Change default firewalld backend from ipset to rich-rules as ipset causes

firewalld to use legacy iptables. Fixes RHBZ#1823746.
Remove conditionals for EL versions less than 7.

.gitignore

@@ -20,3 +20,4 @@ fail2ban-0.8.4.tar.bz2
 /fail2ban-0.10.3.1.tar.gz
 /fail2ban-0.10.4.tar.gz
 /fail2ban-0.10.5.tar.gz
+/fail2ban-0.11.1.tar.gz

2605.patch

@@ -0,0 +1,152 @@
+From 3965d690b137152b2a0a6a46989178b5566cfd8e Mon Sep 17 00:00:00 2001
+From: Angelo Compagnucci <angelo@amarulasolutions.com>
+Date: Thu, 16 Jan 2020 12:05:13 +0100
+Subject: [PATCH 1/2] Revert "setup.py: adding option to install without tests"
+
+Test should actually removed from the stup data in finalize_options
+instead of being added back.
+
+This reverts commit 9b918bba2f672780fb4469294d80ba7deb6b8cab.
+
+Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
+---
+ setup.py | 41 ++++++++++++++++-------------------------
+ 1 file changed, 16 insertions(+), 25 deletions(-)
+
+diff --git a/setup.py b/setup.py
+index e476c5dd6..8da292683 100755
+--- a/setup.py
++++ b/setup.py
+@@ -119,11 +119,9 @@ def update_scripts(self, dry_run=False):
+ class install_command_f2b(install):
+ 	user_options = install.user_options + [
+ 		('disable-2to3', None, 'Specify to deactivate 2to3, e.g. if the install runs from fail2ban test-cases.'),
+-		('without-tests', None, 'without tests files installation'),
+ 	]
+ 	def initialize_options(self):
+ 		self.disable_2to3 = None
+-		self.without_tests = None
+ 		install.initialize_options(self)
+ 	def finalize_options(self):
+ 		global _2to3
+@@ -134,28 +132,6 @@ def finalize_options(self):
+ 			cmdclass = self.distribution.cmdclass
+ 			cmdclass['build_py'] = build_py_2to3
+ 			cmdclass['build_scripts'] = build_scripts_2to3
+-		if not self.without_tests:
+-			self.distribution.scripts += [
+-				'bin/fail2ban-testcases',
+-			]
+-
+-			self.distribution.packages += [
+-				'fail2ban.tests',
+-				'fail2ban.tests.action_d',
+-			]
+-
+-			self.distribution.package_data = {
+-				'fail2ban.tests':
+-					[ join(w[0], f).replace("fail2ban/tests/", "", 1)
+-						for w in os.walk('fail2ban/tests/files')
+-						for f in w[2]] +
+-					[ join(w[0], f).replace("fail2ban/tests/", "", 1)
+-						for w in os.walk('fail2ban/tests/config')
+-						for f in w[2]] +
+-					[ join(w[0], f).replace("fail2ban/tests/", "", 1)
+-						for w in os.walk('fail2ban/tests/action_d')
+-						for f in w[2]]
+-			}
+ 		install.finalize_options(self)
+ 	def run(self):
+ 		install.run(self)
+@@ -232,20 +208,35 @@ def run(self):
+ 	license = "GPL",
+ 	platforms = "Posix",
+ 	cmdclass = {
+-		'build_py': build_py, 'build_scripts': build_scripts,
++		'build_py': build_py, 'build_scripts': build_scripts, 
+ 		'install_scripts': install_scripts_f2b, 'install': install_command_f2b
+ 	},
+ 	scripts = [
+ 		'bin/fail2ban-client',
+ 		'bin/fail2ban-server',
+ 		'bin/fail2ban-regex',
++		'bin/fail2ban-testcases',
+ 		# 'bin/fail2ban-python', -- link (binary), will be installed via install_scripts_f2b wrapper
+ 	],
+ 	packages = [
+ 		'fail2ban',
+ 		'fail2ban.client',
+ 		'fail2ban.server',
++		'fail2ban.tests',
++		'fail2ban.tests.action_d',
+ 	],
++	package_data = {
++		'fail2ban.tests':
++			[ join(w[0], f).replace("fail2ban/tests/", "", 1)
++				for w in os.walk('fail2ban/tests/files')
++				for f in w[2]] +
++			[ join(w[0], f).replace("fail2ban/tests/", "", 1)
++				for w in os.walk('fail2ban/tests/config')
++				for f in w[2]] +
++			[ join(w[0], f).replace("fail2ban/tests/", "", 1)
++				for w in os.walk('fail2ban/tests/action_d')
++				for f in w[2]]
++	},
+ 	data_files = [
+ 		('/etc/fail2ban',
+ 			glob("config/*.conf")
+
+From 5fa1f69264d3c23793f64c03c96737d54555e919 Mon Sep 17 00:00:00 2001
+From: Angelo Compagnucci <angelo@amarulasolutions.com>
+Date: Thu, 16 Jan 2020 12:28:42 +0100
+Subject: [PATCH 2/2] setup.py: adding option to install without tests
+
+Tests files are not always needed especially when installing on low
+resource systems like an embedded one.
+This patch adds the --without-tests option to skip installing the
+tests files.
+
+Signed-off-by: Angelo Compagnucci <angelo@amarulasolutions.com>
+---
+ setup.py | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/setup.py b/setup.py
+index 8da292683..ce1eedf68 100755
+--- a/setup.py
++++ b/setup.py
+@@ -119,9 +119,11 @@ def update_scripts(self, dry_run=False):
+ class install_command_f2b(install):
+ 	user_options = install.user_options + [
+ 		('disable-2to3', None, 'Specify to deactivate 2to3, e.g. if the install runs from fail2ban test-cases.'),
++		('without-tests', None, 'without tests files installation'),
+ 	]
+ 	def initialize_options(self):
+ 		self.disable_2to3 = None
++		self.without_tests = None
+ 		install.initialize_options(self)
+ 	def finalize_options(self):
+ 		global _2to3
+@@ -132,6 +134,13 @@ def finalize_options(self):
+ 			cmdclass = self.distribution.cmdclass
+ 			cmdclass['build_py'] = build_py_2to3
+ 			cmdclass['build_scripts'] = build_scripts_2to3
++		if self.without_tests:
++			self.distribution.scripts.remove('bin/fail2ban-testcases')
++
++			self.distribution.packages.remove('fail2ban.tests')
++			self.distribution.packages.remove('fail2ban.tests.action_d')
++
++			del self.distribution.package_data['fail2ban.tests']
+ 		install.finalize_options(self)
+ 	def run(self):
+ 		install.run(self)
+@@ -208,7 +217,7 @@ def run(self):
+ 	license = "GPL",
+ 	platforms = "Posix",
+ 	cmdclass = {
+-		'build_py': build_py, 'build_scripts': build_scripts, 
++		'build_py': build_py, 'build_scripts': build_scripts,
+ 		'install_scripts': install_scripts_f2b, 'install': install_command_f2b
+ 	},
+ 	scripts = [

2651.patch

@@ -0,0 +1,65 @@
+From 781a25512b107828aff71998c19f2fa4dbf471c1 Mon Sep 17 00:00:00 2001
+From: "Sergey G. Brester" <serg.brester@sebres.de>
+Date: Fri, 6 Mar 2020 19:04:39 +0100
+Subject: [PATCH 1/4] travis CI: add 3.9-dev as target
+
+---
+ .travis.yml | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/fail2ban/server/jailthread.py
++++ b/fail2ban/server/jailthread.py
+@@ -120,3 +120,6 @@ class JailThread(Thread):
+ ## python 2.x replace binding of private __bootstrap method:
+ if sys.version_info < (3,): # pragma: 3.x no cover
+ 	JailThread._Thread__bootstrap = JailThread._JailThread__bootstrap
++## python 3.9, restore isAlive method:
++elif not hasattr(JailThread, 'isAlive'): # pragma: 2.x no cover
++	 JailThread.isAlive = JailThread.is_alive
+--- a/fail2ban/tests/sockettestcase.py
++++ b/fail2ban/tests/sockettestcase.py
+@@ -87,7 +87,7 @@ class Socket(LogCaptureTestCase):
+ 	def _stopServerThread(self):
+ 		serverThread = self.serverThread
+ 		# wait for end of thread :
+-		Utils.wait_for(lambda: not serverThread.isAlive() 
++		Utils.wait_for(lambda: not serverThread.is_alive()
+ 			or serverThread.join(Utils.DEFAULT_SLEEP_TIME), unittest.F2B.maxWaitTime(10))
+ 		self.serverThread = None
+ 
+@@ -98,7 +98,7 @@ class Socket(LogCaptureTestCase):
+ 		self.server.close()
+ 		# wait for end of thread :
+ 		self._stopServerThread()
+-		self.assertFalse(serverThread.isAlive())
++		self.assertFalse(serverThread.is_alive())
+ 		# clean :
+ 		self.server.stop()
+ 		self.assertFalse(self.server.isActive())
+@@ -139,7 +139,7 @@ class Socket(LogCaptureTestCase):
+ 		self.server.stop()
+ 		# wait for end of thread :
+ 		self._stopServerThread()
+-		self.assertFalse(serverThread.isAlive())
++		self.assertFalse(serverThread.is_alive())
+ 		self.assertFalse(self.server.isActive())
+ 		self.assertFalse(os.path.exists(self.sock_name))
+ 
+@@ -180,7 +180,7 @@ class Socket(LogCaptureTestCase):
+ 		self.server.stop()
+ 		# wait for end of thread :
+ 		self._stopServerThread()
+-		self.assertFalse(serverThread.isAlive())
++		self.assertFalse(serverThread.is_alive())
+ 
+ 	def testLoopErrors(self):
+ 		# replace poll handler to produce error in loop-cycle:
+@@ -216,7 +216,7 @@ class Socket(LogCaptureTestCase):
+ 		self.server.stop()
+ 		# wait for end of thread :
+ 		self._stopServerThread()
+-		self.assertFalse(serverThread.isAlive())
++		self.assertFalse(serverThread.is_alive())
+ 		self.assertFalse(self.server.isActive())
+ 		self.assertFalse(os.path.exists(self.sock_name))
+ 

343ec1cdd296530f331637c725bd2bb0549e01e6.patch

@@ -0,0 +1,54 @@
+From 343ec1cdd296530f331637c725bd2bb0549e01e6 Mon Sep 17 00:00:00 2001
+From: sebres <serg.brester@sebres.de>
+Date: Wed, 18 Mar 2020 20:37:25 +0100
+Subject: [PATCH] test-causes: avoid host-depending issue (mistakenly ignoring
+ IP 127.0.0.2 as own address) - replace loop-back addr with test sub-net addr
+ (and disable ignoreself)
+
+---
+ fail2ban/tests/observertestcase.py | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/fail2ban/tests/observertestcase.py b/fail2ban/tests/observertestcase.py
+index 8e9444548..e379ccd18 100644
+--- a/fail2ban/tests/observertestcase.py
++++ b/fail2ban/tests/observertestcase.py
+@@ -36,7 +36,6 @@
+ from ..server.observer import Observers, ObserverThread
+ from ..server.utils import Utils
+ from .utils import LogCaptureTestCase
+-from ..server.filter import Filter
+ from .dummyjail import DummyJail
+ 
+ from .databasetestcase import getFail2BanDb, Fail2BanDb
+@@ -224,7 +223,7 @@ def testBanTimeIncr(self):
+ 		jail.actions.setBanTime(10)
+ 		jail.setBanTimeExtra('increment', 'true')
+ 		jail.setBanTimeExtra('multipliers', '1 2 4 8 16 32 64 128 256 512 1024 2048')
+-		ip = "127.0.0.2"
++		ip = "192.0.2.1"
+ 		# used as start and fromtime (like now but time independence, cause test case can run slow):
+ 		stime = int(MyTime.time())
+ 		ticket = FailTicket(ip, stime, [])
+@@ -385,10 +384,12 @@ def testBanTimeIncr(self):
+ 
+ 		# two separate jails :
+ 		jail1 = DummyJail(backend='polling')
++		jail1.filter.ignoreSelf = False
+ 		jail1.setBanTimeExtra('increment', 'true')
+ 		jail1.database = self.db
+ 		self.db.addJail(jail1)
+ 		jail2 = DummyJail(name='DummyJail-2', backend='polling')
++		jail2.filter.ignoreSelf = False
+ 		jail2.database = self.db
+ 		self.db.addJail(jail2)
+ 		ticket1 = FailTicket(ip, stime, [])
+@@ -477,7 +478,7 @@ def testObserver(self):
+ 		self.assertEqual(tickets, [])
+ 
+ 		# add failure:
+-		ip = "127.0.0.2"
++		ip = "192.0.2.1"
+ 		ticket = FailTicket(ip, stime-120, [])
+ 		failManager = FailManager()
+ 		failManager.setMaxRetry(3)

8dc6f30cdd855c41b80ebdde3fe2bc91cc94e594.patch

@@ -0,0 +1,213 @@
+From 8dc6f30cdd855c41b80ebdde3fe2bc91cc94e594 Mon Sep 17 00:00:00 2001
+From: sebres <serg.brester@sebres.de>
+Date: Wed, 15 Jan 2020 19:22:53 +0100
+Subject: [PATCH] closes #2596: fixed supplying of backend-related `logtype` to
+ the jail filter - don't merge it (provide as init parameter if not set in
+ definition section), init parameters don't affect config-cache (better
+ implementation as in #2387 and it covered now with new test)
+
+---
+ MANIFEST                                      |  2 ++
+ fail2ban/client/configreader.py               |  8 +++--
+ fail2ban/client/fail2banregex.py              |  7 ++---
+ fail2ban/client/filterreader.py               |  8 +++++
+ fail2ban/client/jailreader.py                 |  7 ++---
+ fail2ban/tests/clientreadertestcase.py        | 17 +++++++++-
+ .../tests/config/filter.d/checklogtype.conf   | 31 +++++++++++++++++++
+ .../config/filter.d/checklogtype_test.conf    | 12 +++++++
+ fail2ban/tests/config/jail.conf               | 25 +++++++++++++++
+ 9 files changed, 104 insertions(+), 13 deletions(-)
+ create mode 100644 fail2ban/tests/config/filter.d/checklogtype.conf
+ create mode 100644 fail2ban/tests/config/filter.d/checklogtype_test.conf
+
+--- a/MANIFEST
++++ b/MANIFEST
+@@ -227,6 +227,8 @@ fail2ban/tests/clientreadertestcase.py
+ fail2ban/tests/config/action.d/action.conf
+ fail2ban/tests/config/action.d/brokenaction.conf
+ fail2ban/tests/config/fail2ban.conf
++fail2ban/tests/config/filter.d/checklogtype.conf
++fail2ban/tests/config/filter.d/checklogtype_test.conf
+ fail2ban/tests/config/filter.d/simple.conf
+ fail2ban/tests/config/filter.d/test.conf
+ fail2ban/tests/config/filter.d/test.local
+--- a/fail2ban/client/configreader.py
++++ b/fail2ban/client/configreader.py
+@@ -120,6 +120,10 @@ class ConfigReader():
+ 		except AttributeError:
+ 			return False
+ 
++	def has_option(self, sec, opt, withDefault=True):
++		return self._cfg.has_option(sec, opt) if withDefault \
++			else opt in self._cfg._sections.get(sec, {})
++
+ 	def merge_defaults(self, d):
+ 		self._cfg.get_defaults().update(d)
+ 
+@@ -261,8 +265,8 @@ class ConfigReaderUnshared(SafeConfigPar
+ 					logSys.warning("'%s' not defined in '%s'. Using default one: %r"
+ 								% (optname, sec, optvalue))
+ 					values[optname] = optvalue
+-				elif logSys.getEffectiveLevel() <= logLevel:
+-					logSys.log(logLevel, "Non essential option '%s' not defined in '%s'.", optname, sec)
++				# elif logSys.getEffectiveLevel() <= logLevel:
++				# 	logSys.log(logLevel, "Non essential option '%s' not defined in '%s'.", optname, sec)
+ 			except ValueError:
+ 				logSys.warning("Wrong value for '" + optname + "' in '" + sec +
+ 							"'. Using default one: '" + repr(optvalue) + "'")
+--- a/fail2ban/client/fail2banregex.py
++++ b/fail2ban/client/fail2banregex.py
+@@ -372,11 +372,8 @@ class Fail2banRegex(object):
+ 			if not ret:
+ 				output( "ERROR: failed to load filter %s" % value )
+ 				return False
+-			# overwrite default logtype (considering that the filter could specify this too in Definition/Init sections):
+-			if not fltOpt.get('logtype'):
+-				reader.merge_defaults({
+-					'logtype': ['file','journal'][int(self._backend.startswith("systemd"))]
+-				})
++			# set backend-related options (logtype):
++			reader.applyAutoOptions(self._backend)
+ 			# get, interpolate and convert options:
+ 			reader.getOptions(None)
+ 			# show real options if expected:
+--- a/fail2ban/client/filterreader.py
++++ b/fail2ban/client/filterreader.py
+@@ -53,6 +53,14 @@ class FilterReader(DefinitionInitConfigR
+ 	def getFile(self):
+ 		return self.__file
+ 
++	def applyAutoOptions(self, backend):
++		# set init option to backend-related logtype, considering
++		# that the filter settings may be overwritten in its local:
++		if (not self._initOpts.get('logtype') and 
++		    not self.has_option('Definition', 'logtype', False)
++		  ):
++			self._initOpts['logtype'] = ['file','journal'][int(backend.startswith("systemd"))]
++
+ 	def convert(self):
+ 		stream = list()
+ 		opts = self.getCombined()
+--- a/fail2ban/client/jailreader.py
++++ b/fail2ban/client/jailreader.py
+@@ -149,11 +149,8 @@ class JailReader(ConfigReader):
+ 				ret = self.__filter.read()
+ 				if not ret:
+ 					raise JailDefError("Unable to read the filter %r" % filterName)
+-				if not filterOpt.get('logtype'):
+-					# overwrite default logtype backend-related (considering that the filter settings may be overwritten):
+-					self.__filter.merge_defaults({
+-						'logtype': ['file','journal'][int(self.__opts.get('backend', '').startswith("systemd"))]
+-					})
++				# set backend-related options (logtype):
++				self.__filter.applyAutoOptions(self.__opts.get('backend', ''))
+ 				# merge options from filter as 'known/...' (all options unfiltered):
+ 				self.__filter.getOptions(self.__opts, all=True)
+ 				ConfigReader.merge_section(self, self.__name, self.__filter.getCombined(), 'known/')
+--- a/fail2ban/tests/clientreadertestcase.py
++++ b/fail2ban/tests/clientreadertestcase.py
+@@ -328,7 +328,22 @@ class JailReaderTest(LogCaptureTestCase)
+ 			self.assertFalse(len(o) > 2 and o[2].endswith('regex'))
+ 			i += 1
+ 			if i > usednsidx: break
+-		
++
++	def testLogTypeOfBackendInJail(self):
++		unittest.F2B.SkipIfCfgMissing(stock=True); # expected include of common.conf
++		# test twice to check cache works peoperly:
++		for i in (1, 2):
++			# backend-related, overwritten in definition, specified in init parameters:
++			for prefline in ('JRNL', 'FILE', 'TEST', 'INIT'):
++				jail = JailReader('checklogtype_'+prefline.lower(), basedir=IMPERFECT_CONFIG,
++					share_config=IMPERFECT_CONFIG_SHARE_CFG, force_enable=True)
++				self.assertTrue(jail.read())
++				self.assertTrue(jail.getOptions())
++				stream = jail.convert()
++				# 'JRNL' for systemd, 'FILE' for file backend, 'TEST' for custom logtype (overwrite it):
++				self.assertEqual([['set', jail.getName(), 'addfailregex', '^%s failure from <HOST>$' % prefline]],
++					[o for o in stream if len(o) > 2 and o[2] == 'addfailregex'])
++
+ 	def testSplitOption(self):
+ 		# Simple example
+ 		option = "mail-whois[name=SSH]"
+--- /dev/null
++++ b/fail2ban/tests/config/filter.d/checklogtype.conf
+@@ -0,0 +1,31 @@
++# Fail2Ban configuration file
++#
++
++[INCLUDES]
++
++# Read common prefixes (logtype is set in default section)
++before = ../../../../config/filter.d/common.conf
++
++[Definition]
++
++_daemon = test
++
++failregex = ^<lt_<logtype>/__prefix_line> failure from <HOST>$
++ignoreregex = 
++
++# following sections define prefix line considering logtype:
++
++# backend-related (retrieved from backend, overwrite default):
++[lt_file]
++__prefix_line = FILE
++
++[lt_journal]
++__prefix_line = JRNL
++
++# specified in definition section of filter (see filter checklogtype_test.conf):
++[lt_test]
++__prefix_line = TEST
++
++# specified in init parameter of jail (see ../jail.conf, jail checklogtype_init):
++[lt_init]
++__prefix_line = INIT
+--- /dev/null
++++ b/fail2ban/tests/config/filter.d/checklogtype_test.conf
+@@ -0,0 +1,12 @@
++# Fail2Ban configuration file
++#
++
++[INCLUDES]
++
++# Read common prefixes (logtype is set in default section)
++before = checklogtype.conf
++
++[Definition]
++
++# overwrite logtype in definition (no backend anymore):
++logtype = test
+\ No newline at end of file
+--- a/fail2ban/tests/config/jail.conf
++++ b/fail2ban/tests/config/jail.conf
+@@ -74,3 +74,28 @@ journalmatch = _COMM=test
+ maxlines = 2
+ usedns = no
+ enabled = false
++
++[checklogtype_jrnl]
++filter = checklogtype
++backend = systemd
++action = action
++enabled = false
++
++[checklogtype_file]
++filter = checklogtype
++backend = polling
++logpath = README.md
++action = action
++enabled = false
++
++[checklogtype_test]
++filter = checklogtype_test
++backend = systemd
++action = action
++enabled = false
++
++[checklogtype_init]
++filter = checklogtype_test[logtype=init]
++backend = systemd
++action = action
++enabled = false

Makefile

@@ -0,0 +1,26 @@
+TARGET?=fail2ban
+MODULES?=${TARGET:=.pp.bz2}
+SHAREDIR?=/usr/share
+
+all: ${TARGET:=.pp.bz2}
+
+%.pp.bz2: %.pp
+	@echo Compressing $^ -\> $@
+	bzip2 -9 $^
+
+%.pp: %.te
+	make -f ${SHAREDIR}/selinux/devel/Makefile $@
+
+clean:
+	rm -f *~  *.tc *.pp *.pp.bz2
+	rm -rf tmp *.tar.gz
+
+man: install-policy
+	sepolicy manpage --path . --domain ${TARGET}_t
+
+install-policy: all
+	semodule -i ${TARGET}.pp.bz2
+
+install: man
+	install -D -m 644 ${TARGET}.pp.bz2 ${DESTDIR}${SHAREDIR}/selinux/packages/${TARGET}.pp.bz2
+	install -D -m 644 ${TARGET}_selinux.8 ${DESTDIR}${SHAREDIR}/man/man8/

fail2ban.fc

@@ -0,0 +1,9 @@
+/etc/rc\.d/init\.d/fail2ban	--	gen_context(system_u:object_r:fail2ban_initrc_exec_t,s0)
+
+/usr/bin/fail2ban	--	gen_context(system_u:object_r:fail2ban_exec_t,s0)
+/usr/bin/fail2ban-client	--	gen_context(system_u:object_r:fail2ban_client_exec_t,s0)
+/usr/bin/fail2ban-server	--	gen_context(system_u:object_r:fail2ban_exec_t,s0)
+
+/var/lib/fail2ban(/.*)?	gen_context(system_u:object_r:fail2ban_var_lib_t,s0)
+/var/log/fail2ban\.log.*	--	gen_context(system_u:object_r:fail2ban_log_t,s0)
+/var/run/fail2ban.*	gen_context(system_u:object_r:fail2ban_var_run_t,s0)

fail2ban.if

@@ -0,0 +1,313 @@
+## <summary>Update firewall filtering to ban IP addresses with too many password failures.</summary>
+
+########################################
+## <summary>
+##	Execute a domain transition to run fail2ban.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`fail2ban_domtrans',`
+	gen_require(`
+		type fail2ban_t, fail2ban_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, fail2ban_exec_t, fail2ban_t)
+')
+
+#######################################
+## <summary>
+##  Execute the fail2ban client in
+##  the fail2ban client domain.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed to transition.
+##  </summary>
+## </param>
+#
+interface(`fail2ban_domtrans_client',`
+    gen_require(`
+        type fail2ban_client_t, fail2ban_client_exec_t;
+    ')
+
+    corecmd_search_bin($1)
+    domtrans_pattern($1, fail2ban_client_exec_t, fail2ban_client_t)
+')
+
+#######################################
+## <summary>
+##  Execute fail2ban client in the
+##  fail2ban client domain, and allow
+##  the specified role the fail2ban
+##  client domain.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain allowed to transition.
+##  </summary>
+## </param>
+## <param name="role">
+##  <summary>
+##  Role allowed access.
+##  </summary>
+## </param>
+#
+interface(`fail2ban_run_client',`
+    gen_require(`
+        attribute_role fail2ban_client_roles;
+    ')
+
+    fail2ban_domtrans_client($1)
+    roleattribute $2 fail2ban_client_roles;
+')
+
+#####################################
+## <summary>
+##	Connect to fail2ban over a unix domain
+##	stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fail2ban_stream_connect',`
+	gen_require(`
+		type fail2ban_t, fail2ban_var_run_t;
+	')
+
+	files_search_pids($1)
+	stream_connect_pattern($1, fail2ban_var_run_t, fail2ban_var_run_t, fail2ban_t)
+')
+
+########################################
+## <summary>
+##	Read and write inherited temporary files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fail2ban_rw_inherited_tmp_files',`
+	gen_require(`
+		type fail2ban_tmp_t;
+	')
+
+	files_search_tmp($1)
+	allow $1 fail2ban_tmp_t:file rw_inherited_file_perms;
+')
+
+########################################
+## <summary>
+##	Read and write to an fail2ba unix stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fail2ban_rw_stream_sockets',`
+	gen_require(`
+		type fail2ban_t;
+	')
+
+	allow $1 fail2ban_t:unix_stream_socket rw_stream_socket_perms;
+')
+
+#######################################
+## <summary>
+##  Do not audit attempts to use
+##  fail2ban file descriptors.
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain to not audit.
+##  </summary>
+## </param>
+#
+interface(`fail2ban_dontaudit_use_fds',`
+    gen_require(`
+        type fail2ban_t;
+    ')
+
+    dontaudit $1 fail2ban_t:fd use;
+')
+
+#######################################
+## <summary>
+##  Do not audit attempts to read and
+##  write fail2ban unix stream sockets
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain to not audit.
+##  </summary>
+## </param>
+#
+interface(`fail2ban_dontaudit_rw_stream_sockets',`
+    gen_require(`
+        type fail2ban_t;
+    ')
+
+    dontaudit $1 fail2ban_t:unix_stream_socket { read write };
+')
+
+########################################
+## <summary>
+##	Read fail2ban lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fail2ban_read_lib_files',`
+	gen_require(`
+		type fail2ban_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	read_files_pattern($1, fail2ban_var_lib_t, fail2ban_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to read fail2ban's log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`fail2ban_read_log',`
+	gen_require(`
+		type fail2ban_log_t;
+	')
+
+	logging_search_logs($1)
+	allow $1 fail2ban_log_t:dir list_dir_perms;
+	allow $1 fail2ban_log_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+##	Allow the specified domain to append
+##	fail2ban log files.
+## </summary>
+## <param name="domain">
+## 	<summary>
+##	Domain allowed access.
+## 	</summary>
+## </param>
+#
+interface(`fail2ban_append_log',`
+	gen_require(`
+		type fail2ban_log_t;
+	')
+
+	logging_search_logs($1)
+	allow $1 fail2ban_log_t:dir list_dir_perms;
+	allow $1 fail2ban_log_t:file append_file_perms;
+')
+
+########################################
+## <summary>
+##	Read fail2ban PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fail2ban_read_pid_files',`
+	gen_require(`
+		type fail2ban_var_run_t;
+	')
+
+	files_search_pids($1)
+	allow $1 fail2ban_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+##	dontaudit read and write an leaked file descriptors
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`fail2ban_dontaudit_leaks',`
+	gen_require(`
+		type fail2ban_t;
+	')
+
+ 	dontaudit $1 fail2ban_t:tcp_socket { read write };
+	dontaudit $1 fail2ban_t:unix_dgram_socket { read write };
+	dontaudit $1 fail2ban_t:unix_stream_socket { read write };
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate 
+##	an fail2ban environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the fail2ban domain.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`fail2ban_admin',`
+	gen_require(`
+		type fail2ban_t, fail2ban_log_t, fail2ban_initrc_exec_t;
+		type fail2ban_var_run_t, fail2ban_var_lib_t, fail2ban_tmp_t;
+		type fail2ban_client_t;
+	')
+
+	allow $1 { fail2ban_t fail2ban_client_t }:process signal_perms;
+	ps_process_pattern($1, { fail2ban_t fail2ban_client_t })
+
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 { fail2ban_t fail2ban_client_t }:process ptrace;
+	')
+
+	init_labeled_script_domtrans($1, fail2ban_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 fail2ban_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	logging_list_logs($1)
+	admin_pattern($1, fail2ban_log_t)
+
+	files_list_pids($1)
+	admin_pattern($1, fail2ban_var_run_t)
+
+	files_list_var_lib($1)
+	admin_pattern($1, fail2ban_var_lib_t)
+
+	files_list_tmp($1)
+	admin_pattern($1, fail2ban_tmp_t)
+
+	fail2ban_run_client($1, $2)
+')

fail2ban.spec

@@ -1,10 +1,16 @@
-Summary: Daemon to ban hosts that cause multiple authentication errors
 Name: fail2ban
-Version: 0.10.5
+Version: 0.11.1
-Release: 2%{?dist}
+Release: 6%{?dist}
+Summary: Daemon to ban hosts that cause multiple authentication errors
+
 License: GPLv2+
 URL: http://fail2ban.sourceforge.net/
 Source0: https://github.com/%{name}/%{name}/archive/%{version}.tar.gz#/%{name}-%{version}.tar.gz
+# SELinux policy
+Source1: fail2ban.fc
+Source2: fail2ban.if
+Source3: fail2ban.te
+Source4: Makefile
 # Give up being PartOf iptables and ipset for now
 # https://bugzilla.redhat.com/show_bug.cgi?id=1379141
 # https://bugzilla.redhat.com/show_bug.cgi?id=1573185
@@ -13,17 +19,25 @@ Patch0: fail2ban-partof.patch
 Patch1: https://github.com/fail2ban/fail2ban/commit/ec37b1942c4da76f7a0f71efe81bea6835466648.patch
 # testIPAddr_CompareDNS: add missing network constraint
 Patch2: https://github.com/fail2ban/fail2ban/commit/b158f83aa3795f387c8475ceb48df197a94a37e8.patch
-# FIx test thread stack size on aarch64
+# Fix test thread stack size on aarch64
 Patch3: https://github.com/fail2ban/fail2ban/commit/8694c547285c4030d4bf7661981673038e6e9829.patch
-
+# Fix handling of journal in tests
-BuildRequires: python-devel
+Patch4: https://github.com/fail2ban/fail2ban/commit/8dc6f30cdd855c41b80ebdde3fe2bc91cc94e594.patch
+# Fix test install
+Patch5: https://patch-diff.githubusercontent.com/raw/fail2ban/fail2ban/pull/2605.patch
+# Patch for Python 3.9
+# https://bugzilla.redhat.com/show_bug.cgi?id=1808347
+Patch6: https://patch-diff.githubusercontent.com/raw/fail2ban/fail2ban/pull/2651.patch
+Patch7: https://github.com/fail2ban/fail2ban/commit/343ec1cdd296530f331637c725bd2bb0549e01e6.patch
+
+BuildRequires: python3-devel
+BuildRequires: /usr/bin/2to3
 # For testcases
-BuildRequires: python-inotify
+BuildRequires: python3-inotify
 BuildRequires: sqlite
 BuildArch: noarch
-%if 0%{?fedora} || 0%{?rhel} >= 7
 BuildRequires: systemd
-%endif
+BuildRequires: selinux-policy-devel
 # Default components
 Requires: %{name}-firewalld = %{version}-%{release}
 Requires: %{name}-sendmail = %{version}-%{release}
@@ -47,21 +61,25 @@ sub-packages are available to install support for other actions and
 configurations.
 
 
+%package selinux
+Summary: SELinux policies for Fail2Ban
+%{?selinux_requires}
+%global modulename fail2ban
+%global selinuxtype targeted
+
+%description selinux
+SELinux policies for Fail2Ban.
+
+
 %package server
 Summary: Core server component for Fail2Ban
-%if 0%{?fedora} || 0%{?rhel} >= 7
+Requires: python3-systemd
-Requires: systemd-python
 Requires(post): systemd
 Requires(preun): systemd
 Requires(postun): systemd
-%else
-Requires: initscripts
-Requires(post): /sbin/chkconfig
-Requires(preun): /sbin/chkconfig
-Requires(preun): /sbin/service
-%endif
 Requires: ipset
 Requires: iptables
+Requires: (%{name}-selinux if selinux-policy-%{selinuxtype})
 
 %description server
 This package contains the core server components for Fail2Ban with minimal
@@ -79,9 +97,10 @@ Requires: %{name}-server = %{version}-%{release}
 Requires: %{name}-shorewall = %{version}-%{release}
 # Currently this breaks jails that don't log to the journal
 #Requires: %{name}-systemd = %{version}-%{release}
-Requires: gamin-python
+# No python3 support for gamin
-Requires: perl
+#Requires: gamin-python
-Requires: python-inotify
+Requires: perl-interpreter
+Requires: python3-inotify
 Requires: /usr/bin/whois
 
 %description all
@@ -160,20 +179,25 @@ by default.
 
 # Use Fedora paths
 sed -i -e 's/^before = paths-.*/before = paths-fedora.conf/' config/jail.conf
+2to3 --write --nobackups .
+find -type f -exec sed -i -e '1s,^#!/usr/bin/python *,#!/usr/bin/python%{python3_version},' {} +
+
+# SELinux sources
+cp -p %SOURCE1 %SOURCE2 %SOURCE3 .
+
 
 %build
-%py_build
+%py3_build
+make -f %SOURCE4
 
 %install
-%py_install
+%py3_install
+
+# Make symbolic link relative
+ln -fs python3 %{buildroot}%{_bindir}/fail2ban-python
 
-%if 0%{?fedora} || 0%{?rhel} >= 7
 mkdir -p %{buildroot}%{_unitdir}
 cp -p build/fail2ban.service %{buildroot}%{_unitdir}/
-%else
-mkdir -p %{buildroot}%{_initddir}
-install -p -m 755 files/redhat-initd %{buildroot}%{_initddir}/fail2ban
-%endif
 mkdir -p %{buildroot}%{_mandir}/man{1,5}
 install -p -m 644 man/*.1 %{buildroot}%{_mandir}/man1
 install -p -m 644 man/*.5 %{buildroot}%{_mandir}/man5
@@ -182,25 +206,27 @@ install -p -m 644 files/fail2ban-logrotate %{buildroot}%{_sysconfdir}/logrotate.
 install -d -m 0755 %{buildroot}/run/fail2ban/
 install -m 0600 /dev/null %{buildroot}/run/fail2ban/fail2ban.pid
 install -d -m 0755 %{buildroot}%{_localstatedir}/lib/fail2ban/
-%if 0%{?fedora} || 0%{?rhel} >= 7
 mkdir -p %{buildroot}%{_tmpfilesdir}
 install -p -m 0644 files/fail2ban-tmpfiles.conf %{buildroot}%{_tmpfilesdir}/fail2ban.conf
-%endif
+
 # Remove non-Linux actions
 rm %{buildroot}%{_sysconfdir}/%{name}/action.d/*ipfw.conf
 rm %{buildroot}%{_sysconfdir}/%{name}/action.d/{ipfilter,pf,ufw}.conf
 rm %{buildroot}%{_sysconfdir}/%{name}/action.d/osx-*.conf
+
 # Remove config files for other distros
 rm -f %{buildroot}%{_sysconfdir}/fail2ban/paths-{arch,debian,freebsd,opensuse,osx}.conf
+
 # firewalld configuration
 cat > %{buildroot}%{_sysconfdir}/%{name}/jail.d/00-firewalld.conf <<EOF
 # This file is part of the fail2ban-firewalld package to configure the use of
 # the firewalld actions as the default actions.  You can remove this package
 # (along with the empty fail2ban meta-package) if you do not use firewalld
 [DEFAULT]
-banaction = firewallcmd-ipset[actiontype=<multiport>]
+banaction = firewallcmd-rich-rules[actiontype=<multiport>]
-banaction_allports = firewallcmd-ipset[actiontype=<allports>]
+banaction_allports = firewallcmd-rich-rules[actiontype=<allports>]
 EOF
+
 # systemd journal configuration
 cat > %{buildroot}%{_sysconfdir}/%{name}/jail.d/00-systemd.conf <<EOF
 # This file is part of the fail2ban-systemd package to configure the use of
@@ -210,53 +236,61 @@ cat > %{buildroot}%{_sysconfdir}/%{name}/jail.d/00-systemd.conf <<EOF
 [DEFAULT]
 backend=systemd
 EOF
+
 # Remove installed doc, use doc macro instead
 rm -r %{buildroot}%{_docdir}/%{name}
 
+# SELinux
+# install policy modules
+install -d %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}
+install -m 0644 %{modulename}.pp.bz2 %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype}
+
+
 %check
-# Need a UTF-8 locale to work
+%python3 bin/fail2ban-testcases --verbosity=2 --no-network
-export LANG=en_US.UTF-8
+
-# testSampleRegexsSSHD fails for some reason when run alongside all other tests
+
-%python2 bin/fail2ban-testcases --no-network testSampleRegexsSSHD
+%pre selinux
-%python2 bin/fail2ban-testcases --no-network -i testSampleRegexsSSHD
+%selinux_relabel_pre -s %{selinuxtype}
+
+%post selinux
+%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2
+
+%postun selinux
+if [ $1 -eq 0 ]; then
+    %selinux_modules_uninstall -s %{selinuxtype} %{modulename}
+fi
+
+%posttrans selinux
+%selinux_relabel_post -s %{selinuxtype}
+
 
 %post server
-%if 0%{?fedora} || 0%{?rhel} >= 7
 %systemd_post fail2ban.service
-%else
-/sbin/chkconfig --add %{name}
-%endif
 
 %preun server
-%if 0%{?fedora} || 0%{?rhel} >= 7
 %systemd_preun fail2ban.service
-%else
-if [ $1 = 0 ]; then
-  /sbin/service %{name} stop > /dev/null 2>&1
-  /sbin/chkconfig --del %{name}
-fi
-%endif
 
-%if 0%{?fedora} || 0%{?rhel} >= 7
 %postun server
 %systemd_postun_with_restart fail2ban.service
-%endif
+
 
 %files
 
+%files selinux
+%{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2
+%ghost %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{name}
+%license COPYING
+
 %files server
 %doc README.md TODO ChangeLog COPYING doc/*.txt
 %{_bindir}/fail2ban-client
 %{_bindir}/fail2ban-python
 %{_bindir}/fail2ban-regex
 %{_bindir}/fail2ban-server
-%{python2_sitelib}/*
+%{python3_sitelib}/*
-%exclude %{python2_sitelib}/fail2ban/tests
+%exclude %{python3_sitelib}/fail2ban/tests
-%if 0%{?fedora} || 0%{?rhel} >= 7
 %{_unitdir}/fail2ban.service
-%else
-%{_initddir}/fail2ban
-%endif
 %{_mandir}/man1/fail2ban.1*
 %{_mandir}/man1/fail2ban-client.1*
 %{_mandir}/man1/fail2ban-python.1*
@@ -274,9 +308,7 @@ fi
 %exclude %{_sysconfdir}/fail2ban/action.d/shorewall.conf
 %exclude %{_sysconfdir}/fail2ban/jail.d/*.conf
 %config(noreplace) %{_sysconfdir}/logrotate.d/fail2ban
-%if 0%{?fedora} || 0%{?rhel} >= 7
 %{_tmpfilesdir}/fail2ban.conf
-%endif
 %dir %{_localstatedir}/lib/fail2ban/
 %dir /run/%{name}/
 %ghost %verify(not size mtime md5) /run/%{name}/%{name}.pid
@@ -292,7 +324,7 @@ fi
 %files tests
 %{_bindir}/fail2ban-testcases
 %{_mandir}/man1/fail2ban-testcases.1*
-%{python2_sitelib}/fail2ban/tests
+%{python3_sitelib}/fail2ban/tests
 
 %files mail
 %config(noreplace) %{_sysconfdir}/fail2ban/action.d/complain.conf
@@ -312,24 +344,104 @@ fi
 
 
 %changelog
-* Tue Jan 21 2020 Orion Poplawski <orion@nwra.com> - 0.10.5-2
+* Thu Apr 16 2020 Richard Shaw <hobbes1069@gmail.com> - 0.11.1-6
+- Change default firewalld backend from ipset to rich-rules as ipset causes
+  firewalld to use legacy iptables. Fixes RHBZ#1823746.
+- Remove conditionals for EL versions less than 7.
+
+* Thu Mar 19 2020 Richard Shaw <hobbes1069@gmail.com> - 0.11.1-5
+- Update for Python 3.9.
+
+* Wed Feb 26 2020 Orion Poplawski <orion@nwra.com> - 0.11.1-4
+- Add SELinux policy
+
+* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.11.1-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Tue Jan 21 2020 Orion Poplawski <orion@nwra.com> - 0.11.1-2
 - Move action.d/mail-whois-common.conf into fail2ban-server
 
+* Tue Jan 14 2020 Orion Poplawski <orion@nwra.com> - 0.11.1-1
+- Update to 0.11.1
+
 * Tue Jan 14 2020 Orion Poplawski <orion@nwra.com> - 0.10.5-1
 - Update to 0.10.5
 
-* Sat Nov 23 2019 Orion Poplawski <orion@nwra.com> - 0.10.4-1
+* Thu Nov 21 2019 Orion Poplawski <orion@nwra.com> - 0.10.4-8
-- Update to 0.10.4
 - Define banaction_allports for firewalld, update banaction (bz#1775175)
 - Update sendmail-reject with TLSMTA & MSA port IDs (bz#1722625)
+
+* Thu Oct 31 2019 Orion Poplawski <orion@nwra.com> - 0.10.4-7
 - Remove config files for other distros (bz#1533113)
 
+* Thu Oct 03 2019 Miro Hrončok <mhroncok@redhat.com> - 0.10.4-6
+- Rebuilt for Python 3.8.0rc1 (#1748018)
+
+* Mon Aug 19 2019 Miro Hrončok <mhroncok@redhat.com> - 0.10.4-5
+- Rebuilt for Python 3.8
+
+* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.10.4-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.10.4-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Sun Nov 18 2018 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 0.10.4-2
+- Drop explicit locale setting
+  See https://fedoraproject.org/wiki/Changes/Remove_glibc-langpacks-all_from_buildroot
+
+* Fri Oct 5 2018 Orion Poplawski <orion@nwra.com> - 0.10.4-1
+- Update to 0.10.4
+
+* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.10.3.1-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Tue Jun 19 2018 Orion Poplawski <orion@nwra.com> - 0.10.3.1-2
+- Remove PartOf ipset.service (bug #1573185)
+
+* Tue Jun 19 2018 Orion Poplawski <orion@nwra.com> - 0.10.3.1-1
+- Update to 0.10.3.1
+
+* Tue Jun 19 2018 Miro Hrončok <mhroncok@redhat.com> - 0.10.2-2
+- Rebuilt for Python 3.7
+
+* Wed Mar 28 2018 Orion Poplawski <orion@nwra.com> - 0.10.2-1
+- Update to 0.10.2
+
+* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.10.1-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Sat Dec 30 2017 Orion Poplawski <orion@nwra.com> - 0.10.1-3
+- Add upstream patch to fix ipset issue (bug #1525134)
+
+* Sat Dec 30 2017 Orion Poplawski <orion@nwra.com> - 0.10.1-2
+- Add upstream patch to fix buildroot issue
+
+* Tue Nov 14 2017 Orion Poplawski <orion@cora.nwra.com> - 0.10.1-1
+- Update to 0.10.1
+
+* Wed Sep 20 2017 Orion Poplawski <orion@cora.nwra.com> - 0.10.0-1
+- Update to 0.10.0
+
+* Wed Aug 16 2017 Orion Poplawski <orion@cora.nwra.com> - 0.9.7-4
+- Use BR /usr/bin/2to3
+
+* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.7-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Thu Jul 13 2017 Petr Pisar <ppisar@redhat.com> - 0.9.7-2
+- perl dependency renamed to perl-interpreter
+  <https://fedoraproject.org/wiki/Changes/perl_Package_to_Install_Core_Modules>
+
 * Wed Jul 12 2017 Orion Poplawski <orion@cora.nwra.com> - 0.9.7-1
 - Update to 0.9.7
 
-* Wed Feb 15 2017 Orion Poplawski <orion@cora.nwra.com> - 0.9.6-3
+* Wed Feb 15 2017 Orion Poplawski <orion@cora.nwra.com> - 0.9.6-4
 - Properly handle /run/fail2ban (bug #1422500)
 
+* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.6-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
 * Tue Jan 10 2017 Orion Poplawski <orion@cora.nwra.com> - 0.9.6-2
 - Add upstream patch to fix fail2ban-regex with journal
 
@@ -359,6 +471,12 @@ fi
 - Update to 0.9.5
 - Drop mysql patch applied upstream
 
+* Tue Jul 19 2016 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.9.4-6
+- https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages
+
+* Tue Apr 5 2016 Orion Poplawski <orion@cora.nwra.com> - 0.9.4-5
+- Fix python3 usage (bug #1324113)
+
 * Sun Mar 27 2016 Orion Poplawski <orion@cora.nwra.com> - 0.9.4-4
 - Use %%{_tmpfilesdir} for systemd tmpfile config
 
@@ -372,6 +490,9 @@ fi
 - Update to 0.9.4
 - Use mariadb log path by default
 
+* Tue Feb 23 2016 Orion Poplawski <orion@cora.nwra.com> - 0.9.3-3
+- Use python3 (bug #1282498)
+
 * Wed Feb 03 2016 Fedora Release Engineering <releng@fedoraproject.org> - 0.9.3-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
 

fail2ban.te

@@ -0,0 +1,191 @@
+policy_module(fail2ban, 1.5.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute_role fail2ban_client_roles;
+
+type fail2ban_t;
+type fail2ban_exec_t;
+init_daemon_domain(fail2ban_t, fail2ban_exec_t)
+
+type fail2ban_initrc_exec_t;
+init_script_file(fail2ban_initrc_exec_t)
+
+type fail2ban_log_t;
+logging_log_file(fail2ban_log_t)
+
+type fail2ban_var_lib_t;
+files_type(fail2ban_var_lib_t)
+
+type fail2ban_var_run_t;
+files_pid_file(fail2ban_var_run_t)
+
+type fail2ban_tmp_t;
+files_tmp_file(fail2ban_tmp_t)
+
+type fail2ban_client_t;
+type fail2ban_client_exec_t;
+init_system_domain(fail2ban_client_t, fail2ban_client_exec_t)
+role fail2ban_client_roles types fail2ban_client_t;
+
+########################################
+#
+# Server Local policy
+#
+
+allow fail2ban_t self:capability { dac_read_search sys_tty_config };
+allow fail2ban_t self:process { getpgid setsched signal };
+allow fail2ban_t self:fifo_file rw_fifo_file_perms;
+allow fail2ban_t self:unix_stream_socket { accept connectto listen };
+allow fail2ban_t self:tcp_socket { accept listen };
+allow fail2ban_t self:netlink_netfilter_socket create_socket_perms;
+
+read_files_pattern(fail2ban_t, fail2ban_t, fail2ban_t)
+
+append_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t)
+create_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t)
+setattr_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t)
+logging_log_filetrans(fail2ban_t, fail2ban_log_t, file)
+
+manage_dirs_pattern(fail2ban_t, fail2ban_tmp_t, fail2ban_tmp_t)
+manage_files_pattern(fail2ban_t, fail2ban_tmp_t, fail2ban_tmp_t)
+exec_files_pattern(fail2ban_t, fail2ban_tmp_t, fail2ban_tmp_t)
+files_tmp_filetrans(fail2ban_t, fail2ban_tmp_t, { dir file })
+
+manage_dirs_pattern(fail2ban_t, fail2ban_var_lib_t, fail2ban_var_lib_t)
+manage_files_pattern(fail2ban_t, fail2ban_var_lib_t, fail2ban_var_lib_t)
+
+manage_dirs_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
+manage_sock_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
+manage_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
+files_pid_filetrans(fail2ban_t, fail2ban_var_run_t, file)
+
+kernel_read_system_state(fail2ban_t)
+kernel_read_network_state(fail2ban_t)
+kernel_read_net_sysctls(fail2ban_t)
+
+corecmd_exec_bin(fail2ban_t)
+corecmd_exec_shell(fail2ban_t)
+
+corenet_all_recvfrom_netlabel(fail2ban_t)
+corenet_tcp_sendrecv_generic_if(fail2ban_t)
+corenet_tcp_sendrecv_generic_node(fail2ban_t)
+
+corenet_sendrecv_whois_client_packets(fail2ban_t)
+corenet_tcp_connect_whois_port(fail2ban_t)
+corenet_tcp_sendrecv_whois_port(fail2ban_t)
+
+dev_read_urand(fail2ban_t)
+dev_read_sysfs(fail2ban_t)
+
+domain_use_interactive_fds(fail2ban_t)
+domain_dontaudit_read_all_domains_state(fail2ban_t)
+
+files_read_etc_runtime_files(fail2ban_t)
+files_list_var(fail2ban_t)
+files_dontaudit_list_tmp(fail2ban_t)
+
+fs_list_inotifyfs(fail2ban_t)
+fs_getattr_all_fs(fail2ban_t)
+
+auth_use_nsswitch(fail2ban_t)
+
+logging_read_all_logs(fail2ban_t)
+logging_read_audit_log(fail2ban_t)
+logging_send_syslog_msg(fail2ban_t)
+logging_read_syslog_pid(fail2ban_t)
+logging_dontaudit_search_audit_logs(fail2ban_t)
+logging_mmap_generic_logs(fail2ban_t)
+logging_mmap_journal(fail2ban_t)
+
+mta_send_mail(fail2ban_t)
+
+sysnet_manage_config(fail2ban_t)
+
+optional_policy(`
+	apache_read_log(fail2ban_t)
+')
+
+optional_policy(`
+	dbus_system_bus_client(fail2ban_t)
+	dbus_connect_system_bus(fail2ban_t)
+
+	optional_policy(`
+		firewalld_dbus_chat(fail2ban_t)
+	')
+')
+
+optional_policy(`
+	ftp_read_log(fail2ban_t)
+')
+
+optional_policy(`
+	gnome_dontaudit_search_config(fail2ban_t)
+')
+
+optional_policy(`
+	iptables_domtrans(fail2ban_t)
+')
+
+optional_policy(`
+	allow fail2ban_t self:capability sys_resource;
+	allow fail2ban_t self:process setrlimit;
+	journalctl_exec(fail2ban_t)
+')
+
+optional_policy(`
+	libs_exec_ldconfig(fail2ban_t)
+')
+
+optional_policy(`
+	rpm_exec(fail2ban_t)
+')
+
+optional_policy(`
+	shorewall_domtrans(fail2ban_t)
+')
+
+########################################
+#
+# Client Local policy
+#
+
+allow fail2ban_client_t self:capability { dac_read_search  };
+allow fail2ban_client_t self:unix_stream_socket { create connect write read };
+
+domtrans_pattern(fail2ban_client_t, fail2ban_exec_t, fail2ban_t)
+
+allow fail2ban_client_t fail2ban_t:process { rlimitinh };
+
+dontaudit fail2ban_client_t fail2ban_var_run_t:dir_file_class_set audit_access;
+allow fail2ban_client_t fail2ban_var_run_t:dir write;
+stream_connect_pattern(fail2ban_client_t, fail2ban_var_run_t, fail2ban_var_run_t, fail2ban_t)
+
+kernel_read_system_state(fail2ban_client_t)
+
+corecmd_exec_bin(fail2ban_client_t)
+
+dev_read_urand(fail2ban_client_t)
+dev_read_rand(fail2ban_client_t)
+
+domain_use_interactive_fds(fail2ban_client_t)
+
+files_search_pids(fail2ban_client_t)
+
+auth_use_nsswitch(fail2ban_client_t)
+
+libs_exec_ldconfig(fail2ban_client_t)
+
+logging_getattr_all_logs(fail2ban_client_t)
+logging_search_all_logs(fail2ban_client_t)
+logging_read_audit_log(fail2ban_client_t)
+
+userdom_dontaudit_search_user_home_dirs(fail2ban_client_t)
+userdom_use_user_terminals(fail2ban_client_t)
+
+optional_policy(`
+    apache_read_log(fail2ban_client_t)
+')

sources

@@ -1 +1 @@
-SHA512 (fail2ban-0.10.5.tar.gz) = 306153587a3fcda6e72856f0b7817ea76eda83cca84d5a9af2d182aaf06cc18379c31ae22b16f7544d988bf5abaf8e12df229c350a48bbdf01751a56c9be80c6
+SHA512 (fail2ban-0.11.1.tar.gz) = 019b088aa6375f98742ed101ef6f65adabca3324444d71d5b8597a8d1d22fa76b9f503660f0498643fe24a3b8e4368de916072a1ab77b8e2ea3eda41c3e0c8c6