On 5/18/22 04:57, Orion Poplawski wrote:
On 5/17/22 20:45, Orion Poplawski wrote:
I'm getting the following error building fail2ban on EPEL9:
make[1]: Entering directory '/builddir/build/BUILD/fail2ban-0.11.2'
fail2ban.if:13: Error: duplicate definition of fail2ban_domtrans(). Original definition on 13.
fail2ban.if:33: Error: duplicate definition of fail2ban_domtrans_client(). Original definition on 33.
fail2ban.if:60: Error: duplicate definition of fail2ban_run_client(). Original definition on 60.
fail2ban.if:80: Error: duplicate definition of fail2ban_stream_connect(). Original definition on 80.
fail2ban.if:99: Error: duplicate definition of fail2ban_rw_inherited_tmp_files(). Original definition on 99.
fail2ban.if:118: Error: duplicate definition of fail2ban_rw_stream_sockets(). Original definition on 118.
fail2ban.if:137: Error: duplicate definition of fail2ban_dontaudit_use_fds(). Original definition on 137.
fail2ban.if:156: Error: duplicate definition of fail2ban_dontaudit_rw_stream_sockets(). Original definition on 156.
fail2ban.if:174: Error: duplicate definition of fail2ban_read_lib_files(). Original definition on 174.
fail2ban.if:194: Error: duplicate definition of fail2ban_read_log(). Original definition on 194.
fail2ban.if:215: Error: duplicate definition of fail2ban_append_log(). Original definition on 215.
fail2ban.if:235: Error: duplicate definition of fail2ban_read_pid_files(). Original definition on 235.
fail2ban.if:254: Error: duplicate definition of fail2ban_dontaudit_leaks(). Original definition on 254.
fail2ban.if:281: Error: duplicate definition of fail2ban_admin(). Original definition on 281.
Compiling targeted fail2ban module
fail2ban.te:102:ERROR 'syntax error' at token 'logging_watch_audit_log_files' on line 6330:
logging_watch_audit_log_files(fail2ban_t)
The .if errors don't seem to actually fail the build, but I'm still
curious if it's time to drop the fail2ban policy from selinux-policy
itself.
The latter seems to be a problem, but is fine on Fedora (through
F37). It also complains about other logging_watch_* macros.
What happened to this in EL9?
So, it looks like the policy in EL9 is old enough to not have these
macros. Any suggestions for how to conditionally support this?
Hi,
please see:
https://fedoraproject.org/wiki/SELinux/IndependentPolicy#Backwards_compatibility
You can find the missing interface here:
https://github.com/fedora-selinux/selinux-policy/blob/rawhide/policy/modules/system/logging.if#L177
TLDR:
# Define the interface only when the installed policy does not provide it.
ifndef(`logging_watch_audit_log_files',`
    interface(`logging_watch_audit_log_files',`
        gen_require(`
            type var_log_t, auditd_log_t;
        ')
        watch_files_pattern($1, auditd_log_t, auditd_log_t)
    ')
')
Vit
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
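
Added example, not part of the original thread or of the fail2ban or selinux-policy sources: a small checker that lists the macros a .te file calls but that the target release's policy headers do not define, which are the ones that need an ifndef shim like the one in the reply. The header text, the .te fragment and the function name missing_interfaces are constructed for illustration.

```python
import re

# Definitions in policy headers: interface(`x', template(`x', and the
# support macros that .spt files create with define(`x'.
DEF_RE = re.compile(r"^\s*(?:interface|template|define)\(`(\w+)'", re.M)
# A macro-style call at the start of a policy line, e.g. foo_bar(fail2ban_t).
CALL_RE = re.compile(r"^\s*([a-z]\w*)\(", re.M)
# m4 builtins and definition keywords that never need a shim.
KEYWORDS = {"ifdef", "ifndef", "define", "interface", "template"}

def missing_interfaces(te_text, header_texts):
    """Names called in te_text but defined neither in the headers nor locally."""
    code = re.sub(r"#.*", "", te_text)  # drop policy comments
    known = KEYWORDS | set(DEF_RE.findall(code))
    for header in header_texts:
        known |= set(DEF_RE.findall(header))
    return sorted(set(CALL_RE.findall(code)) - known)

# Constructed stand-in for an older policy's headers (not real EL9 content).
OLD_HEADERS = """
define(`policy_module',`...')
define(`gen_require',`...')
define(`watch_files_pattern',`...')
interface(`logging_read_all_logs',`...')
"""
# Constructed .te fragment using the call from the build error in the thread.
SAMPLE_TE = """
policy_module(fail2ban, 1.0.0)
type fail2ban_t;
logging_read_all_logs(fail2ban_t)
logging_watch_audit_log_files(fail2ban_t)  # absent from OLD_HEADERS
"""
# The ifndef shim from the reply, placed ahead of the module text.
SHIM = """
ifndef(`logging_watch_audit_log_files',`
interface(`logging_watch_audit_log_files',`
gen_require(`
type var_log_t, auditd_log_t;
')
watch_files_pattern($1, auditd_log_t, auditd_log_t)
')
')
"""

if __name__ == "__main__":
    print("without shim:", missing_interfaces(SAMPLE_TE, [OLD_HEADERS]))
    print("with shim:   ", missing_interfaces(SHIM + SAMPLE_TE, [OLD_HEADERS]))
```

To check a real build root, pass the contents of the .if and .spt files under /usr/share/selinux/devel/include as header_texts.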