From 283bb7f670f399e08fc7624d42e3d9e24f75d255 Mon Sep 17 00:00:00 2001
From: Filippo Bonazzi <filippo.bonazzi@suse.com>
Date: Wed, 15 Oct 2025 12:27:20 +0200
Subject: [PATCH] fail2ban: allow fail2ban to watch all log files and dirs
 (bsc#1251952)

---
 fail2ban.te | 18 ++++--------------
 1 file changed, 4 insertions(+), 14 deletions(-)

diff --git a/fail2ban.te b/fail2ban.te
index b19bdaa..5bc2394 100644
--- a/fail2ban.te
+++ b/fail2ban.te
@@ -99,22 +99,12 @@ logging_read_syslog_pid(fail2ban_t)
 logging_dontaudit_search_audit_logs(fail2ban_t)
 logging_mmap_generic_logs(fail2ban_t)
 logging_mmap_journal(fail2ban_t)
-allow fail2ban_t fail2ban_log_t:file watch;
-gen_require(`
-        attribute logfile;
-')
-allow fail2ban_t logfile:dir { watch_dir_perms };
-allow fail2ban_t logfile:file { watch_file_perms };
 # Not in EL9 yet
 #logging_watch_audit_log_files(fail2ban_t)
-gen_require(`
-	type var_log_t, auditd_log_t;
-')
-watch_files_pattern(fail2ban_t, auditd_log_t, auditd_log_t)
-#logging_watch_audit_log_dirs(fail2ban_t)
-allow fail2ban_t var_log_t:dir search_dir_perms;
-watch_dirs_pattern(fail2ban_t, auditd_log_t, auditd_log_t)
-logging_watch_generic_log_dirs(fail2ban_t)
+logging_watch_all_log_files(fail2ban_t)
+logging_watch_all_log_dirs(fail2ban_t)
+logging_watch_audit_log_files(fail2ban_t)
+logging_watch_audit_log_dirs(fail2ban_t)
 logging_watch_journal_dir(fail2ban_t)
 
 mta_send_mail(fail2ban_t)