policy/modules/services/fail2ban.te

   1
   2 policy_module(fail2ban, 1.4.0)
   3
   4 ########################################
   5 #
   6 # Declarations
   7 #
   8
   9 type fail2ban_t;
  10 type fail2ban_exec_t;
  11 init_daemon_domain(fail2ban_t, fail2ban_exec_t)
  12
  13 type fail2ban_initrc_exec_t;
  14 init_script_file(fail2ban_initrc_exec_t)
  15
  16 # log files
  17 type fail2ban_log_t;
  18 logging_log_file(fail2ban_log_t)
  19
  20 type fail2ban_var_lib_t;
  21 files_type(fail2ban_var_lib_t)
  22
  23 # pid files
  24 type fail2ban_var_run_t;
  25 files_pid_file(fail2ban_var_run_t)
  26
  27 ########################################
  28 #
  29 # fail2ban local policy
  30 #
  31
  32 allow fail2ban_t self:capability { sys_tty_config };
  33 allow fail2ban_t self:process signal;
  34 allow fail2ban_t self:fifo_file rw_fifo_file_perms;
  35 allow fail2ban_t self:unix_stream_socket { connectto create_stream_socket_perms };
  36 allow fail2ban_t self:unix_dgram_socket create_socket_perms;
  37 allow fail2ban_t self:tcp_socket create_stream_socket_perms;
  38
  39 # log files
  40 allow fail2ban_t fail2ban_log_t:dir setattr;
  41 manage_files_pattern(fail2ban_t, fail2ban_log_t, fail2ban_log_t)
  42 logging_log_filetrans(fail2ban_t, fail2ban_log_t, file)
  43
  44 manage_dirs_pattern(fail2ban_t, fail2ban_var_lib_t, fail2ban_var_lib_t)
  45 manage_files_pattern(fail2ban_t, fail2ban_var_lib_t, fail2ban_var_lib_t)
  46 files_var_lib_filetrans(fail2ban_t, fail2ban_var_lib_t, { dir file })
  47
  48 # pid file
  49 manage_dirs_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
  50 manage_sock_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
  51 manage_files_pattern(fail2ban_t, fail2ban_var_run_t, fail2ban_var_run_t)
  52 files_pid_filetrans(fail2ban_t, fail2ban_var_run_t, { dir file sock_file })
  53
  54 kernel_read_system_state(fail2ban_t)
  55
  56 corecmd_exec_bin(fail2ban_t)
  57 corecmd_exec_shell(fail2ban_t)
  58
  59 corenet_all_recvfrom_unlabeled(fail2ban_t)
  60 corenet_all_recvfrom_netlabel(fail2ban_t)
  61 corenet_tcp_sendrecv_generic_if(fail2ban_t)
  62 corenet_tcp_sendrecv_generic_node(fail2ban_t)
  63 corenet_tcp_sendrecv_all_ports(fail2ban_t)
  64 corenet_tcp_connect_whois_port(fail2ban_t)
  65 corenet_sendrecv_whois_client_packets(fail2ban_t)
  66
  67 dev_read_urand(fail2ban_t)
  68
  69 domain_use_interactive_fds(fail2ban_t)
  70
  71 files_read_etc_files(fail2ban_t)
  72 files_read_etc_runtime_files(fail2ban_t)
  73 files_read_usr_files(fail2ban_t)
  74 files_list_var(fail2ban_t)
  75 files_search_var_lib(fail2ban_t)
  76
  77 fs_list_inotifyfs(fail2ban_t)
  78 fs_getattr_all_fs(fail2ban_t)
  79
  80 auth_use_nsswitch(fail2ban_t)
  81
  82 logging_read_all_logs(fail2ban_t)
  83 logging_send_syslog_msg(fail2ban_t)
  84
  85 miscfiles_read_localization(fail2ban_t)
  86
  87 mta_send_mail(fail2ban_t)
  88
  89 optional_policy(`
  90         apache_read_log(fail2ban_t)
  91 ')
  92
  93 optional_policy(`
  94         ftp_read_log(fail2ban_t)
  95 ')
  96
  97 optional_policy(`
  98         iptables_domtrans(fail2ban_t)
  99 ')