2ban-client', + 'bin/fail2ban-server', + 'bin/fail2ban-regex', ++ 'bin/fail2ban-testcases', + # 'bin/fail2ban-python', -- link (binary), will be installed via install_scripts_f2b wrapper + ], + packages = [ + 'fail2ban', + 'fail2ban.client', + 'fail2ban.server', ++ 'fail2ban.tests', ++ 'fail2ban.tests.action_d', + ], ++ package_data = { ++ 'fail2ban.tests': ++ [ join(w[0], f).replace("fail2ban/tests/", "", 1) ++ for w in os.walk('fail2ban/tests/files') ++ for f in w[2]] + ++ [ join(w[0], f).replace("fail2ban/tests/", "", 1) ++ for w in os.walk('fail2ban/tests/config') ++ for f in w[2]] + ++ [ join(w[0], f).replace("fail2ban/tests/", "", 1) ++ for w in os.walk('fail2ban/tests/action_d') ++ for f in w[2]] ++ }, + data_files = [ + ('/etc/fail2ban', + glob("config/*.conf") + +From 5fa1f69264d3c23793f64c03c96737d54555e919 Mon Sep 17 00:00:00 2001 +From: Angelo Compagnucci +Date: Thu, 16 Jan 2020 12:28:42 +0100 +Subject: [PATCH 2/2] setup.py: adding option to install without tests + +Tests files are not always needed especially when installing on low +resource systems like an embedded one. +This patch adds the --without-tests option to skip installing the +tests files. + +Signed-off-by: Angelo Compagnucci +--- + setup.py | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/setup.py b/setup.py +index 8da292683..ce1eedf68 100755 +--- a/setup.py ++++ b/setup.py +@@ -119,9 +119,11 @@ def update_scripts(self, dry_run=False): + class install_command_f2b(install): + user_options = install.user_options + [ + ('disable-2to3', None, 'Specify to deactivate 2to3, e.g. 
if the install runs from fail2ban test-cases.'), ++ ('without-tests', None, 'without tests files installation'), + ] + def initialize_options(self): + self.disable_2to3 = None ++ self.without_tests = None + install.initialize_options(self) + def finalize_options(self): + global _2to3 +@@ -132,6 +134,13 @@ def finalize_options(self): + cmdclass = self.distribution.cmdclass + cmdclass['build_py'] = build_py_2to3 + cmdclass['build_scripts'] = build_scripts_2to3 ++ if self.without_tests: ++ self.distribution.scripts.remove('bin/fail2ban-testcases') ++ ++ self.distribution.packages.remove('fail2ban.tests') ++ self.distribution.packages.remove('fail2ban.tests.action_d') ++ ++ del self.distribution.package_data['fail2ban.tests'] + install.finalize_options(self) + def run(self): + install.run(self) +@@ -208,7 +217,7 @@ def run(self): + license = "GPL", + platforms = "Posix", + cmdclass = { +- 'build_py': build_py, 'build_scripts': build_scripts, ++ 'build_py': build_py, 'build_scripts': build_scripts, + 'install_scripts': install_scripts_f2b, 'install': install_command_f2b + }, + scripts = [ diff --git a/8dc6f30cdd855c41b80ebdde3fe2bc91cc94e594.patch b/8dc6f30cdd855c41b80ebdde3fe2bc91cc94e594.patch new file mode 100644 index 0000000..de372f3 --- /dev/null +++ b/8dc6f30cdd855c41b80ebdde3fe2bc91cc94e594.patch 
@@ -0,0 +1,233 @@ +From 8dc6f30cdd855c41b80ebdde3fe2bc91cc94e594 Mon Sep 17 00:00:00 2001 +From: sebres +Date: Wed, 15 Jan 2020 19:22:53 +0100 +Subject: [PATCH] closes #2596: fixed supplying of backend-related `logtype` to + the jail filter - don't merge it (provide as init parameter if not set in + definition section), init parameters don't affect config-cache (better + implementation as in #2387 and it covered now with new test) + +--- + MANIFEST | 2 ++ + fail2ban/client/configreader.py | 8 +++-- + fail2ban/client/fail2banregex.py | 7 ++--- + fail2ban/client/filterreader.py | 8 +++++ + fail2ban/client/jailreader.py | 7 ++--- + fail2ban/tests/clientreadertestcase.py | 17 +++++++++- + .../tests/config/filter.d/checklogtype.conf | 31 +++++++++++++++++++ + .../config/filter.d/checklogtype_test.conf | 12 +++++++ + fail2ban/tests/config/jail.conf | 25 +++++++++++++++ + 9 files changed, 104 insertions(+), 13 deletions(-) + create mode 100644 fail2ban/tests/config/filter.d/checklogtype.conf + create mode 100644 fail2ban/tests/config/filter.d/checklogtype_test.conf + +diff --git a/MANIFEST b/MANIFEST +index dbcc2f602..5680492af 100644 +--- a/MANIFEST ++++ b/MANIFEST +@@ -226,6 +226,8 @@ fail2ban/tests/clientreadertestcase.py + fail2ban/tests/config/action.d/action.conf + fail2ban/tests/config/action.d/brokenaction.conf + fail2ban/tests/config/fail2ban.conf ++fail2ban/tests/config/filter.d/checklogtype.conf ++fail2ban/tests/config/filter.d/checklogtype_test.conf + fail2ban/tests/config/filter.d/simple.conf + fail2ban/tests/config/filter.d/test.conf + fail2ban/tests/config/filter.d/test.local +diff --git a/fail2ban/client/configreader.py b/fail2ban/client/configreader.py +index 66b987b28..20709b724 100644 +--- a/fail2ban/client/configreader.py ++++ b/fail2ban/client/configreader.py +@@ -120,6 +120,10 @@ def has_section(self, sec): + except AttributeError: + return False + ++ def has_option(self, sec, opt, withDefault=True): ++ return self._cfg.has_option(sec, opt) if 
withDefault \ ++ else opt in self._cfg._sections.get(sec, {}) ++ + def merge_defaults(self, d): + self._cfg.get_defaults().update(d) + +@@ -261,8 +265,8 @@ def getOptions(self, sec, options, pOptions=None, shouldExist=False): + logSys.warning("'%s' not defined in '%s'. Using default one: %r" + % (optname, sec, optvalue)) + values[optname] = optvalue +- elif logSys.getEffectiveLevel() <= logLevel: +- logSys.log(logLevel, "Non essential option '%s' not defined in '%s'.", optname, sec) ++ # elif logSys.getEffectiveLevel() <= logLevel: ++ # logSys.log(logLevel, "Non essential option '%s' not defined in '%s'.", optname, sec) + except ValueError: + logSys.warning("Wrong value for '" + optname + "' in '" + sec + + "'. Using default one: '" + repr(optvalue) + "'") +diff --git a/fail2ban/client/fail2banregex.py b/fail2ban/client/fail2banregex.py +index f6a4b141c..334c031f4 100644 +--- a/fail2ban/client/fail2banregex.py ++++ b/fail2ban/client/fail2banregex.py +@@ -372,11 +372,8 @@ def readRegex(self, value, regextype): + if not ret: + output( "ERROR: failed to load filter %s" % value ) + return False +- # overwrite default logtype (considering that the filter could specify this too in Definition/Init sections): +- if not fltOpt.get('logtype'): +- reader.merge_defaults({ +- 'logtype': ['file','journal'][int(self._backend.startswith("systemd"))] +- }) ++ # set backend-related options (logtype): ++ reader.applyAutoOptions(self._backend) + # get, interpolate and convert options: + reader.getOptions(None) + # show real options if expected: +diff --git a/fail2ban/client/filterreader.py b/fail2ban/client/filterreader.py +index ede18dca2..413f125e6 100644 +--- a/fail2ban/client/filterreader.py ++++ b/fail2ban/client/filterreader.py +@@ -53,6 +53,14 @@ def setFile(self, fileName): + def getFile(self): + return self.__file + ++ def applyAutoOptions(self, backend): ++ # set init option to backend-related logtype, considering ++ # that the filter settings may be overwritten in its 
local: ++ if (not self._initOpts.get('logtype') and ++ not self.has_option('Definition', 'logtype', False) ++ ): ++ self._initOpts['logtype'] = ['file','journal'][int(backend.startswith("systemd"))] ++ + def convert(self): + stream = list() + opts = self.getCombined() +diff --git a/fail2ban/client/jailreader.py b/fail2ban/client/jailreader.py +index 917a562ce..1d7db0dc9 100644 +--- a/fail2ban/client/jailreader.py ++++ b/fail2ban/client/jailreader.py +@@ -142,11 +142,8 @@ def getOptions(self): + ret = self.__filter.read() + if not ret: + raise JailDefError("Unable to read the filter %r" % filterName) +- if not filterOpt.get('logtype'): +- # overwrite default logtype backend-related (considering that the filter settings may be overwritten): +- self.__filter.merge_defaults({ +- 'logtype': ['file','journal'][int(self.__opts.get('backend', '').startswith("systemd"))] +- }) ++ # set backend-related options (logtype): ++ self.__filter.applyAutoOptions(self.__opts.get('backend', '')) + # merge options from filter as 'known/...' 
(all options unfiltered): + self.__filter.getOptions(self.__opts, all=True) + ConfigReader.merge_section(self, self.__name, self.__filter.getCombined(), 'known/') +diff --git a/fail2ban/tests/clientreadertestcase.py b/fail2ban/tests/clientreadertestcase.py +index d39860f47..2c1d0a0e4 100644 +--- a/fail2ban/tests/clientreadertestcase.py ++++ b/fail2ban/tests/clientreadertestcase.py +@@ -328,7 +328,22 @@ def testOverrideFilterOptInJail(self): + self.assertFalse(len(o) > 2 and o[2].endswith('regex')) + i += 1 + if i > usednsidx: break +- ++ ++ def testLogTypeOfBackendInJail(self): ++ unittest.F2B.SkipIfCfgMissing(stock=True); # expected include of common.conf ++ # test twice to check cache works peoperly: ++ for i in (1, 2): ++ # backend-related, overwritten in definition, specified in init parameters: ++ for prefline in ('JRNL', 'FILE', 'TEST', 'INIT'): ++ jail = JailReader('checklogtype_'+prefline.lower(), basedir=IMPERFECT_CONFIG, ++ share_config=IMPERFECT_CONFIG_SHARE_CFG, force_enable=True) ++ self.assertTrue(jail.read()) ++ self.assertTrue(jail.getOptions()) ++ stream = jail.convert() ++ # 'JRNL' for systemd, 'FILE' for file backend, 'TEST' for custom logtype (overwrite it): ++ self.assertEqual([['set', jail.getName(), 'addfailregex', '^%s failure from $' % prefline]], ++ [o for o in stream if len(o) > 2 and o[2] == 'addfailregex']) ++ + def testSplitOption(self): + # Simple example + option = "mail-whois[name=SSH]" +diff --git a/fail2ban/tests/config/filter.d/checklogtype.conf b/fail2ban/tests/config/filter.d/checklogtype.conf +new file mode 100644 +index 000000000..4d700fffa +--- /dev/null ++++ b/fail2ban/tests/config/filter.d/checklogtype.conf +@@ -0,0 +1,31 @@ ++# Fail2Ban configuration file ++# ++ ++[INCLUDES] ++ ++# Read common prefixes (logtype is set in default section) ++before = ../../../../config/filter.d/common.conf ++ ++[Definition] ++ ++_daemon = test ++ ++failregex = ^/__prefix_line> failure from $ ++ignoreregex = ++ ++# following sections define 
prefix line considering logtype: ++ ++# backend-related (retrieved from backend, overwrite default): ++[lt_file] ++__prefix_line = FILE ++ ++[lt_journal] ++__prefix_line = JRNL ++ ++# specified in definition section of filter (see filter checklogtype_test.conf): ++[lt_test] ++__prefix_line = TEST ++ ++# specified in init parameter of jail (see ../jail.conf, jail checklogtype_init): ++[lt_init] ++__prefix_line = INIT +diff --git a/fail2ban/tests/config/filter.d/checklogtype_test.conf b/fail2ban/tests/config/filter.d/checklogtype_test.conf +new file mode 100644 +index 000000000..a76f5fcfb +--- /dev/null ++++ b/fail2ban/tests/config/filter.d/checklogtype_test.conf +@@ -0,0 +1,12 @@ ++# Fail2Ban configuration file ++# ++ ++[INCLUDES] ++ ++# Read common prefixes (logtype is set in default section) ++before = checklogtype.conf ++ ++[Definition] ++ ++# overwrite logtype in definition (no backend anymore): ++logtype = test +\ No newline at end of file +diff --git a/fail2ban/tests/config/jail.conf b/fail2ban/tests/config/jail.conf +index de5bbbdc5..b1a1707b6 100644 +--- a/fail2ban/tests/config/jail.conf ++++ b/fail2ban/tests/config/jail.conf +@@ -74,3 +74,28 @@ journalmatch = _COMM=test + maxlines = 2 + usedns = no + enabled = false ++ ++[checklogtype_jrnl] ++filter = checklogtype ++backend = systemd ++action = action ++enabled = false ++ ++[checklogtype_file] ++filter = checklogtype ++backend = polling ++logpath = README.md ++action = action ++enabled = false ++ ++[checklogtype_test] ++filter = checklogtype_test ++backend = systemd ++action = action ++enabled = false ++ ++[checklogtype_init] ++filter = checklogtype_test[logtype=init] ++backend = systemd ++action = action ++enabled = false diff --git a/fail2ban.spec b/fail2ban.spec index 1125bfa..e238742 100644 --- a/fail2ban.spec +++ b/fail2ban.spec 
@@ -13,8 +13,12 @@ Patch0: fail2ban-partof.patch Patch1: https://github.com/fail2ban/fail2ban/commit/ec37b1942c4da76f7a0f71efe81bea6835466648.patch # testIPAddr_CompareDNS: add missing network constraint Patch2: https://github.com/fail2ban/fail2ban/commit/b158f83aa3795f387c8475ceb48df197a94a37e8.patch -# FIx test thread stack size on aarch64 +# Fix test thread stack size on aarch64 Patch3: https://github.com/fail2ban/fail2ban/commit/8694c547285c4030d4bf7661981673038e6e9829.patch +# Fix handling of journal in tests +Patch4: https://github.com/fail2ban/fail2ban/commit/8dc6f30cdd855c41b80ebdde3fe2bc91cc94e594.patch +# Fix test install +Patch5: https://patch-diff.githubusercontent.com/raw/fail2ban/fail2ban/pull/2605.patch BuildRequires: python3-devel BuildRequires: /usr/bin/2to3 @@ -170,6 +174,9 @@ find -type f -exec sed -i -e '1s,^#!/usr/bin/python *,#!/usr/bin/python%{python3 %install %py3_install +# Make symbolic link relative +ln -fs python3 %{buildroot}%{_bindir}/fail2ban-python + %if 0%{?fedora} || 0%{?rhel} >= 7 mkdir -p %{buildroot}%{_unitdir} cp -p build/fail2ban.service %{buildroot}%{_unitdir}/ @@ -214,10 +221,10 @@ EOF # Remove installed doc, use doc macro instead rm -r %{buildroot}%{_docdir}/%{name} + %check -# testSampleRegexsSSHD fails for some reason when run alongside all other tests -%python3 bin/fail2ban-testcases --no-network testSampleRegexsSSHD -%python3 bin/fail2ban-testcases --no-network -i testSampleRegexsSSHD +%python3 bin/fail2ban-testcases --verbosity=2 --no-network + %post server %if 0%{?fedora} || 0%{?rhel} >= 7 From 1a4d927b86e84de101162e1662b19bead9a69a76 Mon Sep 17 00:00:00 2001 From: Orion Poplawski Date: Mon, 20 Jan 2020 21:03:06 -0700 Subject: [PATCH 3/9] Move action.d/mail-whois-common.conf into fail2ban-server --- fail2ban.spec | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/fail2ban.spec b/fail2ban.spec index e238742..652186b 100644 --- a/fail2ban.spec +++ b/fail2ban.spec 
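Review bot: `Patch5: https://patch-diff.githubusercontent.com/raw/fail2ban/fail2ban/pull/2605.patch` points at a PR URL whose content follows the PR head, so unlike the commit-hash URL used for Patch4 it cannot be used later to re-verify the checked-in 2605.patch. The file added in this commit contains two upstream commits, 3965d690b137152b2a0a6a46989178b5566cfd8e and 5fa1f69264d3c23793f64c03c96737d54555e919; recording them beside the patch keeps the provenance reproducible, e.g. `# Fix test install (PR 2605 = upstream commits 3965d690b1 + 5fa1f69264)`. The `%check` hunk in the same file section removes the comment that explained why testSampleRegexsSSHD was run on its own; if the upstream fixes carried by Patch4/Patch5 are what makes the split unnecessary, a one-line note saying so would save the next person from rediscovering it.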
@@ -1,7 +1,7 @@ Summary: Daemon to ban hosts that cause multiple authentication errors Name: fail2ban Version: 0.11.1 -Release: 1%{?dist} +Release: 2%{?dist} License: GPLv2+ URL: http://fail2ban.sourceforge.net/ Source0: https://github.com/%{name}/%{name}/archive/%{version}.tar.gz#/%{name}-%{version}.tar.gz @@ -272,7 +272,10 @@ fi %config(noreplace) %{_sysconfdir}/fail2ban %exclude %{_sysconfdir}/fail2ban/action.d/complain.conf %exclude %{_sysconfdir}/fail2ban/action.d/hostsdeny.conf -%exclude %{_sysconfdir}/fail2ban/action.d/mail-*.conf +%exclude %{_sysconfdir}/fail2ban/action.d/mail.conf +%exclude %{_sysconfdir}/fail2ban/action.d/mail-buffered.conf +%exclude %{_sysconfdir}/fail2ban/action.d/mail-whois.conf +%exclude %{_sysconfdir}/fail2ban/action.d/mail-whois-lines.conf %exclude %{_sysconfdir}/fail2ban/action.d/sendmail-*.conf %exclude %{_sysconfdir}/fail2ban/action.d/shorewall.conf %exclude %{_sysconfdir}/fail2ban/jail.d/*.conf @@ -297,7 +300,10 @@ fi %files mail %config(noreplace) %{_sysconfdir}/fail2ban/action.d/complain.conf -%config(noreplace) %{_sysconfdir}/fail2ban/action.d/mail-*.conf +%config(noreplace) %{_sysconfdir}/fail2ban/action.d/mail.conf +%config(noreplace) %{_sysconfdir}/fail2ban/action.d/mail-buffered.conf +%config(noreplace) %{_sysconfdir}/fail2ban/action.d/mail-whois.conf +%config(noreplace) %{_sysconfdir}/fail2ban/action.d/mail-whois-lines.conf %files sendmail %config(noreplace) %{_sysconfdir}/fail2ban/action.d/sendmail-*.conf @@ -310,6 +316,9 @@ fi %changelog +* Tue Jan 21 2020 Orion Poplawski - 0.11.1-2 +- Move action.d/mail-whois-common.conf into fail2ban-server + * Tue Jan 14 2020 Orion Poplawski - 0.11.1-1 - Update to 0.11.1 From 143f9afcfe02d123b3dff047a58903ca0bef1e2f Mon Sep 17 00:00:00 2001 From: Fedora Release Engineering Date: Tue, 28 Jan 2020 18:04:56 +0000 Subject: [PATCH 4/9] - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild 
Signed-off-by: Fedora Release Engineering --- fail2ban.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/fail2ban.spec b/fail2ban.spec index 652186b..5e72d32 100644 --- a/fail2ban.spec +++ b/fail2ban.spec @@ -1,7 +1,7 @@ Summary: Daemon to ban hosts that cause multiple authentication errors Name: fail2ban Version: 0.11.1 -Release: 2%{?dist} +Release: 3%{?dist} License: GPLv2+ URL: http://fail2ban.sourceforge.net/ Source0: https://github.com/%{name}/%{name}/archive/%{version}.tar.gz#/%{name}-%{version}.tar.gz @@ -316,6 +316,9 @@ fi %changelog +* Tue Jan 28 2020 Fedora Release Engineering - 0.11.1-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + * Tue Jan 21 2020 Orion Poplawski - 0.11.1-2 - Move action.d/mail-whois-common.conf into fail2ban-server From 9c838cdfb9d50522ff80eb70caa1c6a6fb4518f2 Mon Sep 17 00:00:00 2001 From: Orion Poplawski Date: Fri, 29 Nov 2019 19:33:59 -0700 Subject: [PATCH 5/9] Add SELinux policy --- Makefile | 26 +++++ fail2ban.fc | 9 ++ fail2ban.if | 313 ++++++++++++++++++++++++++++++++++++++++++++++++++ fail2ban.spec | 51 +++++++- fail2ban.te | 190 ++++++++++++++++++++++++++++++ 5 files changed, 588 insertions(+), 1 deletion(-) create mode 100644 Makefile create mode 100644 fail2ban.fc create mode 100644 fail2ban.if create mode 100644 fail2ban.te diff --git a/Makefile b/Makefile new file mode 100644 index 0000000..70b552a --- /dev/null +++ b/Makefile 
@@ -0,0 +1,26 @@ +TARGET?=fail2ban +MODULES?=${TARGET:=.pp.bz2} +SHAREDIR?=/usr/share + +all: ${TARGET:=.pp.bz2} + +%.pp.bz2: %.pp + @echo Compressing $^ -\> $@ + bzip2 -9 $^ + +%.pp: %.te + make -f ${SHAREDIR}/selinux/devel/Makefile $@ + +clean: + rm -f *~ *.tc *.pp *.pp.bz2 + rm -rf tmp *.tar.gz + +man: install-policy + sepolicy manpage --path . --domain ${TARGET}_t + +install-policy: all + semodule -i ${TARGET}.pp.bz2 + +install: man + install -D -m 644 ${TARGET}.pp.bz2 ${DESTDIR}${SHAREDIR}/selinux/packages/${TARGET}.pp.bz2 + install -D -m 644 ${TARGET}_selinux.8 ${DESTDIR}${SHAREDIR}/man/man8/ diff --git a/fail2ban.fc b/fail2ban.fc new file mode 100644 index 0000000..4da938f --- /dev/null +++ b/fail2ban.fc @@ -0,0 +1,9 @@ +/etc/rc\.d/init\.d/fail2ban -- gen_context(system_u:object_r:fail2ban_initrc_exec_t,s0) + +/usr/bin/fail2ban -- gen_context(system_u:object_r:fail2ban_exec_t,s0) +/usr/bin/fail2ban-client -- gen_context(system_u:object_r:fail2ban_client_exec_t,s0) +/usr/bin/fail2ban-server -- gen_context(system_u:object_r:fail2ban_exec_t,s0) + +/var/lib/fail2ban(/.*)? gen_context(system_u:object_r:fail2ban_var_lib_t,s0) +/var/log/fail2ban\.log.* -- gen_context(system_u:object_r:fail2ban_log_t,s0) +/var/run/fail2ban.* gen_context(system_u:object_r:fail2ban_var_run_t,s0) diff --git a/fail2ban.if b/fail2ban.if new file mode 100644 index 0000000..94e1936 --- /dev/null +++ b/fail2ban.if 
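Review bot: The pattern rule `%.pp: %.te` names only the .te file as a prerequisite, so editing fail2ban.fc or fail2ban.if does not rebuild fail2ban.pp although the devel Makefile compiles all three sources into the module; `%.pp: %.te %.fc %.if` closes that gap. `MODULES?=${TARGET:=.pp.bz2}` is assigned but never referenced — either use it in the `all` target or drop it. The `install-policy` and `man` targets run `semodule -i` and `sepolicy manpage` against the running host, which is only meaningful for developer use; the spec invokes `make -f %SOURCE4` with the default `all` target, so a comment such as `# 'install' and 'install-policy' act on the build host; the RPM build uses only 'all'` would stop someone wiring `install` into %install.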
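Review bot: In `/var/run/fail2ban.* gen_context(system_u:object_r:fail2ban_var_run_t,s0)` the dot is unescaped, so the pattern also labels unrelated names such as `/var/run/fail2banfoo`, whereas the log entry above correctly escapes it (`fail2ban\.log`). Since fail2ban.te in this same commit grants `manage_dirs_pattern` and `manage_sock_files_pattern` on fail2ban_var_run_t, the runtime files presumably live in a directory, and `/var/run/fail2ban(/.*)? gen_context(system_u:object_r:fail2ban_var_run_t,s0)` would mirror the `/var/lib/fail2ban(/.*)?` entry. The `/usr/bin/fail2ban -- ...` entry labels a bare `fail2ban` binary that the spec's %files sections on this page do not appear to ship (only fail2ban-client and fail2ban-server are listed) — worth confirming it is not dead.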
@@ -0,0 +1,313 @@ +## Update firewall filtering to ban IP addresses with too many password failures. + +######################################## +## +## Execute a domain transition to run fail2ban. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`fail2ban_domtrans',` + gen_require(` + type fail2ban_t, fail2ban_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, fail2ban_exec_t, fail2ban_t) +') + +####################################### +## +## Execute the fail2ban client in +## the fail2ban client domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`fail2ban_domtrans_client',` + gen_require(` + type fail2ban_client_t, fail2ban_client_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, fail2ban_client_exec_t, fail2ban_client_t) +') + +####################################### +## +## Execute fail2ban client in the +## fail2ban client domain, and allow +## the specified role the fail2ban +## client domain. +## +## +## +## Domain allowed to transition. +## +## +## +## +## Role allowed access. +## +## +# +interface(`fail2ban_run_client',` + gen_require(` + attribute_role fail2ban_client_roles; + ') + + fail2ban_domtrans_client($1) + roleattribute $2 fail2ban_client_roles; +') + +##################################### +## +## Connect to fail2ban over a unix domain +## stream socket. +## +## +## +## Domain allowed access. +## +## +# +interface(`fail2ban_stream_connect',` + gen_require(` + type fail2ban_t, fail2ban_var_run_t; + ') + + files_search_pids($1) + stream_connect_pattern($1, fail2ban_var_run_t, fail2ban_var_run_t, fail2ban_t) +') + +######################################## +## +## Read and write inherited temporary files. +## +## +## +## Domain allowed access. 
+## +## +# +interface(`fail2ban_rw_inherited_tmp_files',` + gen_require(` + type fail2ban_tmp_t; + ') + + files_search_tmp($1) + allow $1 fail2ban_tmp_t:file rw_inherited_file_perms; +') + +######################################## +## +## Read and write to an fail2ba unix stream socket. +## +## +## +## Domain allowed access. +## +## +# +interface(`fail2ban_rw_stream_sockets',` + gen_require(` + type fail2ban_t; + ') + + allow $1 fail2ban_t:unix_stream_socket rw_stream_socket_perms; +') + +####################################### +## +## Do not audit attempts to use +## fail2ban file descriptors. +## +## +## +## Domain to not audit. +## +## +# +interface(`fail2ban_dontaudit_use_fds',` + gen_require(` + type fail2ban_t; + ') + + dontaudit $1 fail2ban_t:fd use; +') + +####################################### +## +## Do not audit attempts to read and +## write fail2ban unix stream sockets +## +## +## +## Domain to not audit. +## +## +# +interface(`fail2ban_dontaudit_rw_stream_sockets',` + gen_require(` + type fail2ban_t; + ') + + dontaudit $1 fail2ban_t:unix_stream_socket { read write }; +') + +######################################## +## +## Read fail2ban lib files. +## +## +## +## Domain allowed access. +## +## +# +interface(`fail2ban_read_lib_files',` + gen_require(` + type fail2ban_var_lib_t; + ') + + files_search_var_lib($1) + read_files_pattern($1, fail2ban_var_lib_t, fail2ban_var_lib_t) +') + +######################################## +## +## Allow the specified domain to read fail2ban's log files. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`fail2ban_read_log',` + gen_require(` + type fail2ban_log_t; + ') + + logging_search_logs($1) + allow $1 fail2ban_log_t:dir list_dir_perms; + allow $1 fail2ban_log_t:file read_file_perms; +') + +######################################## +## +## Allow the specified domain to append +## fail2ban log files. +## +## +## +## Domain allowed access. 
+## +## +# +interface(`fail2ban_append_log',` + gen_require(` + type fail2ban_log_t; + ') + + logging_search_logs($1) + allow $1 fail2ban_log_t:dir list_dir_perms; + allow $1 fail2ban_log_t:file append_file_perms; +') + +######################################## +## +## Read fail2ban PID files. +## +## +## +## Domain allowed access. +## +## +# +interface(`fail2ban_read_pid_files',` + gen_require(` + type fail2ban_var_run_t; + ') + + files_search_pids($1) + allow $1 fail2ban_var_run_t:file read_file_perms; +') + +######################################## +## +## dontaudit read and write an leaked file descriptors +## +## +## +## Domain to not audit. +## +## +# +interface(`fail2ban_dontaudit_leaks',` + gen_require(` + type fail2ban_t; + ') + + dontaudit $1 fail2ban_t:tcp_socket { read write }; + dontaudit $1 fail2ban_t:unix_dgram_socket { read write }; + dontaudit $1 fail2ban_t:unix_stream_socket { read write }; +') + +######################################## +## +## All of the rules required to administrate +## an fail2ban environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the fail2ban domain. 
+## +## +## +# +interface(`fail2ban_admin',` + gen_require(` + type fail2ban_t, fail2ban_log_t, fail2ban_initrc_exec_t; + type fail2ban_var_run_t, fail2ban_var_lib_t, fail2ban_tmp_t; + type fail2ban_client_t; + ') + + allow $1 { fail2ban_t fail2ban_client_t }:process signal_perms; + ps_process_pattern($1, { fail2ban_t fail2ban_client_t }) + + tunable_policy(`deny_ptrace',`',` + allow $1 { fail2ban_t fail2ban_client_t }:process ptrace; + ') + + init_labeled_script_domtrans($1, fail2ban_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 fail2ban_initrc_exec_t system_r; + allow $2 system_r; + + logging_list_logs($1) + admin_pattern($1, fail2ban_log_t) + + files_list_pids($1) + admin_pattern($1, fail2ban_var_run_t) + + files_list_var_lib($1) + admin_pattern($1, fail2ban_var_lib_t) + + files_list_tmp($1) + admin_pattern($1, fail2ban_tmp_t) + + fail2ban_run_client($1, $2) +') diff --git a/fail2ban.spec b/fail2ban.spec index 5e72d32..27557e1 100644 --- a/fail2ban.spec +++ b/fail2ban.spec @@ -1,10 +1,15 @@ Summary: Daemon to ban hosts that cause multiple authentication errors Name: fail2ban Version: 0.11.1 -Release: 3%{?dist} +Release: 4%{?dist} License: GPLv2+ URL: http://fail2ban.sourceforge.net/ Source0: https://github.com/%{name}/%{name}/archive/%{version}.tar.gz#/%{name}-%{version}.tar.gz +# SELinux policy +Source1: fail2ban.fc +Source2: fail2ban.if +Source3: fail2ban.te +Source4: Makefile # Give up being PartOf iptables and ipset for now # https://bugzilla.redhat.com/show_bug.cgi?id=1379141 # https://bugzilla.redhat.com/show_bug.cgi?id=1573185 @@ -29,6 +34,7 @@ BuildArch: noarch %if 0%{?fedora} || 0%{?rhel} >= 7 BuildRequires: systemd %endif +BuildRequires: selinux-policy-devel # Default components Requires: %{name}-firewalld = %{version}-%{release} Requires: %{name}-sendmail = %{version}-%{release} 
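Review bot: The summary of `fail2ban_rw_stream_sockets` reads `Read and write to an fail2ba unix stream socket.`; the domain name is misspelled and the article should be `a`, so `Read and write to a fail2ban unix stream socket.`. `fail2ban_dontaudit_leaks` has the same article problem in `dontaudit read and write an leaked file descriptors` and should read `Do not audit attempts to read and write leaked fail2ban file descriptors.`, matching the phrasing of the other dontaudit interfaces in the file.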
@@ -52,6 +58,16 @@ sub-packages are available to install support for other actions and configurations. +%package selinux +Summary: SELinux policies for Fail2Ban +%{?selinux_requires} +%global modulename fail2ban +%global selinuxtype targeted + +%description selinux +SELinux policies for Fail2Ban. + + %package server Summary: Core server component for Fail2Ban %if 0%{?fedora} || 0%{?rhel} >= 7 @@ -67,6 +83,7 @@ Requires(preun): /sbin/service %endif Requires: ipset Requires: iptables +Requires: (%{name}-selinux if selinux-policy-%{selinuxtype}) %description server This package contains the core server components for Fail2Ban with minimal @@ -167,9 +184,12 @@ by default. sed -i -e 's/^before = paths-.*/before = paths-fedora.conf/' config/jail.conf 2to3 --write --nobackups . find -type f -exec sed -i -e '1s,^#!/usr/bin/python *,#!/usr/bin/python%{python3_version},' {} + +# SELinux sources +cp -p %SOURCE1 %SOURCE2 %SOURCE3 . %build %py3_build +make -f %SOURCE4 %install %py3_install @@ -221,11 +241,32 @@ EOF # Remove installed doc, use doc macro instead rm -r %{buildroot}%{_docdir}/%{name} +# SELinux +# install policy modules +install -d %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype} +install -m 0644 %{modulename}.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype} + %check %python3 bin/fail2ban-testcases --verbosity=2 --no-network + +%pre selinux +%selinux_relabel_pre -s %{selinuxtype} + +%post selinux +%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2 + +%postun selinux +if [ $1 -eq 0 ]; then + %selinux_modules_uninstall -s %{selinuxtype} %{modulename} +fi + +%posttrans selinux +%selinux_relabel_post -s %{selinuxtype} + + %post server %if 0%{?fedora} || 0%{?rhel} >= 7 %systemd_post fail2ban.service 
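Review bot: `Requires: (%{name}-selinux if selinux-policy-%{selinuxtype})` is a boolean dependency, which rpm only understands from 4.13 on; the spec still carries `%if 0%{?fedora} || 0%{?rhel} >= 7` conditionals, and if it is also built for EL7 (rpm 4.11) this line makes the build fail to parse. Guarding it, e.g. `%if 0%{?fedora} || 0%{?rhel} >= 8` around the rich dependency with a plain `Requires: %{name}-selinux` in the `%else` branch, keeps both cases working. Separately, `%{?selinux_requires}` in the `%package selinux` hunk expands to nothing if the selinux-policy macro set is missing at build time, while `%post selinux` uses `%selinux_modules_install` unconditionally, so a missing macro would surface only as a failing scriptlet at install; with `BuildRequires: selinux-policy-devel` already present the macro set is expected, and a build-time failure is the safer signal.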
@@ -250,6 +291,11 @@ fi %files +%files selinux +%{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2 +%ghost %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{name} +%license COPYING + %files server %doc README.md TODO ChangeLog COPYING doc/*.txt %{_bindir}/fail2ban-client @@ -316,6 +362,9 @@ fi %changelog +* Wed Feb 26 2020 Orion Poplawski - 0.11.1-4 +- Add SELinux policy + * Tue Jan 28 2020 Fedora Release Engineering - 0.11.1-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild diff --git a/fail2ban.te b/fail2ban.te new file mode 100644 index 0000000..0b5effb --- /dev/null +++ b/fail2ban.te 
@@ -0,0 +1,190 @@
+policy_module(fail2ban, 1.5.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role fail2ban_client_roles;
+
+type fail2ban_t;
+type fail2ban_exec_t;
+init_daemon_domain(fail2ban_t, fail2ban_exec_t)
+
+type fail2ban_initrc_exec_t;
+init_script_file(fail2ban_initrc_exec_t)
+
+type fail2ban_log_t;
+logging_log_file(fail2ban_log_t)
+
+type fail2ban_var_lib_t;
+files_type(fail2ban_var_lib_t)
+
+type fail2ban_var_run_t;
+files_pid_file(fail2ban_var_run_t)
+
+type fail2ban_tmp_t;
+files_tmp_file(fail2ban_tmp_t)
+
+type fail2ban_client_t;
+type fail2ban_client_exec_t;
+init_system_domain(fail2ban_client_t, fail2ban_client_exec_t)
+role fail2ban_client_roles types fail2ban_client_t;
+
+########################################
+#
+# Server Local policy
+#
+
+allow fail2ban_t self:capability { dac_read_search sys_tty_config };
+allow fail2ban_t self:process { getpgid setsched signal };
+allow fail2ban_t self:fifo_file rw_fifo_file_perms;
+allow fail2ban_t self:unix_stream_socket { accept connectto listen };
+allow fail2ban_t self:tcp_socket { accept listen };
+allow fail2ban_t self:netlink_netfilter_socket create_socket_perms;
+
+read_files_pattern(fail2ban_t, fail2ban_t, fail2ban_t)
+
+append_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t)
+create_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t)
+setattr_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t)
+logging_log_filetrans(fail2ban_t, fail2ban_log_t, file)
+
+manage_dirs_pattern(fail2ban_t, fail2ban_tmp_t, fail2ban_tmp_t)
+manage_files_pattern(fail2ban_t, fail2ban_tmp_t, fail2ban_tmp_t)
+exec_files_pattern(fail2ban_t, fail2ban_tmp_t, fail2ban_tmp_t)
+files_tmp_filetrans(fail2ban_t, fail2ban_tmp_t, { dir file })
+
+manage_dirs_pattern(fail2ban_t, fail2ban_var_lib_t, fail2ban_var_lib_t)
+manage_files_pattern(fail2ban_t, fail2ban_var_lib_t, fail2ban_var_lib_t)
+
+manage_dirs_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
+manage_sock_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
+manage_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
+files_pid_filetrans(fail2ban_t, fail2ban_var_run_t, file)
+
+kernel_read_system_state(fail2ban_t)
+kernel_read_network_state(fail2ban_t)
+
+
+corecmd_exec_bin(fail2ban_t)
+corecmd_exec_shell(fail2ban_t)
+
+corenet_all_recvfrom_netlabel(fail2ban_t)
+corenet_tcp_sendrecv_generic_if(fail2ban_t)
+corenet_tcp_sendrecv_generic_node(fail2ban_t)
+
+corenet_sendrecv_whois_client_packets(fail2ban_t)
+corenet_tcp_connect_whois_port(fail2ban_t)
+corenet_tcp_sendrecv_whois_port(fail2ban_t)
+
+dev_read_urand(fail2ban_t)
+
+domain_use_interactive_fds(fail2ban_t)
+domain_dontaudit_read_all_domains_state(fail2ban_t)
+
+files_read_etc_runtime_files(fail2ban_t)
+files_list_var(fail2ban_t)
+files_dontaudit_list_tmp(fail2ban_t)
+
+fs_list_inotifyfs(fail2ban_t)
+fs_getattr_all_fs(fail2ban_t)
+
+auth_use_nsswitch(fail2ban_t)
+
+logging_read_all_logs(fail2ban_t)
+logging_read_audit_log(fail2ban_t)
+logging_send_syslog_msg(fail2ban_t)
+logging_read_syslog_pid(fail2ban_t)
+logging_dontaudit_search_audit_logs(fail2ban_t)
+logging_mmap_generic_logs(fail2ban_t)
+logging_mmap_journal(fail2ban_t)
+
+mta_send_mail(fail2ban_t)
+
+sysnet_manage_config(fail2ban_t)
+
+optional_policy(`
+ apache_read_log(fail2ban_t)
+')
+
+optional_policy(`
+ dbus_system_bus_client(fail2ban_t)
+ dbus_connect_system_bus(fail2ban_t)
+
+ optional_policy(`
+ firewalld_dbus_chat(fail2ban_t)
+ ')
+')
+
+optional_policy(`
+ ftp_read_log(fail2ban_t)
+')
+
+optional_policy(`
+ gnome_dontaudit_search_config(fail2ban_t)
+')
+
+optional_policy(`
+ iptables_domtrans(fail2ban_t)
+')
+
+optional_policy(`
+ allow fail2ban_t self:capability sys_resource;
+ allow fail2ban_t self:process setrlimit;
+ journalctl_exec(fail2ban_t)
+')
+
+optional_policy(`
+ libs_exec_ldconfig(fail2ban_t)
+')
+
+optional_policy(`
+ rpm_exec(fail2ban_t)
+')
+
+optional_policy(`
+ 
shorewall_domtrans(fail2ban_t) +') + +######################################## +# +# Client Local policy +# + +allow fail2ban_client_t self:capability { dac_read_search }; +allow fail2ban_client_t self:unix_stream_socket { create connect write read }; + +domtrans_pattern(fail2ban_client_t, fail2ban_exec_t, fail2ban_t) + +allow fail2ban_client_t fail2ban_t:process { rlimitinh }; + +dontaudit fail2ban_client_t fail2ban_var_run_t:dir_file_class_set audit_access; +allow fail2ban_client_t fail2ban_var_run_t:dir write; +stream_connect_pattern(fail2ban_client_t, fail2ban_var_run_t, fail2ban_var_run_t, fail2ban_t) + +kernel_read_system_state(fail2ban_client_t) + +corecmd_exec_bin(fail2ban_client_t) + +dev_read_urand(fail2ban_client_t) +dev_read_rand(fail2ban_client_t) + +domain_use_interactive_fds(fail2ban_client_t) + +files_search_pids(fail2ban_client_t) + +auth_use_nsswitch(fail2ban_client_t) + +libs_exec_ldconfig(fail2ban_client_t) + +logging_getattr_all_logs(fail2ban_client_t) +logging_search_all_logs(fail2ban_client_t) +logging_read_audit_log(fail2ban_client_t) + +userdom_dontaudit_search_user_home_dirs(fail2ban_client_t) +userdom_use_user_terminals(fail2ban_client_t) + +optional_policy(` + apache_read_log(fail2ban_client_t) +') From e923ba837168bac553e8a17106f52d85a6248ac7 Mon Sep 17 00:00:00 2001 From: Orion Poplawski Date: Wed, 26 Feb 2020 19:54:14 -0700 Subject: [PATCH 6/9] Update to lastest selinux-policy-contrib --- fail2ban.te | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/fail2ban.te b/fail2ban.te index 0b5effb..302f4bc 100644 --- a/fail2ban.te +++ b/fail2ban.te @@ -65,7 +65,7 @@ files_pid_filetrans(fail2ban_t, fail2ban_var_run_t, file) kernel_read_system_state(fail2ban_t) kernel_read_network_state(fail2ban_t) - +kernel_read_net_sysctls(fail2ban_t) corecmd_exec_bin(fail2ban_t) corecmd_exec_shell(fail2ban_t) 
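Review bot: The widest grants to fail2ban_t carry no comment stating which fail2ban feature needs them, which makes the policy hard to narrow later: `sysnet_manage_config(fail2ban_t)` permits creating, writing and deleting net_conf_t files rather than only reading them; `corecmd_exec_shell(fail2ban_t)` together with `exec_files_pattern(fail2ban_t, fail2ban_tmp_t, fail2ban_tmp_t)` lets the daemon run a shell and execute files carrying the label its own tmp files receive through `files_tmp_filetrans`; and `read_files_pattern(fail2ban_t, fail2ban_t, fail2ban_t)` uses the domain type in the file-type position, presumably for the daemon's own /proc entries. A one-line why-comment above each — for example `# hostsdeny action rewrites /etc/hosts.deny (net_conf_t) — confirm` above sysnet_manage_config and `# ban/unban actions are run as shell command lines — confirm` above corecmd_exec_shell — records the justification the next reviewer needs to decide whether a rule can be dropped. The same applies to `allow fail2ban_client_t fail2ban_var_run_t:dir write;` in the client section, which goes beyond the search and connect access that `stream_connect_pattern` on the next line already grants for reaching the server socket. No `.fc` or `.if` companion is part of this diff, so the file contexts and the role handling for fail2ban_client_roles cannot be reviewed here.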
@@ -79,6 +79,7 @@ corenet_tcp_connect_whois_port(fail2ban_t) corenet_tcp_sendrecv_whois_port(fail2ban_t) dev_read_urand(fail2ban_t) +dev_read_sysfs(fail2ban_t) domain_use_interactive_fds(fail2ban_t) domain_dontaudit_read_all_domains_state(fail2ban_t) From 3df6a1af6947b244143b4a4ad2f45c84ec6413e5 Mon Sep 17 00:00:00 2001 From: Richard Shaw Date: Wed, 18 Mar 2020 19:53:11 -0500 Subject: [PATCH 7/9] Commit fixes for Python 3.9. --- 2651.patch | 65 +++++++++++++++++++ ...c1cdd296530f331637c725bd2bb0549e01e6.patch | 54 +++++++++++++++ ...f30cdd855c41b80ebdde3fe2bc91cc94e594.patch | 34 ++-------- fail2ban.spec | 4 ++ 4 files changed, 130 insertions(+), 27 deletions(-) create mode 100644 2651.patch create mode 100644 343ec1cdd296530f331637c725bd2bb0549e01e6.patch diff --git a/2651.patch b/2651.patch new file mode 100644 index 0000000..520d5d2 --- /dev/null +++ b/2651.patch 
@@ -0,0 +1,65 @@ +From 781a25512b107828aff71998c19f2fa4dbf471c1 Mon Sep 17 00:00:00 2001 +From: "Sergey G. Brester" +Date: Fri, 6 Mar 2020 19:04:39 +0100 +Subject: [PATCH 1/4] travis CI: add 3.9-dev as target + +--- + .travis.yml | 1 + + 1 file changed, 1 insertion(+) + +--- a/fail2ban/server/jailthread.py ++++ b/fail2ban/server/jailthread.py +@@ -120,3 +120,6 @@ class JailThread(Thread): + ## python 2.x replace binding of private __bootstrap method: + if sys.version_info < (3,): # pragma: 3.x no cover + JailThread._Thread__bootstrap = JailThread._JailThread__bootstrap ++## python 3.9, restore isAlive method: ++elif not hasattr(JailThread, 'isAlive'): # pragma: 2.x no cover ++ JailThread.isAlive = JailThread.is_alive +--- a/fail2ban/tests/sockettestcase.py ++++ b/fail2ban/tests/sockettestcase.py +@@ -87,7 +87,7 @@ class Socket(LogCaptureTestCase): + def _stopServerThread(self): + serverThread = self.serverThread + # wait for end of thread : +- Utils.wait_for(lambda: not serverThread.isAlive() ++ Utils.wait_for(lambda: not serverThread.is_alive() + or serverThread.join(Utils.DEFAULT_SLEEP_TIME), unittest.F2B.maxWaitTime(10)) + self.serverThread = None + +@@ -98,7 +98,7 @@ class Socket(LogCaptureTestCase): + self.server.close() + # wait for end of thread : + self._stopServerThread() +- self.assertFalse(serverThread.isAlive()) ++ self.assertFalse(serverThread.is_alive()) + # clean : + self.server.stop() + self.assertFalse(self.server.isActive()) +@@ -139,7 +139,7 @@ class Socket(LogCaptureTestCase): + self.server.stop() + # wait for end of thread : + self._stopServerThread() +- self.assertFalse(serverThread.isAlive()) ++ self.assertFalse(serverThread.is_alive()) + self.assertFalse(self.server.isActive()) + self.assertFalse(os.path.exists(self.sock_name)) + +@@ -180,7 +180,7 @@ class Socket(LogCaptureTestCase): + self.server.stop() + # wait for end of thread : + self._stopServerThread() +- self.assertFalse(serverThread.isAlive()) ++ 
self.assertFalse(serverThread.is_alive()) + + def testLoopErrors(self): + # replace poll handler to produce error in loop-cycle: +@@ -216,7 +216,7 @@ class Socket(LogCaptureTestCase): + self.server.stop() + # wait for end of thread : + self._stopServerThread() +- self.assertFalse(serverThread.isAlive()) ++ self.assertFalse(serverThread.is_alive()) + self.assertFalse(self.server.isActive()) + self.assertFalse(os.path.exists(self.sock_name)) + diff --git a/343ec1cdd296530f331637c725bd2bb0549e01e6.patch b/343ec1cdd296530f331637c725bd2bb0549e01e6.patch new file mode 100644 index 0000000..fb597ad --- /dev/null +++ b/343ec1cdd296530f331637c725bd2bb0549e01e6.patch 
@@ -0,0 +1,54 @@ +From 343ec1cdd296530f331637c725bd2bb0549e01e6 Mon Sep 17 00:00:00 2001 +From: sebres +Date: Wed, 18 Mar 2020 20:37:25 +0100 +Subject: [PATCH] test-causes: avoid host-depending issue (mistakenly ignoring + IP 127.0.0.2 as own address) - replace loop-back addr with test sub-net addr + (and disable ignoreself) + +--- + fail2ban/tests/observertestcase.py | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/fail2ban/tests/observertestcase.py b/fail2ban/tests/observertestcase.py +index 8e9444548..e379ccd18 100644 +--- a/fail2ban/tests/observertestcase.py ++++ b/fail2ban/tests/observertestcase.py +@@ -36,7 +36,6 @@ + from ..server.observer import Observers, ObserverThread + from ..server.utils import Utils + from .utils import LogCaptureTestCase +-from ..server.filter import Filter + from .dummyjail import DummyJail + + from .databasetestcase import getFail2BanDb, Fail2BanDb +@@ -224,7 +223,7 @@ def testBanTimeIncr(self): + jail.actions.setBanTime(10) + jail.setBanTimeExtra('increment', 'true') + jail.setBanTimeExtra('multipliers', '1 2 4 8 16 32 64 128 256 512 1024 2048') +- ip = "127.0.0.2" ++ ip = "192.0.2.1" + # used as start and fromtime (like now but time independence, cause test case can run slow): + stime = int(MyTime.time()) + ticket = FailTicket(ip, stime, []) +@@ -385,10 +384,12 @@ def testBanTimeIncr(self): + + # two separate jails : + jail1 = DummyJail(backend='polling') ++ jail1.filter.ignoreSelf = False + jail1.setBanTimeExtra('increment', 'true') + jail1.database = self.db + self.db.addJail(jail1) + jail2 = DummyJail(name='DummyJail-2', backend='polling') ++ jail2.filter.ignoreSelf = False + jail2.database = self.db + self.db.addJail(jail2) + ticket1 = FailTicket(ip, stime, []) +@@ -477,7 +478,7 @@ def testObserver(self): + self.assertEqual(tickets, []) + + # add failure: +- ip = "127.0.0.2" ++ ip = "192.0.2.1" + ticket = FailTicket(ip, stime-120, []) + failManager = FailManager() + failManager.setMaxRetry(3) 
diff --git a/8dc6f30cdd855c41b80ebdde3fe2bc91cc94e594.patch b/8dc6f30cdd855c41b80ebdde3fe2bc91cc94e594.patch index de372f3..abc806c 100644 --- a/8dc6f30cdd855c41b80ebdde3fe2bc91cc94e594.patch +++ b/8dc6f30cdd855c41b80ebdde3fe2bc91cc94e594.patch @@ -20,11 +20,9 @@ Subject: [PATCH] closes #2596: fixed supplying of backend-related `logtype` to create mode 100644 fail2ban/tests/config/filter.d/checklogtype.conf create mode 100644 fail2ban/tests/config/filter.d/checklogtype_test.conf -diff --git a/MANIFEST b/MANIFEST -index dbcc2f602..5680492af 100644 --- a/MANIFEST +++ b/MANIFEST -@@ -226,6 +226,8 @@ fail2ban/tests/clientreadertestcase.py +@@ -227,6 +227,8 @@ fail2ban/tests/clientreadertestcase.py fail2ban/tests/config/action.d/action.conf fail2ban/tests/config/action.d/brokenaction.conf fail2ban/tests/config/fail2ban.conf @@ -33,11 +31,9 @@ index dbcc2f602..5680492af 100644 fail2ban/tests/config/filter.d/simple.conf fail2ban/tests/config/filter.d/test.conf fail2ban/tests/config/filter.d/test.local -diff --git a/fail2ban/client/configreader.py b/fail2ban/client/configreader.py -index 66b987b28..20709b724 100644 --- a/fail2ban/client/configreader.py +++ b/fail2ban/client/configreader.py -@@ -120,6 +120,10 @@ def has_section(self, sec): +@@ -120,6 +120,10 @@ class ConfigReader(): except AttributeError: return False @@ -48,7 +44,7 @@ index 66b987b28..20709b724 100644 def merge_defaults(self, d): self._cfg.get_defaults().update(d) -@@ -261,8 +265,8 @@ def getOptions(self, sec, options, pOptions=None, shouldExist=False): +@@ -261,8 +265,8 @@ class ConfigReaderUnshared(SafeConfigPar logSys.warning("'%s' not defined in '%s'. Using default one: %r" % (optname, sec, optvalue)) values[optname] = optvalue 
@@ -59,11 +55,9 @@ index 66b987b28..20709b724 100644 except ValueError: logSys.warning("Wrong value for '" + optname + "' in '" + sec + "'. Using default one: '" + repr(optvalue) + "'") -diff --git a/fail2ban/client/fail2banregex.py b/fail2ban/client/fail2banregex.py -index f6a4b141c..334c031f4 100644 --- a/fail2ban/client/fail2banregex.py +++ b/fail2ban/client/fail2banregex.py -@@ -372,11 +372,8 @@ def readRegex(self, value, regextype): +@@ -372,11 +372,8 @@ class Fail2banRegex(object): if not ret: output( "ERROR: failed to load filter %s" % value ) return False @@ -77,11 +71,9 @@ index f6a4b141c..334c031f4 100644 # get, interpolate and convert options: reader.getOptions(None) # show real options if expected: -diff --git a/fail2ban/client/filterreader.py b/fail2ban/client/filterreader.py -index ede18dca2..413f125e6 100644 --- a/fail2ban/client/filterreader.py +++ b/fail2ban/client/filterreader.py -@@ -53,6 +53,14 @@ def setFile(self, fileName): +@@ -53,6 +53,14 @@ class FilterReader(DefinitionInitConfigR def getFile(self): return self.__file @@ -96,11 +88,9 @@ index ede18dca2..413f125e6 100644 def convert(self): stream = list() opts = self.getCombined() -diff --git a/fail2ban/client/jailreader.py b/fail2ban/client/jailreader.py -index 917a562ce..1d7db0dc9 100644 --- a/fail2ban/client/jailreader.py +++ b/fail2ban/client/jailreader.py -@@ -142,11 +142,8 @@ def getOptions(self): +@@ -149,11 +149,8 @@ class JailReader(ConfigReader): ret = self.__filter.read() if not ret: raise JailDefError("Unable to read the filter %r" % filterName) @@ -114,11 +104,9 @@ index 917a562ce..1d7db0dc9 100644 # merge options from filter as 'known/...' (all options unfiltered): self.__filter.getOptions(self.__opts, all=True) ConfigReader.merge_section(self, self.__name, self.__filter.getCombined(), 'known/') -diff --git a/fail2ban/tests/clientreadertestcase.py b/fail2ban/tests/clientreadertestcase.py -index d39860f47..2c1d0a0e4 100644 --- a/fail2ban/tests/clientreadertestcase.py 
+++ b/fail2ban/tests/clientreadertestcase.py -@@ -328,7 +328,22 @@ def testOverrideFilterOptInJail(self): +@@ -328,7 +328,22 @@ class JailReaderTest(LogCaptureTestCase) self.assertFalse(len(o) > 2 and o[2].endswith('regex')) i += 1 if i > usednsidx: break @@ -142,9 +130,6 @@ index d39860f47..2c1d0a0e4 100644 def testSplitOption(self): # Simple example option = "mail-whois[name=SSH]" -diff --git a/fail2ban/tests/config/filter.d/checklogtype.conf b/fail2ban/tests/config/filter.d/checklogtype.conf -new file mode 100644 -index 000000000..4d700fffa --- /dev/null +++ b/fail2ban/tests/config/filter.d/checklogtype.conf @@ -0,0 +1,31 @@ @@ -179,9 +164,6 @@ index 000000000..4d700fffa +# specified in init parameter of jail (see ../jail.conf, jail checklogtype_init): +[lt_init] +__prefix_line = INIT -diff --git a/fail2ban/tests/config/filter.d/checklogtype_test.conf b/fail2ban/tests/config/filter.d/checklogtype_test.conf -new file mode 100644 -index 000000000..a76f5fcfb --- /dev/null +++ b/fail2ban/tests/config/filter.d/checklogtype_test.conf @@ -0,0 +1,12 @@ @@ -198,8 +180,6 @@ index 000000000..a76f5fcfb +# overwrite logtype in definition (no backend anymore): +logtype = test \ No newline at end of file -diff --git a/fail2ban/tests/config/jail.conf b/fail2ban/tests/config/jail.conf -index de5bbbdc5..b1a1707b6 100644 --- a/fail2ban/tests/config/jail.conf +++ b/fail2ban/tests/config/jail.conf @@ -74,3 +74,28 @@ journalmatch = _COMM=test diff --git a/fail2ban.spec b/fail2ban.spec index 27557e1..77698e5 100644 --- a/fail2ban.spec +++ b/fail2ban.spec 
@@ -24,6 +24,10 @@ Patch3: https://github.com/fail2ban/fail2ban/commit/8694c547285c4030d4bf76619816 Patch4: https://github.com/fail2ban/fail2ban/commit/8dc6f30cdd855c41b80ebdde3fe2bc91cc94e594.patch # Fix test install Patch5: https://patch-diff.githubusercontent.com/raw/fail2ban/fail2ban/pull/2605.patch +# Patch for Python 3.9 +# https://bugzilla.redhat.com/show_bug.cgi?id=1808347 +Patch6: https://patch-diff.githubusercontent.com/raw/fail2ban/fail2ban/pull/2651.patch +Patch7: https://github.com/fail2ban/fail2ban/commit/343ec1cdd296530f331637c725bd2bb0549e01e6.patch BuildRequires: python3-devel BuildRequires: /usr/bin/2to3 From a61ce58a32157d98e56650d2c34d1815fa36d91d Mon Sep 17 00:00:00 2001 From: Richard Shaw Date: Wed, 18 Mar 2020 19:58:01 -0500 Subject: [PATCH 8/9] Update for Python 3.9. --- fail2ban.spec | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/fail2ban.spec b/fail2ban.spec index 77698e5..0d892ad 100644 --- a/fail2ban.spec +++ b/fail2ban.spec @@ -1,7 +1,8 @@ -Summary: Daemon to ban hosts that cause multiple authentication errors Name: fail2ban Version: 0.11.1 -Release: 4%{?dist} +Release: 5%{?dist} +Summary: Daemon to ban hosts that cause multiple authentication errors + License: GPLv2+ URL: http://fail2ban.sourceforge.net/ Source0: https://github.com/%{name}/%{name}/archive/%{version}.tar.gz#/%{name}-%{version}.tar.gz @@ -255,7 +256,6 @@ install -m 0644 %{modulename}.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{ %python3 bin/fail2ban-testcases --verbosity=2 --no-network - %pre selinux %selinux_relabel_pre -s %{selinuxtype} @@ -366,6 +366,9 @@ fi %changelog +* Thu Mar 19 2020 Richard Shaw - 0.11.1-5 +- Update for Python 3.9. + * Wed Feb 26 2020 Orion Poplawski - 0.11.1-4 - Add SELinux policy From fe5d325c64f0fb945730be2689437c407f7028be Mon Sep 17 00:00:00 2001 
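Review bot: `Patch6:` points at `https://patch-diff.githubusercontent.com/raw/fail2ban/fail2ban/pull/2651.patch`, a pull-request URL whose content is regenerated whenever the PR branch gains commits or is force-pushed, so it does not pin what was actually checked in as `2651.patch`; `Patch7:` on the next line uses the immutable commit form. The checked-in file, whose header is visible earlier in this diff, is titled `[PATCH 1/4] travis CI: add 3.9-dev as target` and lists only `.travis.yml` in its diffstat while its body touches `fail2ban/server/jailthread.py` and `fail2ban/tests/sockettestcase.py`, so it appears to be a hand-assembled excerpt rather than the raw PR output. Record that provenance in the comment, e.g. `# Patch for Python 3.9 (restore Thread.isAlive); excerpt of upstream PR 2651, commit 781a25512b107828aff71998c19f2fa4dbf471c1` — the hash the checked-in file itself names — so the next rebase can re-derive the file from a fixed upstream object instead of a moving URL.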
From: Richard Shaw Date: Thu, 16 Apr 2020 07:26:35 -0500 Subject: [PATCH 9/9] Change default firewalld backend from ipset to rich-rules as ipset causes firewalld to use legacy iptables. Fixes RHBZ#1823746. Remove conditionals for EL versions less than 7. --- fail2ban.spec | 51 +++++++++++++++++---------------------------------- 1 file changed, 17 insertions(+), 34 deletions(-) diff --git a/fail2ban.spec b/fail2ban.spec index 0d892ad..22f73c2 100644 --- a/fail2ban.spec +++ b/fail2ban.spec @@ -1,6 +1,6 @@ Name: fail2ban Version: 0.11.1 -Release: 5%{?dist} +Release: 6%{?dist} Summary: Daemon to ban hosts that cause multiple authentication errors License: GPLv2+ @@ -36,9 +36,7 @@ BuildRequires: /usr/bin/2to3 BuildRequires: python3-inotify BuildRequires: sqlite BuildArch: noarch -%if 0%{?fedora} || 0%{?rhel} >= 7 BuildRequires: systemd -%endif BuildRequires: selinux-policy-devel # Default components Requires: %{name}-firewalld = %{version}-%{release} @@ -75,17 +73,10 @@ SELinux policies for Fail2Ban. %package server Summary: Core server component for Fail2Ban -%if 0%{?fedora} || 0%{?rhel} >= 7 Requires: python3-systemd Requires(post): systemd Requires(preun): systemd Requires(postun): systemd -%else -Requires: initscripts -Requires(post): /sbin/chkconfig -Requires(preun): /sbin/chkconfig -Requires(preun): /sbin/service -%endif Requires: ipset Requires: iptables Requires: (%{name}-selinux if selinux-policy-%{selinuxtype}) @@ -185,13 +176,16 @@ by default. %prep %autosetup -p1 + # Use Fedora paths sed -i -e 's/^before = paths-.*/before = paths-fedora.conf/' config/jail.conf 2to3 --write --nobackups . find -type f -exec sed -i -e '1s,^#!/usr/bin/python *,#!/usr/bin/python%{python3_version},' {} + + # SELinux sources cp -p %SOURCE1 %SOURCE2 %SOURCE3 . + %build %py3_build make -f %SOURCE4 
@@ -202,13 +196,8 @@ make -f %SOURCE4 # Make symbolic link relative ln -fs python3 %{buildroot}%{_bindir}/fail2ban-python -%if 0%{?fedora} || 0%{?rhel} >= 7 mkdir -p %{buildroot}%{_unitdir} cp -p build/fail2ban.service %{buildroot}%{_unitdir}/ -%else -mkdir -p %{buildroot}%{_initddir} -install -p -m 755 files/redhat-initd %{buildroot}%{_initddir}/fail2ban -%endif mkdir -p %{buildroot}%{_mandir}/man{1,5} install -p -m 644 man/*.1 %{buildroot}%{_mandir}/man1 install -p -m 644 man/*.5 %{buildroot}%{_mandir}/man5 @@ -219,21 +208,25 @@ install -m 0600 /dev/null %{buildroot}/run/fail2ban/fail2ban.pid install -d -m 0755 %{buildroot}%{_localstatedir}/lib/fail2ban/ mkdir -p %{buildroot}%{_tmpfilesdir} install -p -m 0644 files/fail2ban-tmpfiles.conf %{buildroot}%{_tmpfilesdir}/fail2ban.conf + # Remove non-Linux actions rm %{buildroot}%{_sysconfdir}/%{name}/action.d/*ipfw.conf rm %{buildroot}%{_sysconfdir}/%{name}/action.d/{ipfilter,pf,ufw}.conf rm %{buildroot}%{_sysconfdir}/%{name}/action.d/osx-*.conf + # Remove config files for other distros rm -f %{buildroot}%{_sysconfdir}/fail2ban/paths-{arch,debian,freebsd,opensuse,osx}.conf + # firewalld configuration cat > %{buildroot}%{_sysconfdir}/%{name}/jail.d/00-firewalld.conf <] -banaction_allports = firewallcmd-ipset[actiontype=] +banaction = firewallcmd-rich-rules[actiontype=] +banaction_allports = firewallcmd-rich-rules[actiontype=] EOF + # systemd journal configuration cat > %{buildroot}%{_sysconfdir}/%{name}/jail.d/00-systemd.conf < %{buildroot}%{_sysconfdir}/%{name}/jail.d/00-systemd.conf <= 7 %systemd_post fail2ban.service -%else -/sbin/chkconfig --add %{name} -%endif %preun server -%if 0%{?fedora} || 0%{?rhel} >= 7 %systemd_preun fail2ban.service -%else -if [ $1 = 0 ]; then - /sbin/service %{name} stop > /dev/null 2>&1 - /sbin/chkconfig --del %{name} -fi -%endif -%if 0%{?fedora} || 0%{?rhel} >= 7 %postun server %systemd_postun_with_restart fail2ban.service -%endif + %files 
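Review bot: The packaged default written to `jail.d/00-firewalld.conf` now sets `banaction` and `banaction_allports` to `firewallcmd-rich-rules`, which switches the ban backend for every existing installation on upgrade, not only for new ones, and the generated file itself says nothing about why. As far as I know firewallcmd-rich-rules installs one rich rule per banned address, so firewalld's rule count and reload time grow with the ban list where the ipset action kept all bans in a single set; sites with large or long-lived ban lists need to know how to opt back in. Add two comment lines inside the heredoc ahead of the banaction settings — `# rich-rules is the default because the ipset action makes firewalld fall back to legacy iptables (RHBZ#1823746)` and `# to return to ipset, set banaction = firewallcmd-ipset in a local jail.d file that sorts after this one` — so the reason travels with the file rather than living only in the changelog. The heredoc delimiter and the text between `<` and `>` characters did not survive this rendering, so only the two banaction lines of the hunk could be read.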
@@ -308,11 +290,7 @@ fi %{_bindir}/fail2ban-server %{python3_sitelib}/* %exclude %{python3_sitelib}/fail2ban/tests -%if 0%{?fedora} || 0%{?rhel} >= 7 %{_unitdir}/fail2ban.service -%else -%{_initddir}/fail2ban -%endif %{_mandir}/man1/fail2ban.1* %{_mandir}/man1/fail2ban-client.1* %{_mandir}/man1/fail2ban-python.1* @@ -366,6 +344,11 @@ fi %changelog +* Thu Apr 16 2020 Richard Shaw - 0.11.1-6 +- Change default firewalld backend from ipset to rich-rules as ipset causes + firewalld to use legacy iptables. Fixes RHBZ#1823746. +- Remove conditionals for EL versions less than 7. + * Thu Mar 19 2020 Richard Shaw - 0.11.1-5 - Update for Python 3.9.