[people/stevee/selinux-policy.git] / policy / modules / services / denyhosts.te
1 policy_module(denyhosts, 1.0.0)
2 # SELinux policy module that confines the DenyHosts daemon in its own domain.
3 ########################################
4 #
5 # Declarations: the types private to the DenyHosts module.
6 #
7 # Process domain and its entry-point executable type; init_daemon_domain lets init start the daemon in denyhosts_t.
8 type denyhosts_t;
9 type denyhosts_exec_t;
10 init_daemon_domain(denyhosts_t, denyhosts_exec_t)
11 # Separate type for the init script that starts the service.
12 type denyhosts_initrc_exec_t;
13 init_script_file(denyhosts_initrc_exec_t)
14 # Private type for the state files kept by the daemon.
15 type denyhosts_var_lib_t;
16 files_type(denyhosts_var_lib_t)
17 # Private type for lock files.
18 type denyhosts_var_lock_t;
19 files_lock_file(denyhosts_var_lock_t)
20 # Private type for the log written by the daemon itself.
21 type denyhosts_var_log_t;
22 logging_log_file(denyhosts_var_log_t)
23
24 ########################################
25 #
26 # Local policy: what denyhosts_t may do to itself and to its private types.
27 #
28 # Bug #588563 - NOTE(review): presumably the justification for sys_tty_config below; confirm it is still required.
29 allow denyhosts_t self:capability sys_tty_config;
30 allow denyhosts_t self:netlink_route_socket create_netlink_socket_perms;
31 allow denyhosts_t self:tcp_socket create_socket_perms;
32 allow denyhosts_t self:udp_socket create_socket_perms;
33 # State: regular files only. No directory rules appear here, so the state directory presumably has to exist and be labelled already - TODO confirm in the file contexts.
34 manage_files_pattern(denyhosts_t, denyhosts_var_lib_t, denyhosts_var_lib_t)
35 files_var_lib_filetrans(denyhosts_t, denyhosts_var_lib_t, file)
36 # Locks: directories and files are managed and are created with the private lock type.
37 manage_dirs_pattern(denyhosts_t, denyhosts_var_lock_t, denyhosts_var_lock_t)
38 manage_files_pattern(denyhosts_t, denyhosts_var_lock_t, denyhosts_var_lock_t)
39 files_lock_filetrans(denyhosts_t, denyhosts_var_lock_t, { dir file })
40 # Own log: create, append, read and setattr only. This section calls no manage pattern on the log type, so it does not hand the daemon a way to rewrite or delete earlier entries.
41 append_files_pattern(denyhosts_t, denyhosts_var_log_t, denyhosts_var_log_t)
42 create_files_pattern(denyhosts_t, denyhosts_var_log_t, denyhosts_var_log_t)
43 read_files_pattern(denyhosts_t, denyhosts_var_log_t, denyhosts_var_log_t)
44 setattr_files_pattern(denyhosts_t, denyhosts_var_log_t, denyhosts_var_log_t)
45 logging_log_filetrans(denyhosts_t, denyhosts_var_log_t, file)
46 # Access to the rest of the system, granted through interfaces of other policy modules.
47 kernel_read_system_state(denyhosts_t)
48 # Helper programs labelled as generic binaries run inside denyhosts_t (no domain transition). NOTE(review): broad grant; check which helpers are really needed.
49 corecmd_exec_bin(denyhosts_t)
50 # Network: outbound TCP to the smtp and sype ports; no interface granting name_bind on a port type is called in this file. NOTE(review): sype is presumably the DenyHosts synchronisation service - confirm against the port definitions.
51 corenet_all_recvfrom_unlabeled(denyhosts_t)
52 corenet_all_recvfrom_netlabel(denyhosts_t)
53 corenet_tcp_sendrecv_generic_if(denyhosts_t)
54 corenet_tcp_sendrecv_generic_node(denyhosts_t)
55 corenet_tcp_bind_generic_node(denyhosts_t)
56 corenet_tcp_connect_smtp_port(denyhosts_t)
57 corenet_tcp_connect_sype_port(denyhosts_t)
58 corenet_sendrecv_smtp_client_packets(denyhosts_t)
59 # Random data from the urandom device.
60 dev_read_urand(denyhosts_t)
61 # Read-only access to generic files under /etc and /usr.
62 files_read_etc_files(denyhosts_t)
63 files_read_usr_files(denyhosts_t)
64
65 # /var/log/secure - NOTE(review): the interface covers every log carrying the generic log label, not only this file.
66 logging_read_generic_logs(denyhosts_t)
67 logging_send_syslog_msg(denyhosts_t)
68 # Locale data.
69 miscfiles_read_localization(denyhosts_t)
70 # DNS lookups plus management of network configuration files. NOTE(review): presumably needed because hosts.deny carries the network config label - confirm in the file contexts. This is the only write access to a non-private type visible in this file and it reaches every file with that label.
71 sysnet_dns_name_resolve(denyhosts_t)
72 sysnet_manage_config(denyhosts_t)
73 sysnet_etc_filetrans_config(denyhosts_t)
74 # When the cron module is present, system cron jobs may start the daemon executable in denyhosts_t.
75 optional_policy(`
76 cron_system_entry(denyhosts_t, denyhosts_exec_t)
77 ')
78 # dontaudit only: grants no access and keeps these denials out of the audit log, so they will not show up when reviewing AVC messages.
79 optional_policy(`
80 gnome_dontaudit_search_config(denyhosts_t)
81 ')