Add patch for Dovecot 2.4 jail. Fixes BZ#2426440.

https://fedoraproject.org/wiki/Changes/DeprecateSetuppyMacros.

04ff4c060cdc233af9a6deeb85a6523da0416f31.patch

@@ -0,0 +1,60 @@
+From 04ff4c060cdc233af9a6deeb85a6523da0416f31 Mon Sep 17 00:00:00 2001
+From: Nic Boet <nic@boet.cc>
+Date: Fri, 13 Jun 2025 16:44:57 -0500
+Subject: [PATCH] Dovecot 2.4 filter support
+
+Dovecot 2.4 release is a major upgrade
+Logger event structure has changed, all messages are now
+prefixed with:
+
+        "Login aborted: " <reason> "auth failed"
+
+Maintain 2.3 support as many folks have yet to migrate,
+community edition is still receiving cretial security patches
+
+Dovecot 2.4.1
+Python 3.12.10
+
+Signed-off-by: Nic Boet <nic@boet.cc>
+---
+ config/filter.d/dovecot.conf      | 2 ++
+ fail2ban/tests/files/logs/dovecot | 6 ++++++
+ 2 files changed, 8 insertions(+)
+
+diff --git a/config/filter.d/dovecot.conf b/config/filter.d/dovecot.conf
+index dc3ebbcd42..f49eebe726 100644
+--- a/config/filter.d/dovecot.conf
++++ b/config/filter.d/dovecot.conf
+@@ -17,6 +17,7 @@ prefregex = ^%(__prefix_line)s(?:%(_auth_worker)s(?:\([^\)]+\))?: )?(?:%(__pam_a
+ 
+ failregex = ^authentication failure; logname=<F-ALT_USER1>\S*</F-ALT_USER1> uid=\S* euid=\S* tty=dovecot ruser=<F-USER>\S*</F-USER> rhost=<HOST>(?:\s+user=<F-ALT_USER>\S*</F-ALT_USER>)?\s*$
+             ^(?:Aborted login|Disconnected|Remote closed connection|Client has quit the connection)%(_bypass_reject_reason)s \((?:auth failed, \d+ attempts(?: in \d+ secs)?|tried to use (?:disabled|disallowed) \S+ auth|proxy dest auth failed)\):(?: user=<<F-USER>[^>]*</F-USER>>,)?(?: method=\S+,)? rip=<HOST>(?:[^>]*(?:, session=<\S+>)?)\s*$
++            ^(?:Login aborted):\s*%(_bypass_reject_reason)s.*?\((?:auth failed, \d+ attempts(?: in \d+ secs)?|tried to use (?:disabled|disallowed) \S+ auth|proxy dest auth failed)\)(?:\s*\([^)]+\))?:\s*(?:user=<<F-USER>[^>]*</F-USER>>,?\s*)?(?:,?\s*method=\S+,\s*)?rip=<HOST>(?:[^>]*(?:, session=<\S+>)?)\s*$
+             ^pam\(\S+,<HOST>(?:,\S*)?\): pam_authenticate\(\) failed: (?:User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \([Pp]assword mismatch\?\)|Permission denied)\s*$
+             ^[a-z\-]{3,15}\(\S*,<HOST>(?:,\S*)?\): (?:[Uu]nknown user|[Ii]nvalid credentials|[Pp]assword mismatch)
+             <mdre-<mode>>
+@@ -43,6 +44,7 @@ datepattern = {^LN-BEG}TAI64N
+ # DEV Notes:
+ # * the first regex is essentially a copy of pam-generic.conf
+ # * Probably doesn't do dovecot sql/ldap backends properly (resolved in edit 21/03/2016)
++# * Dovecot version 2.4 changed event log structure, line prior needed to maintain 2.3 support
+ #
+ # Author: Martin Waschbuesch
+ #         Daniel Black (rewrote with begin and end anchors)
+diff --git a/fail2ban/tests/files/logs/dovecot b/fail2ban/tests/files/logs/dovecot
+index 0e33296129..4f5a0b7867 100644
+--- a/fail2ban/tests/files/logs/dovecot
++++ b/fail2ban/tests/files/logs/dovecot
+@@ -22,6 +22,12 @@ Jun 14 00:48:21 platypus dovecot: imap-login: Disconnected (auth failed, 1 attem
+ # failJSON: { "time": "2005-06-23T00:52:43", "match": true , "host": "193.95.245.163" }
+ Jun 23 00:52:43 vhost1-ua dovecot: pop3-login: Disconnected: Inactivity (auth failed, 1 attempts): user=<info>, method=PLAIN, rip=193.95.245.163, lip=176.214.13.210
+ 
++# Dovecot version 2.4
++# failJSON: { "time": "2005-06-12T19:07:29", "match": true , "host": "192.0.2.241" }
++Jun 12 19:07:29 hostname dovecot[241]: imap-login: Login aborted: Connection closed (auth failed, 3 attempts in 16 secs) (auth_failed): user=<test>, method=PLAIN, rip=192.0.2.241, lip=203.0.113.104, TLS, session=<9ZHq02g3J8S60fan>
++# failJSON: { "time": "2005-06-13T16:35:56", "match": true , "host": "192.0.2.241" }
++Jun 13 16:35:56 mx dovecot[241]: managesieve-login: Login aborted: Logged out (auth failed, 1 attempts in 10 secs) (auth_failed): user=<user@domain>, method=PLAIN, rip=192.0.2.241, lip=203.0.113.104, TLS, session=<Dp8j1Ho3suQYdo+k>
++
+ # failJSON: { "time": "2005-07-02T13:49:31", "match": true , "host": "192.51.100.13" }
+ Jul 02 13:49:31 hostname dovecot[442]: pop3-login: Aborted login (auth failed, 1 attempts in 17 secs): user=<test>, method=PLAIN, rip=192.51.100.13, lip=203.0.113.17, session=<YADINsQCDs5BH8Pg>
+ 

54c0effceb998b73545073ac59c479d9d9bf19a4.patch

@@ -0,0 +1,23 @@
+From 54c0effceb998b73545073ac59c479d9d9bf19a4 Mon Sep 17 00:00:00 2001
+From: sebres <info@sebres.de>
+Date: Sun, 11 Aug 2024 12:10:12 +0200
+Subject: [PATCH] filter.d/sshd.conf: amend to #3747/#3812 (new ssh version
+ would log with `_COMM=sshd-session`)
+
+---
+ config/filter.d/sshd.conf | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/config/filter.d/sshd.conf b/config/filter.d/sshd.conf
+index 206b913a78..595e957f0b 100644
+--- a/config/filter.d/sshd.conf
++++ b/config/filter.d/sshd.conf
+@@ -126,7 +126,7 @@ ignoreregex =
+ 
+ maxlines = 1
+ 
+-journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd
++journalmatch = _SYSTEMD_UNIT=sshd.service + _COMM=sshd + _COMM=sshd-session
+ 
+ # DEV Notes:
+ #

fail2ban.spec

@@ -8,17 +8,14 @@
 %if %{defined rhel} && 0%{?rhel} < 10
 %define legacy_var_run 1
 %endif
-%if %{defined fedora} && 0%{?fedora} < 40
-%define legacy_var_run 1
-%endif
 
 Name: fail2ban
 Version: 1.1.0
-Release: 5%{?dist}
+Release: 15%{?dist}
 Summary: Daemon to ban hosts that cause multiple authentication errors
 
 License: GPL-2.0-or-later
-URL: https://fail2ban.sourceforge.net
+URL: https://www.fail2ban.org
 Source0: https://github.com/%{name}/%{name}/archive/%{version}.tar.gz#/%{name}-%{version}.tar.gz
 Source1: https://github.com/%{name}/%{name}/releases/download/%{version}/%{name}-%{version}.tar.gz.asc
 # Releases are signed by Serg G. Brester (sebres) <info AT sebres.de>.  The
@@ -50,28 +47,27 @@ Patch2: https://github.com/fail2ban/fail2ban/commit/ab9d41e5309b417a3c7a84fa8f03
 Patch3: https://patch-diff.githubusercontent.com/raw/fail2ban/fail2ban/pull/3782.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2295265
 Patch4: https://patch-diff.githubusercontent.com/raw/fail2ban/fail2ban/pull/3728.patch
+# Upstream fix to also catch sshd-session logs
+# https://bugzilla.redhat.com/show_bug.cgi?id=2332945
+Patch5: https://github.com/fail2ban/fail2ban/commit/54c0effceb998b73545073ac59c479d9d9bf19a4.patch
+# Needed for Dovecot change to loging format in 2.4, fixed in f2b version 1.1.1.
+# https://bugzilla.redhat.com/show_bug.cgi?id=2426440
+Patch6: https://github.com/fail2ban/fail2ban/commit/04ff4c060cdc233af9a6deeb85a6523da0416f31.patch
 
 
 BuildArch: noarch
 
-%if 0%{?rhel} && 0%{?rhel} < 8
-BuildRequires: python-devel
-BuildRequires: python-setuptools
-# For testcases
-BuildRequires: python-inotify
-%else
 BuildRequires: python3-devel
 BuildRequires: python3-setuptools
 # For testcases
 BuildRequires: python3-inotify
-%endif
 # using a python3_version-based conditional does not work here, so
 # this is a proxy for "Python version greater than 3.12". asyncore
 # and asynchat were dropped from cpython core in 3.12, these modules
 # make them available again. See:
 # https://github.com/fail2ban/fail2ban/issues/3487
 # https://bugzilla.redhat.com/show_bug.cgi?id=2219991
-%if 0%{?fedora} > 38
+%if 0%{?fedora} || 0%{?rhel} >= 10
 BuildRequires: python3-pyasyncore
 BuildRequires: python3-pyasynchat
 %endif
@@ -79,7 +75,7 @@ BuildRequires: sqlite
 BuildRequires: systemd
 BuildRequires: selinux-policy-devel
 BuildRequires: make
-%if 0%{?fedora} >= 41
+%if 0%{?fedora} || 0%{?rhel} >= 11
 BuildRequires: bash-completion-devel
 %else
 BuildRequires: bash-completion
@@ -120,24 +116,14 @@ SELinux policies for Fail2Ban.
 
 %package server
 Summary: Core server component for Fail2Ban
-%if 0%{?rhel} && 0%{?rhel} < 8
-Requires: systemd-python
-Requires: ipset
-Requires: iptables
-%else
 Requires: python3-systemd
 Requires: nftables
-%endif
 Requires(post): systemd
 Requires(preun): systemd
 Requires(postun): systemd
-%if 0%{?fedora} || 0%{?rhel} >= 8
 Requires: (%{name}-selinux if selinux-policy-%{selinuxtype})
-%else
-Requires: %{name}-selinux
-%endif
 # see note above in BuildRequires section
-%if 0%{?fedora} > 38
+%if 0%{?fedora} || 0%{?rhel} >= 10
 Requires: python3-pyasyncore
 Requires: python3-pyasynchat
 %endif
@@ -159,13 +145,7 @@ Requires: %{name}-server = %{version}-%{release}
 Requires: %{name}-shorewall = %{version}-%{release}
 %endif
 Requires: perl-interpreter
-%if 0%{?rhel} && 0%{?rhel} < 8
-Requires: python-inotify
-# No python3 support for gamin so epel only
-Requires: gamin-python
-%else
 Requires: python3-inotify
-%endif
 Requires: /usr/bin/whois
 
 %description all
@@ -255,11 +235,6 @@ by default.
 %prep
 %{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
 %autosetup -p1
-# this test uses smtpd which is removed in Python 3.12, rewriting it
-# isn't trivial
-%if 0%{?fedora} > 38
-rm -f fail2ban/tests/action_d/test_smtp.py
-%endif
 
 # Use Fedora paths
 sed -i -e 's/^before = paths-.*/before = paths-fedora.conf/' config/jail.conf
@@ -276,27 +251,26 @@ sed -i 's|^/run/|/var/run/|' %{name}.fc
 sed -i "/use_2to3/d" setup.py
 
 
+%generate_buildrequires
+%pyproject_buildrequires
+
+
 %build
-%if 0%{?rhel} && 0%{?rhel} < 8
+%pyproject_wheel
-%py2_build
-%else
-%py3_build
-%endif
 make -f %SOURCE6
 
 
 %install
-%if 0%{?rhel} && 0%{?rhel} < 8
+%pyproject_install
-%py2_install
-# Make symbolic link relative
-ln -fs python2 %{buildroot}%{_bindir}/fail2ban-python
-%else
-%py3_install
 ln -fs python3 %{buildroot}%{_bindir}/fail2ban-python
-%endif
+mv %{buildroot}%{python3_sitelib}/etc %{buildroot}
+mv %{buildroot}%{python3_sitelib}/%{_datadir} %{buildroot}%{_datadir}
+rmdir %{buildroot}%{python3_sitelib}%{_prefix}
 
 mkdir -p %{buildroot}%{_unitdir}
-cp -p build/fail2ban.service %{buildroot}%{_unitdir}/
+# Note that the tests rewrite build/fail2ban.service, but it uses build/ paths before the rewrite
+# so we will do our own modification
+sed -e 's,@BINDIR@,%{_bindir},' files/fail2ban.service.in > %{buildroot}%{_unitdir}/fail2ban.service
 mkdir -p %{buildroot}%{_mandir}/man{1,5}
 install -p -m 644 man/*.1 %{buildroot}%{_mandir}/man1
 install -p -m 644 man/*.5 %{buildroot}%{_mandir}/man5
@@ -307,6 +281,7 @@ install -m 0600 /dev/null %{buildroot}/run/fail2ban/fail2ban.pid
 install -d -m 0755 %{buildroot}%{_localstatedir}/lib/fail2ban/
 mkdir -p %{buildroot}%{_tmpfilesdir}
 install -p -m 0644 files/fail2ban-tmpfiles.conf %{buildroot}%{_tmpfilesdir}/fail2ban.conf
+mkdir -p %{buildroot}%{_sysconfdir}/%{name}/jail.d
 
 # Remove non-Linux actions
 rm %{buildroot}%{_sysconfdir}/%{name}/action.d/*ipfw.conf
@@ -351,17 +326,7 @@ COMPLETIONDIR=%{buildroot}$(pkg-config --variable=completionsdir bash-completion
 
 
 %check
-%if 0%{?rhel} && 0%{?rhel} < 8
-%python2 bin/fail2ban-testcases --verbosity=2 --no-network
-%else
-%if 0%{?fedora} > 38
-# testRepairDb does not work with sqlite 3.42.0+
-# https://github.com/fail2ban/fail2ban/issues/3586
-%python3 bin/fail2ban-testcases --verbosity=2 --no-network -i testRepairDb
-%else
 %python3 bin/fail2ban-testcases --verbosity=2 --no-network
-%endif
-%endif
 
 
 %pre selinux
@@ -401,13 +366,8 @@ fi
 %{_bindir}/fail2ban-python
 %{_bindir}/fail2ban-regex
 %{_bindir}/fail2ban-server
-%if 0%{?rhel} && 0%{?rhel} < 8
-%{python2_sitelib}/*
-%exclude %{python2_sitelib}/fail2ban/tests
-%else
 %{python3_sitelib}/*
 %exclude %{python3_sitelib}/fail2ban/tests
-%endif
 %{_unitdir}/fail2ban.service
 %{_datadir}/bash-completion/
 %{_mandir}/man1/fail2ban.1*
@@ -443,11 +403,7 @@ fi
 %files tests
 %{_bindir}/fail2ban-testcases
 %{_mandir}/man1/fail2ban-testcases.1*
-%if 0%{?rhel} && 0%{?rhel} < 8
-%{python2_sitelib}/fail2ban/tests
-%else
 %{python3_sitelib}/fail2ban/tests
-%endif
 
 %files mail
 %config(noreplace) %{_sysconfdir}/fail2ban/action.d/complain.conf
@@ -472,6 +428,37 @@ fi
 
 
 %changelog
+* Wed Dec 31 2025 Richard Shaw <hobbes1069@gmail.com> - 1.1.0-15
+- Add patch for Dovecot 2.4 jail. Fixes BZ#2426440.
+
+* Sat Oct 11 2025 Orion Poplawski <orion@nwra.com> - 1.1.0-14
+- Cleanup old conditionals
+
+* Fri Oct 10 2025 Orion Poplawski <orion@nwra.com> - 1.1.0-13
+- Fix paths in fail2ban.service (rhbz#2399981)
+
+* Fri Sep 19 2025 Python Maint <python-maint@redhat.com> - 1.1.0-12
+- Rebuilt for Python 3.14.0rc3 bytecode
+
+* Thu Aug 21 2025 Richard Shaw <hobbes1069@gmail.com> - 1.1.0-11
+- Move from setup.py to wheels per
+  https://fedoraproject.org/wiki/Changes/DeprecateSetuppyMacros.
+
+* Fri Aug 15 2025 Python Maint <python-maint@redhat.com> - 1.1.0-10
+- Rebuilt for Python 3.14.0rc2 bytecode
+
+* Wed Jul 23 2025 Fedora Release Engineering <releng@fedoraproject.org> - 1.1.0-9
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild
+
+* Tue Jun 03 2025 Python Maint <python-maint@redhat.com> - 1.1.0-8
+- Rebuilt for Python 3.14
+
+* Thu Jan 16 2025 Fedora Release Engineering <releng@fedoraproject.org> - 1.1.0-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild
+
+* Thu Dec 19 2024 Orion Poplawski <orion@nwra.com> - 1.1.0-6
+- Add upstream fix for sshd filter (rhbz#2332945)
+
 * Wed Oct 16 2024 Richard Shaw <hobbes1069@gmail.com> - 1.1.0-5
 - Add upstream patch for python distutils removal.
 

fail2ban.te

@@ -99,22 +99,12 @@ logging_read_syslog_pid(fail2ban_t)
 logging_dontaudit_search_audit_logs(fail2ban_t)
 logging_mmap_generic_logs(fail2ban_t)
 logging_mmap_journal(fail2ban_t)
-allow fail2ban_t fail2ban_log_t:file watch;
-gen_require(`
-        attribute logfile;
-')
-allow fail2ban_t logfile:dir { watch_dir_perms };
-allow fail2ban_t logfile:file { watch_file_perms };
 # Not in EL9 yet
 #logging_watch_audit_log_files(fail2ban_t)
-gen_require(`
+logging_watch_all_log_files(fail2ban_t)
-	type var_log_t, auditd_log_t;
+logging_watch_all_log_dirs(fail2ban_t)
-')
+logging_watch_audit_log_files(fail2ban_t)
-watch_files_pattern(fail2ban_t, auditd_log_t, auditd_log_t)
+logging_watch_audit_log_dirs(fail2ban_t)
-#logging_watch_audit_log_dirs(fail2ban_t)
-allow fail2ban_t var_log_t:dir search_dir_perms;
-watch_dirs_pattern(fail2ban_t, auditd_log_t, auditd_log_t)
-logging_watch_generic_log_dirs(fail2ban_t)
 logging_watch_journal_dir(fail2ban_t)
 
 mta_send_mail(fail2ban_t)