fail2ban: allow reading net sysctls

type=AVC msg=audit(1696613589.191:194926): avc: denied { search } for pid=1724 comm="f2b/f.dovecot" name="net" dev="proc" ino=2813 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=0 Signed-off-by: Kenton Groombridge <concord@gentoo.org>
author: Kenton Groombridge <concord@gentoo.org> 2024-05-06 15:58:20 -0400
committer: Kenton Groombridge <concord@gentoo.org> 2024-05-14 13:41:33 -0400
commit: dc612e94fc961e4039c1fba11c03e9f872888fbf (patch)
tree: 9020a2b0c406bf55cf2fe58ab7aefa5bdc38f4ef
parent: init: allow systemd to use sshd pidfds (diff)
download: hardened-refpolicy-dc612e94fc961e4039c1fba11c03e9f872888fbf.tar.gz
hardened-refpolicy-dc612e94fc961e4039c1fba11c03e9f872888fbf.tar.bz2
hardened-refpolicy-dc612e94fc961e4039c1fba11c03e9f872888fbf.zip
1 files changed, 1 insertions, 0 deletions
diff --git a/policy/modules/services/fail2ban.te b/policy/modules/services/fail2ban.te
index af34769d3..dce03adca 100644
--- a/policy/modules/services/fail2ban.te
+++ b/policy/modules/services/fail2ban.te
@@ -62,6 +62,7 @@ manage_sock_files_pattern(fail2ban_t, fail2ban_runtime_t, fail2ban_runtime_t)
 manage_files_pattern(fail2ban_t, fail2ban_runtime_t, fail2ban_runtime_t)
 files_runtime_filetrans(fail2ban_t, fail2ban_runtime_t, file)
 
+kernel_read_net_sysctls(fail2ban_t)
 kernel_read_system_state(fail2ban_t)
 kernel_read_vm_overcommit_sysctl(fail2ban_t)
 kernel_search_fs_sysctls(fail2ban_t)
author	Kenton Groombridge <concord@gentoo.org>	2024-05-06 15:58:20 -0400
committer	Kenton Groombridge <concord@gentoo.org>	2024-05-14 13:41:33 -0400
commit	dc612e94fc961e4039c1fba11c03e9f872888fbf (patch)
tree	9020a2b0c406bf55cf2fe58ab7aefa5bdc38f4ef
parent	init: allow systemd to use sshd pidfds (diff)
download	hardened-refpolicy-dc612e94fc961e4039c1fba11c03e9f872888fbf.tar.gz hardened-refpolicy-dc612e94fc961e4039c1fba11c03e9f872888fbf.tar.bz2 hardened-refpolicy-dc612e94fc961e4039c1fba11c03e9f872888fbf.zip