Fix SELinux policy to allow watch on var_log_t (bz#2083923)

fail2ban.spec

@@ -1,6 +1,6 @@
 Name: fail2ban
 Version: 0.11.2
-Release: 11%{?dist}
+Release: 12%{?dist}
 Summary: Daemon to ban hosts that cause multiple authentication errors
 
 License: GPLv2+
@@ -407,6 +407,9 @@ fi
 
 
 %changelog
+* Wed May 18 2022 Orion Poplawski <orion@nwra.com> - 0.11.2-12
+- Fix SELinux policy to allow watch on var_log_t (bz#2083923)
+
 * Fri Jan 28 2022 Orion Poplawski <orion@nwra.com> - 0.11.2-11
 - Require /usr/bin/mail instead of mailx
 

fail2ban.te

@@ -45,7 +45,6 @@ allow fail2ban_t self:netlink_netfilter_socket create_socket_perms;
 
 read_files_pattern(fail2ban_t, fail2ban_t, fail2ban_t)
 
-#allow fail2ban_t fail2ban_log_t:file watch;
 append_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t)
 create_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t)
 setattr_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t)
@@ -100,10 +99,18 @@ logging_read_syslog_pid(fail2ban_t)
 logging_dontaudit_search_audit_logs(fail2ban_t)
 logging_mmap_generic_logs(fail2ban_t)
 logging_mmap_journal(fail2ban_t)
+allow fail2ban_t fail2ban_log_t:file watch;
+# Not in EL9 yet
 #logging_watch_audit_log_files(fail2ban_t)
+gen_require(`
+	type var_log_t, auditd_log_t;
+')
+watch_files_pattern(fail2ban_t, auditd_log_t, auditd_log_t)
 #logging_watch_audit_log_dirs(fail2ban_t)
-#logging_watch_generic_log_dirs(fail2ban_t)
+allow fail2ban_t var_log_t:dir search_dir_perms;
-#logging_watch_journal_dir(fail2ban_t)
+watch_dirs_pattern(fail2ban_t, auditd_log_t, auditd_log_t)
+logging_watch_generic_log_dirs(fail2ban_t)
+logging_watch_journal_dir(fail2ban_t)
 
 mta_send_mail(fail2ban_t)