Thu, 25 Jan 2007
- Added modules:
consolekit (Dan Walsh)
+ fail2ban (Dan Walsh)
* Tue Dec 12 2006 Chris PeBenito <selinux@tresys.com> - 20061212
- Add policy patterns support macros. This changes the behavior of
--- /dev/null
+/usr/bin/fail2ban -- gen_context(system_u:object_r:fail2ban_exec_t,s0)
+/var/log/fail2ban.log -- gen_context(system_u:object_r:fail2ban_log_t,s0)
+/var/run/fail2ban.pid -- gen_context(system_u:object_r:fail2ban_var_run_t,s0)
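Review bot: The `/var/log/fail2ban.log` entry only labels the live log, so rotated copies (`fail2ban.log.1`, `.gz`) would presumably fall back to the generic `var_log_t`, taking them outside the `fail2ban_read_log` interface and inside whatever `logging_read_generic_logs` grants; the unescaped dot is also a regex wildcard in an .fc pattern. `/var/log/fail2ban\.log.* -- gen_context(system_u:object_r:fail2ban_log_t,s0)` covers the rotated names and anchors the dot, matching how other refpolicy log entries are written. This assumes the log is rotated in place under the same directory — confirm against the package's logrotate config.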
--- /dev/null
+## <summary>Update firewall filtering to ban IP addresses with too many password failures.</summary>
+
+########################################
+## <summary>
+## Execute a domain transition to run fail2ban.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`fail2ban_domtrans',`
+ gen_require(`
+ type fail2ban_t, fail2ban_exec_t;
+ ')
+
+ domtrans_pattern($1,fail2ban_exec_t,fail2ban_t)
+')
+
+########################################
+## <summary>
+## Allow the specified domain to read fail2ban's log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`fail2ban_read_log',`
+ gen_require(`
+ type fail2ban_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 fail2ban_log_t:dir list_dir_perms;
+ allow $1 fail2ban_log_t:file { read getattr lock };
+')
+
+########################################
+## <summary>
+## Allow the specified domain to append
+## fail2ban log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`fail2ban_append_log',`
+ gen_require(`
+ type fail2ban_log_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 fail2ban_log_t:dir list_dir_perms;
+ allow $1 fail2ban_log_t:file append_file_perms;
+')
+
+########################################
+## <summary>
+## Read fail2ban PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`fail2ban_read_pid_files',`
+ gen_require(`
+ type fail2ban_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 fail2ban_var_run_t:file read_file_perms;
+')
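Review bot: The `<param>` summary for `fail2ban_append_log` reads `Domain allowed to transition.`, which was copied from `fail2ban_domtrans`; this interface grants log append, not a domain transition, so it should say `Domain allowed access.` as `fail2ban_read_log` and `fail2ban_read_pid_files` do. In the same spirit, `fail2ban_read_log` spells out `allow $1 fail2ban_log_t:file { read getattr lock };` while its siblings use the `*_file_perms` macros; `allow $1 fail2ban_log_t:file read_file_perms;` keeps the three interfaces consistent and lets the central macro own the exact permission set rather than this file. The `list_dir_perms` grant on `fail2ban_log_t:dir` in both log interfaces presupposes a directory of that type, which the accompanying .fc does not label — harmless, but worth a comment if it is intentional.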
--- /dev/null
+
+policy_module(fail2ban,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type fail2ban_t;
+type fail2ban_exec_t;
+init_daemon_domain(fail2ban_t, fail2ban_exec_t)
+
+# log files
+type fail2ban_log_t;
+logging_log_file(fail2ban_log_t)
+
+# pid files
+type fail2ban_var_run_t;
+files_pid_file(fail2ban_var_run_t)
+
+########################################
+#
+# fail2ban local policy
+#
+
+allow fail2ban_t self:process signal;
+allow fail2ban_t self:fifo_file rw_fifo_file_perms;
+allow fail2ban_t self:unix_stream_socket create_stream_socket_perms;
+
+# log files
+allow fail2ban_t fail2ban_log_t:dir setattr;
+manage_files_pattern(fail2ban_t,fail2ban_log_t,fail2ban_log_t)
+logging_log_filetrans(fail2ban_t,fail2ban_log_t,file)
+
+# pid file
+manage_files_pattern(fail2ban_t,fail2ban_var_run_t,fail2ban_var_run_t)
+files_pid_filetrans(fail2ban_t,fail2ban_var_run_t, file)
+
+kernel_read_system_state(fail2ban_t)
+
+corecmd_search_sbin(fail2ban_t)
+corecmd_exec_bin(fail2ban_t)
+corecmd_exec_shell(fail2ban_t)
+
+dev_read_urand(fail2ban_t)
+
+domain_use_interactive_fds(fail2ban_t)
+
+files_read_etc_files(fail2ban_t)
+files_read_usr_files(fail2ban_t)
+
+libs_use_ld_so(fail2ban_t)
+libs_use_shared_libs(fail2ban_t)
+
+logging_read_generic_logs(fail2ban_t)
+
+miscfiles_read_localization(fail2ban_t)
+
+ifdef(`targeted_policy',`
+ term_dontaudit_use_unallocated_ttys(fail2ban_t)
+ term_dontaudit_use_generic_ptys(fail2ban_t)
+')
+
+optional_policy(`
+ apache_read_log(fail2ban_t)
+')
+
+optional_policy(`
+ ftp_read_log(fail2ban_t)
+')
+
+optional_policy(`
+ iptables_domtrans(fail2ban_t)
+')
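Review bot: `corecmd_exec_bin`, `corecmd_exec_shell` and `logging_read_generic_logs` are the broad grants in this domain and carry no comment explaining why they are needed; since ban/unban actions are admin-configured commands, every action without its own transition runs as `fail2ban_t` with read access to all generic logs, and the only transition wired here is `iptables_domtrans`, inside an `optional_policy` block. A why-comment above the corecmd lines such as `# ban/unban actions are admin-configured shell commands; only iptables gets its own domain` records that trade-off for the next maintainer. If the iptables module is not present the optional block is dropped and the firewall binary would presumably execute in `fail2ban_t` itself, which this policy gives no capability or netlink rights — worth confirming whether bans then fail silently rather than loudly. Also, `files_pid_filetrans(fail2ban_t,fail2ban_var_run_t, file)` only labels plain files, so any socket or directory the daemon creates under `/var/run` would keep the parent's type; check what fail2ban actually creates there.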