fedora-selinux / selinux-policy

selinux-policy for Fedora is a large patch off the mainline
GNU General Public License v2.0

Need a generic watch logfiles interface #2048

Closed opoplawski closed 7 months ago

opoplawski commented 7 months ago

fail2ban needs to be able to read and watch just about any logfile. We already use:

logging_read_all_logs(fail2ban_t)
logging_read_audit_log(fail2ban_t)
logging_watch_generic_log_dirs(fail2ban_t)

But this doesn't seem to give us the following:

type=AVC msg=audit(1708626987.702:3040): avc:  denied  { watch } for  pid=38569 comm="fail2ban-server" path="/var/log/httpd" dev="sda2" ino=966417 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1708626987.702:3041): avc:  denied  { watch } for  pid=38569 comm="fail2ban-server" path="/var/log/httpd/error_log" dev="sda2" ino=966400 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file permissive=1

I see logging_watch_all_log_dirs_path - but that only gives permission for dirs. I think we need a logging_watch_all_logs interface.

Thoughts?

opoplawski commented 7 months ago

In the meantime I'm adding this to the fail2ban policy:

gen_require(`
        attribute logfile;
')
allow fail2ban_t logfile:dir { watch_dir_perms };
allow fail2ban_t logfile:file { watch_file_perms };
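
As an added example (not code from this issue or from the selinux-policy project), the script below ties the two comments above together: it parses the AVC records quoted in the first comment, merges the denied permissions into allow rules per (source type, target type, class) the way audit2allow does, reports which denials were actually enforced (permissive=0 rather than the permissive=1 shown in the thread), and checks whether a candidate rule such as the logfile-attribute workaround in the second comment would cover them. The third AVC line and the membership of the logfile attribute are constructed for the example; on a real system the attribute members come from `seinfo -a logfile -x`.

```python
import re
from collections import defaultdict

# Constructed sample: the two AVC records quoted in the issue, plus a third
# line made up here (not from the issue) so that permission merging and an
# enforced (permissive=0) denial are visible.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1708626987.702:3040): avc:  denied  { watch } for  pid=38569 comm="fail2ban-server" path="/var/log/httpd" dev="sda2" ino=966417 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1708626987.702:3041): avc:  denied  { watch } for  pid=38569 comm="fail2ban-server" path="/var/log/httpd/error_log" dev="sda2" ino=966400 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(1708626990.000:3042): avc:  denied  { read open } for  pid=38569 comm="fail2ban-server" path="/var/log/httpd/error_log" dev="sda2" ino=966400 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(
    r"type=AVC\b.*?avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)"
    r".*?\btcontext=(?P<tcontext>\S+)"
    r".*?\btclass=(?P<tclass>\S+)"
    r"(?:.*?\bpermissive=(?P<permissive>[01]))?"
)


def type_of(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one AVC record into a dict, or return None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "result": m.group("result"),
        "perms": set(m.group("perms").split()),
        "stype": type_of(m.group("scontext")),
        "ttype": type_of(m.group("tcontext")),
        "tclass": m.group("tclass"),
        # permissive=1 means the access was logged but not blocked.
        "permissive": m.group("permissive") == "1",
    }


def merge_denials(audit_text):
    """Group denied permissions by (source type, target type, object class)."""
    merged = defaultdict(set)
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["result"] == "denied":
            merged[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return dict(merged)


def allow_rules(audit_text):
    """Render merged denials as policy allow rules (what audit2allow would emit)."""
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in sorted(merge_denials(audit_text).items())
    ]


def enforced_denials(audit_text):
    """Records with permissive=0: accesses that were actually refused."""
    return [r for r in map(parse_avc, audit_text.splitlines())
            if r and r["result"] == "denied" and not r["permissive"]]


# Assumed attribute membership for the coverage check (constructed here).
# On a real system list it with: seinfo -a logfile -x
ASSUMED_ATTRIBUTES = {"logfile": {"httpd_log_t", "var_log_t"}}


def covered_by(audit_text, rule_stype, rule_target, rule_perms,
               attributes=ASSUMED_ATTRIBUTES):
    """Return the merged denials NOT covered by one candidate allow rule.

    rule_target may be a type or an attribute name; rule_perms maps an
    object class to the set of permissions the rule grants on it.
    """
    targets = attributes.get(rule_target, {rule_target})
    uncovered = {}
    for (s, t, c), perms in merge_denials(audit_text).items():
        if s == rule_stype and t in targets and perms <= rule_perms.get(c, set()):
            continue
        uncovered[(s, t, c)] = perms
    return uncovered


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_AUDIT):
        print(rule)
    print("enforced denials:", len(enforced_denials(SAMPLE_AUDIT)))
    # The workaround above: watch on every dir and file carrying logfile.
    watch_only = {"dir": {"watch"}, "file": {"watch"}}
    print("not covered by watch-only rule:",
          covered_by(SAMPLE_AUDIT, "fail2ban_t", "logfile", watch_only))
```

The merged rule list is what you would paste into a `.te` file for a quick test; the coverage check is the part audit2allow does not do for you, and it is where an attribute-based rule like the one above shows its value: one rule on `logfile` covers every type that carries the attribute, which is also why it grants more than the two denials strictly require.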

zpytela commented 7 months ago

Adding 2 interfaces; the logfile attribute should cover all log files except the audit log, which is intentional.

zpytela commented 7 months ago

As there were no comments, I am going to merge the PR as is.