04ff4c060cdc233af9a6deeb85a6523da0416f31.patch

@@ -1,60 +0,0 @@
-From 04ff4c060cdc233af9a6deeb85a6523da0416f31 Mon Sep 17 00:00:00 2001
-From: Nic Boet <nic@boet.cc>
-Date: Fri, 13 Jun 2025 16:44:57 -0500
-Subject: [PATCH] Dovecot 2.4 filter support
-
-Dovecot 2.4 release is a major upgrade
-Logger event structure has changed, all messages are now
-prefixed with:
-
-        "Login aborted: " <reason> "auth failed"
-
-Maintain 2.3 support as many folks have yet to migrate,
-community edition is still receiving cretial security patches
-
-Dovecot 2.4.1
-Python 3.12.10
-
-Signed-off-by: Nic Boet <nic@boet.cc>
----
- config/filter.d/dovecot.conf      | 2 ++
- fail2ban/tests/files/logs/dovecot | 6 ++++++
- 2 files changed, 8 insertions(+)
-
-diff --git a/config/filter.d/dovecot.conf b/config/filter.d/dovecot.conf
-index dc3ebbcd42..f49eebe726 100644
---- a/config/filter.d/dovecot.conf
-+++ b/config/filter.d/dovecot.conf
-@@ -17,6 +17,7 @@ prefregex = ^%(__prefix_line)s(?:%(_auth_worker)s(?:\([^\)]+\))?: )?(?:%(__pam_a
- 
- failregex = ^authentication failure; logname=<F-ALT_USER1>\S*</F-ALT_USER1> uid=\S* euid=\S* tty=dovecot ruser=<F-USER>\S*</F-USER> rhost=<HOST>(?:\s+user=<F-ALT_USER>\S*</F-ALT_USER>)?\s*$
-             ^(?:Aborted login|Disconnected|Remote closed connection|Client has quit the connection)%(_bypass_reject_reason)s \((?:auth failed, \d+ attempts(?: in \d+ secs)?|tried to use (?:disabled|disallowed) \S+ auth|proxy dest auth failed)\):(?: user=<<F-USER>[^>]*</F-USER>>,)?(?: method=\S+,)? rip=<HOST>(?:[^>]*(?:, session=<\S+>)?)\s*$
-+            ^(?:Login aborted):\s*%(_bypass_reject_reason)s.*?\((?:auth failed, \d+ attempts(?: in \d+ secs)?|tried to use (?:disabled|disallowed) \S+ auth|proxy dest auth failed)\)(?:\s*\([^)]+\))?:\s*(?:user=<<F-USER>[^>]*</F-USER>>,?\s*)?(?:,?\s*method=\S+,\s*)?rip=<HOST>(?:[^>]*(?:, session=<\S+>)?)\s*$
-             ^pam\(\S+,<HOST>(?:,\S*)?\): pam_authenticate\(\) failed: (?:User not known to the underlying authentication module: \d+ Time\(s\)|Authentication failure \([Pp]assword mismatch\?\)|Permission denied)\s*$
-             ^[a-z\-]{3,15}\(\S*,<HOST>(?:,\S*)?\): (?:[Uu]nknown user|[Ii]nvalid credentials|[Pp]assword mismatch)
-             <mdre-<mode>>
-@@ -43,6 +44,7 @@ datepattern = {^LN-BEG}TAI64N
- # DEV Notes:
- # * the first regex is essentially a copy of pam-generic.conf
- # * Probably doesn't do dovecot sql/ldap backends properly (resolved in edit 21/03/2016)
-+# * Dovecot version 2.4 changed event log structure, line prior needed to maintain 2.3 support
- #
- # Author: Martin Waschbuesch
- #         Daniel Black (rewrote with begin and end anchors)
-diff --git a/fail2ban/tests/files/logs/dovecot b/fail2ban/tests/files/logs/dovecot
-index 0e33296129..4f5a0b7867 100644
---- a/fail2ban/tests/files/logs/dovecot
-+++ b/fail2ban/tests/files/logs/dovecot
-@@ -22,6 +22,12 @@ Jun 14 00:48:21 platypus dovecot: imap-login: Disconnected (auth failed, 1 attem
- # failJSON: { "time": "2005-06-23T00:52:43", "match": true , "host": "193.95.245.163" }
- Jun 23 00:52:43 vhost1-ua dovecot: pop3-login: Disconnected: Inactivity (auth failed, 1 attempts): user=<info>, method=PLAIN, rip=193.95.245.163, lip=176.214.13.210
- 
-+# Dovecot version 2.4
-+# failJSON: { "time": "2005-06-12T19:07:29", "match": true , "host": "192.0.2.241" }
-+Jun 12 19:07:29 hostname dovecot[241]: imap-login: Login aborted: Connection closed (auth failed, 3 attempts in 16 secs) (auth_failed): user=<test>, method=PLAIN, rip=192.0.2.241, lip=203.0.113.104, TLS, session=<9ZHq02g3J8S60fan>
-+# failJSON: { "time": "2005-06-13T16:35:56", "match": true , "host": "192.0.2.241" }
-+Jun 13 16:35:56 mx dovecot[241]: managesieve-login: Login aborted: Logged out (auth failed, 1 attempts in 10 secs) (auth_failed): user=<user@domain>, method=PLAIN, rip=192.0.2.241, lip=203.0.113.104, TLS, session=<Dp8j1Ho3suQYdo+k>
-+
- # failJSON: { "time": "2005-07-02T13:49:31", "match": true , "host": "192.51.100.13" }
- Jul 02 13:49:31 hostname dovecot[442]: pop3-login: Aborted login (auth failed, 1 attempts in 17 secs): user=<test>, method=PLAIN, rip=192.51.100.13, lip=203.0.113.17, session=<YADINsQCDs5BH8Pg>
- 

fail2ban.spec

@@ -8,10 +8,13 @@
 %if %{defined rhel} && 0%{?rhel} < 10
 %define legacy_var_run 1
 %endif
+%if %{defined fedora} && 0%{?fedora} < 40
+%define legacy_var_run 1
+%endif
 
 Name: fail2ban
 Version: 1.1.0
-Release: 15%{?dist}
+Release: 6%{?dist}
 Summary: Daemon to ban hosts that cause multiple authentication errors
 
 License: GPL-2.0-or-later
@@ -50,24 +53,28 @@ Patch4: https://patch-diff.githubusercontent.com/raw/fail2ban/fail2ban/pull/3728
 # Upstream fix to also catch sshd-session logs
 # https://bugzilla.redhat.com/show_bug.cgi?id=2332945
 Patch5: https://github.com/fail2ban/fail2ban/commit/54c0effceb998b73545073ac59c479d9d9bf19a4.patch
-# Needed for Dovecot change to loging format in 2.4, fixed in f2b version 1.1.1.
-# https://bugzilla.redhat.com/show_bug.cgi?id=2426440
-Patch6: https://github.com/fail2ban/fail2ban/commit/04ff4c060cdc233af9a6deeb85a6523da0416f31.patch
 
 
 BuildArch: noarch
 
+%if 0%{?rhel} && 0%{?rhel} < 8
+BuildRequires: python-devel
+BuildRequires: python-setuptools
+# For testcases
+BuildRequires: python-inotify
+%else
 BuildRequires: python3-devel
 BuildRequires: python3-setuptools
 # For testcases
 BuildRequires: python3-inotify
+%endif
 # using a python3_version-based conditional does not work here, so
 # this is a proxy for "Python version greater than 3.12". asyncore
 # and asynchat were dropped from cpython core in 3.12, these modules
 # make them available again. See:
 # https://github.com/fail2ban/fail2ban/issues/3487
 # https://bugzilla.redhat.com/show_bug.cgi?id=2219991
-%if 0%{?fedora} || 0%{?rhel} >= 10
+%if 0%{?fedora} > 38
 BuildRequires: python3-pyasyncore
 BuildRequires: python3-pyasynchat
 %endif
@@ -75,7 +82,7 @@ BuildRequires: sqlite
 BuildRequires: systemd
 BuildRequires: selinux-policy-devel
 BuildRequires: make
-%if 0%{?fedora} || 0%{?rhel} >= 11
+%if 0%{?fedora} >= 41
 BuildRequires: bash-completion-devel
 %else
 BuildRequires: bash-completion
@@ -116,14 +123,24 @@ SELinux policies for Fail2Ban.
 
 %package server
 Summary: Core server component for Fail2Ban
+%if 0%{?rhel} && 0%{?rhel} < 8
+Requires: systemd-python
+Requires: ipset
+Requires: iptables
+%else
 Requires: python3-systemd
 Requires: nftables
+%endif
 Requires(post): systemd
 Requires(preun): systemd
 Requires(postun): systemd
+%if 0%{?fedora} || 0%{?rhel} >= 8
 Requires: (%{name}-selinux if selinux-policy-%{selinuxtype})
+%else
+Requires: %{name}-selinux
+%endif
 # see note above in BuildRequires section
-%if 0%{?fedora} || 0%{?rhel} >= 10
+%if 0%{?fedora} > 38
 Requires: python3-pyasyncore
 Requires: python3-pyasynchat
 %endif
@@ -145,7 +162,13 @@ Requires: %{name}-server = %{version}-%{release}
 Requires: %{name}-shorewall = %{version}-%{release}
 %endif
 Requires: perl-interpreter
+%if 0%{?rhel} && 0%{?rhel} < 8
+Requires: python-inotify
+# No python3 support for gamin so epel only
+Requires: gamin-python
+%else
 Requires: python3-inotify
+%endif
 Requires: /usr/bin/whois
 
 %description all
@@ -235,6 +258,11 @@ by default.
 %prep
 %{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
 %autosetup -p1
+# this test uses smtpd which is removed in Python 3.12, rewriting it
+# isn't trivial
+%if 0%{?fedora} > 38
+rm -f fail2ban/tests/action_d/test_smtp.py
+%endif
 
 # Use Fedora paths
 sed -i -e 's/^before = paths-.*/before = paths-fedora.conf/' config/jail.conf
@@ -251,26 +279,27 @@ sed -i 's|^/run/|/var/run/|' %{name}.fc
 sed -i "/use_2to3/d" setup.py
 
 
-%generate_buildrequires
-%pyproject_buildrequires
-
-
 %build
-%pyproject_wheel
+%if 0%{?rhel} && 0%{?rhel} < 8
+%py2_build
+%else
+%py3_build
+%endif
 make -f %SOURCE6
 
 
 %install
-%pyproject_install
+%if 0%{?rhel} && 0%{?rhel} < 8
+%py2_install
+# Make symbolic link relative
+ln -fs python2 %{buildroot}%{_bindir}/fail2ban-python
+%else
+%py3_install
 ln -fs python3 %{buildroot}%{_bindir}/fail2ban-python
-mv %{buildroot}%{python3_sitelib}/etc %{buildroot}
-mv %{buildroot}%{python3_sitelib}/%{_datadir} %{buildroot}%{_datadir}
-rmdir %{buildroot}%{python3_sitelib}%{_prefix}
+%endif
 
 mkdir -p %{buildroot}%{_unitdir}
-# Note that the tests rewrite build/fail2ban.service, but it uses build/ paths before the rewrite
-# so we will do our own modification
-sed -e 's,@BINDIR@,%{_bindir},' files/fail2ban.service.in > %{buildroot}%{_unitdir}/fail2ban.service
+cp -p build/fail2ban.service %{buildroot}%{_unitdir}/
 mkdir -p %{buildroot}%{_mandir}/man{1,5}
 install -p -m 644 man/*.1 %{buildroot}%{_mandir}/man1
 install -p -m 644 man/*.5 %{buildroot}%{_mandir}/man5
@@ -281,7 +310,6 @@ install -m 0600 /dev/null %{buildroot}/run/fail2ban/fail2ban.pid
 install -d -m 0755 %{buildroot}%{_localstatedir}/lib/fail2ban/
 mkdir -p %{buildroot}%{_tmpfilesdir}
 install -p -m 0644 files/fail2ban-tmpfiles.conf %{buildroot}%{_tmpfilesdir}/fail2ban.conf
-mkdir -p %{buildroot}%{_sysconfdir}/%{name}/jail.d
 
 # Remove non-Linux actions
 rm %{buildroot}%{_sysconfdir}/%{name}/action.d/*ipfw.conf
@@ -326,7 +354,17 @@ COMPLETIONDIR=%{buildroot}$(pkg-config --variable=completionsdir bash-completion
 
 
 %check
+%if 0%{?rhel} && 0%{?rhel} < 8
+%python2 bin/fail2ban-testcases --verbosity=2 --no-network
+%else
+%if 0%{?fedora} > 38
+# testRepairDb does not work with sqlite 3.42.0+
+# https://github.com/fail2ban/fail2ban/issues/3586
+%python3 bin/fail2ban-testcases --verbosity=2 --no-network -i testRepairDb
+%else
 %python3 bin/fail2ban-testcases --verbosity=2 --no-network
+%endif
+%endif
 
 
 %pre selinux
@@ -366,8 +404,13 @@ fi
 %{_bindir}/fail2ban-python
 %{_bindir}/fail2ban-regex
 %{_bindir}/fail2ban-server
+%if 0%{?rhel} && 0%{?rhel} < 8
+%{python2_sitelib}/*
+%exclude %{python2_sitelib}/fail2ban/tests
+%else
 %{python3_sitelib}/*
 %exclude %{python3_sitelib}/fail2ban/tests
+%endif
 %{_unitdir}/fail2ban.service
 %{_datadir}/bash-completion/
 %{_mandir}/man1/fail2ban.1*
@@ -403,7 +446,11 @@ fi
 %files tests
 %{_bindir}/fail2ban-testcases
 %{_mandir}/man1/fail2ban-testcases.1*
+%if 0%{?rhel} && 0%{?rhel} < 8
+%{python2_sitelib}/fail2ban/tests
+%else
 %{python3_sitelib}/fail2ban/tests
+%endif
 
 %files mail
 %config(noreplace) %{_sysconfdir}/fail2ban/action.d/complain.conf
@@ -428,34 +475,6 @@ fi
 
 
 %changelog
-* Wed Dec 31 2025 Richard Shaw <hobbes1069@gmail.com> - 1.1.0-15
-- Add patch for Dovecot 2.4 jail. Fixes BZ#2426440.
-
-* Sat Oct 11 2025 Orion Poplawski <orion@nwra.com> - 1.1.0-14
-- Cleanup old conditionals
-
-* Fri Oct 10 2025 Orion Poplawski <orion@nwra.com> - 1.1.0-13
-- Fix paths in fail2ban.service (rhbz#2399981)
-
-* Fri Sep 19 2025 Python Maint <python-maint@redhat.com> - 1.1.0-12
-- Rebuilt for Python 3.14.0rc3 bytecode
-
-* Thu Aug 21 2025 Richard Shaw <hobbes1069@gmail.com> - 1.1.0-11
-- Move from setup.py to wheels per
-  https://fedoraproject.org/wiki/Changes/DeprecateSetuppyMacros.
-
-* Fri Aug 15 2025 Python Maint <python-maint@redhat.com> - 1.1.0-10
-- Rebuilt for Python 3.14.0rc2 bytecode
-
-* Wed Jul 23 2025 Fedora Release Engineering <releng@fedoraproject.org> - 1.1.0-9
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild
-
-* Tue Jun 03 2025 Python Maint <python-maint@redhat.com> - 1.1.0-8
-- Rebuilt for Python 3.14
-
-* Thu Jan 16 2025 Fedora Release Engineering <releng@fedoraproject.org> - 1.1.0-7
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild
-
 * Thu Dec 19 2024 Orion Poplawski <orion@nwra.com> - 1.1.0-6
 - Add upstream fix for sshd filter (rhbz#2332945)
 

fail2ban.te

@@ -99,12 +99,22 @@ logging_read_syslog_pid(fail2ban_t)
 logging_dontaudit_search_audit_logs(fail2ban_t)
 logging_mmap_generic_logs(fail2ban_t)
 logging_mmap_journal(fail2ban_t)
+allow fail2ban_t fail2ban_log_t:file watch;
+gen_require(`
+        attribute logfile;
+')
+allow fail2ban_t logfile:dir { watch_dir_perms };
+allow fail2ban_t logfile:file { watch_file_perms };
 # Not in EL9 yet
 #logging_watch_audit_log_files(fail2ban_t)
-logging_watch_all_log_files(fail2ban_t)
-logging_watch_all_log_dirs(fail2ban_t)
-logging_watch_audit_log_files(fail2ban_t)
-logging_watch_audit_log_dirs(fail2ban_t)
+gen_require(`
+	type var_log_t, auditd_log_t;
+')
+watch_files_pattern(fail2ban_t, auditd_log_t, auditd_log_t)
+#logging_watch_audit_log_dirs(fail2ban_t)
+allow fail2ban_t var_log_t:dir search_dir_perms;
+watch_dirs_pattern(fail2ban_t, auditd_log_t, auditd_log_t)
+logging_watch_generic_log_dirs(fail2ban_t)
 logging_watch_journal_dir(fail2ban_t)
 
 mta_send_mail(fail2ban_t)